Admin
My bank account doesn't implement this, but recently it will not accept a password that is shorter than 6 characters, longer than 8, or contains anything other than letters and numbers. I sent a complaint in via an online form because the bank forced me to change my password from something fairly secure to something with these ridiculous guidelines. Over a year later not much has been changed security wise.
Admin
Quote from https://verifyme.synergyonefcu.org/auth/Authorize?fiid=1
Y2K’s calling, they want to know if it’s safe to disable JavaScript on their website, or if it’s going to cause stars to fall from heavens.
Admin
Favorite Color: Tan
Would that be a valid option...I wonder.
CAPTCHA: similis Doctor: You have Similis! Patient: Don't tell my wife..I must have ..uh.. caught it from a dirty toilet seat!
Admin
Not including transparency? You got something against ghosts?
Admin
It's obvious. These banks don't like President Obama (b. 8/4/1961 - a Leo)
Admin
It's good that they disallow the color "Red", after all that prevents brute-force guessing of the color choice question in a reasonable number of guesses. After all we know that real crooks brute force the color by trying "a", "b"..."aa", "ab"...
Admin
But these are small banks. They can't afford good security... Time for another stimulus!
Admin
Admin
My favorite color is dun.
Admin
All of this isn't really that surprising if you consider that "synergyonefcu" must stand for "Synergy One Failure Credit Union", right?
CAPTCHA: iusto -- iusto know my password, but I forgot, so I had to answer a security question.
Admin
Seriously, the first thing I wondered was "no case-sensitivity?" Apparently it's perfectly fine to 'drop table' but not to 'DROP TABLE'
Admin
Admin
But if I find that I actually can't, I would just take my money to another bank.
Admin
I dunno. It's a fun meme to talk about, but I'm only aware of one time when it was actually tested. A while back, a bunch of Somali pirates hijacked an American ship and took hostages. The US Navy responded by sending a team of SEALs to deal with the situation. The SEALs moved in under cover of darkness and remained unseen until they could get into position. When the right moment came, with no warning, they took them down and rescued the hostages with no casualties among the good guys.
That looks a whole lot like "Ninjas:3, Pirates: 0" to me...
Admin
LAST!!!!!!!!11111111111111!#!!ONEONEONELEVEN!1!
Admin
Admin
Admin
#FFFUUU-
Admin
Or in xhtml, #f00.
(OSU class of 1988)
Admin
You forgot to mention that they parachuted onto the ship, then sniped the pirates when they got too menacing to their prisoner. They were on one boat, the pirates were in another boat, both bobbing up and down on the ocean, and they sniped 3 pirates, one of whom was using the Captain of a cargo ship as a human shield.
captcha: suscipere
the feeling that a suspicion will appear
Admin
Is 'duct tape' a colour?
Admin
I seem to be ok - my favourite colour has always been Red_underscore
Admin
Samir: Hmm... well, why don't you just go by Steve instead of Steven? Steven King:No way! Why should I change? He's the one who sucks.
Admin
BZZZT! Wrong!
That should be
Admin
Admin
Admin
Admin
I dunno, those weren't real pirates (no parrot = not pirate, no cutlass = not pirate, no peg-leg = not pirate) and those weren't real ninja (high power sniper rifle = not ninja). Blackbeard would (and did, but those were 17th century muskets) have shrugged off a volley of sniper fire without flinching. Blackbeard kept fighting until they cut his head off, and even then they tied it to the bowsprit just to be on the "safe side". They didn't want to leave it rolling around on the deck where it might bite somebody.
Admin
Only if you keep ten times as much money in it as you paid.
Admin
I used to work for Harland, I left in 2006. They had just started rolling out some of the early 2-factor pieces, and it was because of industry mandates. I pleaded with them to find a better solution because all of their ideas provided no real security. This was one of the reasons I left; I just couldn't bear to work for such idiots.
Admin
I just showed this article to a co-worker (he wasn't here yesterday) who's currently tasked to produce a customer area on our website for us (we're a finance company).
His reaction? "Cool, I like that on-screen keyboard!"
I had to re-iterate the fact that this was a demonstration of how not to do this type of facility...
Admin
What a bunch of cnts.
captcha "immitto" - I'm imitto-tating someone else's work
Admin
Admin
Favorite Malcolm? X
Favorite Star Trek Villain? Q
Favorite Secret Agent? M
Favorite Former President? W
Favorite Preparation? H
Admin
You DO know that this is a rehash from 3 years ago, right? Pretty lame that the original comments weren't included as I think they addressed how the original blog entry got it wrong in the first place. Original post and comments at:
http://thedailywtf.com/Comments/Banking-So-Advanced.aspx
Admin
Yeah, we know. We like to comment anyway. What the hell are you smoking, BTW? I didn't see one compelling argument stating the article was incorrect. If you are going to dispute the validity of the criticism, please cite actual comments (hint: they have their own URL), or better yet, make your own argument.
Admin
Admin
There are several comments debunking this in the four pages of comments. In the entire post, no proof is ever given. All that is provided are some screen shots and "sample code" that is given without context, without understanding, and without testing.
@frits: I don't smoke, but I at least read the previous comments before posting. (hint: reading is looking at the words in a sentence and understanding them.)
As far as citing a comment, how about this one?:
QUOTING: Re: Banking So Advanced 2007-10-29 09:29 • by Security Pro
As a security professional who happened to come across this post, I felt the need to reply and correct many of the misconceptions presented by you and brought out in some of the replies. Seems pretty unprofessional to me to be commenting on a system based on screen shots and comments sent in by a reader. Is this how you would review software, or a car, or a movie?
Security is always a compromise between protection and usability. There is no way to have perfect security. It's all about raising the bar. A single security measure is foolish, no matter how strong. The ideal is "defense in depth" which means employing multiple layers of protection so that penetrating one layer only gets you to the next layer and not all the way in to a system.
(BTW- Security Now is to computer security as "Entertainment Tonight" is to news. Take it with a grain of salt. Gibson has his points, but frequently misses the boat. There are many podcasts that are about real security if you look, and I suggest you guys do.)
Here are some clarifications:
On screen keyboards attempt to address keylogging programs. As noted, there already exist keylogging programs that take screen shots of where the mouse is when the mouse button is pushed, thus capturing the image of the "key" entered. Nevertheless, not all malware does this so it will protect against some keylogging, particularly the physical PS/2 or USB keyloggers that go inline with the keyboard. This is just one layer of protection.
A captcha exists to discourage automated attacks. It is trivial to write a script to run a password list through a web logon (assuming you don't get locked out) but exponentially harder if a captcha is used. Yes, it is often possible to utilize OCR to determine the characters in the captcha graphic, but this significantly raises the bar. The truth is, they will "weed" out the vast majority of automated attempts. Most systems have parameters controlling how "scrambled" the captcha graphic is. The compromise becomes readability for the users versus readability for an OCR attack. Readability for the users must always win out. (Since your site's comment post utilizes a captcha I'm surprised you don't seem to understand what it's used for.)
Checks for SQL injection on the client side are probably just an added measure. Unless you have knowledge that the server is vulnerable, you shouldn't go making any claims. Further, if you did find this to be the case, the responsible thing to do would be to disclose it to the vendor and, if they did nothing, to the financial institutions involved. Posting it here is simply a thumping of your chest. If you found something real then practice responsible disclosure. If you're building a fanbase for your ego I would suggest you do it on something you know more about (or at least learn more about security.)
If you'd look at the screenshot of the security questions you posted, you'd see that the user has the option of creating his or her own questions. In practice, this works pretty well as the questions and answers can be information that would be difficult or impossible for an identity thief to ever find. My experience is that if you create your own questions and don't make them obvious, this will provide added protection for accessing your account. Combination locks frequently come with the initial code of 1-2-3-4 but most people are intelligent enough to realize that that's not a design flaw, you must set your own combination for the lock to offer any protection.
Most financial institutions have implemented "1 1/2 factor" authentication. The truth is, this generally works pretty well, but is yet another compromise between security and usability. True two factor, such as also using a security token, currently doesn't scale well. For example, what if you have three financial institutions? That means you'll need three security tokens. And if you lose one or have a spouse that needs to access your account, too? The devices typically go for $25-$50 apiece and only last a few years. They are expensive to support. Many people find these too difficult to use. Also, people have been tricked out of their current SecurID token code over the phone by savvy hackers. No solution is good if users don't understand it or know enough to keep it safe. Ideally, institutions will offer secure tokens to users that want them, but not force them on everyone. (Better yet would be an open standard that all financial institutions supported that allowed you to carry a single token that worked for all your accounts.) However, not using them doesn't mean the institution isn't safe.
You have neither proven nor disproven security of this vendor's product or of its customer's sites. You have merely proven that you're not afraid to launch into slander without testing a claim yourself or really understanding security at all. You must be so proud.
You say: "So what can we, as security conscious IT professionals, do..."
Please do us the favor of taking a beginning security course at SANS or CSI before getting back up on your pedestal.
Admin
Favorite Doctor? J
Favorite haul? U
Favorite ray, factor, or file? X
Favorite bracket? L
Favorite blood type? B
Favorite fense? D
Favorite pluribus unum? E
Favorite troop? F
Favorite spot? G
Favorite beam? I
Favorite th degree? N
Favorite trap? P
Favorite tard? R
Favorite type of turn? S
Favorite chromosome? Y
Favorite Nissan 280? Z
Now stop it.
Admin
So damn true. I have no idea why anyone still uses the secret question / answer system.
One time over here we were tasked with improving our security to pass certification from some security consultant company. Two of the criteria were (paraphrased):
Basically the combination of factors made it so that the only way to pass their test was to make a password reset system where entering the answer to the secret question let you set the password to whatever you liked. It'd be a much better idea to just randomise the user's password and email it to their registered email address when they answered the question, but the ban on emailing passwords prevented this.
I don't know how a company that based themselves around security certification could have such a ridiculous security hole in their requirements. I'm actually glad to see someone else acknowledge how stupid an idea the secret question/answer system is because for the longest time I've felt like I was the only one who understood why it was a bad idea. I felt like I was taking CRAZY PILLS or something.
Admin
Thanks for reposting this classic troll, mysterious-stranger-who-doesn't-work-for-Harland.
I especially love the bit about client side checks for SQL injection being an "added measure". And the implication that scanning user input for a bunch of SQL keywords is any kind of SQL injection measure at all.
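The point raised in this comment and in the earlier "drop table" vs "DROP TABLE" remark, shown in runnable form. This is an added example written for this page, not code from the thread or from the vendor it discusses; the table, the row data and the keyword list are constructed for the demonstration. It puts a case-sensitive keyword blacklist next to a concatenated query and a parameterized one, so the reader can see that the blacklist misses a different spelling while the concatenated query cannot even survive an ordinary apostrophe in a name, and that binding the value as a parameter makes the keyword question irrelevant.

```python
import sqlite3

# Constructed sample data for this example.
SEED_ROWS = [("alice", "tan"), ("bob", "blue"), ("O'Brien", "green")]

# A keyword blacklist of the kind the thread describes.  It is a plain
# substring match, so it only catches the exact spellings it was given.
BLOCKED_KEYWORDS = ("drop table", "delete from", "insert into", "--")


def keyword_filter_rejects(value: str) -> bool:
    """Case-sensitive blacklist check, matching the behaviour noted in the thread."""
    return any(keyword in value for keyword in BLOCKED_KEYWORDS)


def open_db() -> sqlite3.Connection:
    """In-memory SQLite database holding a small constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, favorite_color TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_ROWS)
    return conn


def lookup_color_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """String concatenation: whatever the user typed becomes part of the SQL text."""
    sql = f"SELECT favorite_color FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_color_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the driver binds the value as data; it is never parsed as SQL."""
    rows = conn.execute(
        "SELECT favorite_color FROM users WHERE name = ?", (name,)
    )
    return [row[0] for row in rows]


def unsafe_lookup_fails(conn: sqlite3.Connection, name: str) -> bool:
    """True if the concatenated query cannot even be parsed for this input.

    An ordinary apostrophe is enough: the quote character closes the string
    literal early.  That is the real defect, and no keyword list addresses it.
    """
    try:
        lookup_color_unsafe(conn, name)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = open_db()
    print("filter rejects 'drop table':", keyword_filter_rejects("drop table users"))
    print("filter rejects 'DROP TABLE':", keyword_filter_rejects("DROP TABLE users"))
    print("concatenated query breaks on O'Brien:", unsafe_lookup_fails(db, "O'Brien"))
    print("parameterized query finds O'Brien:", lookup_color_safe(db, "O'Brien"))
```

The fix is the shape of the query, not the content of the input: once the name travels as a bound parameter, the database never sees it as SQL, whether it contains an apostrophe, a keyword in any case, or nothing unusual at all.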
Admin
You know, it's things like this that make me want to develop a better product that offers more functionality and security for double the cost. Why double? Because if you sell it for half, the idiots that run <bank in question> assume that your solution is inferior based upon the price. If you sell for triple they won't buy your product due to it being expensive. If you sell it for DOUBLE then they think...it MUST be good!........
idiots.
and i thought MY workplace was bad.
Admin
I enjoy that too and it makes me wonder...(though I won't try it) if they are vulnerable to sql injection attacks.
Captcha: Praesent....Do i really need a definition for this one?
Admin
Worse still: proper 2-factor is "something you know/have AND something you have/are".
What they implemented was "something you know OR something else you (and, perhaps, everyone else) knows".
Couldn't a password reset result in an email to the registered address containing a one-time-use secure URL (using a cryptographically secure hash or whatever)? When the user receives the email and clicks the link, then they can enter their desired new password. Meets the constraints, and doesn't allow attackers to take over an account as soon as they successfully guess a secret question.
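The reset-link scheme this comment proposes, worked through as an added example (not code from the thread, and not any bank's implementation). The store is an in-memory dict standing in for a database table, the 15-minute lifetime and the URL shape are assumptions, and the clock is injectable so the behaviour can be checked deterministically. The server keeps only a SHA-256 fingerprint of each token, so a copy of the table does not yield usable links; the token itself is a 256-bit value from the OS random source and is consumed on first use.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

# Hypothetical in-memory store standing in for a database table.
# Key: SHA-256 of the token; value: (user_id, expiry as a Unix timestamp).
# Only the fingerprint is kept, so a dump of this table cannot be turned into working links.
_PENDING_RESETS: Dict[str, Tuple[str, float]] = {}

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset link


def _fingerprint(token: str) -> str:
    """Hash used as the lookup key; the plaintext token is never stored."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def issue_reset_token(user_id: str, now: Optional[float] = None) -> str:
    """Create a single-use reset token for user_id and return the secret to be emailed.

    The caller places the returned value in the link sent to the registered address,
    e.g. https://bank.example/reset?t=<token>  (hypothetical URL).  Nothing about the
    password itself is ever put in the mail.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, URL-safe alphabet
    _PENDING_RESETS[_fingerprint(token)] = (user_id, now + TOKEN_TTL_SECONDS)
    return token


def redeem_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user_id the token was issued for, or None if it is unknown, used or expired.

    A matching entry is removed on its first presentation, even if it turns out
    to be expired, so a link can be used exactly once.  Because the lookup key
    is a hash of a high-entropy random value, there is nothing for an attacker to
    enumerate and no secret-question answer that substitutes for the link.
    """
    now = time.time() if now is None else now
    entry = _PENDING_RESETS.pop(_fingerprint(token), None)
    if entry is None:
        return None
    user_id, expires_at = entry
    if now > expires_at:
        return None
    return user_id


if __name__ == "__main__":
    t = issue_reset_token("alice")
    print("first use ->", redeem_reset_token(t))    # alice
    print("second use ->", redeem_reset_token(t))   # None: already consumed
```

On redemption the application would prompt for the new password and, on success, also revoke any other outstanding tokens for that user and invalidate existing sessions; those steps are omitted here because they belong to the surrounding application rather than to the link mechanism itself.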
Admin
Using my bank services online I need an account number and a pin code to log in. If I want to check more than just the balance of my accounts I'm asked for a security code from a key/value list with 100 values printed on a piece of plastic the size of a credit card. If I wish for more security I can choose to receive verification codes to my cell phone as well.
Nearly every bank offers their authentication (which is pretty much everywhere) to online stores, government services etc so you can confirm you are who you say you are and pay your purchases directly. Most places in this country where you can pay online or where your real identity is required use it because the yearly fee is quite low and pretty much everyone uses banks online.
At any point when I'm logged in and authenticated I can order a new security code card that'll arrive in the mail and I can register the new card to my account after I've authenticated myself twice using the old card.
If I lose the security code card there are no security questions. I have to visit the bank in person, show some ID and get a new one.
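The printed 100-cell code card this comment describes, modelled server-side as an added example. This is not the commenter's bank's system or any vendor's code; the four-digit code length, the salted SHA-256 storage and the rule that a cell is burned on any answer are design choices made here for the demonstration. The server never stores the printed codes, only per-card salted hashes, and it picks which cell to ask for so that a code captured once (the keylogger case discussed above) is useless afterwards.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

CARD_SIZE = 100     # cells per printed card, as described in the thread
CODE_DIGITS = 4     # assumed length of each printed code


class CodeCard:
    """Server-side record of one printed card (hypothetical design, not any bank's)."""

    def __init__(self, card_id: str, salt: bytes, digests: List[str]) -> None:
        self.card_id = card_id
        self.salt = salt
        self.digests = digests                 # one salted hash per cell; plaintext codes are never kept
        self.used = [False] * len(digests)     # a cell is burned after one answer
        self.pending: Optional[int] = None     # cell index the server has just asked for


def _digest(salt: bytes, index: int, code: str) -> str:
    """Bind the code to its cell index so cells cannot be swapped for one another."""
    return hashlib.sha256(salt + index.to_bytes(2, "big") + code.encode("ascii")).hexdigest()


def issue_card(card_id: str) -> Tuple[CodeCard, List[str]]:
    """Generate a card.  The plaintext list goes to the printer only; the server keeps hashes."""
    salt = secrets.token_bytes(16)
    codes = [f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}" for _ in range(CARD_SIZE)]
    digests = [_digest(salt, i, code) for i, code in enumerate(codes)]
    return CodeCard(card_id, salt, digests), codes


def challenge(card: CodeCard) -> Optional[int]:
    """Pick a random unused cell to ask for; None means the card is exhausted and must be replaced."""
    unused = [i for i, burned in enumerate(card.used) if not burned]
    if not unused:
        card.pending = None
        return None
    card.pending = secrets.choice(unused)
    return card.pending


def respond(card: CodeCard, index: int, code: str) -> bool:
    """Check the user's answer to the outstanding challenge.

    The cell is burned whether or not the answer is right, so each challenge
    allows exactly one guess: a 1-in-10000 chance per challenge with four digits,
    and the card runs out long before guessing pays off.  The server chose the
    index, so an answer for any other cell is rejected without consuming anything.
    """
    if card.pending is None or index != card.pending:
        return False
    card.pending = None
    card.used[index] = True
    return hmac.compare_digest(card.digests[index], _digest(card.salt, index, code))


def cells_remaining(card: CodeCard) -> int:
    """How many unused cells are left; the bank would prompt for a new card well before zero."""
    return sum(1 for burned in card.used if not burned)


if __name__ == "__main__":
    card, printed = issue_card("card-demo")
    idx = challenge(card)
    print(f"server asks for cell {idx}; user reads {printed[idx]} off the card")
    print("accepted:", respond(card, idx, printed[idx]), "remaining:", cells_remaining(card))
```

Registering a replacement card, as the commenter describes, would simply be two successful challenge/respond rounds against the old card before the new card's record is activated; losing the card leaves no online recovery path at all, which is exactly the property that makes the scheme stronger than a secret question.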
Admin
Admin
Assuming you have 10*the cost of the safe in cash.
Admin
The layout breaks in Chrome. The site is woefully non 508 compliant. Not that I'd expect otherwise.