• profke (unregistered)

The bank I work for (Belgium) will shortly change from a "one+ factor" to a "two factor" system.

In one month from now the system will be the following:

User receives a "digipass" (about the same device posted above). Login to the website is by customer number and a password the user knows. In a second screen he has to fill in a code, generated by the device. To generate this code, the user has to insert his bank card into the device, press the "LOGIN" key and enter his PIN code. With the now generated code the user can enter the site.

Originally, the next piece was: "for every transaction the user wants to do, he repeats the code-generating piece".

But phishers were on to this. They faked a login page, let users log in using this generated key, and in the background they connected further to the real site using these credentials. To the users they told: "authentication failed, please try again".

When the user entered a second code, they used that to make a fraudulent transaction with it.

Therefore, the procedure for authenticating a transaction is now:

The user enters into his digipass:

    • the amount of the transaction,
    • followed by the first xx characters of the account where the money will be sent to,
    • followed by the pincode from the bankcard,

and he then presses the "SIGN" button, instead of the "LOGIN" button.

It costs some money, that is correct, and over the last years only 5 fraud cases have occurred, in a 5 year period, while daily about 100 000 users make a total of 500 000 transactions.

So we can say "pretty secure".
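The transaction-signing scheme profke describes, modelled in Python as an added example (not code from the thread or from any bank): a LOGIN code answers a bank-issued challenge, while a SIGN code covers the amount and the first characters of the destination account, so a relayed LOGIN code is useless for a transfer and a SIGN code only authorises the exact transfer it was computed for. Assumed, because the page does not describe the real digipass algorithm: a per-card secret shared with the bank, HMAC-SHA256 truncated to 8 digits, and an 8-character account prefix.

```python
import hmac
import hashlib
import secrets

DIGITS = 8           # length of the code the user types into the web page (assumed)
ACCT_PREFIX_LEN = 8  # "first xx characters" of the destination account; xx assumed to be 8
MAX_PIN_TRIES = 3    # assumed lockout counter on the device


def _code(secret: bytes, *fields: str) -> str:
    """HMAC over length-prefixed fields, truncated to DIGITS decimal digits.
    Length prefixes keep ("1", "23") and ("12", "3") from producing the same message."""
    msg = b""
    for f in fields:
        b = f.encode()
        msg += len(b).to_bytes(2, "big") + b
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10 ** DIGITS).zfill(DIGITS)


class Digipass:
    """The card-in-reader device. The secret and the PIN never leave it."""

    def __init__(self, secret: bytes, pin: str):
        self._secret, self._pin, self._tries = secret, pin, 0

    def _check_pin(self, pin: str) -> None:
        if self._tries >= MAX_PIN_TRIES:
            raise PermissionError("card locked")
        if not hmac.compare_digest(pin, self._pin):
            self._tries += 1
            raise PermissionError("wrong PIN")
        self._tries = 0

    def login(self, pin: str, challenge: str) -> str:
        """The LOGIN key: code bound only to the bank's challenge."""
        self._check_pin(pin)
        return _code(self._secret, "LOGIN", challenge)

    def sign(self, pin: str, amount_cents: int, dest_account: str) -> str:
        """The SIGN key: code bound to amount and destination account prefix."""
        self._check_pin(pin)
        return _code(self._secret, "SIGN", str(amount_cents), dest_account[:ACCT_PREFIX_LEN])


class Bank:
    def __init__(self):
        self._secrets = {}      # customer -> per-card secret (constructed, held server-side)
        self._challenges = {}   # customer -> outstanding login challenge
        self._accepted = set()  # (customer, code, amount, prefix): rejects a verbatim replay

    def enrol(self, customer: str) -> Digipass:
        secret = secrets.token_bytes(32)
        self._secrets[customer] = secret
        return Digipass(secret, pin="1234")  # constructed PIN for the demo

    def login_challenge(self, customer: str) -> str:
        chal = secrets.token_hex(4)
        self._challenges[customer] = chal
        return chal

    def verify_login(self, customer: str, code: str) -> bool:
        chal = self._challenges.pop(customer, None)  # one shot: a challenge is answered once
        secret = self._secrets.get(customer)
        if chal is None or secret is None:
            return False
        return hmac.compare_digest(code, _code(secret, "LOGIN", chal))

    def verify_transaction(self, customer: str, amount_cents: int, dest_account: str, code: str) -> bool:
        secret = self._secrets.get(customer)
        if secret is None:
            return False
        prefix = dest_account[:ACCT_PREFIX_LEN]
        expected = _code(secret, "SIGN", str(amount_cents), prefix)
        key = (customer, code, amount_cents, prefix)
        if key in self._accepted or not hmac.compare_digest(code, expected):
            return False
        self._accepted.add(key)
        return True


def phishing_relay_demo() -> dict:
    """The scenario from the post: a fake page collects two LOGIN codes
    ("authentication failed, try again") and relays them to the real site."""
    bank = Bank()
    device = bank.enrol("alice")
    first = device.login("1234", bank.login_challenge("alice"))
    logged_in = bank.verify_login("alice", first)            # relay of code 1 succeeds
    second = device.login("1234", bank.login_challenge("alice"))
    stolen = bank.verify_transaction("alice", 500000, "BE99ATTACKER0001", second)  # code 2 is a LOGIN code
    sig = device.sign("1234", 2500, "BE68MERCHANT0001")      # the user's genuine SIGN
    return {
        "logged_in": logged_in,
        "stolen_transfer": stolen,
        "genuine": bank.verify_transaction("alice", 2500, "BE68MERCHANT0001", sig),
        "diverted": bank.verify_transaction("alice", 2500, "BE99ATTACKER0001", sig),
        "inflated": bank.verify_transaction("alice", 500000, "BE68MERCHANT0001", sig),
        "replayed": bank.verify_transaction("alice", 2500, "BE68MERCHANT0001", sig),
    }
```

The relay still gets the attacker logged in; what it no longer gets is a code that authorises a transfer the user did not key into the device.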

  • incoherent (unregistered) in reply to Nobody
    Nobody:
    I use Bank of America for my checking accounts. Their first attempt at 2 factor authentication was what they call 'SiteKey'. At the initial login screen, you only enter your ID (*1), no password. If you log in from an unknown computer it asks you some of those inane security questions, and if you get them right it marks your computer as 'known' (*2). It then displays an image and a line of text that you selected and entered (respectively) when you set it up. And at that point it asks for your password. This seems to be a fairly good way to avoid phishing sites (at least for people who wouldn't fall for a 'SiteKey is undergoing maintenance, please enter your password' prompt) but does essentially nothing for actual account security.

    Just recently, however, they've rolled out an optional new service called 'SafePass', which is actual 2 factor authentication. Instead of a dedicated security device the second factor (Something you have) is your cell phone. When you try to log in, it sends you a text message with a random code you have to enter. Certainly a step in the right direction. You can choose whether to use SiteKey and/or SafePass (but you have to have at least 1) to sign in.

My broker on the other hand sent me a SafeWord Platinum, which is an interesting little toy. It's protected by a PIN, and it appears to perform a hash of its serial number and the challenge code I enter from their website, to produce the response. It's a lot less convenient, but it's only required for account management (ie deposits and withdrawals), not day to day trading.

    -JD

    *1: I got in the online banking program early, when you could pick your own ID, so mine is a random 9 digit number. Newer ones are easier to guess, as they're generated from your name with 3 or 4 digits appended.

    *2: Interestingly, it saves the 'known' status on your PC in both a cookie (which gets nuked regularly), and in a Flash shared object, which apparently never gets cleared by any normal means. Check the "Application Data/Macromedia/Flash Player/#SharedObjects" directory in your user profile, I was amazed how many sites are using these as an alternative to cookies.

    Yeah, I noticed this as well. I seem to recall from the original Wish-It-Was-Two-Factor discussion that the default Bank of America username was for a time your SSN, though, which given how much you can do with just a SSN seems to defeat the purpose of the SiteKey (which requires that you put in your username first).

  • John Doe (unregistered) in reply to henke37
    henke37:
    The on screen keyboard was something to prevent keylogging. Too bad it only took a few days until the botnets knew how to record them properly...
    They also forgot that it is more convenient for someone looking over your shoulder watching you enter the answers.
  • (cs) in reply to Doodie
    Doodie:

    The PINsentry has the keyboard, not the card...

    [image]

    What if you have accounts at more than 1 financial institution?

    Having to carry around multiple PINsentry devices and random number generator keythingies sounds like a real pain in the proverbial

  • Me (last time I looked) (unregistered) in reply to Vombatus
    Vombatus:
    Doodie:

    The PINsentry has the keyboard, not the card...

    [image]

    What if you have accounts at more than 1 financial institution?

    Having to carry around multiple PINsentry devices and random number generator keythingies sounds like a real pain in the proverbial

    No no no, the pinsentry is dumb - all it does is communicate with your card. So any institution that uses the chip-and-pin system should be compatible with the pinsentry.

    The pinsentry is effectively the same as the devices used by every merchant in the UK.

    That's the advantage of having a nationally standard two-factor authentication system.

    At least, that's the way they better have done it.

  • Stefan W. (unregistered) in reply to Jetts
    Jetts:
    My bank must have something called "Pretend-that-it's Two-Factor"

    ...

    Eventually I got locked out, and the site gave me a toll-free number to call. Called it, put in my account number and immediately was given a new password. If anyone can get to the point of failing my security questions, all they have to do is get the system locked and a friendly service agent will reset my password and tell them what the new one is.

    Wow, thanks for that.

How did they authenticate you via phone? They didn't - did they?

  • ZaphodsJustThisGuyYKnow (unregistered) in reply to Doug

    Actually, the cards are neat (or can be).

    You can do secure public/private key operations on some of those puppies, with the private key generated on the card and stored only on the card. The cards are cheap too. Like $15.

    Security can be:

    • Your bank challenges you with the information they need to authenticate (e.g. the transaction amount and vendor mentioned in another post)
    • Your PIN is required to activate the private key that is stored only on the card.
    • The card with the active private key is now able to sign the challenge information with the private key.
    • You enter the result (signature) on the bank's web page.
    • The bank uses the card's public key (which they know) to verify the signature.

    So, you can't replicate the code without the private key, which never left the chip on the card. You'd have to be the NSA to snarf the card, figure out the private key stored on it (without knowing the PIN?), and steal the money before the person told their bank: "Oh, umm... I seem to have lost my card. Can you send me a new one?"

    Anyways, they're v. nice. We need U.S. banks that will use them or equivalents.

  • passingthrough (unregistered)

    Timely article. I have recently been in correspondence with the bank where I hold accounts. They have "award-winning online banking" <sneer> When I contacted them to explain why redirects from their home page to their sign-on page (among other things- this was just the first page!) were perhaps problematic, and suggested some reasons and methods for improving it, they responded slowly, but appropriately, of course. They assured me that their site was indeed, secure enough for clients like me, and if I didn't like it, I should bank by phone. I'll withhold my opinion. You can guess what I think.

  • (cs)

    So i want to name my Son "Robert '); DROP TABLE Customers; --"

    Hopefully he likes it. Thanks http://xkcd.com/327/

  • AT (unregistered)

    Very funny! Synergy FCU was my bank when I lived in VA and their first Web site attempts (c. 1999-2000) were pretty comical as well.

  • Qwerty (unregistered) in reply to ptomblin
    ptomblin:
    So Little Bobby Tables obviously isn't a customer there.

    I have to wonder, though, when a site uses Javascript to protect against SQL injection, does that mean they aren't doing any server side protection, or are they just being doubly sure?

    I love this kind of indignation, which conveniently forgets a whole lot of other WTFs we were probably laughing at yesterday. This JavaScript code is USER INTERFACE CODE. This is necessary to present a user-level error message to the unfortunate people like Sue--Ann McNully, who will be prevented from using the service.*

    Exploits like faking an http form submission would be stopped at the server side and probably don't get such a nice, descriptive, error message. J Random Hacker doesn't need an error message when his carefully-crafted SQL injection fails. In fact, detailed error messages at that layer will probably give away important details and compromise security.

* Preventing people from using the service based on unforeseen names is a bug, but doing it with JavaScript is not the WTF.
  • Pen (unregistered)

    Charging for banking services in general seems far more appropriate in the pre-internet era, than post-internet. You've got papers to shuffle, and control can be wielded more readily. They collect shady overdraft fees for a revenue stream, and I think these days hiring many bank employees and throwing a second-rate IT effort for their online services are just signs that the industry is buying time.

  • (cs)

    Fortunately my favorite color is DEADBEEF, but unfortunately my favorite tv show is TRUNCATE TABLE USERS.

  • Zock (unregistered) in reply to JelloGoesWiggle

    Ooh... ooh... I know this! I'll take... I pick "low" and "cost"!

  • Zock (unregistered) in reply to Zock
    Zock:
    Ooh... ooh... I know this! I'll take... I pick "low" and "cost"!

    'Twas in reply to:

    JelloGoesWiggle:
    Here we see the universal security constant at work.

    Pick two: security, usability, low cost.

  • (cs)

I wish I could be sure that their injection guard policies do extend to the back end. If they don't... the prospect is horrifying.

In this neck of the woods (Eastern Europe) Internet banking has always had PROPER two factor auth. There are two levels of security in my bank. The lowest utilizes a small plastic card with 30 random numbers on it. When you log in you get asked a random one in addition to your username and password. If you fail to log in the same one is asked to prevent code phishing. There was a Trojan at some point that did that, after which the bank put up warning notices... This method of auth is limited to transferring relatively small sums of money, enough for a private individual but not suitable for business users.

On the higher level you must use either an ID card that has a chip with RSA certificates in it to identify yourself or a PIN calculator. And usability does not suffer much. It would suffer much more if I had to start answering stupid questions...

All in all... I can't believe there are systems out there used in banking that are allowed to pretend this replaces proper two factor auth... It's scary...

  • Eso (unregistered)

My bank uses this scheme:

    To login to ebanking, I need

• certificate (3kB key file with asymmetric cipher on hdd/cd/usb key)
    • password

But if I want to make any money transfer after login, a single-use security code is sent to my cell phone via SMS and I have to enter it on the web page to confirm the transaction. This code is valid only for this specific session.

Everyone has a cell phone in my country, so it's no problem.

  • erisdiscordia (unregistered)

    While not quite that strict, my bank (a Czech one, and a specialist in e-banking) does offer the option of a cell-phone element to your key. That is, you can choose for your key to be either

    • a modification (I believe) to your SIM card, that is, to the thing that makes your cell phone tick, or
    • a little "calculator" whose output presumably is coordinated with the bank software by way of an internal clock. (It doesn't have an antenna or anything.)
    • a third option called an "internet key", which I've never used and can't describe. I suspect it's the least secure of the three, however.

    e.

  • (cs) in reply to Ubersoldat
    Ubersoldat:
    My Bank implements a double security as it should

    You need your ID Number, Internet Access password and to be able to process any action on your accounts, you have to provide a digital signature (fancy name for another combination of numbers and letters).

No stupid "what's your dog's last name" questions

    That's still only "Wish it was 2 factor" security.

    The "factor" part is the refers to "knowing", "having" and "being". All the things you mentioned fall into the "knowing" category, so it's only one factor...

  • David Stokar (unregistered)

    Is this a mock up or is this reality?

  • (cs) in reply to ActionMan
    ActionMan:
    Ubersoldat:
    My Bank implements a double security as it should

    You need your ID Number, Internet Access password and to be able to process any action on your accounts, you have to provide a digital signature (fancy name for another combination of numbers and letters).

No stupid "what's your dog's last name" questions

    That's still only "Wish it was 2 factor" security.

    The "factor" part is the refers to "knowing", "having" and "being". All the things you mentioned fall into the "knowing" category, so it's only one factor...

The digital signature certificates are usually contained in a physical chip, attached to a credit card sized card, and you need to enter a PIN into the card to use them. So it constitutes something you "have".

That fancy name for a digital signature is fully justified, because it's just not a row of numbers. It's a hash of whatever you are signing, encrypted with your secret key. Anybody can get the hash out of it again to verify it with your public key, but only you can make that signature...

  • Bram Stoker (unregistered) in reply to d3matt
    d3matt:
    mallard:
    BST:
    While this scheme seems relatively secure, it is certainly not five-factor:
    1. Membership number is not a factor because while it is something you know, it is not confidential information known only by you.
    2. Surname is not a factor for the same reason.
    3. PINsentry device is not a factor because all users have the same device and it is not specific to you.
    4. The credit/debit card IS a factor.
    5. The PIN IS a factor.

    So this is a two-factor scheme.

    While I'm not entirely sure how PINsentry works, I assume that it has some kind of cryptographic signature "burned in", which may be unique to the user and therefore could count as a factor.

If it doesn't, that's pretty stupid... also, the PIN and credit/debit card count as only one factor.

    It doesn't have to be, in the Netherlands there are two general systems with such an external device:

1. A generic device that is the same for all customers, which has a slot in which you have to put your card to use it. This is nice, because you can bank at a friend's place w/o having to carry your device around (assuming he has the same bank). (The 'what you have'-factor is your card.)

    2. A specific per user device with a burned in code, no card required (my bank). I suppose the advantage is that you can bank w/o a card (which costs money). (The 'what you have'-factor is the device.)

    Both methods usually also require a secret number ('what you know'-factor), which usually is different from the number you use for ATM machines.

I locked up my 'device' by entering the wrong code (the ATM code). Therefore the only thing I can do with it yet is enter the unlock code that I can get from my bank; I cannot use it as a 'what you have' factor anymore. In order to get this 'unlock code' my bank falls back to a 2nd what-you-have factor, my phone. They will call me on my mobile to give the unlock code. However, I didn't give them my number. (I never give my phone number to commercial institutions w/o knowing what they will use it for, which they didn't tell in advance.) So now they fell back to the 3rd 'what-you-have' factor, my house, and sent me forms to ask for my phone number. (I suppose I could do everything by mail, but I gave them my phone nr. anyway.) The fact that I tried to use my card in all kinds of East European countries could have tightened their security because it might look like it was stolen.

  • (cs) in reply to Jamie
    Jamie:
    I was pleased to note that recently my Bank in the UK implemented proper Two-Factor security.

    I have to give something I know (a 10-digit membership number) and my surname, then I must use something I have (my Bank Card) to generate an 8 digit number using a whizzy-bangy-calculator-like-implement and my regular PIN number.

It takes 15 minutes to login, but at least it's secure :D

    No seriously, I can login in seconds and I do actually feel like my online banking is more secure.

    ABN Amro (Netherlands) has had this for a few years. Very convenient to use (as long as you've got the calculator - I have one at work/travel and one at home).

    But I should point out that the 'thing that you know' is not the account number (at least in my case, it's printed on the card) - it's the PIN.

    The calculator just lets you make use of the PIN (to generate the response to the random challenge) without divulging it.

  • Cope with IT (unregistered) in reply to Crayne
    Crayne:
    I love that they've also gone ahead and disabled rightclicking so us bastards can't look at the source code. Except. And that it only checks for Netscape and IE.
    And even on IE you can use the menu to view the source code...
  • Cope with IT (unregistered) in reply to Fedaykin
    Fedaykin:
No, that's a huge WTF. A project I took over did this, and guess what half the questions were:

    "My password is rover123".

    Then, the previous developer decided to not allow questions with the password in it, so the questions became:

    "My password is my my dog's name with 123 after it"

    or

    "My password is rover12*3.

    Wow, that's brillant. I laughed and I laughed and I laughed.

    Users are so ... unbelievably creative.

  • (cs) in reply to EvanED

    BTW, it is possible to make fingerprints check if the finger is actually attached to its "owner".

  • tinfoil hats are the minority (unregistered)

Reality: Most bank customers in the US rank convenience higher than security in habit. We are lazy, unlike most commenters here.

    More security = less convenience

    So any bank increasing security/decreasing convenience out of step with competition will lose customers to the competition or at least upset customers. This happened with 2-factorish rollouts when some banks didn't implement 2 factor. Customers left banks trying to improve security in favor of those who didn't (and who were defying law).

Laws are needed to push security higher in the US because banks won't cooperate and exceed laws for the greater good.

  • (cs) in reply to sas
    sas:
    Why the hell should I care how stupid they want to be? If I see signs that the bank is being run by complete morons, I'm just going to move my money to a better bank.

    To be a good citizen, and to act like a professional. Yes, we can see how poor it is, because we are computer experts. But most bank customers are not, and the security of their accounts is endangered.

    Secondly, enlightened self interest, because the bad drives out the good. If some banks can hoodwink the many ignorant customers with cheap but crap security, the banks that do a proper job will go out of business or degrade their security measures, and people like yourself will have no choice.

  • (cs)

    In the UK, well my area anyway, there was an important e-mail that circulated while I was doing work with the council, and apparently it is a little known fact, but if you enter your PIN backwards into an ATM it will allow transactions but alert the police. I've never tried it, but have been assured it works.

  • D2oris (unregistered) in reply to joaomc

Yeah, body heat, heartbeat etc can be detected.

The bank I have here in The Netherlands is pretty secure, and even a bit phishing-proof. (I don't think you can theoretically be phishing-proof.)

You need your electric doo-hickey, enter your card, PIN number and authentication code from the site. It returns a login ID. So that's two-factor.

    Then after every transaction (or set of transactions), you do the same thing. The auth. code is generated from your transactions, and larger transactions require you to enter the total transaction amount on your electric doohicky together with the rest. This way phishers can only withdraw as much as you withdraw.

The only way that they can get more is if they create a ruse that tells you "they changed the system and you have to fill in 100000 as second number now". But hey, it's a nice try. As nice as it is gonna get without you manually doing all your business a second time on the electric doohicky.

  • Lady Nocturne (unregistered)

    My credit union uses this system. HATE it. LOVE my CR, but hate the new system.

    However, they've so generously left their old login option still available... they've taken the links off of their website for it, but I kept the same bookmark, so I just use that. Supposedly the old login was going to be disabled last April... it's now October. I'm not going to complain. :-)

  • csharp4me (unregistered)

    I'm working for a small bank and we are starting to implement multifactor but have thought of using this product: https://myvidoop.com/

    You select picture categories as your password. Different pictures are displayed and you simply choose the ones in your category.

    The 2 factor part is that they can call you or text your mobile with a passcode.

    We are debating about a 2 phase approach where we use the above now and later on give users the ability to choose if they would prefer to use a token authentication instead.

    Thought I would throw myself to the wolves and see what happens.

  • JonC (unregistered) in reply to Shakje

    Surely as an experienced internet user you know to check things like that on Snopes?

    http://www.snopes.com/business/bank/pinalert.asp

  • (cs) in reply to BST
    BST:
    mallard:
    Even better, my bank is implementing this: http://www.barclays.co.uk/pinsentry/

    In other words, to use online banking, you will need:

    1. Membership no.
    2. Surname
    3. PINsentry device
    4. Credit/Debit card
    5. PIN no.

    So that'll be five factor authentication, with no "What is your favourite colour" in sight...

    While this scheme seems relatively secure, it is certainly not five-factor:

    1. Membership number is not a factor because while it is something you know, it is not confidential information known only by you.
    2. Surname is not a factor for the same reason.
    3. PINsentry device is not a factor because all users have the same device and it is not specific to you.
    4. The credit/debit card IS a factor.
    5. The PIN IS a factor.

    So this is a two-factor scheme.

    It looks like the PINsentry device uses both the information stored on the credit card and the pin to generate a random key each time you log into the website.

    I assume this works similarly to the RSA SecurID token I use for work in that it must be synchronized with the authentication server to work. In this case, there must be an internal random seed that is either incremented or time-based. If the seed is incremented each time you enter your pin (I once had a different type of RSA token that did this), then the seed would be synchronized with the server. With any other token, you would not be able to obtain a valid pin... hence the token itself is probably a factor. I don't know if PINsentry is as good as my RSA SecurID, but without my specific token, I cannot log into the intranet from outside the workplace, which requires a passphrase and the pin from the token display (two factor).

    Requiring the bank card, entry of a pin number, and a specifically assigned PINsentry token seems like 3-factor to me. I could be wrong.

  • one in a hundred (unregistered) in reply to Shakje
    Shakje:
    In the UK, well my area anyway, there was an important e-mail that circulated while I was doing work with the council, and apparently it is a little known fact, but if you enter your PIN backwards into an ATM it will allow transactions but alert the police. I've never tried it, but have been assured it works.

    Ah that explains the white van in front of every building I visit! My PIN used to be a palindrome (and the bank had chosen it, couldn't change it myself). Guess this is a one in a hundred chance, or slightly less if they disallow '0000' and such. I do not live in the UK though.

  • NeoMojo (unregistered) in reply to JelloGoesWiggle
    JelloGoesWiggle:
    Here we see the universal security constant at work.

    Pick two: security, usability, low cost.

    If I pick low cost and low cost does that make it free, effectively proving you can't get security or usability for free?

  • div (unregistered)

    Hmm. Aside from the potential client side/server side problem (we don't know what checks are actually performed on the server side), and the issue of blocking legitimate responses which happen to contain those combinations of letters, the javascript doesn't even filter INSERTs effectively. An error is raised if the input contains both INSERT and INTO.

    But: INTO is a noise word under several databases and is not necessary. "INSERT table1 (col1) VALUES ("boo!")" works fine, and won't be caught.
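The two points div makes, as an added example in Python (not code from the thread or from the bank's site): a model of the client-side check that errors only when both INSERT and INTO appear lets the no-INTO form through, while binding the name as a query parameter on the server makes the blacklist unnecessary, since "Robert '); DROP TABLE Customers; --" and "Sue--Ann McNully" are then just stored verbatim. The exact JavaScript rules are not on the page, so the filter here is an assumed, case-insensitive reconstruction; sqlite3 stands in for the bank's database.

```python
import sqlite3


def blacklist_allows(value: str) -> bool:
    """Assumed reconstruction of the page's client-side rule: reject only if the
    input contains both INSERT and INTO (case-insensitive)."""
    up = value.upper()
    return not ("INSERT" in up and "INTO" in up)


def _fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    return conn


def table_exists(conn: sqlite3.Connection, table: str = "customers") -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None


def store_by_concatenation(conn: sqlite3.Connection, name: str) -> bool:
    """The pattern the blacklist tries to protect: SQL built from the raw input.
    executescript runs every statement the value smuggles in. Returns whether the
    customers table survived."""
    conn.executescript(f"INSERT INTO customers (name) VALUES ('{name}');")
    return table_exists(conn)


def store_parameterized(conn: sqlite3.Connection, name: str) -> str:
    """The server-side fix: the name travels as a bound parameter, never as SQL.
    Returns the value actually stored, read back from the table."""
    conn.execute("INSERT INTO customers (name) VALUES (?)", (name,))
    return conn.execute("SELECT name FROM customers ORDER BY id DESC LIMIT 1").fetchone()[0]


# Constructed inputs taken from the thread: the xkcd name, div's no-INTO form, the hyphenated surname.
BOBBY = "Robert '); DROP TABLE Customers; --"
NO_INTO = 'INSERT table1 (col1) VALUES ("boo!")'
HYPHENATED = "Sue--Ann McNully"


def demo() -> dict:
    return {
        "filter_passes_bobby": blacklist_allows(BOBBY),        # no INSERT at all, so it passes
        "filter_passes_no_into": blacklist_allows(NO_INTO),    # INSERT without INTO passes
        "concat_table_survives": store_by_concatenation(_fresh_db(), BOBBY),
        "param_stored_bobby": store_parameterized(_fresh_db(), BOBBY),
        "param_stored_hyphen": store_parameterized(_fresh_db(), HYPHENATED),
    }
```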

  • NIghtCactus (unregistered) in reply to Eso

Eso:
    Everyone has cell phone in my country, so it's no problem.

    No, it's not that everyone has a cell phone. It is that banks only care for customers who have cell phones, because if you do not have a cell phone, you likely do not have enough money for the bank to bother having you as a customer.

    And of course cell phone password has its own security issues.

    But mostly I'm amazed how everyone touts complex 2-factor schemes. It is a huge blow to usability and a real WTF indeed.

Just look how the problem was solved with credit card transactions in the US: limit customer liability to $50 by law. Now credit card fraud becomes the merchant's and bank's problem. Bank security should be the bank's problem. Users should not have to suffer. This includes not having to jump through hoops to access your account online. Remind me: was online banking supposed to be about convenience? Why, let's shut down online banking and ATMs and conduct all transactions in person in your home branch through a personal banker who knows you. The 19th century was so much more secure.

  • First (unregistered)

    Here's a line i found on my Credit Union's "Security" page..

    After talking about SSL and account lockouts and such, the last line on the page says this:

There's More, But... Of course, that's not all the security features PC Branch provides, but we won't describe them all to you. Secrecy about security measures is part of what makes them so secure.

  • (cs) in reply to First
    First:
    Here's a line i found on my Credit Union's "Security" page..

    After talking about SSL and account lockouts and such, the last line on the page says this:

There's More, But... Of course, that's not all the security features PC Branch provides, but we won't describe them all to you. Secrecy about security measures is part of what makes them so secure.

Ah, the whole "security by obscurity" argument. Riiiight... So, if I leave my front door unlocked, but don't tell anybody, is it any more secure than if I did tell people? Of course not! Would my house be more likely to be robbed if I told everybody that my house was unlocked? Probably.

    This is where people get confused about security. There is security with respect to reducing the probability of attack, and then there is security that reduces the probability of an attack being successful. Finally, there is security that reduces the damage from a successful attack.

    Given the environment of the Internet, one should assume that attacks will occur, so the first layer of security is merely window dressing.

  • liltim (unregistered)

    I'm gonna suggest that my, uh, "friend" open an account there. What with the CAPTCHA, the JavaScript SQL validation, and the five "security" questions, it's no doubt that my, uh, "friend's" money is secure.

    Although my, uh, "friend's" favorite cartoon character is Ren. Oh, well. Stimpy will do.

    Of course, the account will get locked out when you can't remember what the hell you wrote, so you call 'em up, get the new password, and guess what? The money's gone. Why? Cuz some 15-year-old in a basement in BFE hacked the nothing out of it.

    P.S. Firefox not recommended?! Brillant. Just brillant.

  • Threner (unregistered) in reply to Zygo

    They have extra security in place because all tables are named with only 8 characters, so they just assigned random numbers to them.

    And who would possibly guess what these random numbers are?

  • (cs) in reply to Shakje
    Shakje:
    In the UK, well my area anyway, there was an important e-mail that circulated while I was doing work with the council, and apparently it is a little known fact, but if you enter your PIN backwards into an ATM it will allow transactions but alert the police. I've never tried it, but have been assured it works.

    Sure, it's little-known: it's false.

    My first thought on reading this was "it sounds like an urban legend" and my second thought was "the police can't possibly get to an ATM location fast enough for this to do ANY good at all."

    See http://www.truthorfiction.com/rumors/a/atm-911.htm

    Enter your ATM Pin Number Backwards to Summon Police-Fiction!

    Summary of the eRumor:
    An alert that if you ever find yourself in a scary situation at a banking ATM machine, such as a thief forcing you to withdraw cash, just enter your personal identification number (PIN) backwards. That will automatically send a message to the police that you are in trouble and they will respond to the machine. The eRumor says that most people don't know about this.

    The Truth:
    The eRumor is false because there isn't anywhere that we could find where this emergency procedure at ATM machines is actually being used.

There is a seed of truth to it, however, in that the idea has been floating around for a while. One of the biggest proponents has been an Illinois attorney named Joseph Zingher. He says the notion came to him when he was a law student at the University of Illinois and one evening was withdrawing money from an ATM in a scary part of town. He patented his concept in 1998 and has been trying to talk banks into using it ever since.

    Under Zingher's system, every ATM account would have two PIN numbers---the normal PIN used to withdraw money and what he calls the "ATM SafetyPIN" to alert police that something bad was happening at the ATM. It has also come to be popularly called the "Panic PIN." The SafetyPIN would typically be the reverse of the normal PIN number or some other variation that would be easy to remember. Legislation was passed in Illinois that would allow banks to adopt the system, but did not mandate it.

    So far, no banks or financial institutions have done so. Zingher has offered to let Illinois-based banks use it for free but some of them have said they think it would be too expensive and that ATM crime is not frequent enough. Zingher says that ATM crime is much higher than believed because not all crime reporting reflects whether it has taken place in connection with an ATM or forced withdrawal of cash.

  • Jesuit (unregistered)

    Can someone help me out here? My bank has like umpteen security questions, my credit card processor makes me change my password like every 2 weeks,

    both offer without resistance to E-Mail the necessary information to my rinky dink email account, which my credit card processor conveniently accepts as my user name.... sigh.

    Isn't there some security system that requires the user to upload a digital picture of some sort with each login? That sounds like fun.

  • Franz Kafka (unregistered) in reply to Cope with IT
    incoherent:
    Yeah, I noticed this as well. I seem to recall from the original Wish-It-Was-Two-Factor discussion that the default Bank of America username was for a time your SSN, though, which given how much you can do with just a SSN seems to defeat the purpose of the SiteKey (which requires that you put in your username first).

    It seems they've discontinued that. BoA is sort of annoying, but the picture id stuff is at least effective.

    Cope with IT:
    Fedaykin:
    No, that's a huge WTF. A project I took over did this, and guess what half the questions were:

    "My password is rover123".

    Then, the previous developer decided to not allow questions with the password in it, so the questions became:

    "My password is my my dog's name with 123 after it"

    or

    "My password is rover12*3."

    Wow, that's brillant. I laughed and I laughed and I laughed.

    Users are so ... unbelievably creative.

    that's what I'd do. I have no interest in memorizing another password. I also do things like setting all the answers to the name of the institution - it's not really adding anything, so I might as well make it easy for me.

  • w00t (unregistered) in reply to csharp4me
    csharp4me:
    I'm working for a small bank and we are starting to implement multifactor but have thought of using this product: https://myvidoop.com/

    You select picture categories as your password. Different pictures are displayed and you simply choose the ones in your category.

    The 2 factor part is that they can call you or text your mobile with a passcode.

    I wouldn't bother with myvidoop.

    If you want proper 2-factor auth, use a token, and one with a keypad, so that the what-you-know (PIN) is entered on the token, and the token can just belt out a response to an on-screen challenge.

    Bonus points for making sure the amount and destination-account-number has to be entered into the device to authenticate transaction.

    The device my bank uses is from vasco.com - they also have a device similar to the pinsentry one (that one's by gemalto) which complies with EMV-CAP - a fairly big deal if you were a European bank, if anyone else is reading this...

    (It's sad to see a manufacturer like vasco promoting some weaker authentication schemes as well. At least they should clearly indicate the suckiness of the cheaper schemes)

    If you do go the mobile phone route, make sure the amount and destination-account-number are included in the text message. And take note that the 'what-you-know' is now entered on a PC keyboard, and easily intercepted by malware. So better make sure those texts don't get intercepted!
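    As an added illustration of the transaction-binding w00t describes (example code, not from the original thread or from any vendor's product): a toy keypad token whose SIGN response covers the amount and destination-account prefix, so a phishing proxy that swaps the destination cannot reuse the code, and a LOGIN code cannot be replayed as a SIGN code. The HMAC-based scheme, the 8-character prefix length, the secret, PIN and account numbers are all constructed placeholders.

```python
import hashlib
import hmac
from typing import Optional

# Constructed placeholders: the token secret is provisioned into the card/device
# and the bank's verifier; the PIN only unlocks the device and never leaves it.
TOKEN_SECRET = bytes.fromhex("00" * 16)  # placeholder, not a real key
TOKEN_PIN = "1234"                         # constructed sample PIN
DEST_PREFIX_LEN = 8                        # "first xx characters" of the account


def _otp(secret: bytes, *fields: str) -> str:
    """6-digit code over every field, with a domain tag first (hypothetical scheme)."""
    msg = "|".join(fields).encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def token_login(pin: str, challenge: str) -> Optional[str]:
    """LOGIN key: response is bound only to the bank's on-screen challenge."""
    if pin != TOKEN_PIN:
        return None  # wrong PIN: the device refuses, nothing reaches the PC
    return _otp(TOKEN_SECRET, "LOGIN", challenge)


def token_sign(pin: str, amount: str, dest_prefix: str) -> Optional[str]:
    """SIGN key: amount and destination prefix are typed on the keypad itself."""
    if pin != TOKEN_PIN:
        return None
    return _otp(TOKEN_SECRET, "SIGN", amount, dest_prefix)


def bank_verify_login(challenge: str, response: Optional[str]) -> bool:
    expected = _otp(TOKEN_SECRET, "LOGIN", challenge)
    return response is not None and hmac.compare_digest(expected, response)


def bank_verify_transfer(amount: str, dest_account: str, response: Optional[str]) -> bool:
    """The bank recomputes the code over the transfer it actually received."""
    expected = _otp(TOKEN_SECRET, "SIGN", amount, dest_account[:DEST_PREFIX_LEN])
    return response is not None and hmac.compare_digest(expected, response)


def phished_transfer_is_rejected() -> bool:
    """Victim signs 150.00 to account BE12...; a proxy forwards it to BE99...."""
    code = token_sign(TOKEN_PIN, "150.00", "BE12345678901234"[:DEST_PREFIX_LEN])
    return not bank_verify_transfer("150.00", "BE99999999999999", code)
```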

  • Leslie (unregistered)

    The problem with two factor authentication is that it costs the bank money that is difficult to recover from consumers. So in NZ they have a cunning plan.

    1. Make sure your high fee paying business customers have two factor authentication so they don't come back to litigate against you.
    2. For your lower fee paying, lower net worth ordinary customers simply get your Industry Code of practice updated to deal with online fraud by saying that if a customer accesses the bank using an "insecure system" then they are liable for 100% of the losses. Don't worry about making your security any better, just make up a new rule that says it's the customer's fault.

    Problem solved.

  • (cs) in reply to d3matt
    d3matt:
    if it doesn't that's pretty stupid... also, the PIN and credit/debit card count as only one factor.

    Um, what the hell? A card and a PIN number is classic two-factor authentication, as seen on ATM machines (where you have no other factors).

  • (cs) in reply to Doug
    Doug:
    So how do we have the software verify that we HAVE something? Odds are no matter what we have it just produces a code that then gets transmitted. Can't that just always be replicated somehow?

    I am not sure how we enable two-factor authentication ever.

    And a physical key is still "something you know" because you can memorize the shape and make another one - the point is to make it non-trivially difficult to duplicate the physical factor. Without that, the equivalence of matter and energy (or the possibility of writing down your PIN number, turning it into "something you have") invalidates the whole concept.

Leave a comment on “Banking So Advanced”
