• perisoft (unregistered)

    I'm suddenly inspired to learn sql and go wardriving through brooklyn with a wireless card I paid cash for on craigslist.

  • Zygo (unregistered) in reply to Todd
    Todd:
    OMG, where are those damn goggles!

    You are already wearing them.

  • Zygo (unregistered) in reply to MichaelWojcik
    MichaelWojcik:
    vt_mruhlin:
    But then I realize that I'd have to work with the people who come up with this kind of stuff...
    No, no, no. You'd be working against the people who come up with this kind of stuff. As should we all.

    Actually the sad fact is that you'll ultimately be bidding against them, rather than working against them. That's a whole lot more annoying.

  • Zygo (unregistered) in reply to origin
    origin:
    Assuming they have no server side protection against SQL injection, and I'm sure they don't, otherwise they wouldn't include such an asinine javascript code. You could easily update your security questions if you forget them, just bypass the javascript,

    UPDATE the_customers_table_named_something_stupid SET security_question = 'Who is the greatest person of all?', answer = 'Me!' WHERE customer_id = your_credit_card_number_duh AND question_id = 1;

    I'd leave out the WHERE clause myself...

  • CGomez (unregistered)

    I hate "security questions". I consider all sites that use them more insecure. It is far easier to guess someone's "security question" about their pet or mom than to guess their password.

    I think we've all had to resort to answering with made up stuff, and then treating that made up stuff like a password.

  • JelloGoesWiggle (unregistered)

    Here we see the universal security constant at work.

    Pick two: security, usability, low cost.

  • Zygo (unregistered) in reply to AssimilatedByBorg
    AssimilatedByBorg:
    "What you know", "What you have", and "Who you are" (biometrics) are factors.

    I realize I don't always think the same way as the mainstream security industry (to their credit, they usually figure out where they were wrong eventually ;-)...but to me biometrics are strictly a "what you have" factor. "Who you are" is quite difficult to prove for humans, let alone machines.

    Biometric authenticators can be stolen or copied just like any other authentication token you might possess. An iris scanner merely checks to ensure that whoever is using your account has one of your eyes handy. The scanner doesn't ensure that the user of the account is actually you--the rest of you (including your other eye) might be bleeding to death in a ditch somewhere. Biometrics also don't ensure that you are authorizing the transaction voluntarily (you could have a gun pointed at your head while you go through all of the authenticating factors). (*)

    Biometric authenticators like eyes, fingerprints, and so on have to tolerate a lot of variation within the same subject (they all change slightly over time). They are made out of fairly common ingredients (protein, sugar, color) and in some cases the information content of these materials are spread throughout the environments where we live (especially fingerprints). I think an authentication mechanism that relies on the secrecy of information that gets transmitted every time I touch something with ungloved hands is just plain silly. (**)

    Resistance to forgery really comes down to a function of how much effort the scanner vendor puts into making a device that can detect forgeries, and how much effort the local fraudster puts into making the forgeries. This is true whether the token is a picture of your iris or a computer chip embedded in a card. Sometimes there's just not a whole lot of effort on the vendor side for biometrics, and the failures can be spectacular, e.g. $4000 fingerprint scanning door locks that can be defeated by a simple photocopy of an authorized fingerprint taken from the doorknob.

    (*) Home security systems have "duress" codes, which apparently disarm the system but also send a silent alarm to the monitoring station. They are designed to cope with burglars who attack people as they are coming home and force them to disarm the security system. Banks could learn from this--have a second PIN or password that completes the current transaction (so your mugger will go away with the cash and leave you alone), but automatically shuts down the card and starts a criminal investigation. Maybe even fire an image from the ABM security camera to a human operator who can notify local law enforcement.

    (**) I assume that once we have DNA sequencers that retail for $80 and plug into a USB port, we'll see security snake oil salesmen authenticating users with their skin cells. This is about the only biometric authenticator I can think of that's actually more stupid than fingerprint authentication.

  • Zygo (unregistered)

    "alarm": my captcha, and also what I felt a rising sense of when I read this:

    an "extra security measure used to eliminate fraudsters from randomly selecting account numbers"

    ...I have visions of users who can log in, then edit the URL to change a field value from "1736" to "1737", then compare their bank balances with those of other customers and correct any unsatisfactory differences...

  • Doug (unregistered)

    So how do we have the software verify that we HAVE something. odds are no matter what we have it just produces a code that then gets transmitted. Can't that just always be replicated some how?

    I am not sure how we enable two-factor authentication ever.

  • (cs)

    I signed up for a new credit card and we got it in the mail yesterday. The first thing I did when I got to work today was login to their site to register my account. It requires my credit card number the CVC number (3 digit security code on the back) and my "secret word" to register. The good thing about this "secret word" is that it's so secure I never even set one up. So now I can't register.

    Apparently my secret word might be my mother's maiden name or the city I was born. But it isn't!

  • (cs)

    OK, the real WTF is asking us to write letters to the VP of this 2-bit institution. Why the hell should I care how stupid they want to be? If I see signs that the bank is being run by complete morons, I'm just going to move my money to a better bank.

    Besides, as a rule nobody ever takes unsolicited advice.

  • Andy Goth (unregistered) in reply to dlikhten
    dlikhten:
    Awww I'm a Leo, Red is my favorite color, and my birthday is on the 7th...
    That means your money is extra secure. I'd go so far as to say that it's perfectly safe. No one will be able to spend it. :^)
  • (cs) in reply to Richard Asscock, III
    Wait a minute...Your company creates online banking software, but your bank does not use it. Geez, ever think about supporting your own product?

    Mr. df, I work for a data processor for credit unions--not for a credit union. I don't qualify to be a member of any of our clients--therefore I don't have an account with any of our clients.

  • chuck (unregistered) in reply to Doug
    Doug:
    So how do we have the software verify that we HAVE something. odds are no matter what we have it just produces a code that then gets transmitted. Can't that just always be replicated some how?

    I am not sure how we enable two-factor authentication ever.

    Of course it can be replicated. You just have to have the device in order to clone it. Or you could hope you're really really really good at guessing.

    We have 2FA now. Just not in this podunk backwater called the USA.

  • (cs) in reply to Shamus
    Shamus:
    The code checking for SQL insertion will prevent anyone named WALDROP or MCNULLY from doing online banking.

    Unless you're a good little hacker and know how to bypass the Javascript validation (pretty elementary stuff, but not very user friendly).

  • Doodie (unregistered) in reply to sf
    sf:
    mallard:
    ... Yes, we do have something that you are obviously not aware of; our cards have chips in them. This "PINsentry" device involves the website giving you a "challenge" code and the chip on the card (and maybe also the PINsentry device) will then, using cryptographic signatures, sign the code and generate a "response" code which the user then enters on the website, thus proving that the user has the card (and possibly also the specific PINsentry).
    Interesting. Just curious though, is the card you are talking about with the chip in it an ATM kind of card? If so, how does the card get the challenge code it needs to sign? Or is the card you are talking about a device with a keyboard on it?

    The PINsentry has the keyboard, not the card...

    [image]
  • Zort95 (unregistered)

    Used to write software in the banking industry.

    You would be amazed how lax security is in your smaller to medium banks. We (as outside developers) could pretty much access any of our customer's (i.e. bank's) databases, with confidential information, any time we wanted. If we requested a snapshot of the DB, nobody ever scrubbed the data or otherwise obfuscated the aforementioned confidential data.

    Worked with Harland before, integrating our products for a large multinational bank. Their (Harland's) grasp of security was not so good, though the people I dealt with didn't seem as silly as those recounted in this WTF. But silly enough.

    My credit union does use this product. Yeah, I'm going to have to complain.

  • Doug (unregistered) in reply to chuck

    and I suppose intercepting it is difficult because it SHOULD be encrypted.

    my problem is that it still comes down to bits and if you know the code on the card you could still run it through a device emulator and get the correct code. I assume all that is on the card is another 'random unique' number that the device reads and runs through another process to generate yet another unique number.

    I'm just saying that this is not a perfect system. Yes it is better than what we've got though.

  • Doug (unregistered) in reply to Doodie

    so every user of the online bank has one of these devices?

  • (cs) in reply to Doodie
    Doodie:
    sf:
    mallard:
    ... Yes, we do have something that you are obviously not aware of; our cards have chips in them. This "PINsentry" device involves the website giving you a "challenge" code and the chip on the card (and maybe also the PINsentry device) will then, using cryptographic signatures, sign the code and generate a "response" code which the user then enters on the website, thus proving that the user has the card (and possibly also the specific PINsentry).
    Interesting. Just curious though, is the card you are talking about with the chip in it an ATM kind of card? If so, how does the card get the challenge code it needs to sign? Or is the card you are talking about a device with a keyboard on it?

    The PINsentry has the keyboard, not the card...

    [image]

    My bank just gave me a tatoo that is a unique barcode I use to sign in. The problem is WHERE they placed the tatoo!!!!

  • NIghtCactus (unregistered) in reply to Doug

    Jeez, I'm really looking forward to keeping around such devices for all my financial institutions. That's crazy, man.

  • Jessica (unregistered)

    Yeah most of the banking site is a WTF but one of the things they do right (from the screen caps) is the letting people create their own security question.

    I loathe security questions because different sites have different choices, and trying to choose one that I can both remember and which isn't information in the public domain (e.g. what city was I born in, or mother's maiden name) is difficult.

    Being able to write my own question and answer lets me pick something meaningful only to me that only a telepath or keystroke logger will figure out.

  • Fedaykin (unregistered)

    Feel good "security" at its finest. Is the company that made this application at all associated with TSA?

  • Welcor (unregistered) in reply to Doug
    Doug:
    so every user of the online bank has one of these devices?
    If it is anything like in Norway, then yes, all customers have a code generator.

    To log on to one of my banks, I need to do the following:

    • enter my SSN (not really SSN, but similar number, unique for each person)
    • enter a PIN code on my personal code box (which is similar to the device above, except it does not require my card)
    • from the display on the box, I need to enter the first 6 digits (of 8) on the banks' page
    • I now get a popup, telling me the last two digits, to make sure the device is synchronized. If it isn't, I need to contact customer service.

    The other bank goes something like this:

    • type in SSN
    • press button on personal keygenerator
    • type in 8-digit key
    • type in personal password

    Both requires something I know (PIN/password) and something I have, ie. the generator.

    My wife and I each have our own code-generators, and they give different results. I believe they are set up to provide random results with a specific seed. If one types the wrong PIN more than three times, it will lock up, and customer service needs to be contacted. I figure this gives pretty good certainty that I HAVE the item, and KNOW the PIN.

    The SSN (or "personnumber" as it accurately translates) is not sensitive information, and can be guessed/found relatively easily.

  • (cs) in reply to Doug
    Doug:
    So how do we have the software verify that we HAVE something. odds are no matter what we have it just produces a code that then gets transmitted. Can't that just always be replicated some how?

    I am not sure how we enable two-factor authentication ever.

    A Keyfob of some sort that has a number which changes every 30 seconds... It still doesn't guarantee that the keyfob along with your credit card number haven't been stolen.
  • Fedaykin (unregistered) in reply to Jessica
    Jessica:
    Yeah most of the banking site is a WTF but one of the things they do right (from the screen caps) is the letting people create their own security question.

    No, that's a huge WTF. A project I took over did this, and guess what half the questions where:

    "My password is rover123".

    Then, the previous developer decided to not allow questions with the password in it, so the questions became:

    "My password is my my dog's name with 123 after it"

    or

    "My password is rover12*3.

  • Franz Kafka (unregistered) in reply to Kinglink
    Kinglink:
    Ouch! That makes my brain hurt.

    Captcha: Ewww, which sums up my first emotion.

    Seriously what the hell is wrong with some security "professionals". Security should be help secure your money not make it harder to get access. And using "security questions" is a joke. It just makes a brute force attack less likely but I can call up people pretend to do a funny phone interview and easily get "security question" answers in less time than even getting a password.

    I just put in 'ass' for all my security questions. Might have to pick a longer oath for this place.

  • wtf (unregistered) in reply to It's a Feature
    It's a Feature:
    Personally, I think the 2nd factor is really kind of silly--does more to annoy the customers that to add security--but it's a federal mandate (the financial institutions really don't have a choice).
    Man, you need a cluestick so bad... Proper use of real two-factor auth is mandated, not doing two things over the same channel, which you apparently think somehow is two-factor. And that's despite the whole article and the one before that being about exactly this kind of stupidity! Sigh...
  • Fedaykin (unregistered) in reply to Jessica
    Jessica:
    Yeah most of the banking site is a WTF but one of the things they do right (from the screen caps) is the letting people create their own security question.

    No, that's a huge WTF. A project I took over did this, and guess what half the questions where:

    "My password is rover123".

    Then, the previous developer decided to not allow questions with the password in it, so the questions became:

    "My password is my my dog's name with 123 after it"

    or

    "My password is rover12*3.

  • Igor (unregistered)

    Down here in Brazil, we are known for having very advanced banking technology. My bank, for instance, uses a three step authentication process, which I consider very secure.

    1. After you type-in you account number and branch number, you are ofered an onscreen keyboard to put in your PIN number. But it isn't an ordinary onscreen keyboard - it has only four buttons, and each button can represent up to three characters of your pin (like 1st button is 3, 7 or 9, and so on).

    After that, you can access all of your banking information, see your cash-flow and everything else. but if you want to do a transaction (ie pay a bill or make a cash transfer) you have to enter an transaction unlock PIN. This transaction unlock PIN is auto-generated by an PIN generator, which is an external hardware that each and every customer receives. it's as small as you could attach to your keychain, and has only one button on it, that when pressed will generate an 8 characters UNIQUE PIN. As the algorithm to generate the PIN is unique for every customer, there's no way to generate the numbers, even if you have another customer PIN generator.

    After getting the PIN and inputing it, you are allowed to enter the transaction you want to perform, but the transaction is completed only when you enter your "digital signature", another password that you have to memorize, that has to have at least 6 characteres, mixing numbers and letters and special characters (this digital signature is also inputed using an onscreen keyboard).

    That seems pretty secure to me. you can only make transactions if you have your access PIN, is in possession of your PIN generator and you know the digital signature. I know that Citibank in the USA uses something like that, but I've heard that they exported this techonology from Brazilian security companies and implemented in the US.

  • Flim McBoobie (unregistered) in reply to Richard Asscock, III
    Richard Asscock:
    Geez, can we move beyond the "that makes my brain hurt" comment? Man, take the time to come up with your own comment.

    For mine, I will say that my favorite color is TAN. It's the same answer I give when some 5th grader asks me what color my bike is.

    Word. Dick Asscock

    I can only imagine how tough it must be in the 6th grade to not have a RED bike. Poor Dick.

  • anon (unregistered) in reply to Igor

    "digital signature", another password that you have to memorize

    How about an actual digital signature? Then we wouldn't need all this crap.

  • rumpelstiltskin (unregistered) in reply to Igor
    Igor:
    ...I know that Citibank in the USA uses something like that, but I've heard that they exported this techonology from Brazilian security companies and implemented in the US.

    It is well known that banks in the US are behind in security measures; that is because, we are honest here, and do not steal. It is only because we allow foreigners access to our banks, that we must adopt the foreigners' precautions.

  • Igor (unregistered) in reply to rumpelstiltskin
    rumpelstiltskin:
    It is well known that banks in the US are behind in security measures; that is because, we are honest here, and do not steal. It is only because we allow foreigners access to our banks, that we must adopt the foreigners' precautions.

    Sure thing! I'm pretty sure americans doesn't steal.. okay. So I believe that all the executives in Enron, PSInet and so on were all foreigners, right? And that the U.S. Treasury Secretary, which was arrested in germany, is also a foreigner, right?

    Don't come with this crap to me, allright?

  • Fedaykin (unregistered) in reply to Igor
    Igor:
    rumpelstiltskin:
    It is well known that banks in the US are behind in security measures; that is because, we are honest here, and do not steal. It is only because we allow foreigners access to our banks, that we must adopt the foreigners' precautions.

    Sure thing! I'm pretty sure americans doesn't steal.. okay. So I believe that all the executives in Enron, PSInet and so on were all foreigners, right? And that the U.S. Treasury Secretary, which was arrested in germany, is also a foreigner, right?

    Don't come with this crap to me, allright?

    Here's something you need to read:

    http://en.wikipedia.org/wiki/Sarcasm

  • (cs) in reply to Zygo
    Zygo:
    Biometric authenticators can be stolen or copied just like any other authentication token you might possess. An iris scanner merely checks to ensure that whoever is using your account has one of your eyes handy. The scanner doesn't ensure that the user of the account is actually you--the rest of you (including your other eye) might be bleeding to death in a ditch somewhere. Biometrics also don't ensure that you are authorizing the transaction voluntarily (you could have a gun pointed at your head while you go through all of the authenticating factors).

    In some sense, yes, you're right.

    OTOH, it's substantially different enough from the other sense of "what you have" that calling it a separate factor is really fine. You can't leave your eye behind in the checkout lane; someone can't break into your house while you're on vacation and steal your finger.

    If someone authenticates with a secure biometric (e.g. iris scan), they either have you, in which case almost nothing will save you because they have all the factors they need, or you have much more worrysome things to deal with than someone breaking into your bank account. And because of this, it's still markedly different from a PINcard or something like that.

    (The fact that some biometrics, like fingerprints, aren't secure is a separate matter. That's because of other flaws, not because it's not a separate factor from "what you have".)

  • Doug (unregistered) in reply to Welcor

    Ok this makes some sense to me. Seems to work like encryption. The bank gives you a number. it then knows that your device will take this number and should turn it into another number. if the number you enter doesn't match then you must not be right.

    Simple example. Bank gives you input of 1234. you put that in your machine. it spits out 2345. you type this in. the bank knows your machine just adds 1111 to the number so it expects that number. Sorry for super simple example, just want to make sure I am getting it right.

  • rumpelstiltskin (unregistered) in reply to Igor
    Igor:
    rumpelstiltskin:
    It is well known that banks in the US are behind in security measures; that is because, we are honest here, and do not steal. It is only because we allow foreigners access to our banks, that we must adopt the foreigners' precautions.

    Sure thing! I'm pretty sure americans doesn't steal.. okay. So I believe that all the executives in Enron, PSInet and so on were all foreigners, right? And that the U.S. Treasury Secretary, which was arrested in germany, is also a foreigner, right?

    Don't come with this crap to me, allright?

    The Paulson arrest story? You've gotta be kidding. Dude, you can't believe everything you see on the internet.

  • (cs) in reply to rumpelstiltskin

    My bank must have something called "Pretend-that-it's Two-Factor"

    After months of successfully guessing the random ways I found to enter the pseudo security questions on my online banking, i finally got stumped yesterday. I had no idea how I had typed in the name of my university.

    UofA, uofa, Ualberta, university of alberta, University of Alberta, UoFa?

    I couldn't figure it out, although in trying these I found that even though 3 wrong guesses locks your account, 2 wrong guesses followed by reloading the site and logging in again gives me 3 more guesses. That sounds secure.

    Eventually I got locked out, and the site gave me a toll-free number to call. Called it, put in my account number and immediately was given a new password. If anyone can get to the point of failing my security questions, all they have to do is get the system locked and a friendly service agent will reset my password and tell them what the new one is.

    Wow, thanks for that.

  • AC (unregistered)

    So with the colour question a fraudster (I love that word by the way) would almost have a 20% - 25% chance of getting it right. I wouldn't let these guys secure my bicycle.

  • Petri (unregistered) in reply to Crayne

    I wouldn't trust any business website that has to copy-paste Javascript - even if it's from "the #1 place on the net to obtain free, original DHTML & Javascripts".

    One would think developers implementing a top security site would be able to catch a few Javascript events without the help of "Disable right click script III- By Renigade"

  • Ryan (unregistered) in reply to Todd

    Up until 6 months ago my bank allowed Netscape 4.7 but not Firefox.

  • (cs) in reply to Igor
    Igor:
    I know that Citibank in the USA uses something like that, but I've heard that they exported this techonology from Brazilian security companies and implemented in the US.

    I have an account with Citibank in the USA, and I don't use anything close to that. Simply username and password(online) or card and PIN (at ATM or teller)

  • Squitz (unregistered)

    I work tech support for a company that develops customizable software, and I would love to see my bank use the same security as one of our largest clients does (said client is a large oil company that is borderline paranoid about security).

    In order for the developers here to access the client's system for upgrades etc, the user needs to supply a username (which is a combination of the firstname, lastname, and random numbers) and a password that is composed of 8 generated digits followed by a 4 digit pin. The 8 digits change every minute or so, and the older versions of the device were the size of a credit card, only 4 times as thick; the newer devices that are smaller than the keyfob with the buttons that unlock your car.

    It’s a wonderful system that requires 2 things you know and one thing that you have (it also requires that your IP address be from our Class C, but banks can’t really do that). I would also be willing to pay a single fee, up to $20, for the number generating keyfob.

  • (cs) in reply to It's a Feature
    It's a Feature:
    Crap--my credit union uses Cavion as well. Noticed this copyright, though, at the bottom of the page: Copyright ? 1998-2004 Cavion, LLC. All Rights Reserved.

    I guess they're not sure...:)

    The company I work for (not Harland) does Online Banking for a number of credit unions. Personally, I think the 2nd factor is really kind of silly--does more to annoy the customers that to add security--but it's a federal mandate (the financial institutions really don't have a choice). We've given our clients 2 choices for the 2nd factor--one that gives the user a series of faces to remember (which really seems to annoy the hell out of their users) and the other which sets up challenge questions and checks the IP address for where the user is coming from, blocking them from some countries like Nigeria and Iraq (military is not affected). 2nd choice seems to work pretty well, but it was hell to implement. But if the user sticks to using the same computer all the time they never see the challenge question, so they don't get too annoyed, until they go on vacation and try to access their account, then have to try to remember what answer they gave a year ago. :)

    Why don't you ask the question again once a month or so? That way they can dig it out of their desk (presumably people tend to print out or write down these things) or give the bank a call while they're not stuck in Kazakhstan or something.

    Maybe give them a warning that it's going to happen on the next login, so they'll be prepared if they bother to read it.

    Richard Asscock:
    Wait a minute...Your company creates online banking software, but your bank does not use it. Geez, ever think about supporting your own product? I never understood those employees when I worked for a soy protein company. They'd say our products taste nasty and wouldn't buy them. Later, they'd complain that we never get bonuses. Like it or not, you gotta be a cheerleader for the comp'ny to get ahead (and getz yo shiit paid, du').

    Peace out, Dick Asscock

    Can't speak for him, but sorry, interest rate, checking costs, perks, customer service are all more important than web interface security. If it's bad enough I'll just never sign up for it. (Or, at one of my credit unions, so badly managed that it never sent an email confirmation and never let me in after confirming over the phone. Fat chance of a thief getting in there.)
  • (cs) in reply to foxyshadis

    This reminds me that I need to bitch about the unprofessionalism of card processing sites like ezcardinfo.com: They look like a cheap 90's scam site, they don't link back to testimonials from real bank sites, and of course they use wish-it-was-twofactor:

    "Effective December 16, 2006, we upgraded your cardholder services with a new Advanced Authentication security feature. If you haven't logged on since the upgrade, upon your first logon, you'll be prompted to choose an image, a caption and four challenge questions to establish your personalized security settings."

  • Franz Kafka (unregistered) in reply to Jan I
    Jan I:
    There is one possible reason why they may have the four-character limitation.

    Full text search in MySQL has that limitation by default; searches for one-character, two-character and three-character words will yield no results, unless you've tweaked the configuration.

    For performance reasons, you don't want to tweak that too much, perhaps allowing three-character words is okay.

    But now the question becomes:

    Why on Earth would anyone need to do full-text searches for the answers to these questions?!

    Well, it's nice to know that they use MySQL with MyISAM, for your improved data security and transaction stability. };->

    why would you ever do FT searches on a 'security question'? Just load the answers into the session and use setring comparisons. You already know which rows you want to look at.

  • Franz Kafka (unregistered) in reply to Welcor
    Welcor:
    The SSN (or "personnumber" as it accurately translates) is not sensitive information, and can be guessed/found relatively easily.

    National ID? Wouldn't work too well over here, what with the power split between the feds and states, although some sanity over how secret the SSN is would be nice - perhaps a move to explicitly publish everybody's ssn with about a year's warning...

  • James Schend (unregistered) in reply to Doug
    Doug:
    Ok this makes some sense to me. Seems to work like encryption. The bank gives you a number. it then knows that your device will take this number and should turn it into another number. if the number you enter doesn't match then you must not be right.

    Simple example. Bank gives you input of 1234. you put that in your machine. it spits out 2345. you type this in. the bank knows your machine just adds 1111 to the number so it expects that number. Sorry for super simple example, just want to make sure I am getting it right.

    That looks to be right. The concern is that it looks like it generates the return number based on the card plugged into it-- so if a thief stole your card, would they be able to log in with their own keypad at home? (I guess they still wouldn't know the password, so you'd still be ok.)

  • Nobody (unregistered)

    I use Bank of America for my checking accounts. Their first attempt at 2 factor authentication was what they call 'SiteKey'. At the initial login screen, you only enter your ID (*1), no password. If you log in from an unknown computer it asks you some of those inane security questions, and if you get them right it marks your computer as 'known' (*2). It then displays an image and a line of text that you selected and entered (respectively) when you set it up. And at that point it asks for your password. This seems to be a fairly good way to avoid phishing sites (at least for people who wouldn't fall for a 'SiteKey is undergoing maintenance, please enter your password' prompt) but does essentially nothing for actual account security.

    Just recently, however, they've rolled out an optional new service called 'SafePass', which is actual 2 factor authentication. Instead of a dedicated security device the second factor (Something you have) is your cell phone. When you try to log in, it sends you a text message with a random code you have to enter. Certainly a step in the right direction. You can choose whether to use SiteKey and/or SafePass (but you have to have at least 1) to sign in.

    My broker on the other hand sent me a SafeWord Platinum, which is an interesting little toy. It's protected by a PIN, and it appears to perform a hash of it's serial number and the challenge code I enter from their website, to produce the response. It's a lot less convenient, but it's only required for account management (ie deposits and withdrawals), not day to day trading.

    -JD

    *1: I got in the online banking program early, when you could pick your own ID, so mine is a random 9 digit number. Newer ones are easier to guess, as they're generated from your name with 3 or 4 digits appended.

    *2: Interestingly, it saves the 'known' status on your PC in both a cookie (which gets nuked regularly), and in a Flash shared object, which apparently never gets cleared by any normal means. Check the "Application Data/Macromedia/Flash Player/#SharedObjects" directory in your user profile, I was amazed how many sites are using these as an alternative to cookies.

Leave a comment on “Banking So Advanced”

Log In or post as a guest

Replying to comment #157655:

« Return to Article