Admin
Student-run branches? More like student-designed security systems. And...1st? Oh wait it's not valid... so frist :-p
Admin
Red... I mean... Frist
Admin
Well since "DELETE [whatever]" is just as valid of a SQL statement as "DELETE FROM [whatever]" they can still be Little Bobby Tables'd.
Now if you'll excuse me, I need to go back to coding via my onscreen keyboard.
Admin
Sorry, I won't be joining your little cause...
...or any of those banks.
Admin
"What is your favorite color?"
"RED .. no, Blue AAAAAAAAAAAAAAAAAAAGH!"
Admin
Seriously? That's got to suck.
Admin
The credit union where my account is actually uses this system. I can assure you this is a complete disaster!
Admin
They really need to hire someone who understands a bit of computer security... If my bank had such a system, they'd have one less customer.
Admin
I've had the misfortune to deal with this software before.
The good thing about the security question is that you can write your own.
That way you can choose a password like, for example (never use this btw) "password". Enter something like "What's with asdf?" and the answer is "passwordasdf".
Yeah, it's a kludgy hack, but then again so was the question thing in the first place.
And regarding the virtual keyboard, if you look at the form field it types into with Firebug, it doesn't even use the correct ASCII characters, it uses a substitution cipher.
You know, in case anybody's sniffing your HTTPS connection.
Or if the bank in question didn't use HTTPS, that would be a genuine WTF.
Admin
Exactly why I keep my money in a mayonnaise jar. But don't worry, I have authentication for my jar. Currently it is located in a secure spot (under ground in yard). My authentication is as such: a doberman will attack anyone who approaches the spot in the yard. I monitor their screams. If they sound familiar (wife, children, etc) I perform a visual confirmation to ensure their identity and allow them access (BAM! Two-factor). If I do not recognize their scream after 15 seconds, my band of wild ninjas swoops down carried by 47 crows to kill the intruder. Their weapons, of course, are blank CDs and tupperware lids (both sharpened), a bottle of 409, a 9-iron, and a spoon.
I am currently marketing this service to all financial institutions. Doberman's not your style or looking to cut down costs? I offer a wide selection including (but not limited to) miniature donkeys, lemurs, sharks (yes, with lasers), dogs, and Bobby Brown.
Admin
Poor Allan Drophy and Anullia Harris.
Admin
Now THIS is a true classic. The sort of classic that makes you wince a bit as you read the next little nugget of insanity. The sort of classic that makes you fear for the security of your financial data. The sort of classic that makes you withdraw all your money from the bank and put it into a fire-safe box under your bed. BRB, got some banking to do.
PS: Fire-safe box. I cannot stress that enough to anyone who keeps large amounts of money around the house. Always use a fire-safe box. Decent ones can be quite expensive but it will pay for itself 10 times over the first time you have a fire.
Admin
Having witnessed Harland's software at a former job (where we had a bank) I would prefer software written by Harland Sanders, better known as the KFC founder and icon.
Admin
I see the obvious flaw in your system. Your buried treasure will attract pirates and as we all know pirates >>> ninjas (even wild ones). Not only is your booty at risk, but I suspect your wife and children aren't going to be safe either.
Admin
Well I tried to account for that; maybe my understanding of pirates is flawed. I thought simply by not putting an X on the spot where my jar is pirates would not locate the jar.
As for the wife and children...unfortunately we don't have to worry about that anymore. While writing my last reply they strayed too close to the booty....nuff said.
Admin
No X? Damn your eyes you devious land lubber. I slice your gizzard with me cutlass and feed your innards to your dog.
Admin
Well, obviously Chuck Norris could take on a whole galleon of pirates, but he will probably also take your money. After all, are you going to stop him?
Admin
Why is "RED" not allowed? Because it has less than four freaking letters!!! Duh!
Admin
I can't decide which is more lazy: re-running an old article, or not being able to click the "Random Article" link in the top-left corner.
Captcha: saepius -- The Chinese prius
Admin
Tis triumphantly the tautology thought through to transcendence.
Alliteration FTW
Admin
Favorite Team? A
Favorite TV Show? V
hmm ... I guess I gotta start watching other shows ... :)
Admin
Eh, that sanitation isn't so bad. My credit union does this:
...wait, scratch that, Akismet thinks the code snippet is spam. So, let me explain: My credit union creates a variable called cnt and sets it to zero. They then run a for loop using a new variable, i, which they use to step through the user input, character by character, checking indexOf(';'). If they find that tf.elements[i].value.indexOf(';') > -1, they do "cnt = cnt + 1." After the for loop is done, they check to see if cnt > 0, and if it is, they tell you not to use any semicolons.
No, seriously.
Admin
GENIUS!
Admin
A few months back a recruiter contacted me about a coding position at Harlan. After reading this, I'm glad they weren't interested in me.
Admin
The article misses the point of not allowing 'red'.
Allowing one's password to be 'red' is a valid security concern. Haven't you ever heard of a 'red-side' network interface, or a 'red-side' host? It means NOT SECURE! Contrast this with a black-side, where security is present. Everyone's password should be BLACK -- now that would be secure.
Admin
At the very least it's an NCUA-insured institution (NCUA = FDIC for credit unions), so if your money gets stolen it's not ultimately your loss. I still find it baffling that financial institutions find systems like this a good risk-reward tradeoff.
Incidentally, has anybody else noticed how hard it is to set strong passwords at financial institutions? There's one major mutual fund company that uses an eight-character-max alphanumeric (no symbols allowed) password, and validates your username on a separate screen (and throws an error if it isn't valid). Come on...that's practically asking to be hacked.
Admin
TRWTF is wanting to use red in the first place. Aside from the Ohio State in me wanting to try scarlet, every one of us should know to actually use #FF0000.
Admin
Better DEAD than RED, I always say.
Admin
If only I could keep all my money safe with Blizzard... I've found it long hilarious that my WoW account (complete with actual 2-factor authentication!) is now orders of magnitude more secure than my bank account (which, hilariously (if I weren't forced to use it) doesn't even allow alphanumeric characters in the password, let alone special characters: passwords are entirely numeric. Isn't that just great? No, I won't tell you what I use. :p)
Admin
HSBC still uses an on-screen keyboard as part of sign-on. It's so annoying and tedious.
Admin
But "wish it was two factor authentication" fits right in with all the other banking industry standards: "wish our web programmers could write secure code" "wish our javascript kludges didn't suck" and "wish our customers were as stupid as we are".
Really, it is quite discouraging, and a little frightening, how most bank / brokerage / financial sites have the WORST security when they should be the most rigorously developed.
Oh, yeah, and "wish the taxpayers would bail us out again so we don't have to fail and make room for someone with clue."
Admin
So you need a numeric password that doesn't contain any alphanumeric characters? That's a neat trick. (Hint: alphanumeric includes the numbers)
Admin
The joy of banks. If they're not outright crooks (like Chase), they're downright incompetent. You're better off banking with Tony Soprano.
Admin
One of my most memorable IT classes was when the instructor was teaching about pointers, and wanted to explain that you need to have valid references to all objects that can be followed from a known point. At which point he said, "Don't bury the treasure map with the treasure."
Admin
My bank in Portugal uses a 7-number password to login (but they only ask for three numbers from random positions, so keylogging one authentication is useless), but the nice part is they send you an SMS with a random code for every actual transaction, so any attacker will have to get your phone too (and use it before you alert the bank).
It's OK, I'd say.
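A small model of the "three digits from random positions" login described in the comment above, added here as an example (it is not the commenter's or any bank's code): it shows the challenge/response exchange, a constant-time server check, and exactly what a keylogger that captures one login learns. The 7-digit PIN, 1-based positions and sample PIN value are assumptions.

```python
# Added example, not from the comment or any bank: a model of a partial-PIN
# login (3 digits asked from 7), plus what one captured login reveals.
# PIN length and 1-based positions are assumptions taken from the comment.
import hmac
import math
import random

PIN_LENGTH = 7
CHALLENGE_SIZE = 3


def make_challenge(rng=None):
    """Server: choose three distinct 1-based positions to ask for."""
    rng = rng or random.SystemRandom()
    return tuple(sorted(rng.sample(range(1, PIN_LENGTH + 1), CHALLENGE_SIZE)))


def respond(pin, challenge):
    """Client: the user types only the digits at the requested positions."""
    return "".join(pin[p - 1] for p in challenge)


def verify(stored_pin, challenge, response):
    """Server: constant-time compare. Caveat: checking individual positions
    means the server must recover each digit, so the PIN cannot be stored as
    a single salted hash the way an ordinary password would be."""
    expected = respond(stored_pin, challenge)
    return hmac.compare_digest(expected.encode(), response.encode())


def known_digits(captured):
    """Defender's view of one keylogged login: only the digits at the asked
    positions leak, returned as a position -> digit map."""
    challenge, response = captured
    return dict(zip(challenge, response))


def replay_probability(known):
    """Chance that a fresh random challenge asks only for already-known
    positions, i.e. that one captured login is enough to answer it."""
    if len(known) < CHALLENGE_SIZE:
        return 0.0
    return math.comb(len(known), CHALLENGE_SIZE) / math.comb(PIN_LENGTH, CHALLENGE_SIZE)


if __name__ == "__main__":
    pin = "4819273"  # constructed sample PIN
    challenge = make_challenge(random.Random(7))
    response = respond(pin, challenge)
    assert verify(pin, challenge, response)
    known = known_digits((challenge, response))
    print(f"asked for {challenge}; one capture leaks {known}")
    print(f"fresh challenge answerable from it: {replay_probability(known):.3f}")
```

With three of seven digits known, a single capture answers a fresh challenge only when the server happens to ask for the same three positions, i.e. 1 in 35 logins.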
Admin
Security instructions:
Your password must be at least eight characters, including at least one upper case letter, one lower, a digit, and a special character. Do not use any personal information, like your spouse's name, birth date, or city where you were born, as a hacker might be able to find out such information about you. Do not use any ordinary English words, especially common ones like names of colors or foods, as a hacker could try common English words. Your password should be a meaningless stream of characters.
It is true that this may make your password difficult to remember. In the event that you forget your password, we will provide a "security question", the answer to which is essentially an alternate password that can be used to access your data just like your real password. The answer to the security question will be some personal information about you, like your spouse's name, birth date, or the city where you were born; or it could be some ordinary English word that is easy to remember, like your favorite color or favorite food.
Of course, with a password, if you were permitted to use some insecure text like your city of birth or favorite color, a hacker would not have any way to know just what personal information or common word you used, but he could try many many possibilities until he found the right one. To make the security question extra secure against this sort of brute force attack, we will tell the hacker exactly what personal information or common word is being used.
Admin
Chuck Norris can execute an infinite loop in 12 seconds.
Captcha: "jumentum": mass times velocity times Semitic factor
Admin
Using favorite color as a security key is clearly sexist: It will be much easier to hack into men's accounts than into women's. Most men only know the names of about eight colors, but women have hundreds, like "periwinkle" and "chartreuse" and so on.
Admin
Favorite Programming Language? C
Favorite Tommy Lee Jones character? K
Favorite Bird? T
Admin
American Funds? I wince every time I log in.
Admin
And fair enough, I should've said that it doesn't accept all alphanumeric passwords, not that it doesn't accept alphanumeric characters (obviously, it accepts some of them.)
Admin
The US Treasury site does this.
They ask you for a complex password, and then they send you a little access card of random junk in the mail. You need both to get into your account.
Unfortunately, you also need to know the answers to the four security questions they asked you -- two weeks ago, before the card arrived in the mail.
And I don't know the answers. I don't have a favorite movie, I never had a childhood pet, etc. So I can't get into my account. Fantastic.
Go on, try it: https://www.treasurydirect.gov/RS/BPDLogin?application=rscreate