Comment On Classic WTF: Banking So Advanced

We're still on Summer Break here at The Daily WTF, which means it's time to bring back another classic. But in the meantime, please send in your stories so we'll have plenty to work with when we return next week. Now what's particularly fun about Banking So Advanced is that it was originally published back on October 17, 2007... and is still relevant today. The article links have not changed and the "unique" code remains the same. Consider what that means in Internet Time: back then, Twitter was little more than a silly idea that most everyone found ridiculous. Okay, so clearly, not that much has changed in the past few years, but I should note that this online banking site is still optimized for "Netscape Navigator 4.75 or higher; Internet Explorer 5.0 or 6.0; and AOL 6, 7, or 8."

Re: Classic WTF: Banking So Advanced

2010-07-13 09:06 • by C4I_Officer
Student-run branches? More like student-designed security systems. And...1st? Oh wait it's not valid... so frist :-p

Re: Classic WTF: Banking So Advanced

2010-07-13 09:07 • by Burpy (unregistered)
Red... I mean... Frist

Re: Classic WTF: Banking So Advanced

2010-07-13 09:09 • by JdFalcon04 (unregistered)
Well, since "DELETE [whatever]" is just as valid a SQL statement as "DELETE FROM [whatever]", they can still be Little Bobby Tables'd.

Now if you'll excuse me, I need to go back to coding via my onscreen keyboard.

Re: Classic WTF: Banking So Advanced

2010-07-13 09:11 • by frits
Sorry, I won't be joining your little cause...

...or any of those banks.

Re: Classic WTF: Banking So Advanced

2010-07-13 09:13 • by GrailSeekr (unregistered)
"What is your favorite color?"

"RED .. no, Blue AAAAAAAAAAAAAAAAAAAGH!"

Re: Classic WTF: Banking So Advanced

2010-07-13 09:25 • by PeriSoft
314289 in reply to 314288
The Article:
Steven King


Seriously? That's got to suck.

Re: Classic WTF: Banking So Advanced

2010-07-13 09:31 • by mkl (unregistered)
The credit union where my account is actually uses this system. I can assure you this is a complete disaster!

Re: Classic WTF: Banking So Advanced

2010-07-13 09:36 • by Aris (unregistered)
They really need to hire someone who understands a bit of computer security... If my bank had such a system, they'd have one less customer.

Re: Classic WTF: Banking So Advanced

2010-07-13 09:39 • by MiffTheFox
I've had the misfortune to deal with this software before.

The good thing about the security question is that you can write your own.

That way you can choose a password like, for example (never use this btw) "password". Enter something like "Whats with asdf?" and the answer is "passwordasdf".

Yeah, it's a kludgy hack, but then again so was the question thing in the first place.

And regarding the virtual keyboard, if you look at the form field it types into with Firebug, it doesn't even use the correct ASCII characters, it uses a substitution cypher.

You know, in case anybody's sniffing your HTTPS connection.

Or if the bank in question didn't use HTTPS, that would be a genuine WTF.

Re: Classic WTF: Banking So Advanced

2010-07-13 09:46 • by Pigeon
Exactly why I keep my money in a mayonnaise jar. But don't worry, I have authentication for my jar. Currently it is located in a secure spot (under ground in yard). My authentication is as such: a doberman will attack anyone who approaches the spot in the yard. I monitor their screams. If they sound familiar (wife, children, etc) I perform a visual confirmation to ensure their identity and allow them access (BAM! Two-factor). If I do not recognize their scream after 15 seconds, my band of wild ninjas swoops down carried by 47 crows to kill the intruder. Their weapons, of course, are blank CDs and tupperware lids (both sharpened), a bottle of 409, a 9-iron, and a spoon.

I am currently marketing this service to all financial institutions. Doberman's not your style or looking to cut down costs? I offer a wide selection including (but not limited to) miniature donkeys, lemurs, sharks (yes, with lasers), dogs, and Bobby Brown.

Re: Classic WTF: Banking So Advanced

2010-07-13 09:52 • by toth
Poor Allan Drophy and Anullia Harris.

Re: Classic WTF: Banking So Advanced

2010-07-13 09:54 • by Anonymous (unregistered)
Now THIS is a true classic. The sort of classic that makes you wince a bit as you read the next little nugget of insanity. The sort of classic that makes you fear for the security of your financial data. The sort of classic that makes you withdraw all your money from the bank and put it into a fire-safe box under your bed. BRB, got some banking to do.

PS: Fire-safe box. I cannot stress that enough to anyone who keeps large amounts of money around the house. Always use a fire-safe box. Decent ones can be quite expensive but it will pay for itself 10 times over the first time you have a fire.

Re: Classic WTF: Banking So Advanced

2010-07-13 09:57 • by My Name Is Missing (unregistered)
Having witnessed Harland's software at a former job (where we had a bank) I would prefer software written by Harland Sanders, better known as the KFC founder and icon.

Re: Classic WTF: Banking So Advanced

2010-07-13 09:58 • by Anon (unregistered)
314297 in reply to 314293
Pigeon:
If I do not recognize their scream after 15 seconds, my band of wild ninjas swoops down carried by 47 crows to kill the intruder. Their weapons, of course, are blank CDs and tupperware lids (both sharpened), a bottle of 409, a 9-iron, and a spoon.


I see the obvious flaw in your system. Your buried treasure will attract pirates and as we all know pirates >>> ninjas (even wild ones).
Not only is your booty at risk, but I suspect your wife and children aren't going to be safe either.

Re: Classic WTF: Banking So Advanced

2010-07-13 10:09 • by Pigeon
314298 in reply to 314297
Anon:
Pigeon:
If I do not recognize their scream after 15 seconds, my band of wild ninjas swoops down carried by 47 crows to kill the intruder. Their weapons, of course, are blank CDs and tupperware lids (both sharpened), a bottle of 409, a 9-iron, and a spoon.


I see the obvious flaw in your system. Your buried treasure will attract pirates and as we all know pirates >>> ninjas (even wild ones).
Not only is your booty at risk, but I suspect your wife and children aren't going to be safe either.


Well I tried to account for that; maybe my understanding of pirates is flawed. I thought simply by not putting an X on the spot where my jar is pirates would not locate the jar.

As for the wife and children...unfortunately we don't have to worry about that anymore. While writing my last reply they strayed too close to the booty....nuff said.

Re: Classic WTF: Banking So Advanced

2010-07-13 10:15 • by Red (unregistered)
314299 in reply to 314297
Anon:

I see the obvious flaw in your system. Your buried treasure will attract pirates and as we all know pirates >>> ninjas (even wild ones).
Not only is your booty at risk, but I suspect your wife and children aren't going to be safe either.

What if we use Chuck Norris instead of a Doberman?

Re: Classic WTF: Banking So Advanced

2010-07-13 10:16 • by Tastes Like Chicken! (unregistered)
314300 in reply to 314296
My Name Is Missing:
Having witnessed Harland's software at a former job (where we had a bank) I would prefer software written by Harland Sanders, better known as the KFC founder and icon.

Well at least then the program would come in "Original Edition", "Extra Crispy Edition", and the new delicious "Grilled Edition".

Re: Classic WTF: Banking So Advanced

2010-07-13 10:16 • by Anon (unregistered)
314301 in reply to 314298
Pigeon:
Anon:
Pigeon:
If I do not recognize their scream after 15 seconds, my band of wild ninjas swoops down carried by 47 crows to kill the intruder. Their weapons, of course, are blank CDs and tupperware lids (both sharpened), a bottle of 409, a 9-iron, and a spoon.


I see the obvious flaw in your system. Your buried treasure will attract pirates and as we all know pirates >>> ninjas (even wild ones).
Not only is your booty at risk, but I suspect your wife and children aren't going to be safe either.


Well I tried to account for that; maybe my understanding of pirates is flawed. I thought simply by not putting an X on the spot where my jar is pirates would not locate the jar.

As for the wife and children...unfortunately we don't have to worry about that anymore. While writing my last reply they strayed too close to the booty....nuff said.


No X? Damn your eyes you devious land lubber. I slice your gizzard with me cutlass and feed your innards to your dog.

Re: Classic WTF: Banking So Advanced

2010-07-13 10:18 • by Anon (unregistered)
314302 in reply to 314299
Red:
Anon:

I see the obvious flaw in your system. Your buried treasure will attract pirates and as we all know pirates >>> ninjas (even wild ones).
Not only is your booty at risk, but I suspect your wife and children aren't going to be safe either.

What if we use Chuck Norris instead of a Doberman?


Well, obviously Chuck Norris could take on a whole galleon of pirates, but he will probably also take your money. After all, are you going to stop him?

Re: Classic WTF: Banking So Advanced

2010-07-13 10:21 • by Lucio (unregistered)
Why is "RED" not allowed?
Because it has less than four freaking letters!!!
Duh!

Re: Classic WTF: Banking So Advanced

2010-07-13 10:24 • by The Nerve (unregistered)
I can't decide which is more lazy: re-running an old article, or not being able to click the "Random Article" link in the top-left corner.

Captcha: saepius -- The Chinese prius

Re: Classic WTF: Banking So Advanced

2010-07-13 10:25 • by Pigeon
314305 in reply to 314303
Lucio:
Why is "RED" not allowed?
Because it has less than four freaking letters!!!
Duh!


Tis triumphantly the tautology thought through to transcendence.


Alliteration FTW

Re: Classic WTF: Banking So Advanced

2010-07-13 10:31 • by Ditto (unregistered)
Favorite Team?
A

Favorite TV Show?
V

hmm ... I guess I gotta start watching other shows ... :)

Re: Classic WTF: Banking So Advanced

2010-07-13 10:32 • by jdw (unregistered)
Eh, that sanitation isn't so bad. My credit union does this:

...wait, scratch that, Akismet thinks the code snippet is spam. So, let me explain: My credit union creates a variable called cnt and sets it to zero. They then run a for loop using a new variable, i, which they use to step through the user input, character by character, checking indexOf(';'). If they find that tf.elements[i].value.indexOf(';') > -1, they do "cnt = cnt + 1." After the for loop is done, they check to see if cnt > 0, and if it is, they tell you not to use any semicolons.

No, seriously.
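The check jdw describes, reconstructed here as an added example (this is not the credit union's actual code, and the payloads and query builder are constructed for illustration), next to inputs that contain no semicolon at all and so pass the check unchanged:

```javascript
// Added example, not code from the comment above or from any credit union.
// Reconstruction of the described client-side "sanitation": count the form
// fields that contain a ';' and refuse the submission if the count is > 0.
// `values` stands in for the form's field values (tf.elements[i].value).
function countSemicolonFields(values) {
  let cnt = 0;
  for (let i = 0; i < values.length; i++) {
    if (values[i].indexOf(';') > -1) {
      cnt = cnt + 1;
    }
  }
  return cnt;
}

// The decision the page makes with that count.
function passesSemicolonCheck(values) {
  return countSemicolonFields(values) === 0;
}

// Constructed payloads (hypothetical). None contains a semicolon, so every one
// of them passes the check, yet each changes the meaning of a statement that
// is built by string concatenation. Stacking a second statement with ';' is
// only one injection technique; these use none of it.
const CONSTRUCTED_PAYLOADS = [
  "' OR '1'='1",                                      // tautology in the WHERE clause
  "' OR 1=1 --",                                      // comment out the rest of the statement
  "' UNION SELECT username, password FROM users --",  // pull other rows via UNION
  "admin'/*",                                         // open a block comment
];

// Naive server-side query builder of the kind the check is meant to protect.
function naiveQuery(username) {
  return "SELECT * FROM accounts WHERE username = '" + username + "'";
}

// The fix that actually works: keep data out of the statement text and hand it
// to the driver separately. Shape assumed here is {sql, params}; real drivers
// (e.g. '?' or '$1' placeholders) bind `params` without parsing them as SQL.
function parameterizedQuery(username) {
  return {
    sql: "SELECT * FROM accounts WHERE username = ?",
    params: [username],
  };
}

// Which constructed payloads get past the semicolon check.
function payloadsThatPass() {
  return CONSTRUCTED_PAYLOADS.filter((p) => passesSemicolonCheck([p]));
}
```

Every entry in `CONSTRUCTED_PAYLOADS` passes `passesSemicolonCheck`, and `naiveQuery("' OR '1'='1")` yields a statement whose WHERE clause is always true. The check also runs in the browser, so a client that simply disables the script sends whatever it likes; the only control that holds is server-side parameterization, as in `parameterizedQuery`.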

Re: Classic WTF: Banking So Advanced

2010-07-13 10:32 • by Ken (unregistered)
314308 in reply to 314303
Lucio:
Why is "RED" not allowed?
Because it has less than four freaking letters!!!
Duh!

This was explained in the article so what's your point?

Re: Classic WTF: Banking So Advanced

2010-07-13 10:35 • by Pigeon
314309 in reply to 314307
jdw:
After the for loop is done, they check to see if cnt > 0, and if it is, they tell you not to use any semicolons.

No, seriously.


GENIUS!

Re: Classic WTF: Banking So Advanced

2010-07-13 10:44 • by jMo
A few months back a recruiter contacted me about a coding position at Harlan. After reading this, I'm glad they weren't interested in me.

Re: Classic WTF: Banking So Advanced

2010-07-13 10:46 • by pallen (unregistered)
The article misses the point of not allowing 'red'.

Allowing one's password to be 'red' is a valid security concern. Haven't you ever heard of a 'red-side' network interface, or a 'red-side' host? It means NOT SECURE! Contrast this with a black-side, where security is present. Everyone's password should be BLACK -- now that would be secure.

Re: Classic WTF: Banking So Advanced

2010-07-13 11:00 • by fjf (unregistered)
314315 in reply to 314289
PeriSoft:
The Article:
Steven King


Seriously? That's got to suck.

That's how he started writing horror stories ...

Re: Classic WTF: Banking So Advanced

2010-07-13 11:01 • by zblongladder
At the very least it's an NCUA-insured institution (NCUA = FDIC for credit unions), so if your money gets stolen it's not ultimately your loss. I still find it baffling that financial institutions find systems like this a good risk-reward tradeoff.

Incidentally, has anybody else noticed how hard it is to set strong passwords at financial institutions? There's one major mutual fund company that uses an eight-character-max alphanumeric (no symbols allowed) password, and validates your username on a separate screen (and throws an error if it isn't valid). Come on...that's practically asking to be hacked.

Re: Classic WTF: Banking So Advanced

2010-07-13 11:31 • by IV (unregistered)
TRWTF is wanting to use red in the first place. Aside from the Ohio State in me wanting to try scarlet, every one of us should know to actually use #FF0000.

Re: Classic WTF: Banking So Advanced

2010-07-13 11:56 • by RBoy (unregistered)
Better DEAD than RED, I always say.

Re: Classic WTF: Banking So Advanced

2010-07-13 12:09 • by neminem (unregistered)
If only I could keep all my money safe with Blizzard... I've found it long hilarious that my WoW account (complete with actual 2-factor authentication!) is now orders of magnitude more secure than my bank account (which, hilariously (if I weren't forced to use it) doesn't even allow alphanumeric characters in the password, let alone special characters: passwords are entirely numeric. Isn't that just great? No, I won't tell you what I use. :p)

Re: Classic WTF: Banking So Advanced

2010-07-13 12:34 • by wizzard
HSBC still uses an on-screen keyboard as part of sign-on. It's so annoying and tedious.

Re: Classic WTF: Banking So Advanced

2010-07-13 12:36 • by Banking on Trust Alone (unregistered)
But "wish it was two factor authentication" fits right in with all the other banking industry standards: "wish our web programmers could write secure code" "wish our javascript kludges didn't suck" and "wish our customers were as stupid as we are".

Really, it is quite discouraging, and a little frightening, how most bank / brokerage / financial sites have the WORST security when they should be the most rigorously developed.

Oh, yeah, and "wish the taxpayers would bail us out again so we don't have to fail and make room for someone with clue."

Re: Classic WTF: Banking So Advanced

2010-07-13 12:37 • by Anon (unregistered)
314324 in reply to 314321
neminem:
If only I could keep all my money safe with Blizzard... I've found it long hilarious that my WoW account (complete with actual 2-factor authentication!) is now orders of magnitude more secure than my bank account (which, hilariously (if I weren't forced to use it) doesn't even allow alphanumeric characters in the password, let alone special characters: passwords are entirely numeric. Isn't that just great? No, I won't tell you what I use. :p)


So you need a numeric password that doesn't contain any alphanumeric characters? That's a neat trick.
(Hint: alphanumeric includes the numbers)

Re: Classic WTF: Banking So Advanced

2010-07-13 12:38 • by blah (unregistered)
The joy of banks. If they're not outright crooks (like Chase), they're downright incompetent. You're better off banking with Tony Soprano.

Re: Classic WTF: Banking So Advanced

2010-07-13 12:44 • by Jay (unregistered)
314327 in reply to 314298
Pigeon:
I thought simply by not putting an X on the spot where my jar is pirates would not locate the jar.


One of my most memorable IT classes was when the instructor was teaching about pointers, and wanted to explain that you need to have valid references to all objects that can be followed from a known point. At which point he said, "Don't bury the treasure map with the treasure."

Re: Classic WTF: Banking So Advanced

2010-07-13 12:45 • by When in Rome (unregistered)
314328 in reply to 314324
Anon:
So you need a numeric password that doesn't contain any alphanumeric characters? That's a neat trick.
(Hint: alphanumeric includes the numbers)

Use Roman Numerals. The letters are the numbers. FTW!

Re: Classic WTF: Banking So Advanced

2010-07-13 12:54 • by icebrain (unregistered)
My bank in Portugal uses a 7-number password to login (but they only ask for three numbers from random positions, so keylogging one authentication is useless), but the nice part is they send you an SMS with a random code for every actual transaction, so any attacker will have to get your phone too (and use it before you alert the bank).

It's OK, I'd say.

Re: Classic WTF: Banking So Advanced

2010-07-13 12:55 • by Jay (unregistered)
Security instructions:

Your password must be at least eight characters, including at least one upper case letter, one lower, a digit, and a special character. Do not use any personal information, like your spouse's name, birth date, or city where you were born, as a hacker might be able to find out such information about you. Do not use any ordinary English words, especially common ones like names of colors or foods, as a hacker could try common English words. Your password should be a meaningless stream of characters.

It is true that this may make your password difficult to remember. In the event that you forget your password, we will provide a "security question", the answer to which is essentially an alternate password that can be used to access your data just like your real password. The answer to the security question will be some personal information about you, like your spouse's name, birth date, or the city where you were born; or it could be some ordinary English word that is easy to remember, like your favorite color or favorite food.

Of course, with a password, if you were permitted to use some insecure text like your city of birth or favorite color, a hacker would not have any way to know just what personal information or common word you used, but he could try many many possibilities until he found the right one. To make the security question extra secure against this sort of brute force attack, we will tell the hacker exactly what personal information or common word is being used.

Re: Classic WTF: Banking So Advanced

2010-07-13 13:03 • by Jay (unregistered)
314332 in reply to 314299
Red:
Anon:

I see the obvious flaw in your system. Your buried treasure will attract pirates and as we all know pirates >>> ninjas (even wild ones).
Not only is your booty at risk, but I suspect your wife and children aren't going to be safe either.

What if we use Chuck Norris instead of a Doberman?


Chuck Norris can execute an infinite loop in 12 seconds.

Captcha: "jumentum": mass times velocity times Semitic factor

Re: Classic WTF: Banking So Advanced

2010-07-13 13:05 • by Jay (unregistered)
Using favorite color as a security key is clearly sexist: It will be much easier to hack into men's accounts than into women's. Most men only know the names of about eight colors, but women have hundreds, like "periwinkle" and "chartreuse" and so on.

Re: Classic WTF: Banking So Advanced

2010-07-13 13:06 • by Erasmus Darwin
314334 in reply to 314306
Ditto:
Favorite Team?
A

Favorite TV Show?
V


Favorite Programming Language?
C

Favorite Tommy Lee Jones character?
K

Favorite Bird?
T

Re: Classic WTF: Banking So Advanced

2010-07-13 13:08 • by Jon (unregistered)
314335 in reply to 314316
zblongladder:
At the very least it's an NCUA-insured institution (NCUA = FDIC for credit unions), so if your money gets stolen it's not ultimately your loss. I still find it baffling that financial institutions find systems like this a good risk-reward tradeoff.

Incidentally, has anybody else noticed how hard it is to set strong passwords at financial institutions? There's one major mutual fund company that uses an eight-character-max alphanumeric (no symbols allowed) password, and validates your username on a separate screen (and throws an error if it isn't valid). Come on...that's practically asking to be hacked.


American Funds? I wince every time I log in.

Re: Classic WTF: Banking So Advanced

2010-07-13 13:11 • by neminem (unregistered)
314336 in reply to 314333
Jay:
Using favorite color as a security key is clearly sexist

More importantly, discriminatory against colorblind people - is their favorite color "black", or "white"? Hm...

And fair enough, I should've said that it doesn't accept all alphanumeric passwords, not that it doesn't accept alphanumeric characters (obviously, it accepts some of them.)

Re: Classic WTF: Banking So Advanced

2010-07-13 13:15 • by Anonymous (unregistered)
314337 in reply to 314331
Jay:
Security instructions:

Your password must be at least eight characters, including at least one upper case letter, one lower, a digit, and a special character. Do not use any personal information, like your spouse's name, birth date, or city where you were born, as a hacker might be able to find out such information about you. Do not use any ordinary English words, especially common ones like names of colors or foods, as a hacker could try common English words. Your password should be a meaningless stream of characters.

It is true that this may make your password difficult to remember. In the event that you forget your password, we will provide a "security question", the answer to which is essentially an alternate password that can be used to access your data just like your real password. The answer to the security question will be some personal information about you, like your spouse's name, birth date, or the city where you were born; or it could be some ordinary English word that is easy to remember, like your favorite color or favorite food.

Of course, with a password, if you were permitted to use some insecure text like your city of birth or favorite color, a hacker would not have any way to know just what personal information or common word you used, but he could try many many possibilities until he found the right one. To make the security question extra secure against this sort of brute force attack, we will tell the hacker exactly what personal information or common word is being used.

QFT. It sounds so stupid when you read it like that, so how come this exact thing is so common? Surely it sounded just as stupid when it was provided to someone as a spec to implement?

Re: Classic WTF: Banking So Advanced

2010-07-13 13:15 • by Eevee (unregistered)
The US Treasury site does this.

They ask you for a complex password, and then they send you a little access card of random junk in the mail. You need both to get into your account.

Unfortunately, you also need to know the answers to the four security questions they asked you -- two weeks ago, before the card arrived in the mail.

And I don't know the answers. I don't have a favorite movie, I never had a childhood pet, etc. So I can't get into my account. Fantastic.

Go on, try it: https://www.treasurydirect.gov/RS/BPDLogin?application=rscreate

Re: Classic WTF: Banking So Advanced

2010-07-13 13:17 • by fjf (unregistered)
314339 in reply to 314333
Jay:
Using favorite color as a security key is clearly sexist: It will be much easier to hack into men's accounts then into women's. Most men only know the names of about eight colors, but women have hundreds, like "periwinkle" and "chartreuse" and so on.

I'm a man, and I know the names of exactly 16777216 colors (not including transparency).

Re: Classic WTF: Banking So Advanced

2010-07-13 13:21 • by fjf (unregistered)
314340 in reply to 314337
Anonymous:
Jay:
Security instructions:

Your password must be at least eight characters, including at least one upper case letter, one lower, a digit, and a special character. Do not use any personal information, like your spouse's name, birth date, or city where you were born, as a hacker might be able to find out such information about you. Do not use any ordinary English words, especially common ones like names of colors or foods, as a hacker could try common English words. Your password should be a meaningless stream of characters.

It is true that this may make your password difficult to remember. In the event that you forget your password, we will provide a "security question", the answer to which is essentially an alternate password that can be used to access your data just like your real password. The answer to the security question will be some personal information about you, like your spouse's name, birth date, or the city where you were born; or it could be some ordinary English word that is easy to remember, like your favorite color or favorite food.

Of course, with a password, if you were permitted to use some insecure text like your city of birth or favorite color, a hacker would not have any way to know just what personal information or common word you used, but he could try many many possibilities until he found the right one. To make the security question extra secure against this sort of brute force attack, we will tell the hacker exactly what personal information or common word is being used.

QFT.

Absolutely.
Anonymous:

It sounds so stupid when you read it like that, so how come this exact thing is so common? Surely it sounded just as stupid when it was provided to someone as a spec to implement?

AFAIK, it started when two-factor authentication was mandated, meaning two different things out of something you know (e.g. passwords), something you have (e.g. tokens) and something you are (biometrics). But sometime during implementation the "different" bit got lost, and they did what was easiest and cheapest -- and least secure.