The bank I work for (Belgium) will shortly change from a "one+ factor" to a "two factor" system.
In one month from now the system will be the following:
The user receives a "digipass" (about the same device posted above). Login to the website is by customer number and a password the user knows. In a second screen he has to fill in a code generated by the device. To generate this code, the user has to insert his bank card into the device, press the "login" key and enter his PIN code. With the now generated code the user can enter the site.
Originally, the next piece was: "for every transaction the user wants to do, he repeats the code-generating piece".
But phishers were on to this. They faked a login page, let users log in using this generated key, and in the background they connected to the real site using these credentials. To the users they said: "authentication failed, please try again".
When the user entered a second code, they used that to make a fraudulent transaction with it.
Therefore, the procedure for authenticating a transaction is now:
The user enters into his digipass:
and he then presses the "SIGN" button instead of the "LOGIN" button.
It costs some money, that is correct, and over the last years only 5 fraud cases have occurred over a 5 year period, while daily about 100 000 users make a total of 500 000 transactions.
So we can say "pretty secure".
Admin
What if you have accounts at more than 1 financial institution?
Having to carry around multiple PINsentry devices and random number generator keythingies sounds like a real pain in the proverbial
Admin
No no no, the pinsentry is dumb - all it does is communicate with your card. So any institution that uses the chip-and-pin system should be compatible with the pinsentry.
The pinsentry is effectively the same as the devices used by every merchant in the UK.
That's the advantage of having a nationally standard two-factor authentication system.
At least, that's the way they better have done it.
Admin
It's not stupid, it's advanced!
Admin
How did they authenticate you via phone? They didn't - did they?
Admin
Actually, the cards are neat (or can be).
You can do secure public/private key operations on some of those puppies, with the private key generated on the card and stored only on the card. The cards are cheap too. Like $15.
Security can be:
So, you can't replicate the code without the private key, which never left the chip on the card. You'd have to be the NSA to snarf the card, figure out the private key stored on it (without knowing the PIN?), and steal the money before the person told their bank: "Oh, umm... I seem to have lost my card. Can you send me a new one?"
Anyways, they're v. nice. We need U.S. banks that will use them or equivalents.
Admin
Timely article. I have recently been in correspondence with the bank where I hold accounts. They have "award-winning online banking" <sneer> When I contacted them to explain why redirects from their home page to their sign-on page (among other things- this was just the first page!) were perhaps problematic, and suggested some reasons and methods for improving it, they responded slowly, but appropriately, of course. They assured me that their site was indeed, secure enough for clients like me, and if I didn't like it, I should bank by phone. I'll withhold my opinion. You can guess what I think.
Admin
So i want to name my Son "Robert '); DROP TABLE Customers; --"
Hopefully he likes it. Thanks http://xkcd.com/327/
Admin
Very funny! Synergy FCU was my bank when I lived in VA and their first Web site attempts (c. 1999-2000) were pretty comical as well.
Admin
I love this kind of indignation, which conveniently forgets a whole lot of other WTFs we were probably laughing at yesterday. This JavaScript code is USER INTERFACE CODE. This is necessary to present a user-level error message to the unfortunate people like Sue--Ann McNully, who will be prevented from using the service.*
Exploits like faking an http form submission would be stopped at the server side and probably don't get such a nice, descriptive, error message. J Random Hacker doesn't need an error message when his carefully-crafted SQL injection fails. In fact, detailed error messages at that layer will probably give away important details and compromise security.
Admin
Charging for banking services in general seems far more appropriate in the pre-internet era, than post-internet. You've got papers to shuffle, and control can be wielded more readily. They collect shady overdraft fees for a revenue stream, and I think these days hiring many bank employees and throwing a second-rate IT effort for their online services are just signs that the industry is buying time.
Admin
Fortunately my favorite color is DEADBEEF, but unfortunately my favorite tv show is TRUNCATE TABLE USERS.
Admin
Ooh... ooh... I know this! I'll take... I pick "low" and "cost"!
Admin
'Twas in reply to:
Admin
I wish I could be sure that their injection guard polices do extend to the back end. If they don't... the prospect is horrifying.
In this neck of the woods (Eastern Europe), Internet banking has always had PROPER two factor auth. There are two levels of security in my bank. The lowest utilizes a small plastic card with 30 random numbers on it. When you log in you get asked a random one in addition to your username and password. If you fail to log in, the same one is asked to prevent code phishing. There was a Trojan at some point that did that, after which the bank put up warning notices... This method of auth is limited to transferring relatively small sums of money, enough for a private individual but not suitable for business users.
On the higher level you must use either an ID card that has a chip with RSA certificates in it to identify yourself or a PIN calculator. And usability does not suffer much. It would suffer much more if I had to start answering stupid questions...
All in all... I can't believe there are systems out there used in banking that are allowed to pretend this replaces proper two factor auth... It's scary...
Admin
My bank use this scheme:
To login to ebanking, I need
But if I want to make any money transfer after login, single-use security code is sent to my cell phone via SMS and I have to enter it to web page to confirm transaction. This code is valid only for this specific session.
Everyone has cell phone in my country, so it's no problem.
Admin
While not quite that strict, my bank (a Czech one, and a specialist in e-banking) does offer the option of a cell-phone element to your key. That is, you can choose for your key to be either
e.
Admin
The "factor" part refers to "knowing", "having" and "being". All the things you mentioned fall into the "knowing" category, so it's only one factor...
Admin
Is this a mock up or is this reality?
Admin
The digital signature certificates are usually contained in a physical chip, attached to a credit card sized card, and you need to insert a pin to the card to use them. So it constitutes something you "have".
That fancy name for a digital signature is fully justified, because it's not just a row of numbers. It's a hash of whatever you are signing, encrypted with your secret key. Anybody can get the hash out of it again to verify it with your public key, but only you can make that signature...
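The post above describes a signature as the hash of the signed data transformed with the secret key, with anyone able to recover and check the hash using the public key. The following is an added worked example of that hash-then-sign scheme in Python using textbook RSA; it is not code from the page or from any bank's card. The two primes are fixed Mersenne primes chosen only so the block runs offline and deterministically; a real card generates a large random key inside the chip and uses a padding scheme such as RSASSA-PSS, neither of which is shown here.

```python
import hashlib

# Toy RSA parameters, constructed for illustration only: two Mersenne primes.
# Real deployments use 2048-bit or larger randomly generated keys plus padding.
P = (1 << 127) - 1
Q = (1 << 89) - 1
E = 65537


def keygen():
    """Return (public, private) as ((n, e), (n, d)) from the fixed toy primes."""
    n = P * Q
    phi = (P - 1) * (Q - 1)
    d = pow(E, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, E), (n, d)


def digest(message: bytes, n: int) -> int:
    """Hash the message and reduce it into the range of the RSA modulus."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return h % n


def sign(private, message: bytes) -> int:
    """Only the holder of d (the card) can compute this value."""
    n, d = private
    return pow(digest(message, n), d, n)


def verify(public, message: bytes, signature: int) -> bool:
    """Anyone with the public key recovers the hash and compares it."""
    n, e = public
    recovered = pow(signature, e, n)
    return recovered == digest(message, n)


def demo():
    """Sign a constructed transfer order and check a tampered copy fails."""
    pub, priv = keygen()
    order = b"transfer 100.00 EUR to BE00 0000 0000 0000"  # constructed sample
    sig = sign(priv, order)
    genuine = verify(pub, order, sig)
    tampered = verify(pub, b"transfer 100000.00 EUR to BE00 0000 0000 0000", sig)
    return genuine, tampered
```

Changing a single byte of the order changes its hash, so the signature made for the original no longer verifies; producing a valid signature for the altered order would require d, which never leaves the chip.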
Admin
It doesn't have to be, in the Netherlands there are two general systems with such an external device:
A generic device that is the same for all customers, which has a slot in which you have to put your card to use it. This is nice, because you can bank at a friend's place w/o having to carry your device around (assuming he has the same bank). (The 'what you have'-factor is your card.)
A specific per user device with a burned in code, no card required (my bank). I suppose the advantage is that you can bank w/o a card (which costs money). (The 'what you have'-factor is the device.)
Both methods usually also require a secret number ('what you know'-factor), which usually is different from the number you use for ATM machines.
I locked up my 'device' by entering the wrong code (the ATM code). Therefore the only thing I can do with it yet is enter the unlock code that I can get from my bank; I cannot use it as a 'what you have' factor anymore. In order to get this 'unlock code' my bank falls back to a 2nd what-you-have factor, my phone. They will call me on my mobile to give the unlock code. However, I didn't give them my number. (I never give my phone number to commercial institutions w/o knowing what they will use it for, which they didn't tell in advance.) So now they fell back to the 3rd 'what-you-have' factor, my house, and sent me forms to ask for my phone number. (I suppose I could do everything by mail, but I gave them my phone nr. anyway.) The fact that I tried to use my card in all kinds of East European countries could have tightened their security because it might look like it was stolen.
Admin
ABN Amro (Netherlands) has had this for a few years. Very convenient to use (as long as you've got the calculator - I have one at work/travel and one at home).
But I should point out that the 'thing that you know' is not the account number (at least in my case, it's printed on the card) - it's the PIN.
The calculator just lets you make use of the PIN (to generate the response to the random challenge) without divulging it.
Admin
Users are so ... unbelievably creative.
Admin
BTW, it is possible to make fingerprints check if the finger is actually attached to its "owner".
Admin
Reality: Most bank customers in the US rank convenience higher than security in habit. We are lazy, unlike most commenters here.
More security = less convenience
So any bank increasing security/decreasing convenience out of step with competition will lose customers to the competition or at least upset customers. This happened with 2-factorish rollouts when some banks didn't implement 2 factor. Customers left banks trying to improve security in favor of those who didn't (and who were defying law).
Laws are needed to push security higher in the US because banks won't cooperate and exceed laws for the greater good.
Admin
To be a good citizen, and to act like a professional. Yes, we can see how poor it is, because we are computer experts. But most bank customers are not, and the security of their accounts is endangered.
Secondly, enlightened self interest, because the bad drives out the good. If some banks can hoodwink the many ignorant customers with cheap but crap security, the banks that do a proper job will go out of business or degrade their security measures, and people like yourself will have no choice.
Admin
In the UK, well my area anyway, there was an important e-mail that circulated while I was doing work with the council, and apparently it is a little known fact, but if you enter your PIN backwards into an ATM it will allow transactions but alert the police. I've never tried it, but have been assured it works.
Admin
Yeah, body heat, heartbeat etc. can be detected.
The bank I have here in The Netherlands is pretty secure, and even a bit phishing-proof. (I don't think you can theoretically be phishing-proof.)
You need your electric doo-hickey, enter your card, PIN number and authentication code from the site. It returns a login ID. So that's two-factor.
Then after every transaction (or set of transactions), you do the same thing. The auth. code is generated from your transactions, and larger transactions require you to enter the total transaction amount on your electric doohicky together with the rest. This way phishers can only withdraw as much as you withdraw.
The only way that they can get more is if they create a ruse that tells you "they changed the system and you have to fill in 100000 as second number now". But hey, it's a nice try. As nice as it is gonna get without you manually doing all your business a second time on the electric doohicky.
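The Belgian post earlier (separate LOGIN and SIGN buttons after phishers relayed a second login code) and the Dutch post above (the amount entered on the device so the code is bound to the transaction) describe the same design. The following added Python example, which is not code from the page, from the digipass, or from any bank, models that design with HMAC-SHA256: the bank issues a single-use challenge, the token derives a LOGIN code from the challenge alone and a SIGN code from the challenge plus the amount and destination typed into the token, and the bank checks each code only against the purpose and transaction it was issued for. The shared secret, the "IBAN" strings and the code-derivation function are constructed for the example; the real devices' algorithms are not on the page.

```python
import hashlib
import hmac
import secrets

# Shared secret personalised into the customer's token; constructed sample value.
DEVICE_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")


def _code(secret: bytes, *fields: str) -> str:
    """Derive an 8-digit code from the fields with HMAC-SHA256. Each field is
    length-prefixed so ("SIGN", "1", "00") and ("SIGN", "10", "0") differ."""
    data = b"".join(len(f).to_bytes(2, "big") + f.encode() for f in fields)
    mac = hmac.new(secret, data, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10**8).zfill(8)


# Device side: what the token computes once the PIN has unlocked it.
def login_code(secret: bytes, challenge: str) -> str:
    return _code(secret, "LOGIN", challenge)


def sign_code(secret: bytes, challenge: str, amount: str, dest: str) -> str:
    # Amount and destination are typed into the token itself, so the code is
    # bound to one specific transfer rather than to the session.
    return _code(secret, "SIGN", challenge, amount, dest)


# Bank side: issues single-use challenges and checks codes against them.
class Bank:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.open_challenges = set()

    def new_challenge(self) -> str:
        c = secrets.token_hex(4)
        self.open_challenges.add(c)
        return c

    def _consume(self, challenge: str) -> bool:
        """A challenge is spent on its first use, valid code or not."""
        if challenge not in self.open_challenges:
            return False
        self.open_challenges.remove(challenge)
        return True

    def verify_login(self, challenge: str, code: str) -> bool:
        expected = login_code(self.secret, challenge)
        return self._consume(challenge) and hmac.compare_digest(code, expected)

    def verify_transfer(self, challenge: str, amount: str, dest: str, code: str) -> bool:
        expected = sign_code(self.secret, challenge, amount, dest)
        return self._consume(challenge) and hmac.compare_digest(code, expected)


def demo() -> dict:
    """Walk through the relay scenario from the Belgian post with constructed values."""
    bank = Bank(DEVICE_SECRET)
    results = {}

    # 1. A relayed login code still opens a session: the LOGIN step is unchanged.
    c1 = bank.new_challenge()
    results["relayed_login"] = bank.verify_login(c1, login_code(DEVICE_SECRET, c1))

    # 2. "Authentication failed, try again": the victim produces a second LOGIN
    #    code, but a transfer needs a SIGN code, so the bank rejects it.
    c2 = bank.new_challenge()
    second_login = login_code(DEVICE_SECRET, c2)
    results["login_code_as_transfer"] = bank.verify_transfer(
        c2, "100000.00", "ATTACKER-IBAN", second_login)

    # 3. A SIGN code the victim made for their own 50.00 transfer verifies only
    #    for those exact values, not for a different amount and account.
    c3 = bank.new_challenge()
    victim_sig = sign_code(DEVICE_SECRET, c3, "50.00", "FRIEND-IBAN")
    results["sig_redirected"] = bank.verify_transfer(
        c3, "100000.00", "ATTACKER-IBAN", victim_sig)

    # 4. The genuine transfer verifies once; the same code cannot be replayed.
    c4 = bank.new_challenge()
    own_sig = sign_code(DEVICE_SECRET, c4, "50.00", "FRIEND-IBAN")
    results["sig_genuine"] = bank.verify_transfer(c4, "50.00", "FRIEND-IBAN", own_sig)
    results["sig_replayed"] = bank.verify_transfer(c4, "50.00", "FRIEND-IBAN", own_sig)
    return results
```

What this does not cover is exactly the residual risk the post above names: if the customer can be talked into typing the attacker's amount and account into the token, the bank receives a perfectly valid signature for the wrong transfer. That is why the device should display what it is about to sign.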
Admin
My credit union uses this system. HATE it. LOVE my CR, but hate the new system.
However, they've so generously left their old login option still available... they've taken the links off of their website for it, but I kept the same bookmark, so I just use that. Supposedly the old login was going to be disabled last April... it's now October. I'm not going to complain. :-)
Admin
I'm working for a small bank and we are starting to implement multifactor but have thought of using this product: https://myvidoop.com/
You select picture categories as your password. Different pictures are displayed and you simply choose the ones in your category.
The 2 factor part is that they can call you or text your mobile with a passcode.
We are debating about a 2 phase approach where we use the above now and later on give users the ability to choose if they would prefer to use a token authentication instead.
Thought I would throw myself to the wolves and see what happens.
Admin
Surely as an experienced internet user you know to check things like that on Snopes?
http://www.snopes.com/business/bank/pinalert.asp
Admin
It looks like the PINsentry device uses both the information stored on the credit card and the pin to generate a random key each time you log into the website.
I assume this works similarly to the RSA SecurID token I use for work in that it must be synchronized with the authentication server to work. In this case, there must be an internal random seed that is either incremented or time-based. If the seed is incremented each time you enter your pin (I once had a different type of RSA token that did this), then the seed would be synchronized with the server. With any other token, you would not be able to obtain a valid pin... hence the token itself is probably a factor. I don't know if PINsentry is as good as my RSA SecurID, but without my specific token, I cannot log into the intranet from outside the workplace, which requires a passphrase and the pin from the token display (two factor).
Requiring the bank card, entry of a pin number, and a specifically assigned PINsentry token seems like 3-factor to me. I could be wrong.
Admin
Ah that explains the white van in front of every building I visit! My PIN used to be a palindrome (and the bank had chosen it, couldn't change it myself). Guess this is a one in a hundred chance, or slightly less if they disallow '0000' and such. I do not live in the UK though.
Admin
If I pick low cost and low cost does that make it free, effectively proving you can't get security or usability for free?
Admin
Hmm. Aside from the potential client side/server side problem (we don't know what checks are actually performed on the server side), and the issue of blocking legitimate responses which happen to contain those combinations of letters, the javascript doesn't even filter INSERTs effectively. An error is raised if the input contains both INSERT and INTO.
But: INTO is a noise word under several databases and is not necessary. "INSERT table1 (col1) VALUES ("boo!")" works fine, and won't be caught.
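The post above makes the point that the client-side check only rejects input containing both INSERT and INTO, and that the check that matters is on the server. Here is an added Python model of that situation; it is not the bank's code or the article's. The keyword check is reproduced as described, and beside it is the server-side defence that makes the keyword check irrelevant: a parameterized query, in which the submitted name is bound as data and can never be parsed as SQL. The table, the sample names (including the xkcd one from earlier in the thread) and the in-memory SQLite database are all constructed for the example.

```python
import sqlite3


def keyword_filter(value: str) -> bool:
    """Model of the client-side check the page describes: the input is rejected
    only when it contains both INSERT and INTO. Returns True when blocked."""
    v = value.upper()
    return "INSERT" in v and "INTO" in v


def store_customer(conn: sqlite3.Connection, name: str) -> None:
    """Server-side insert with a bound parameter: the name is data, never SQL."""
    conn.execute("INSERT INTO customers (name) VALUES (?)", (name,))


def count_customers(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM customers").fetchone()[0]


def demo():
    """Run constructed sample names through both layers and report what happened."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT)")
    samples = [
        "Sue-Ann McNully",                         # ordinary name with an apostrophe-free hyphen
        "Robert '); DROP TABLE Customers; --",     # the xkcd name quoted in the thread
        "INSERT customers (name) VALUES ('x')",    # no INTO, so the keyword check passes it
        "insert into the lake",                    # harmless text the keyword check blocks
    ]
    blocked = {}
    for s in samples:
        blocked[s] = keyword_filter(s)
        store_customer(conn, s)  # every value is stored literally, SQL-looking or not
    names = [row[0] for row in conn.execute("SELECT name FROM customers ORDER BY rowid")]
    return blocked, names, count_customers(conn)
```

The output shows the two failure modes of a keyword blacklist at once: a false positive on legitimate prose and a miss on the INTO-less form the post mentions. The parameterized insert stores all four strings as plain text and the table survives, which is the property the server actually has to guarantee.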
Admin
And of course cell phone password has its own security issues.
But mostly I'm amazed how everyone touts complex 2-factor schemes. It is a huge blow to usability and a real WTF indeed.
Just look how the problem was solved with credit card transactions in the US: limit customer liability to $50 by law. Now credit card fraud becomes a merchant and bank problem. Bank security should be the bank's problem. Users should not have to suffer. This includes not having to jump through hoops to access your account online. Remind me: was online banking supposed to be about convenience? Why, let's shut down online banking and ATMs and conduct all transactions in person in your home branch through a personal banker who knows you. The 19th century was so much more secure.
Admin
Here's a line i found on my Credit Union's "Security" page..
After talking about SSL and account lockouts and such, the last line on the page says this:
There's More, But... Of course,that's not all the security features PC Branch provides, but we won't describe them all to you. Secrecy about security measures is part of what makes them so secure.
Admin
Ah, the whole "security by obscurity" argument. Riiiight... So, if I leave my front door unlocked, but don't tell anybody, is it any more secure than if I did tell people? Of course not! Would my house be more likely to be robbed if I told everybody that my house was unlocked? Probably.
This is where people get confused about security. There is security with respect to reducing the probability of attack, and then there is security that reduces the probability of an attack being successful. Finally, there is security that reduces the damage from a successful attack.
Given the environment of the Internet, one should assume that attacks will occur, so the first layer of security is merely window dressing.
Admin
I'm gonna suggest that my, uh, "friend" open an account there. What with the CAPTCHA, the JavaScript SQL validation, and the five "security" questions, it's no doubt that my, uh, "friend's" money is secure.
Although my, uh, "friend's" favorite cartoon character is Ren. Oh, well. Stimpy will do.
Of course, the account will get locked out when you can't remember what the hell you wrote, so you call 'em up, get the new password, and guess what? The money's gone. Why? Cuz some 15-year-old in a basement in BFE hacked the nothing out of it.
P.S. Firefox not recommended?! Brillant. Just brillant.
Admin
They have extra security in place because all tables are named with only 8 characters, so they just assigned random numbers to them.
And who would possibly guess what these random numbers are?
Admin
Sure, it's little-known: it's false.
My first thought on reading this was "it sounds like an urban legend" and my second thought was "the police can't possibly get to an ATM location fast enough for this to do ANY good at all."
See http://www.truthorfiction.com/rumors/a/atm-911.htm
Enter your ATM Pin Number Backwards to Summon Police-Fiction!
Summary of the eRumor:
An alert that if you ever find yourself in a scary situation at a banking ATM machine, such as a thief forcing you to withdraw cash, just enter your personal identification number (PIN) backwards. That will automatically send a message to the police that you are in trouble and they will respond to the machine. The eRumor says that most people don't know about this.
The Truth:
The eRumor is false because there isn't anywhere that we could find where this emergency procedure at ATM machines is actually being used.
There is a seed of truth to it, however, in that the idea has been floating around for a while. One of the biggest proponents has been an Illinois attorney named Joseph Zingher. He says the notion came to him when he was a law student at the University of Illinois and one evening was withdrawing money from an ATM in a scary part of town. He patented his concept in 1998 and has been trying to talk banks into using it ever since.
Under Zingher's system, every ATM account would have two PIN numbers---the normal PIN used to withdraw money and what he calls the "ATM SafetyPIN" to alert police that something bad was happening at the ATM. It has also come to be popularly called the "Panic PIN." The SafetyPIN would typically be the reverse of the normal PIN number or some other variation that would be easy to remember. Legislation was passed in Illinois that would allow banks to adopt the system, but did not mandate it.
So far, no banks or financial institutions have done so. Zingher has offered to let Illinois-based banks use it for free, but some of them have said they think it would be too expensive and that ATM crime is not frequent enough. Zingher says that ATM crime is much higher than believed because not all crime reporting reflects whether it has taken place in connection with an ATM or forced withdrawal of cash.
Admin
Can someone help me out here. My bank has like umpteen security questions, my credit card processor makes me change my password like every 2 weeks,
both offer without resistance to e-mail the necessary information to my rinky dink email account, which my credit card processor conveniently accepts as my user name.... sigh.
Isn't there some security system that requires the user to upload a digital picture of some sort with each login? That sounds like fun.
Admin
It seems they've discontinued that. BoA is sort of annoying, but the picture id stuff is at least effective.
that's what I'd do. I have no interest in memorizing another password. I also do things like setting all the answers to the name of the institution - it's not really adding anything, so I might as well make it easy for me.
Admin
I wouldn't bother with myvidoop.
If you want proper 2-factor auth, use a token, and one with a keypad, so that the what-you-know (PIN) is entered on the token, and the token can just belt out a response to an on-screen challenge.
Bonus points for making sure the amount and destination-account-number has to be entered into the device to authenticate transaction.
The device my bank uses is from vasco.com - they also have a device similar to the pinsentry one (that one's by gemalto) which complies with EMV-CAP - a fairly big deal if you were a European bank, if any one else is reading this...
(It's sad to see a manufacturer like vasco promoting some weaker authentication schemes as well. At least they should clearly indicate the suckiness of the cheaper schemes)
If you do go the mobile phone route, make sure the amount and destination-account-number are included in the text message. And take note that the 'what-you-know' is now entered on a PC keyboard, and easily intercepted by malware. So better make sure those texts don't get intercepted!
Admin
The problem with two factor authentication is that it costs the bank money that is difficult to recover from consumers. So in NZ they have a cunning plan.
Problem solved.
Admin
Um, what the hell? A card and a PIN number is classic two-factor authentication, as seen on ATM machines (where you have no other factors).
Admin
And a physical key is still "something you know" because you can memorize the shape and make another one - the point is to make it non-trivially difficult to duplicate the physical factor. Without that, the equivalence of matter and energy (or the possibility of writing down your PIN number, turning it into "something you have") invalidates the whole concept.