Admin
I'm suddenly inspired to learn SQL and go wardriving through Brooklyn with a wireless card I paid cash for on Craigslist.
Admin
You are already wearing them.
Admin
Actually the sad fact is that you'll ultimately be bidding against them, rather than working against them. That's a whole lot more annoying.
Admin
I'd leave out the WHERE clause myself...
Admin
I hate "security questions". I consider all sites that use them more insecure. It is far easier to guess someone's "security question" about their pet or mom than to guess their password.
I think we've all had to resort to answering with made up stuff, and then treating that made up stuff like a password.
Admin
Here we see the universal security constant at work.
Pick two: security, usability, low cost.
Admin
I realize I don't always think the same way as the mainstream security industry (to their credit, they usually figure out where they were wrong eventually ;-)...but to me biometrics are strictly a "what you have" factor. "Who you are" is quite difficult to prove for humans, let alone machines.
Biometric authenticators can be stolen or copied just like any other authentication token you might possess. An iris scanner merely checks to ensure that whoever is using your account has one of your eyes handy. The scanner doesn't ensure that the user of the account is actually you--the rest of you (including your other eye) might be bleeding to death in a ditch somewhere. Biometrics also don't ensure that you are authorizing the transaction voluntarily (you could have a gun pointed at your head while you go through all of the authenticating factors). (*)
Biometric authenticators like eyes, fingerprints, and so on have to tolerate a lot of variation within the same subject (they all change slightly over time). They are made out of fairly common ingredients (protein, sugar, color) and in some cases the information content of these materials are spread throughout the environments where we live (especially fingerprints). I think an authentication mechanism that relies on the secrecy of information that gets transmitted every time I touch something with ungloved hands is just plain silly. (**)
Resistance to forgery really comes down to a function of how much effort the scanner vendor puts into making a device that can detect forgeries, and how much effort the local fraudster puts into making the forgeries. This is true whether the token is a picture of your iris or a computer chip embedded in a card. Sometimes there's just not a whole lot of effort on the vendor side for biometrics, and the failures can be spectacular, e.g. $4000 fingerprint scanning door locks that can be defeated by a simple photocopy of an authorized fingerprint taken from the doorknob.
(*) Home security systems have "duress" codes, which apparently disarm the system but also send a silent alarm to the monitoring station. They are designed to cope with burglars who attack people as they are coming home and force them to disarm the security system. Banks could learn from this--have a second PIN or password that completes the current transaction (so your mugger will go away with the cash and leave you alone), but automatically shuts down the card and starts a criminal investigation. Maybe even fire an image from the ABM security camera to a human operator who can notify local law enforcement.
(**) I assume that once we have DNA sequencers that retail for $80 and plug into a USB port, we'll see security snake oil salesmen authenticating users with their skin cells. This is about the only biometric authenticator I can think of that's actually more stupid than fingerprint authentication.
Admin
"alarm": my captcha, and also what I felt a rising sense of when I read this:
...I have visions of users who can log in, then edit the URL to change a field value from "1736" to "1737", then compare their bank balances with those of other customers and correct any unsatisfactory differences...
Admin
So how do we have the software verify that we HAVE something? Odds are, no matter what we have, it just produces a code that then gets transmitted. Can't that always be replicated somehow?
I am not sure how we ever enable two-factor authentication.
Admin
I signed up for a new credit card and we got it in the mail yesterday. The first thing I did when I got to work today was log in to their site to register my account. It requires my credit card number, the CVC number (3-digit security code on the back) and my "secret word" to register. The good thing about this "secret word" is that it's so secure I never even set one up. So now I can't register.
Apparently my secret word might be my mother's maiden name or the city I was born. But it isn't!
Admin
OK, the real WTF is asking us to write letters to the VP of this 2-bit institution. Why the hell should I care how stupid they want to be? If I see signs that the bank is being run by complete morons, I'm just going to move my money to a better bank.
Besides, as a rule nobody ever takes unsolicited advice.
Admin
Mr. df, I work for a data processor for credit unions--not for a credit union. I don't qualify to be a member of any of our clients--therefore I don't have an account with any of our clients.
Admin
Of course it can be replicated. You just have to have the device in order to clone it. Or you could hope you're really really really good at guessing.
We have 2FA now. Just not in this podunk backwater called the USA.
Admin
Unless you're a good little hacker and know how to bypass the Javascript validation (pretty elementary stuff, but not very user friendly).
Admin
The PINsentry has the keyboard, not the card...
Admin
Used to write software in the banking industry.
You would be amazed how lax security is in your smaller to medium banks. We (as outside developers) could pretty much access any of our customer's (i.e. bank's) databases, with confidential information, any time we wanted. If we requested a snapshot of the DB, nobody ever scrubbed the data or otherwise obfuscated the aforementioned confidential data.
Worked with Harland before, integrating our products for a large multinational bank. Their (Harland's) grasp of security was not so good, though the people I dealt with didn't seem as silly as those recounted in this WTF. But silly enough.
My credit union does use this product. Yeah, I'm going to have to complain.
Admin
And I suppose intercepting it is difficult because it SHOULD be encrypted.
My problem is that it still comes down to bits, and if you know the code on the card you could still run it through a device emulator and get the correct code. I assume all that is on the card is another 'random unique' number that the device reads and runs through another process to generate yet another unique number.
I'm just saying that this is not a perfect system. Yes, it is better than what we've got, though.
Admin
So every user of the online bank has one of these devices?
Admin
Jeez, I'm really looking forward to keeping around such devices for all my financial institutions. That's crazy, man.
Admin
Yeah, most of the banking site is a WTF, but one of the things they do right (from the screen caps) is letting people create their own security question.
I loathe security questions because different sites have different choices, and trying to choose one that I can both remember and which isn't information in the public domain (e.g. what city was I born in, or mother's maiden name) is difficult.
Being able to write my own question and answer lets me pick something meaningful only to me that only a telepath or keystroke logger will figure out.
Admin
Feel good "security" at its finest. Is the company that made this application at all associated with TSA?
Admin
To log on to one of my banks, I need to do the following:
The other bank goes something like this:
Both require something I know (PIN/password) and something I have, i.e. the generator.
My wife and I each have our own code-generators, and they give different results. I believe they are set up to provide random results with a specific seed. If one types the wrong PIN more than three times, it will lock up, and customer service needs to be contacted. I figure this gives pretty good certainty that I HAVE the item, and KNOW the PIN.
The SSN (or "personnumber" as it accurately translates) is not sensitive information, and can be guessed/found relatively easily.
Admin
No, that's a huge WTF. A project I took over did this, and guess what half the questions were:
"My password is rover123".
Then, the previous developer decided to not allow questions with the password in it, so the questions became:
"My password is my dog's name with 123 after it"
or
"My password is rover12*3."
Admin
I just put in 'ass' for all my security questions. Might have to pick a longer oath for this place.
Admin
Down here in Brazil, we are known for having very advanced banking technology. My bank, for instance, uses a three-step authentication process, which I consider very secure.
After that, you can access all of your banking information, see your cash flow and everything else. But if you want to do a transaction (i.e. pay a bill or make a cash transfer) you have to enter a transaction unlock PIN. This transaction unlock PIN is auto-generated by a PIN generator, which is an external hardware device that each and every customer receives. It's small enough to attach to your keychain, and has only one button on it, which when pressed will generate an 8-character UNIQUE PIN. As the algorithm to generate the PIN is unique for every customer, there's no way to generate the numbers, even if you have another customer's PIN generator.
After getting the PIN and inputting it, you are allowed to enter the transaction you want to perform, but the transaction is completed only when you enter your "digital signature", another password that you have to memorize, that has to have at least 6 characters, mixing numbers and letters and special characters (this digital signature is also input using an on-screen keyboard).
That seems pretty secure to me. You can only make transactions if you have your access PIN, are in possession of your PIN generator and know the digital signature. I know that Citibank in the USA uses something like that, but I've heard that they exported this technology from Brazilian security companies and implemented it in the US.
Admin
I can only imagine how tough it must be in the 6th grade to not have a RED bike. Poor Dick.
Admin
"digital signature", another password that you have to memorize
How about an actual digital signature? Then we wouldn't need all this crap.
Admin
It is well known that banks in the US are behind in security measures; that is because, we are honest here, and do not steal. It is only because we allow foreigners access to our banks, that we must adopt the foreigners' precautions.
Admin
Sure thing! I'm pretty sure Americans don't steal.. okay. So I believe that all the executives in Enron, PSINet and so on were all foreigners, right? And that the U.S. Treasury Secretary, who was arrested in Germany, is also a foreigner, right?
Don't come with this crap to me, all right?
Admin
Here's something you need to read:
http://en.wikipedia.org/wiki/Sarcasm
Admin
In some sense, yes, you're right.
OTOH, it's substantially different enough from the other sense of "what you have" that calling it a separate factor is really fine. You can't leave your eye behind in the checkout lane; someone can't break into your house while you're on vacation and steal your finger.
If someone authenticates with a secure biometric (e.g. iris scan), they either have you, in which case almost nothing will save you because they have all the factors they need, or you have much more worrisome things to deal with than someone breaking into your bank account. And because of this, it's still markedly different from a PIN card or something like that.
(The fact that some biometrics, like fingerprints, aren't secure is a separate matter. That's because of other flaws, not because it's not a separate factor from "what you have".)
Admin
OK, this makes some sense to me. Seems to work like encryption. The bank gives you a number. It then knows that your device will take this number and should turn it into another number. If the number you enter doesn't match, then you must not be right.
Simple example. Bank gives you input of 1234. You put that in your machine. It spits out 2345. You type this in. The bank knows your machine just adds 1111 to the number, so it expects that number. Sorry for the super simple example, just want to make sure I am getting it right.
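The challenge-response scheme sketched in the post above, as an added example that is not part of the original thread: the bank issues a random challenge, the keypad runs it through a keyed hash with a per-device secret the bank also holds (HMAC-SHA256 is assumed here; the page never states the real devices' algorithm), and the bank checks the 8-digit answer in constant time and consumes the challenge so an intercepted response cannot be replayed. The device secrets are constructed sample values.

```python
import hmac
import hashlib
import secrets

# Constructed per-device secrets: in practice burned into the token and held
# by the bank, never transmitted. Two customers get two different secrets, so
# the same challenge yields different responses on different keypads.
DEVICE_SECRETS = {
    "token-A": bytes.fromhex("00112233445566778899aabbccddeeff"),
    "token-B": bytes.fromhex("ffeeddccbbaa99887766554433221100"),
}

def token_response(secret: bytes, challenge: str, digits: int = 8) -> str:
    """What the keypad does: HMAC-SHA256 over the challenge, reduced to N digits."""
    mac = hmac.new(secret, challenge.encode("ascii"), hashlib.sha256).digest()
    # Dynamic truncation: pick 4 bytes at an offset taken from the last nibble,
    # clear the sign bit, then keep the low `digits` decimal digits.
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class BankServer:
    """The bank side: hands out one-shot challenges and checks the answers."""

    def __init__(self, device_secrets: dict):
        self._secrets = device_secrets
        self._outstanding = {}  # device id -> the one challenge still unanswered

    def issue_challenge(self, device_id: str) -> str:
        challenge = str(secrets.randbelow(10 ** 8)).zfill(8)
        self._outstanding[device_id] = challenge
        return challenge

    def verify(self, device_id: str, response: str) -> bool:
        # pop() consumes the challenge: a second submission of the same
        # response (a replay) finds nothing outstanding and is rejected.
        challenge = self._outstanding.pop(device_id, None)
        if challenge is None:
            return False
        expected = token_response(self._secrets[device_id], challenge)
        # Constant-time comparison so timing does not leak matching digits.
        return hmac.compare_digest(expected, response)

def run_login(server: BankServer, device_id: str, secret: bytes) -> bool:
    """One full round trip: bank challenges, keypad answers, bank verifies."""
    challenge = server.issue_challenge(device_id)
    return server.verify(device_id, token_response(secret, challenge))

if __name__ == "__main__":
    bank = BankServer(DEVICE_SECRETS)
    print("customer A logs in:", run_login(bank, "token-A", DEVICE_SECRETS["token-A"]))
    print("A tries with B's keypad:", run_login(bank, "token-A", DEVICE_SECRETS["token-B"]))
```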
Admin
The Paulson arrest story? You've gotta be kidding. Dude, you can't believe everything you see on the internet.
Admin
My bank must have something called "Pretend-that-it's Two-Factor"
After months of successfully guessing the random ways I found to enter the pseudo security questions on my online banking, I finally got stumped yesterday. I had no idea how I had typed in the name of my university.
UofA, uofa, Ualberta, university of alberta, University of Alberta, UoFa?
I couldn't figure it out, although in trying these I found that even though 3 wrong guesses locks your account, 2 wrong guesses followed by reloading the site and logging in again gives me 3 more guesses. That sounds secure.
Eventually I got locked out, and the site gave me a toll-free number to call. Called it, put in my account number and immediately was given a new password. If anyone can get to the point of failing my security questions, all they have to do is get the system locked and a friendly service agent will reset my password and tell them what the new one is.
Wow, thanks for that.
Admin
So with the colour question a fraudster (I love that word by the way) would almost have a 20% - 25% chance of getting it right. I wouldn't let these guys secure my bicycle.
Admin
I wouldn't trust any business website that has to copy-paste Javascript - even if it's from "the #1 place on the net to obtain free, original DHTML & Javascripts".
One would think developers implementing a top security site would be able to catch a few Javascript events without the help of "Disable right click script III- By Renigade"
Admin
Up until 6 months ago my bank allowed Netscape 4.7 but not Firefox.
Admin
I have an account with Citibank in the USA, and I don't use anything close to that. Simply username and password(online) or card and PIN (at ATM or teller)
Admin
I work tech support for a company that develops customizable software, and I would love to see my bank use the same security as one of our largest clients does (said client is a large oil company that is borderline paranoid about security).
In order for the developers here to access the client's system for upgrades etc., the user needs to supply a username (which is a combination of the first name, last name, and random numbers) and a password that is composed of 8 generated digits followed by a 4-digit PIN. The 8 digits change every minute or so, and the older versions of the device were the size of a credit card, only 4 times as thick; the newer devices are smaller than the keyfob with the buttons that unlock your car.
It’s a wonderful system that requires 2 things you know and one thing that you have (it also requires that your IP address be from our Class C, but banks can’t really do that). I would also be willing to pay a single fee, up to $20, for the number generating keyfob.
Admin
Maybe give them a warning that it's going to happen on the next login, so they'll be prepared if they bother to read it.
Can't speak for him, but sorry, interest rate, checking costs, perks, customer service are all more important than web interface security. If it's bad enough I'll just never sign up for it. (Or, at one of my credit unions, so badly managed that it never sent an email confirmation and never let me in after confirming over the phone. Fat chance of a thief getting in there.)
Admin
This reminds me that I need to bitch about the unprofessionalism of card processing sites like ezcardinfo.com: They look like a cheap 90's scam site, they don't link back to testimonials from real bank sites, and of course they use wish-it-was-twofactor:
"Effective December 16, 2006, we upgraded your cardholder services with a new Advanced Authentication security feature. If you haven't logged on since the upgrade, upon your first logon, you'll be prompted to choose an image, a caption and four challenge questions to establish your personalized security settings."
Admin
Why would you ever do FT searches on a 'security question'? Just load the answers into the session and use string comparisons. You already know which rows you want to look at.
Admin
National ID? Wouldn't work too well over here, what with the power split between the feds and states, although some sanity over how secret the SSN is would be nice - perhaps a move to explicitly publish everybody's ssn with about a year's warning...
Admin
That looks to be right. The concern is that it looks like it generates the return number based on the card plugged into it-- so if a thief stole your card, would they be able to log in with their own keypad at home? (I guess they still wouldn't know the password, so you'd still be ok.)
Admin
I use Bank of America for my checking accounts. Their first attempt at 2 factor authentication was what they call 'SiteKey'. At the initial login screen, you only enter your ID (*1), no password. If you log in from an unknown computer it asks you some of those inane security questions, and if you get them right it marks your computer as 'known' (*2). It then displays an image and a line of text that you selected and entered (respectively) when you set it up. And at that point it asks for your password. This seems to be a fairly good way to avoid phishing sites (at least for people who wouldn't fall for a 'SiteKey is undergoing maintenance, please enter your password' prompt) but does essentially nothing for actual account security.
Just recently, however, they've rolled out an optional new service called 'SafePass', which is actual 2 factor authentication. Instead of a dedicated security device the second factor (Something you have) is your cell phone. When you try to log in, it sends you a text message with a random code you have to enter. Certainly a step in the right direction. You can choose whether to use SiteKey and/or SafePass (but you have to have at least 1) to sign in.
My broker, on the other hand, sent me a SafeWord Platinum, which is an interesting little toy. It's protected by a PIN, and it appears to perform a hash of its serial number and the challenge code I enter from their website, to produce the response. It's a lot less convenient, but it's only required for account management (i.e. deposits and withdrawals), not day-to-day trading.
-JD
*1: I got in the online banking program early, when you could pick your own ID, so mine is a random 9 digit number. Newer ones are easier to guess, as they're generated from your name with 3 or 4 digits appended.
*2: Interestingly, it saves the 'known' status on your PC in both a cookie (which gets nuked regularly), and in a Flash shared object, which apparently never gets cleared by any normal means. Check the "Application Data/Macromedia/Flash Player/#SharedObjects" directory in your user profile, I was amazed how many sites are using these as an alternative to cookies.