“Who Stole My Cookie?”

In June 2011, the FFIEC issued a supplement to their guidance entitled  Authentication in an Internet Banking Environment,” originally published in 2005.  The supplement keyed on several widely-adopted controls, one of which they referred to as “simple device identification.” Simple device identification is known as the process of identifying a customer or end user by nothing more than verifying the presence of an HTTP cookie.  But more than two years since the guidance was published by the FFIEC, financial institutions of all sizes continue to rely on this traditional, undoubtedly broken, authentication method. In fact, it remains rather prevalent across many banking sites.

So why are banks and credit unions still using such methods for authentication?  Understand, I’m not suggesting cookies are evil nor am I suggesting we should stop using cookies in our web applications. Due to the stateless nature of the HTTP protocol (which is how we navigate the World Wide Web), cookies are a very credible means for a server to maintain a certain level of state for each session. HTTP cookies are sent from the client (browser) to the server (application) on every navigation request or HTTP call that is made—this is web applications maintain the state of a session. E-Commerce sites, which feature online shopping carts, or social sites, which track user preferences often rely on cookies. In reality, these cookies do not present any risk to an end user.

The problem lies in how financial institutions are relying on the presence of these cookies as their primary control for end user authentication (e.g. simple device identification). Unfortunately, cookies are usually not associated with a particular device, but rather a particular end user. Adding to that problem, there’s no mechanism that prevents cookies from being stolen or copied from the browser cache. Modern financial malware has capabilities to not only log keystrokes to steal credentials, but can also steal information such as cookies.  Surprisingly, many financial institutions are unaware cookies are even susceptible to being lifted from a computer.


Simple device identification vs. Complex device identification

Although no device authentication method can mitigate all threats, the FFIEC considers complex device identification to be more secure and preferable to simple device identification. Clearly stated in the guidance, “institutions should no longer consider simple device identification, as a primary control, to be an effective risk mitigation technique.” The method of complex device identification alone is not enough, as an attacker can spoof many of the attributes that are examined.  However, using techniques to detect unusual values in headers along with the analysis of historical patterns makes it much more difficult for an attacker attempting to impersonate the legitimate end user.

Of course the best defense a financial institution can deploy is one that uses multiple layers.  With a layered security model, the weakness in one control is compensated by the strength of another. Ultimately, the reliance on any single control or mitigating factor is insufficient—but using a stratified approach prevents a shortcoming in any one defense.