• henke37 (cs)

    The on screen keyboard was something to prevent keylogging. Too bad it only took a few days until the botnets knew how to record them properly...

  • gabba (unregistered)

    I like how the on-screen keyboard has helpfully provided upper and lower characters, but no shift key.

  • dlikhten (cs)

    Awww I'm a Leo, Red is my favorite color, and my birthday is on the 7th...

    Darn it!

  • vt_mruhlin (cs)

    I always listen to the Security Now podcast, and think of how cool it would be to be a security expert. Than I start thinking about how I'd have to go back to grad school and get some kind of formal training in security, and I get discouraged.

    Then I read stuff like this and realize that goal might not be too far from my intellectual abilities.

    But then I realize that I'd have to work with the people who come up with this kind of stuff...

  • Blah (unregistered)
    Comment held for moderation.
  • Dvoid (unregistered)

    Yeah, this would be funnier if my credit union didn't use the exact same system. Except, oddly enough, it has no audio CAPTCHA for accessibility.

  • Kinglink (unregistered)

    Ouch! That makes my brain hurt.

    Captcha: Ewww, which sums up my first emotion.

    Seriously what the hell is wrong with some security "professionals". Security should be help secure your money not make it harder to get access. And using "security questions" is a joke. It just makes a brute force attack less likely but I can call up people pretend to do a funny phone interview and easily get "security question" answers in less time than even getting a password.

  • Erick (cs)

    Sad times when a dream vacation can't be DC or LA, favorite team can't be the (Oakland) A's, favorite song can't be AC/DC's "TNT", favorite cartoon character can't be Ren (of Ren & Stimpy) or Tom (of Tom & Jerry), and your favorite teacher can't be someone named Bob.

  • Jamie (unregistered)

    I was pleased to note that recently my Bank in the UK implemented proper Two-Factor security.

    I have to give something I know (a 10-digit membership number) and my surname, then I must use something I have (my Bank Card) to generate an 8 digit number using a whizzy-bangy-calculator-like-implement and my regular PIN number.

    It takes 15 minutes to login, but at least its secure :D

    No seriously, I can login in seconds and I do actually feel like my online banking is more secure.

  • Crayne (cs)

    I love that they've also gone ahead and disabled rightclicking so us bastards can't look at the source code. Except.

    And that it only checks for Netscape and IE.

    Teehee.

    I am beginning to appreciate the Dutch implementation of electronic banking all the more as these things roll past. ;)

  • It's a Feature (cs)

    Crap--my credit union uses Cavion as well. Noticed this copyright, though, at the bottom of the page: Copyright ? 1998-2004 Cavion, LLC. All Rights Reserved.

    I guess they're not sure...:)

    The company I work for (not Harland) does Online Banking for a number of credit unions. Personally, I think the 2nd factor is really kind of silly--does more to annoy the customers that to add security--but it's a federal mandate (the financial institutions really don't have a choice). We've given our clients 2 choices for the 2nd factor--one that gives the user a series of faces to remember (which really seems to annoy the hell out of their users) and the other which sets up challenge questions and checks the IP address for where the user is coming from, blocking them from some countries like Nigeria and Iraq (military is not affected). 2nd choice seems to work pretty well, but it was hell to implement. But if the user sticks to using the same computer all the time they never see the challenge question, so they don't get too annoyed, until they go on vacation and try to access their account, then have to try to remember what answer they gave a year ago. :)

  • mallard (cs) in reply to Jamie
    Jamie:
    I was pleased to note that recently my Bank in the UK implemented proper Two-Factor security.

    I have to give something I know (a 10-digit membership number) and my surname, then I must use something I have (my Bank Card) to generate an 8 digit number using a whizzy-bangy-calculator-like-implement and my regular PIN number.

    It takes 15 minutes to login, but at least its secure :D

    No seriously, I can login in seconds and I do actually feel like my online banking is more secure.

    Even better, my bank is implementing this: http://www.barclays.co.uk/pinsentry/

    In other words, to use online banking, you will need:

    1. Membership no.
    2. Surname
    3. PINsentry device
    4. Credit/Debit card
    5. PIN no.

    So that'll be five factor authentication, with no "What is your favourite colour" in sight...

  • Dave Grant-Wilkie (unregistered)

    Security questions are only a problem if you use the real answers. I just make up a fictitious answer that no-one will guess and use that. To help me remember what I used, I just write them on a post-it and stick it on the monitor. It's no less secure!

  • Anonymous Coward (unregistered) in reply to henke37

    ...on the client side? BRILLIANT.

  • Jamie (unregistered) in reply to mallard
    Comment held for moderation.
  • scav (unregistered) in reply to Anonymous Coward

    And as well as checking client-side for SQL, are they only checking for SQL keyword in CAPS? But SQL isn't case-sensitive...

  • Ubersoldat (unregistered)

    My Bank implements a double security as it should

    You need your ID Number, Internet Access password and to be able to process any action on your accounts, you have to provide a digital signature (fancy name for another combination of numbers and letters).

    No stupid, what your dog last name questions

  • Todd (unregistered)

    Quote from a site using this tool: "NOTE: Recommended browsers include: Netscape Navigator 4.75 or higher; Internet Explorer 5.0 or 6.0; and AOL 6, 7, or 8."

    Netscape v4.75? - are you nuts! Internet Explorer v<6 - are you mental?

    Any application supporting these browsers for their "high security" applications should be slapped with a wet trout!

    OMG, where are those damn goggles!

  • Richard Asscock, III (unregistered) in reply to It's a Feature
    It's a Feature:
    Crap--my credit union uses Cavion as well. Noticed this copyright, though, at the bottom of the page: Copyright ? 1998-2004 Cavion, LLC. All Rights Reserved.

    I guess they're not sure...:)

    The company I work for (not Harland) does Online Banking for a number of credit unions.

    Wait a minute...Your company creates online banking software, but your bank does not use it. Geez, ever think about supporting your own product? I never understood those employees when I worked for a soy protein company. They'd say our products taste nasty and wouldn't buy them. Later, they'd complain that we never get bonuses. Like it or not, you gotta be a cheerleader for the comp'ny to get ahead (and getz yo shiit paid, du').

    Peace out, Dick Asscock

  • 18Rabbit (unregistered)

    Our credit union moved to one of these systems over a year ago and just recently removed it and went back to the standard account/password system because they had to field so many customer service calls and complaints about it.

  • MattHuntington (cs) in reply to scav
    scav:
    And as well as checking client-side for SQL, are they only checking for SQL keyword in CAPS? But SQL isn't case-sensitive...

    "stg = stg.toUpperCase();"

    They are doing the to upper first so it's not case sensitive. At least they have that going for them.

  • Richard Asscock, III (unregistered)

    Geez, can we move beyond the "that makes my brain hurt" comment? Man, take the time to come up with your own comment.

    For mine, I will say that my favorite color is TAN. It's the same answer I give when some 5th grader asks me what color my bike is.

    Word. Dick Asscock

  • Jesse (unregistered)

    My bank installed the same crappy software a few months ago...

    I've already started the process of moving to a new bank because it sucks so bad.

  • sakasune (unregistered) in reply to Todd
    Todd:
    OMG, where are those damn goggles!

    Doesn't matter. The goggles, they do nothing.

    Captcha: burned, oh yeah!

  • Insaint (unregistered)

    Why is preventing "red" more secure? Red is the colour of communists and communists are terrorists. Duh.

    headdesk

  • BST (unregistered) in reply to mallard
    Comment held for moderation.
  • my name is missing (unregistered)

    I worked for a financial services company that had a bank, and although it used another piece of crap for the bank front end, we did use a Harland product for checking account origination. Gets my vote as one of the most pathetic applications in history. We called it HardyHarHarland.

  • my name is missing (unregistered)

    Oh, and don't forget red is the color of the stapler! Selecting red burns down your bank.

  • mallard (cs) in reply to BST
    BST:
    mallard:
    Even better, my bank is implementing this: http://www.barclays.co.uk/pinsentry/

    In other words, to use online banking, you will need:

    1. Membership no.
    2. Surname
    3. PINsentry device
    4. Credit/Debit card
    5. PIN no.

    So that'll be five factor authentication, with no "What is your favourite colour" in sight...

    While this scheme seems relatively secure, it is certainly not five-factor:

    1. Membership number is not a factor because while it is something you know, it is not confidential information known only by you.
    2. Surname is not a factor for the same reason.
    3. PINsentry device is not a factor because all users have the same device and it is not specific to you.
    4. The credit/debit card IS a factor.
    5. The PIN IS a factor.

    So this is a two-factor scheme.

    While I'm not entirely sure how PINsentry works, I assume that it has some kind of cryptographic signature "burned in", which may be unique to the user and therefore could count as a factor.

  • Mr. Truncate (unregistered)

    I for one am glad they have the foresight to guard against that pesky problem of SQL injections. I'm going to sign up right now!

    -- truncate

  • d3matt (cs) in reply to mallard
    mallard:
    BST:
    mallard:
    Even better, my bank is implementing this: http://www.barclays.co.uk/pinsentry/

    In other words, to use online banking, you will need:

    1. Membership no.
    2. Surname
    3. PINsentry device
    4. Credit/Debit card
    5. PIN no.

    So that'll be five factor authentication, with no "What is your favourite colour" in sight...

    While this scheme seems relatively secure, it is certainly not five-factor:

    1. Membership number is not a factor because while it is something you know, it is not confidential information known only by you.
    2. Surname is not a factor for the same reason.
    3. PINsentry device is not a factor because all users have the same device and it is not specific to you.
    4. The credit/debit card IS a factor.
    5. The PIN IS a factor.

    So this is a two-factor scheme.

    While I'm not entirely sure how PINsentry works, I assume that it has some kind of cryptographic signature "burned in", which may be unique to the user and therefore could count as a factor.

    if it doesn't that's pretty stupid... also, the PIN and credit/debit card count as only one factor.

  • Troy Mclure (unregistered) in reply to henke37

    Apparently my answer to the Dream Vacation wouldnt fly

    Drop pants; insert into my_girlfriend values(my_penis);

  • AssimilatedByBorg (cs) in reply to BST
    BST:
    mallard:
    Even better, my bank is implementing this: http://www.barclays.co.uk/pinsentry/

    In other words, to use online banking, you will need:

    1. Membership no.
    2. Surname
    3. PINsentry device
    4. Credit/Debit card
    5. PIN no.

    So that'll be five factor authentication, with no "What is your favourite colour" in sight...

    While this scheme seems relatively secure, it is certainly not five-factor:

    1. Membership number is not a factor because while it is something you know, it is not confidential information known only by you.
    2. Surname is not a factor for the same reason.
    3. PINsentry device is not a factor because all users have the same device and it is not specific to you.
    4. The credit/debit card IS a factor.
    5. The PIN IS a factor.

    So this is a two-factor scheme.

    Quoted for (at least close to the) truth.

    "What you know", "What you have", and "Who you are" (biometrics) are factors. Asking multiple "What you know" questions may increase security somewhat, but it's still only one factor. Which is really Alex's whole point.

    The credit/debit card would only be a factor if there were some device/method to verify that you actually have it in your possession. The number on it can't count -- it's far too widely available with all the merchants I've used. The 3 or 4-digit security code printed, but not embossed, on it likely doesn't count either. Far too easy to memorize/copy down, since it doesn't change except when (presumably - I hope!) I get issued a new card.

    Unless you UK-ians have some cool new thing on your cards that I haven't seen yet :-)

  • sf (unregistered) in reply to Todd
    Todd:
    Quote from a site using this tool: ... OMG, where are those damn goggles!
    Forget about 'em. I've tried them and they do nothing.
  • purge (cs)

    Everyone one on this site should be ashamed of what you have done. I hope you get sued by the company that makes the software and by all of the credit unions who use it. You have just made their software less secure by openly discussing the details of how it works. Now anyone who reads this article will know how to hack into peoples' bank accounts online. That's why I will NEVER post anything of mine on this site, because the more you talk about a site's security, the less secure it gets. I hope you all get arrested and convicted of internet hacking for viewing that website's source code, and I hope you get hacked yourselves.

    </sarcasm>
  • mallard (cs) in reply to AssimilatedByBorg
    AssimilatedByBorg:
    BST:
    mallard:
    Even better, my bank is implementing this: http://www.barclays.co.uk/pinsentry/

    In other words, to use online banking, you will need:

    1. Membership no.
    2. Surname
    3. PINsentry device
    4. Credit/Debit card
    5. PIN no.

    So that'll be five factor authentication, with no "What is your favourite colour" in sight...

    While this scheme seems relatively secure, it is certainly not five-factor:

    1. Membership number is not a factor because while it is something you know, it is not confidential information known only by you.
    2. Surname is not a factor for the same reason.
    3. PINsentry device is not a factor because all users have the same device and it is not specific to you.
    4. The credit/debit card IS a factor.
    5. The PIN IS a factor.

    So this is a two-factor scheme.

    Quoted for (at least close to the) truth.

    "What you know", "What you have", and "Who you are" (biometrics) are factors. Asking multiple "What you know" questions may increase security somewhat, but it's still only one factor. Which is really Alex's whole point.

    The credit/debit card would only be a factor if there were some device/method to verify that you actually have it in your possession. The number on it can't count -- it's far too widely available with all the merchants I've used. The 3 or 4-digit security code printed, but not embossed, on it likely doesn't count either. Far too easy to memorize/copy down, since it doesn't change except when (presumably - I hope!) I get issued a new card.

    Unless you UK-ians have some cool new thing on your cards that I haven't seen yet :-)

    Yes, we do have something that you are obviously not aware of; our cards have chips in them. This "PINsentry" device involves the website giving you a "challenge" code and the chip on the card (and maybe also the PINsentry device) will then, using cryptographic signatures, sign the code and generate a "response" code which the user then enters on the website, thus proving that the user has the card (and possibly also the specific PINsentry).

  • ptomblin (cs)

    So Little Bobby Tables obviously isn't a customer there.

    I have to wonder, though, when a site uses Javascript to protect against SQL injection, does that mean they aren't doing any server side protection, or are they just being doubly sure?

  • Steve Bush (unregistered)
    Comment held for moderation.
  • Shamus (unregistered)

    The code checking for SQL insertion will prevent anyone named WALDROP or MCNULLY from doing online banking.

  • sf (unregistered) in reply to mallard
    mallard:
    ... Yes, we do have something that you are obviously not aware of; our cards have chips in them. This "PINsentry" device involves the website giving you a "challenge" code and the chip on the card (and maybe also the PINsentry device) will then, using cryptographic signatures, sign the code and generate a "response" code which the user then enters on the website, thus proving that the user has the card (and possibly also the specific PINsentry).
    Interesting. Just curious though, is the card you are talking about with the chip in it an ATM kind of card? If so, how does the card get the challenge code it needs to sign? Or is the card you are talking about a device with a keyboard on it?
  • Zylon (cs)

    THEREALWTF is that Alex is apparently now deleting posts that poke fun at his Wish-It-Was attempts at humor.

  • etr (unregistered) in reply to AssimilatedByBorg
    Comment held for moderation.
  • el jaybird (unregistered)

    Sounds like something out of a Stephen King horror novel.

    Er... wait...

  • MichaelWojcik (cs) in reply to vt_mruhlin
    vt_mruhlin:
    I always listen to the Security Now podcast, and think of how cool it would be to be a security expert. Than I start thinking about how I'd have to go back to grad school and get some kind of formal training in security, and I get discouraged.
    That's certainly one option (there are some grad programs in computer security that look pretty good), but there are plenty of good security books available.

    Just reading, say, 19 Deadly Sins of Software Security would make you a better security "expert" than the people who produce this sort of crap.

    vt_mruhlin:
    But then I realize that I'd have to work with the people who come up with this kind of stuff...
    No, no, no. You'd be working against the people who come up with this kind of stuff. As should we all.
  • grkvlt (cs) in reply to etr
    AssimilatedByBorg:
    BST:
    mallard:
    Even better, my bank is implementing this: http://www.barclays.co.uk/pinsentry/

    In other words, to use online banking, you will need:

    1. Membership no.
    2. Surname
    3. PINsentry device
    4. Credit/Debit card
    5. PIN no.

    So that'll be five factor authentication, with no "What is your favourite colour" in sight...

    While this scheme seems relatively secure, it is certainly not five-factor:

    1. Membership number is not a factor because while it is something you know, it is not confidential information known only by you.
    2. Surname is not a factor for the same reason.
    3. PINsentry device is not a factor because all users have the same device and it is not specific to you.
    4. The credit/debit card IS a factor.
    5. The PIN IS a factor.

    So this is a two-factor scheme.

    Quoted for (at least close to the) truth.

    "What you know", "What you have", and "Who you are" (biometrics) are factors. Asking multiple "What you know" questions may increase security somewhat, but it's still only one factor. Which is really Alex's whole point.

    The credit/debit card would only be a factor if there were some device/method to verify that you actually have it in your possession. The number on it can't count -- it's far too widely available with all the merchants I've used. The 3 or 4-digit security code printed, but not embossed, on it likely doesn't count either. Far too easy to memorize/copy down, since it doesn't change except when (presumably - I hope!) I get issued a new card.

    Unless you UK-ians have some cool new thing on your cards that I haven't seen yet :-)

    the uk has smartcard based 'chip and pin' credit/debit cards now, so the pinsentry will read the chip on the card.

    http://en.wikipedia.org/wiki/Chip_and_PIN

    from what i remember, it does some cryptographic computation based on your PIN, the card's stored unique identity and some internal symmetric key it shares with the bank, and then hashes that down to a series of digits you type into a form. bank compares that with the results of it's computations, if equal you can log in.

    adk.

  • AdT (unregistered) in reply to Anonymous Coward
    Anonymous Coward:
    ...on the *client* side? BRILLIANT.

    This page loads fine even though I have NoScript installed... I guess NoScript wasn't invented yet during the days of Netscape 4.75.

    And surely no evil hacker will know how to fake a FORM POST.

    The entire "validation" code is a sick joke. "isValidValue" doesn't actually check whether a value is valid, i.e. "ïĈэڙ⅔☼ ®¶" is considered a valid member number.

  • Jan I (unregistered)
    Comment held for moderation.
  • origin (cs)

    Assuming they have no server side protection against SQL injection, and I'm sure they don't, otherwise they wouldn't include such an asinine javascript code. You could easily update your security questions if you forget them, just bypass the javascript,

    UPDATE the_customers_table_named_something_stupid SET security_question = 'Who is the greatest person of all?', answer = 'Me!' WHERE customer_id = your_credit_card_number_duh AND question_id = 1;

    If you don't know the tables and fields, SQL also has ways to get those, so really that all-powerful javascript can't keep you from wanting to know all you wish about their database.

  • KattMan (cs) in reply to etr
    etr:
    The PIN and the security code are two different things. At least they are for my cards.

    Right, but they are both in the "What you know" category so even though it is two items, it is still single factor.

  • happy_online_banking_user (unregistered)

    Really funny to see American banks messing around like this with security methods.

    In Germany two factor authentication (PIN/TAN) is accepted standard for many many years. It was introduced way before internet when online banking meant text screens via modem connections.

    Currently most banks upgraded to technics called iTAN (the banking portal tells you which TAN it wants right now) or mTAN (temporary valid TANs sent on request on your mobile) to make phished TANs less useful.

    For business even more secure HBCI/FinTS is quite common, which can utilize seperate physical devices for PK encryption. Unfortunately these devices still cost around $80, which prevents broad usage.

    So it is economincally feasible, if people won't accept window-dressing as security and therefor avoid online banking at all.

Leave a comment on “Banking So Advanced”

Log In or post as a guest

Replying to comment #:

« Return to Article