Admin
The on screen keyboard was something to prevent keylogging. Too bad it only took a few days until the botnets knew how to record them properly...
Admin
I like how the on-screen keyboard has helpfully provided upper and lower characters, but no shift key.
Admin
Awww I'm a Leo, Red is my favorite color, and my birthday is on the 7th...
Darn it!
Admin
I always listen to the Security Now podcast, and think of how cool it would be to be a security expert. Then I start thinking about how I'd have to go back to grad school and get some kind of formal training in security, and I get discouraged.
Then I read stuff like this and realize that goal might not be too far from my intellectual abilities.
But then I realize that I'd have to work with the people who come up with this kind of stuff...
Admin
New message on https://verifyme.synergyonefcu.org/auth/Authorize?fiid=1 now:
IMPORTANT! System Maintenance We will be performing maintenance to upgrade our system. Some applications will be unavailable Saturday 10/20/2007 between the hours of 11:45pm until approximately 3:00am. Again, we apologize for any inconvenience this may cause.
Admin
Yeah, this would be funnier if my credit union didn't use the exact same system. Except, oddly enough, it has no audio CAPTCHA for accessibility.
Admin
Ouch! That makes my brain hurt.
Captcha: Ewww, which sums up my first emotion.
Seriously, what the hell is wrong with some security "professionals"? Security should help secure your money, not make it harder to get access. And using "security questions" is a joke. It just makes a brute force attack less likely, but I can call up people, pretend to do a funny phone interview and easily get "security question" answers in less time than even getting a password.
Admin
Sad times when a dream vacation can't be DC or LA, favorite team can't be the (Oakland) A's, favorite song can't be AC/DC's "TNT", favorite cartoon character can't be Ren (of Ren & Stimpy) or Tom (of Tom & Jerry), and your favorite teacher can't be someone named Bob.
Admin
I was pleased to note that recently my Bank in the UK implemented proper Two-Factor security.
I have to give something I know (a 10-digit membership number) and my surname, then I must use something I have (my Bank Card) to generate an 8 digit number using a whizzy-bangy-calculator-like-implement and my regular PIN number.
It takes 15 minutes to login, but at least it's secure :D
No seriously, I can login in seconds and I do actually feel like my online banking is more secure.
Admin
I love that they've also gone ahead and disabled right-clicking so us bastards can't look at the source code. Except.
And that it only checks for Netscape and IE.
Teehee.
I am beginning to appreciate the Dutch implementation of electronic banking all the more as these things roll past. ;)
Admin
Crap--my credit union uses Cavion as well. Noticed this copyright, though, at the bottom of the page: Copyright ? 1998-2004 Cavion, LLC. All Rights Reserved.
I guess they're not sure...:)
The company I work for (not Harland) does Online Banking for a number of credit unions. Personally, I think the 2nd factor is really kind of silly--does more to annoy the customers than to add security--but it's a federal mandate (the financial institutions really don't have a choice). We've given our clients 2 choices for the 2nd factor--one that gives the user a series of faces to remember (which really seems to annoy the hell out of their users) and the other which sets up challenge questions and checks the IP address for where the user is coming from, blocking them from some countries like Nigeria and Iraq (military is not affected). 2nd choice seems to work pretty well, but it was hell to implement. But if the user sticks to using the same computer all the time they never see the challenge question, so they don't get too annoyed, until they go on vacation and try to access their account, then have to try to remember what answer they gave a year ago. :)
Admin
Even better, my bank is implementing this: http://www.barclays.co.uk/pinsentry/
In other words, to use online banking, you will need:
So that'll be five factor authentication, with no "What is your favourite colour" in sight...
Admin
Security questions are only a problem if you use the real answers. I just make up a fictitious answer that no-one will guess and use that. To help me remember what I used, I just write them on a post-it and stick it on the monitor. It's no less secure!
Admin
...on the client side? BRILLIANT.
Admin
That's exactly the bank I'm talking about!
Admin
And as well as checking client-side for SQL, are they only checking for SQL keyword in CAPS? But SQL isn't case-sensitive...
Admin
My bank implements double security, as it should.
You need your ID number and Internet access password, and to be able to process any action on your accounts, you have to provide a digital signature (fancy name for another combination of numbers and letters).
No stupid "what's your dog's last name" questions.
Admin
Quote from a site using this tool: "NOTE: Recommended browsers include: Netscape Navigator 4.75 or higher; Internet Explorer 5.0 or 6.0; and AOL 6, 7, or 8."
Netscape v4.75? - are you nuts! Internet Explorer v<6 - are you mental?
Any application supporting these browsers for their "high security" applications should be slapped with a wet trout!
OMG, where are those damn goggles!
Admin
Wait a minute...Your company creates online banking software, but your bank does not use it. Geez, ever think about supporting your own product? I never understood those employees when I worked for a soy protein company. They'd say our products taste nasty and wouldn't buy them. Later, they'd complain that we never get bonuses. Like it or not, you gotta be a cheerleader for the comp'ny to get ahead (and getz yo shiit paid, du').
Peace out, Dick Asscock
Admin
Our credit union moved to one of these systems over a year ago and just recently removed it and went back to the standard account/password system because they had to field so many customer service calls and complaints about it.
Admin
"stg = stg.toUpperCase();"
They are doing the to upper first so it's not case sensitive. At least they have that going for them.
Admin
Geez, can we move beyond the "that makes my brain hurt" comment? Man, take the time to come up with your own comment.
For mine, I will say that my favorite color is TAN. It's the same answer I give when some 5th grader asks me what color my bike is.
Word. Dick Asscock
Admin
My bank installed the same crappy software a few months ago...
I've already started the process of moving to a new bank because it sucks so bad.
Admin
Doesn't matter. The goggles, they do nothing.
Captcha: burned, oh yeah!
Admin
Why is preventing "red" more secure? Red is the colour of communists and communists are terrorists. Duh.
headdesk
Admin
So this is a two-factor scheme.
Admin
I worked for a financial services company that had a bank, and although it used another piece of crap for the bank front end, we did use a Harland product for checking account origination. Gets my vote as one of the most pathetic applications in history. We called it HardyHarHarland.
Admin
Oh, and don't forget red is the color of the stapler! Selecting red burns down your bank.
Admin
While I'm not entirely sure how PINsentry works, I assume that it has some kind of cryptographic signature "burned in", which may be unique to the user and therefore could count as a factor.
Admin
I for one am glad they have the foresight to guard against that pesky problem of SQL injections. I'm going to sign up right now!
-- truncate
Admin
Admin
Apparently my answer to the Dream Vacation wouldn't fly
Drop pants; insert into my_girlfriend values(my_penis);
Admin
"What you know", "What you have", and "Who you are" (biometrics) are factors. Asking multiple "What you know" questions may increase security somewhat, but it's still only one factor. Which is really Alex's whole point.
The credit/debit card would only be a factor if there were some device/method to verify that you actually have it in your possession. The number on it can't count -- it's far too widely available with all the merchants I've used. The 3 or 4-digit security code printed, but not embossed, on it likely doesn't count either. Far too easy to memorize/copy down, since it doesn't change except when (presumably - I hope!) I get issued a new card.
Unless you UK-ians have some cool new thing on your cards that I haven't seen yet :-)
Admin
Admin
Everyone on this site should be ashamed of what you have done. I hope you get sued by the company that makes the software and by all of the credit unions who use it. You have just made their software less secure by openly discussing the details of how it works. Now anyone who reads this article will know how to hack into peoples' bank accounts online. That's why I will NEVER post anything of mine on this site, because the more you talk about a site's security, the less secure it gets. I hope you all get arrested and convicted of internet hacking for viewing that website's source code, and I hope you get hacked yourselves.
</sarcasm>
Admin
Yes, we do have something that you are obviously not aware of; our cards have chips in them. This "PINsentry" device involves the website giving you a "challenge" code and the chip on the card (and maybe also the PINsentry device) will then, using cryptographic signatures, sign the code and generate a "response" code which the user then enters on the website, thus proving that the user has the card (and possibly also the specific PINsentry).
Admin
So Little Bobby Tables obviously isn't a customer there.
I have to wonder, though, when a site uses Javascript to protect against SQL injection, does that mean they aren't doing any server side protection, or are they just being doubly sure?
Admin
Maybe banks should issue Little Orphan Annie Secret Decoder Rings: http://www.radioarchives.org/annie/ Be sure to drink your Ovaltine!
Admin
The code checking for SQL insertion will prevent anyone named WALDROP or MCNULLY from doing online banking.
Admin
Admin
THEREALWTF is that Alex is apparently now deleting posts that poke fun at his Wish-It-Was attempts at humor.
Admin
The PIN and the security code are two different things. At least they are for my cards.
Admin
Sounds like something out of a Stephen King horror novel.
Er... wait...
Admin
Just reading, say, 19 Deadly Sins of Software Security would make you a better security "expert" than the people who produce this sort of crap.
No, no, no. You'd be working against the people who come up with this kind of stuff. As should we all.
Admin
The UK has smartcard-based 'chip and PIN' credit/debit cards now, so the PINsentry will read the chip on the card.
http://en.wikipedia.org/wiki/Chip_and_PIN
From what I remember, it does some cryptographic computation based on your PIN, the card's stored unique identity and some internal symmetric key it shares with the bank, and then hashes that down to a series of digits you type into a form. The bank compares that with the results of its computations; if equal, you can log in.
adk.
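The challenge-response flow described in the two posts above (a chip that verifies the PIN internally, signs a challenge with a key it shares with the bank, and reduces the result to a few digits the user types in) as a simplified model. This is an added example, not Barclays' PINsentry or the EMV CAP specification: the card identifier, key and PIN are constructed values, and HMAC-SHA256 with HOTP-style truncation (RFC 4226) stands in for whatever computation the real chip performs.

```python
import hashlib
import hmac
import secrets

# Constructed demo values; a real card key is personalised into the chip and
# known only to the issuer's hardware security module.
CARD_ID = "4000-DEMO-0001"
CARD_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
CARD_PIN = "1234"
RESPONSE_DIGITS = 8


def truncate_to_digits(mac: bytes, n: int = RESPONSE_DIGITS) -> str:
    """HOTP-style dynamic truncation: 31 bits taken at an offset chosen by the MAC itself."""
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** n).zfill(n)


def card_response(key: bytes, card_id: str, challenge: str) -> str:
    """The computation both sides perform: MAC over card identity and challenge, then truncate."""
    mac = hmac.new(key, f"{card_id}:{challenge}".encode(), hashlib.sha256).digest()
    return truncate_to_digits(mac)


class ChipCard:
    """Card side (what you have). The key never leaves this object; the PIN (what you know) unlocks it."""

    def __init__(self, card_id: str, key: bytes, pin: str):
        self._card_id = card_id
        self._key = key
        self._pin_hash = hashlib.sha256(pin.encode()).digest()  # model of on-chip PIN verification
        self.tries_left = 3

    def respond(self, pin: str, challenge: str) -> str:
        if self.tries_left == 0:
            raise PermissionError("card locked")
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash):
            self.tries_left -= 1
            raise PermissionError("wrong PIN")
        self.tries_left = 3
        return card_response(self._key, self._card_id, challenge)


class Bank:
    """Issuer side: hands out one-time challenges and recomputes the expected response."""

    def __init__(self, keys: dict):
        self._keys = keys        # card_id -> shared key
        self._pending = {}       # card_id -> outstanding challenge

    def issue_challenge(self, card_id: str) -> str:
        challenge = str(secrets.randbelow(10 ** 8)).zfill(8)
        self._pending[card_id] = challenge
        return challenge

    def verify(self, card_id: str, response: str) -> bool:
        # A challenge is consumed by any attempt, so a response cannot be replayed
        # and a wrong guess forces a fresh challenge.
        challenge = self._pending.pop(card_id, None)
        if challenge is None:
            return False
        expected = card_response(self._keys[card_id], card_id, challenge)
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    bank = Bank({CARD_ID: CARD_KEY})
    card = ChipCard(CARD_ID, CARD_KEY, CARD_PIN)
    results = {}

    challenge = bank.issue_challenge(CARD_ID)
    response = card.respond(CARD_PIN, challenge)
    results["response_len"] = len(response)
    results["login_ok"] = bank.verify(CARD_ID, response)
    results["replay_rejected"] = not bank.verify(CARD_ID, response)

    # A response captured earlier is useless against a fresh challenge.
    bank.issue_challenge(CARD_ID)
    results["stale_rejected"] = not bank.verify(CARD_ID, response)

    # Without the PIN the card computes nothing, so the key alone is not enough.
    challenge = bank.issue_challenge(CARD_ID)
    try:
        card.respond("0000", challenge)
        results["wrong_pin_blocked"] = False
    except PermissionError:
        results["wrong_pin_blocked"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two factors are visible in the code: the bank never learns the PIN, and the phisher who captures one response gets nothing reusable, which is the property the static "favourite colour" answers in this thread lack.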
Admin
This page loads fine even though I have NoScript installed... I guess NoScript wasn't invented yet during the days of Netscape 4.75.
And surely no evil hacker will know how to fake a FORM POST.
The entire "validation" code is a sick joke. "isValidValue" doesn't actually check whether a value is valid, i.e. "ïĈэڙ⅔☼ ®¶" is considered a valid member number.
Admin
There is one possible reason why they may have the four-character limitation.
Full text search in MySQL has that limitation by default; searches for one-character, two-character and three-character words will yield no results, unless you've tweaked the configuration.
For performance reasons, you don't want to tweak that too much, perhaps allowing three-character words is okay.
But now the question becomes:
Why on Earth would anyone need to do full-text searches for the answers to these questions?!
Well, it's nice to know that they use MySQL with MyISAM, for your improved data security and transaction stability. };->
Admin
Assuming they have no server-side protection against SQL injection, and I'm sure they don't, otherwise they wouldn't include such asinine JavaScript code, you could easily update your security questions if you forget them. Just bypass the JavaScript:
UPDATE the_customers_table_named_something_stupid SET security_question = 'Who is the greatest person of all?', answer = 'Me!' WHERE customer_id = your_credit_card_number_duh AND question_id = 1;
If you don't know the tables and fields, SQL also has ways to get those, so really that all-powerful javascript can't keep you from wanting to know all you wish about their database.
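The question raised earlier in the thread (does a browser-side keyword filter mean there is no server-side protection?) and the bypass sketched in the post above both come down to where the check runs and how the value reaches the database. This added example, not code from the page or from the vendor discussed, shows in Python with sqlite3 what the server should be doing: an allowlist that actually validates the format (unlike the "isValidValue" function the thread mocks) plus a parameterized UPDATE. The table, column and sample rows are constructed stand-ins for the "table named something stupid".

```python
import re
import sqlite3

# Constructed schema standing in for the customers table the post names.
SCHEMA = """
CREATE TABLE security_answers (
    customer_id INTEGER NOT NULL,
    question_id INTEGER NOT NULL,
    question    TEXT    NOT NULL,
    answer      TEXT    NOT NULL,
    PRIMARY KEY (customer_id, question_id)
);
"""
SAMPLE_ROWS = [  # constructed sample data
    (1001, 1, "Favorite color", "blue"),
    (1002, 1, "Favorite color", "green"),
]

# The keyword check in the spirit of the browser-side script quoted in the
# thread: upper-case the input, then look for SQL words. Kept only for contrast.
SQL_WORDS = ("SELECT", "INSERT", "UPDATE", "DELETE", "DROP", "UNION")


def keyword_blacklist_rejects(value: str) -> bool:
    upper = value.upper()
    return any(word in upper for word in SQL_WORDS)


# Server-side allowlist: what an answer may look like (ASCII letters, digits,
# spaces, a few characters names need, 1 to 64 characters). Because it runs on
# the server, whatever the browser did or did not check is irrelevant.
ANSWER_RE = re.compile(r"[A-Za-z0-9 '&./-]{1,64}")


def is_valid_answer(value: str) -> bool:
    return ANSWER_RE.fullmatch(value) is not None


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO security_answers VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def update_answer_unsafe(conn, customer_id, question_id, answer) -> int:
    # Anti-pattern: the user's text is spliced into the statement.
    sql = (f"UPDATE security_answers SET answer = '{answer}' "
           f"WHERE customer_id = {customer_id} AND question_id = {question_id}")
    return conn.execute(sql).rowcount


def update_answer_safe(conn, customer_id, question_id, answer) -> int:
    # Validate on the server, then bind the value so it can only ever be data.
    if not is_valid_answer(answer):
        raise ValueError("answer rejected by server-side allowlist")
    cur = conn.execute(
        "UPDATE security_answers SET answer = ? "
        "WHERE customer_id = ? AND question_id = ?",
        (answer, customer_id, question_id),
    )
    return cur.rowcount


def current_answers(conn) -> dict:
    return dict(conn.execute("SELECT customer_id, answer FROM security_answers"))


def demo() -> dict:
    results = {}
    payload = "red' --"   # no SQL keyword in it, so the blacklist passes it
    results["blacklist_rejects"] = keyword_blacklist_rejects(payload)

    conn = open_db()
    results["unsafe_rows"] = update_answer_unsafe(conn, 1001, 1, payload)
    results["unsafe_state"] = current_answers(conn)  # the '--' removed the WHERE: both rows changed

    conn = open_db()
    results["safe_rows"] = update_answer_safe(conn, 1001, 1, payload)
    results["safe_state"] = current_answers(conn)    # stored as literal text, only customer 1001 touched

    # The allowlist is what rejects input that is simply not an answer at all.
    results["garbage_valid"] = is_valid_answer("ïĈэڙ⅔☼ ®¶")
    results["name_valid"] = is_valid_answer("Tom & Jerry")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that the allowlist deliberately permits apostrophes and dashes (O'Brien, Tom & Jerry), so it is not what stops the injection; the bound parameter is. Validation decides what is an acceptable answer, parameterization decides that it is only ever data, and neither job can be delegated to a script running in the customer's browser.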
Admin
Right, but they are both in the "What you know" category so even though it is two items, it is still single factor.
Admin
Really funny to see American banks messing around like this with security methods.
In Germany two-factor authentication (PIN/TAN) has been the accepted standard for many, many years. It was introduced way before the internet, when online banking meant text screens via modem connections.
Currently most banks have upgraded to techniques called iTAN (the banking portal tells you which TAN it wants right now) or mTAN (temporarily valid TANs sent on request to your mobile) to make phished TANs less useful.
For business, the even more secure HBCI/FinTS is quite common, which can utilize separate physical devices for PK encryption. Unfortunately these devices still cost around $80, which prevents broad usage.
So it is economically feasible, if people won't accept window-dressing as security and therefore avoid online banking at all.