Last month, I wrote about US financial institutions, their failure to implement two-factor authentication, and the absurdity that has become Wish-It-Was Two Factor authentication. I thought that'd be the last I'd write about the topic, but when Steven King pointed me towards his bank, Synergy One. I couldn't resist a follow-up.

First and foremost, Synergy One seems to be a great, local institution. They invest in their community. They offer college scholarships. Heck, they even have student-run branches to encourage saving money while in high school. And this is exactly why it's such a shame that they've fallen prey to the Wish-It-Was Two-Factor placebo.

Being such a small institution, Synergy One does not develop their own banking software. They rely on Harland Financial Solutions, who provides "strength and industry leadership within each product" and boasts "over 7,000 clients" to make them "the number one choice for many financial institutions." With a reputation like that, it's no wonder so many banks look to Harland for their technology solutions.

Unfortunately, Harland's online banking product - Cavion® Internet Banking - is woefully inadequate. It does, however, sport several impressive-looking "multi-factor" authentication and security methods.

The first of these - that Synergy One and other unfortunate Harland end-users face - is the almighty CAPTCHA. A technology barely able to curb comment spam on blogs, Cavion® utilizes CAPTCHA as a "Security Code," claiming that it's an "extra security measure used to eliminate fraudsters from randomly selecting account numbers".

I suppose that makes sense. Surely, any fraudster bent on electronic bank fraud would be thwarted by a barely scrambled image that required off-the-shelf optical character recognition software to decode. On the bright side, the system did provide an audio CAPTCHA for accessibility. Granted, the text-to-speech engine sounds like it came from the early-90's, but hey, it's a start!

On the off chance someone might defeat that first bastion of security, Cavion® employs another fool-proof barrier: JavaScript. For those of you who missed their Code SOD today, following is the code that is used to fend off a SQL Injection (as seen on the Enrollment Page):

function isValidValue(stg,name) 
{
    var error="";
    var rtn="";
    stg = stg.toUpperCase();
    if (stg.indexOf("DROP")>-1 || stg.indexOf("..")>-1 
            || stg.indexOf("NULL")>-1 || stg.indexOf("--")>-1) {
        error = true; }
    if (stg.indexOf("SELECT")>-1 || stg.indexOf("DELETE")>-1) {
        if (stg.indexOf("FROM")>-1) {
            error = true; }
    }
    if (stg.indexOf("UPDATE")>-1) {
        if (stg.indexOf("SET")>-1) {
            error = true; }
    }
    if (stg.indexOf("INSERT")>-1) {
        if (stg.indexOf("INTO")>-1) {
            error = true; }
    }
    if (error == true) {
        rtn="You have entered invalid data in your "+name+" \n 
	     Please do not use any of the following characters or words: 
	     'SELECT FROM' 'DELETE FROM' 'UPDATE SET' 'INSERT INTO' 
	     DROP NULL .. -- \n "; }
        
    return rtn;
}

If those two security "factors" weren't enough, Cavion® even mandates that you use an onscreen keyboard to type in certain fields:

That's right! You fraudsters have no chance of getting in-- Oh, wait...

... gee, I can't imagine how any would find that difficult to use!

Unfortunately, things go a bit downhill from there.

When you sign up as a customer and enroll in their online banking (something which I think I'll have to pass on), you're required to select and answer a few of those ridiculous "security" questions. Curiously, one of the questions had a rather odd disclaimer:

Steven, who shared these screenshots with me, thought nothing of it. Green was more to his taste, anyway. But when it came time to selecting another question, it became pretty clear why RED was not a valid option.

I guess you're just out of luck if you grew up on 9th, love pie, and just can't get enough CSI (or, god forbid, ER). Your money will be so secure that you won't even be able to figure out what answers you need to type in to access it.

Sadly, Synergy One is one of many that subscribed to this preposterous online banking system. Several others -- San Antonio City Employees FCU, Hudson Valley FCU, Missoula FCU, SRP FCU, and so many more -- have been suckered into Cavion® and its related products. And it just keeps spreading.

So what can we, as security conscious IT professionals, do about this growing Wish-It-Was-Two-Factor Authentication dilemma? Complain. Loudly. A sincere letter sent to a bank Vice President that uses Harland’s - or any other embarrassingly deficient banking software - will certainly plant the seeds of doubt that their system isn't as advanced as they were told. And maybe, just maybe, it will make them wonder, how exactly is preventing "RED" more secure?!