Admin
Why do you assume my entire family is dead? That's not nice.
CAPTCHA: jumentum, is that like momentum?
Admin
Some of these need an "I don't know." I have no idea what color my dad's eyes are, without looking or asking him.
CAPTCHA: ingenium. Whoever wrote these questions should be fired for his ingenium ability.
Admin
Paula - obviously
Admin
Bruce Schneier also wrote about security questions today:
http://www.schneier.com/blog/archives/2011/09/new_lows_in_sec.html (His entire site is 404'd as of this post, but it should come back up eventually)
Admin
Perfect, then when they actually ask the security question, you can just select "I don't know." and it will let you in, regardless of what answer was originally selected. It's a lot simpler and hardly any less secure than the drop-down boxes.
Admin
It's always good when the answer to the security question is something that changes over time. Almost as good as one that's completely mood dependent. ("What's your favorite kind of food?" hmmm, what sort of food was I in the mood for on the day I set up this account?)
Admin
Now let's not be kidding ourselves. It was the Marketing department who initiated all of this - mandatory survey questions veiled as "Security questions" which everyone knows adds little/no real security.
The order of the questions is by popularity (rankings determined by querying the database of security questions when the page is loaded - for convenience of course)
Admin
I'm really starting to hate online banks. They seem to be the least secure of the sites I regularly use.
One of my banks recently forced me to click "agree" on their latest terms and conditions, which included making me the customer assume all liability for fraudulent transactions. It even said plain as can be "you may lose the entire balance of your account." No distinction between whether my computer was hacked or theirs. No, just automatically assume it was my fault. Never mind that they require me to enable JavaScript to use their site, which means if they have one cross-site-scripting flaw on any page a hacker could take over my session. And of course I can't scan their site to see if their developers are competent, because that would be considered a crime.
Does anyone know of a bank with clue in the USA? Otherwise I think I'm going to have to go back to paper statements and handwritten checks.
But even that won't stop the bank from cheerfully handing over my money to anyone who can guess my bank account number. A couple years ago I had someone pay their electric bill that way. Just kept punching random numbers into the electric company's site until they hit on one that worked. Lucky me. And the burden of proof, and of fighting the fraud, was on me.
It is time to stop pretending that the victim of "identity theft" is the account holder. It is the bank that was tricked into giving money to someone who wasn't me. So, the bank lost their money, not mine. I didn't agree to that transaction, so I'm not liable for it.
Screw the banks. I'm done with them as soon as I can work out a viable alternative.
Admin
This one made me laugh. "My mom's got a black eye"? WTF indeed. Or violet eyes for that matter...
I've seen some really silly "security" questions in other systems, but this one wins in every way. Provides basically the same level of "security" as airport security taking away water bottles.
Admin
And usually you only need to answer one or two "security questions" to do a password reset, so it would take 10 or maybe 100 tries to guess it. You don't even need automated hacking software for that. The dumbest hacker in the world could get it in a few minutes of trying.
Couldn't they avoid the whole problem by having a dropdown for passwords? Like:
Then they could boast that their system actually FORCES users to create strong passwords. After all, those are the only choices.
Well, maybe a more realistic idea would be a dropdown like this:
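The post above estimates that a drop-down question bank leaves "10 or maybe 100 tries". The following Python is an added example (not from the original thread or the bank it describes) that makes that arithmetic concrete from the defender's side: it computes the answer space of a constructed, hypothetical question bank and simulates a reset endpoint with and without an attempt lockout, showing that without a lockout exhaustive guessing of two drop-down questions always succeeds within the combined answer count, and that a small lockout threshold is what actually stops it. The question names, answer lists and `ResetEndpoint` class are all invented for the illustration.

```python
import itertools
import math

# Constructed question bank in the style the thread describes: every answer is
# picked from a short drop-down list, so the whole space can be enumerated.
QUESTIONS = {
    "mother_eye_color": ["blue", "brown", "green", "hazel", "gray"],
    "least_favorite_vegetable": ["broccoli", "cabbage", "carrot", "okra", "peas",
                                 "turnip", "zucchini", "eggplant", "beet", "radish"],
}


def answer_space(questions, asked):
    """Number of distinct answer combinations for the questions a reset flow asks."""
    return math.prod(len(questions[q]) for q in asked)


def entropy_bits(questions, asked):
    """Equivalent key length in bits; two drop-downs here give well under 6 bits."""
    return math.log2(answer_space(questions, asked))


class ResetEndpoint:
    """Simulated (hypothetical) password-reset check.

    `max_attempts` is the mitigation under test: after that many failed
    verifications the account is locked for reset; None disables the lockout.
    """

    def __init__(self, questions, asked, true_answers, max_attempts=None):
        self.questions = questions
        self.asked = list(asked)
        self.true_answers = dict(true_answers)
        self.max_attempts = max_attempts
        self.attempts = 0
        self.locked = False

    def verify(self, answers):
        if self.locked:
            return False
        self.attempts += 1
        if self.max_attempts is not None and self.attempts > self.max_attempts:
            self.locked = True
            return False
        return all(answers.get(q) == self.true_answers[q] for q in self.asked)


def simulate_exhaustive_guessing(endpoint):
    """Walk every drop-down combination against the endpoint.

    Returns (attempts_used, succeeded). Used here only to measure whether the
    lockout policy holds, not against any real service.
    """
    choices = [endpoint.questions[q] for q in endpoint.asked]
    for combo in itertools.product(*choices):
        guess = dict(zip(endpoint.asked, combo))
        if endpoint.verify(guess):
            return endpoint.attempts, True
        if endpoint.locked:
            return endpoint.attempts, False
    return endpoint.attempts, False


def demo():
    asked = ["mother_eye_color", "least_favorite_vegetable"]
    truth = {"mother_eye_color": "hazel", "least_favorite_vegetable": "okra"}
    unprotected = ResetEndpoint(QUESTIONS, asked, truth)
    protected = ResetEndpoint(QUESTIONS, asked, truth, max_attempts=5)
    return {
        "space": answer_space(QUESTIONS, asked),
        "bits": round(entropy_bits(QUESTIONS, asked), 2),
        "no_lockout": simulate_exhaustive_guessing(unprotected),
        "lockout_5": simulate_exhaustive_guessing(protected),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The lockout is the whole point: the question bank cannot be made strong after the fact, so the only lever left on the server side is bounding the number of guesses (and logging the lockout event, which is also a useful detection signal for reset abuse).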
Admin
Yeah, I draw the line there. Notwithstanding the idiocy of its delivery, I would never do business with a company that requires you to give so much personal - and stupid - information for the sake of "security". It sounds to me like they are simply phishing for your personal information, and disguising it as "security measures". To what end, I have no idea, and I'd probably rather not know.
Admin
All men are my brothers. So I just pick a random name.
Admin
That's an interesting point. That got me thinking of this hypothetical conversation:
Customer: I'd like to deposit $500.
Bank Clerk: Certainly, sir. Let me just bring up your account here ... enter the amount ... Now, where's the money?
Customer: Oh, I don't have it. I was robbed yesterday and the thief stole the money. But I was intending to deposit that $500 here before it was stolen.
Bank Clerk: Oh, okay, then we'll credit your account for the money.
That's how it works, right?
Admin
Why is a website which uses Akismet and CAPTCHAs where the answer is included in the HTML criticizing anyone else for not knowing about security?
Admin
That is such a curious perversion, now isn't it? :: points to the site logo ::
Edit: If you want a RWTF, you should go into the forums and look at the tag cloud. Notice anything perverse about that?
Admin
Whose money is it? If you say it is yours, then you are the victim when it gets stolen. If you say it is the bank's, then you have nothing to complain about as you never had anything to lose.
You seem to have forgotten that the Bank is just holding your money for you, not unlike someone putting it under their mattress on your behalf. If it gets stolen, it is still your money which is being stolen regardless of who was looking after it at the time.
Admin
So how do they "get in"? Doesn't the system email a random password to the registered user? So unless the hacker knows the registered user's email account and connection information (including the user's email account password), or is able to intercept the email in transit, they have nothing.
My understanding is that the secret questions are just there to discourage people from being a nuisance resetting random users' passwords.
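The post above assumes the reset flow works by e-mailing a random credential to the registered address. The Python below is an added example (not the thread's or any bank's code) of the server-side half of that design done properly: the token comes from the OS CSPRNG, only its hash is stored, it expires, it is bound to the requesting account, and it is consumed on first use so an intercepted e-mail is worthless after the legitimate redemption. The `ResetTokenStore` class, its 15-minute lifetime and the injectable clock are assumptions for the illustration.

```python
import hashlib
import secrets
import time

# Assumed policy for the example: a reset link is good for 15 minutes.
TOKEN_TTL_SECONDS = 15 * 60


class ResetTokenStore:
    """Issues single-use, time-limited reset tokens and stores only their hashes.

    `clock` is injectable so the expiry behaviour can be tested deterministically.
    """

    def __init__(self, clock=time.time):
        self.clock = clock
        self._pending = {}  # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _digest(token):
        # Hash before storing so a leaked table does not yield usable tokens.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user_id):
        # 32 random bytes (256 bits) from the OS CSPRNG, URL-safe for an e-mail link.
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (user_id, self.clock() + TOKEN_TTL_SECONDS)
        return token  # goes into the e-mail only; never persisted in clear

    def redeem(self, user_id, token):
        """Return True exactly once for a live token bound to user_id, then consume it."""
        digest = self._digest(token)
        entry = self._pending.get(digest)
        if entry is None:
            return False  # unknown, already used, or forged
        stored_user, expires_at = entry
        if self.clock() > expires_at:
            del self._pending[digest]  # expired: discard so it cannot be retried later
            return False
        if stored_user != user_id:
            return False  # token belongs to a different account; leave it untouched
        del self._pending[digest]  # single use
        return True

    def pending_count(self):
        return len(self._pending)


def demo():
    now = [1_000.0]
    store = ResetTokenStore(clock=lambda: now[0])
    token = store.issue("alice")
    first = store.redeem("alice", token)
    replay = store.redeem("alice", token)
    stale = store.issue("alice")
    now[0] += TOKEN_TTL_SECONDS + 1
    expired = store.redeem("alice", stale)
    return first, replay, expired


if __name__ == "__main__":
    print(demo())  # expected: (True, False, False)
```

Note that the comparison on the token itself happens through a dictionary lookup on its hash, so no secret-dependent string comparison is exposed; the user-id check is on a non-secret value.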
Admin
That, or a very good reason not to get any additional speeding tickets.
Admin
"If All Men Were Brothers, Would You Want One To Marry Your Sister?"
Admin
Based on spelling, it's a good thing they didn't ask what was your best subject.
TRWTF is no "Lima Beans" or "Spinach", the two traditional "least favorite vegetables". (Just so happens I like 'em both, but my real least favorite -- "Bell pepper" -- isn't a choice either.)
Admin
Place the following vegetables in order from your least favorite to your most favorite:
(list of 10 or 20 vegetables)
Admin
That's true. Allowing unauthorized persons easy access to your bank account is just an added feature.
Admin
*their
FTFY
Admin
I told my local bank that I didn't want my account to be accessible over the network to me or to anyone else.
Admin
Of course, they're still annoying and don't add much security when used this way, but at least they don't decrease the security.
Admin
I wonder if these were some of the rejected question/answer candidates:
Q: What is your name? Answers: Tim, Arthur, Lancelot
Q: What is your favorite color? Answers: Blue, Yellow, AHHHHH!!!!!
Q: What is the airspeed velocity of an unladen swallow? Answers: African Swallow?, European Swallow?, I Don't kno...AHHHHH!!!!
Admin
A Rabbi in motion tends to remain in motion...
Admin
Hmm. In my online stock portfolio, the shares are "in street name" - they belong to the brokerage, as a matter of law, which is how the brokerage can let other customers perform short trades. The brokerage owes me an accounting and fiduciary duty, and I suppose I owe them the security agreements we've agreed to. Now I am curious which of these viewpoints really holds.
Admin
No, not exactly. You've made a loan to the bank. They are responsible for returning it under the terms of the loan, typically "on demand" for standard accounts, or on a set date for CDs. In the meantime, they can do what they want with it, and what they do with it is invest it at a profit, for example, by pooling it with other deposits and loaning it to people, like you, who want to buy things they don't have the money for at the moment, like houses.
What the bank does with your money in the meantime is not your affair. You don't profit from their home and business loans, you don't get to decide about them, and you don't lose from them. Likewise, if someone drops a sack of $100 bills in the bank lobby, you don't get a share, and if someone gets money out of the bank without the bank's consent, you are not responsible for any share of it, legally or morally.
So yes, if someone convinces the bank that they're holding a check signed by you and takes away some of your money, you can file a fraud claim and a bunch of paperwork happens, and you will likely get your money back (unless there's an embarrassing glitch in your case, like a signed receipt for merchandise in the amount in question, or something of that nature). And if someone convinces the bank that they're you, and you can prove that that person wasn't you, you can pursue recovery under fraud.
Think about it the other way around: if you borrow $50,000 from the bank to start, say, a lemonade stand, and you manage to lose that money - by theft, misadventure, or a sudden collapse of the lemonade business - you still owe that money to the bank.
This is a nice picture of banking. I'm imagining that in your world, a bank has a safe with a lot of drawers in it, and each one is labelled "Joe's Money", "Jane's Money", "Jim's Money", and so forth. And when you deposit some money, the teller (remember tellers?) goes back into the safe and puts your money in your drawer, and when you make a withdrawal, they take those bills out of your drawer.
It's a lovely picture - not exactly how it works, of course, but a lovely picture.
Admin
But that is how it works. When I deposit money at the bank, I make sure I've made a note of all the serial numbers on all the bills. And I make a secret mark on all the coins I deposit (a scratch, usually, which you have to look carefully to spot). Then when I ask for my money back again, I can easily make sure it's the same money I gave them. If one of the pennies I get back isn't the same one that I gave to them in the first place, there'll be hell to pay. Judge Judy once granted me $5000 of compensation for pain and suffering through not getting my favourite penny back.
Admin
Go tell Bob that his kid is a SUPER GENIUS. The internet said so.
Admin
I was happy when my credit union finally implemented security that was on par with my battle.net account...
Granted, verisign tokens aren't uncrackable or even as good as SmartCards, but they are leagues ahead of the standard "wish it were" two factor authentication.
Admin
But if everybody did this, or perhaps say a million people, then there would perhaps be of-the-order-of $234.56 multiplied by 1 million, which would be rather significantly more than the bank is likely to be comfortable with losing the business of, you sarcastic shithead.
Admin
If you don't have a bank that indemnifies you against loss due to fraud (which includes hacking) you really need to get a new bank. There are two reasons:
1.) Why would you choose a bank that doesn't?
2.) Any bank that doesn't do that is because even they know their security sucks.
Legit institutions have multiple layers of security and are set up to mitigate any account hacking with reasonable safeguards (e.g. they won't allow you to do things like withdraw large amounts of money and send a check just anywhere, change PII or even view most PII).
Admin
UK banks are significantly more secure than US ones, from what I can tell. For my own online banking experience, I have a PINsentry gadget, which works I believe on a similar basis to an RSA key. In short, no transactions can be made on my online account without access a) to my card and b) to my PINsentry.
I suppose it can be hacked if someone manages to break into my house while I'm asleep (not straightforward to do without waking me), find my card (okay, not so difficult, just look in pockets of jacket, I don't tend to hide that away at night) and find the PINsentry. Burglar can then escape on tippy-toe back through the entry that has (silently) been effected.
Having done that, the perpetrator must then log into my bank account, using the various combinations of username, password, secret codeword and yet another password on the way out, none of which he will find it easy to get. (If he were to log in using my computer, then he will find the username is stored on it locally, but first he has to get access to the machine, and for that he needs my finger, and he's not likely to be able to get that without waking me or killing me, and the latter may get a bit messy and so make the perpetrator somewhat easier to apprehend.)
That's a sufficiently high level of security for me. I sleep easy at night.
My advice is: anyone who banks with a company which doesn't have at least that level of security should bank elsewhere. Once the flakes start losing business because their security sucks, they'll either get the message and smarten up, or go out of business.
Which are the safe banks? I recommend the ones in the UK.
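The posts above praise a card-reader gadget and "verisign tokens" as the second factor that makes a stolen password insufficient. As an added illustration of the principle (not the thread's code, and not the internal protocol of PINsentry or any vendor's token), here is RFC 4226 HOTP in Python: the code is an HMAC over a counter the user's device and the bank share, so it cannot be derived from anything typed into a phishing page, and the server-side `TokenVerifier` class (an assumption for the example) shows the two checks that make it safe in practice: a used counter is never accepted again, and only a small look-ahead window is tolerated. The secret `12345678901234567890` is the RFC's published test key, not a real credential.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    binary = (((mac[offset] & 0x7F) << 24)
              | (mac[offset + 1] << 16)
              | (mac[offset + 2] << 8)
              | mac[offset + 3])
    return str(binary % (10 ** digits)).zfill(digits)


class TokenVerifier:
    """Server side of a counter-based token (hypothetical for this example).

    Keeps the last accepted counter so a code can never be replayed, and
    accepts a small look-ahead window in case the user generated a code
    without submitting it (the device counter ran ahead of the server's).
    """

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.window = window
        self.last_counter = -1  # nothing accepted yet; counter 0 is the first valid code

    def verify(self, code: str) -> bool:
        for candidate in range(self.last_counter + 1, self.last_counter + 1 + self.window):
            # Constant-time comparison so the check leaks nothing about near-misses.
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_counter = candidate  # resync and burn this and earlier counters
                return True
        return False


# RFC 4226 Appendix D test key: shared between "device" and "server" here.
RFC_SECRET = b"12345678901234567890"


def demo():
    verifier = TokenVerifier(RFC_SECRET)
    accepted_first = verifier.verify(hotp(RFC_SECRET, 0))   # fresh code
    replayed = verifier.verify(hotp(RFC_SECRET, 0))         # same code again
    skipped_ahead = verifier.verify(hotp(RFC_SECRET, 3))    # user pressed the button twice unsubmitted
    behind = verifier.verify(hotp(RFC_SECRET, 1))           # older than last accepted
    return accepted_first, replayed, skipped_ahead, behind


if __name__ == "__main__":
    for c in range(4):
        print(c, hotp(RFC_SECRET, c))
    print(demo())  # expected: (True, False, True, False)
```

The replay rejection is what separates this from the "security question" drop-downs earlier in the thread: even a code observed over someone's shoulder is dead the moment it has been used, and an attacker who never sees the device cannot produce the next one at all.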
Admin
This is why everyone should ditch banks and instead use credit unions if at all possible.
Most decent credit unions work on a non-profit basis and account holders do profit from credit union earnings. Account holders don't get a check cut to them but they do generally get:
1.) Free banking
2.) Free financial advice
3.) Discount loan rates
4.) Often free or reduced price servicing of IRA and other investments.
5.) Higher savings/CD/etc. rates
6.) etc.
I haven't paid for any of this crap in over a decade. I bet if I added up all the money I've saved in that time I'd see close to 6 figures in savings (primarily from getting an ultra low rate on my mortgage).
The for profit banks don't hold a candle to decently run credit unions.
/credit union soap box
Admin
So if your father was born in Antarctica and your mom was born on an Atlantic island (say, Pitcairn), drove a Chartreuse car, played the Xylophone, graduated from high school in 1910, preferred Durian, Trip Hop, Home Ec, you can't bank there? That really narrows it down.
Admin
I consider mine safe, but only because it's not bottom of the barrel unsafe like several major banks in the U.S.
It's not as good as what you describe, but sufficient to prevent anything but a hacker who's really intent at getting specifically into my account.
Admin
"What's the colour of your first car?"
Gypse nacré. I could explain what it looks like, but that would take significantly longer.
Admin
TRWTF is that they didn't consult anyone remotely similar to me when building the answer lists. I've never had a car or a sibling, my dad was born in England (which, apparently, many Britons will tell you isn't part of Europe), my favourite subject in high school was Computer Science, I listen to heavy metal, and my least favourite vegetable is zucchini. So what the hell am I supposed to pick?
Admin
A different bank, obviously.
Admin
I decided against signing up for online banking when I discovered the bank's website has one of those disable-right-click scripts. That doesn't really scream "secure" to me...
Admin
If you forget your password for online banking, you should be required to visit the bank during business hours and present identification to reset your password.
If you're in the habit of forgetting your password regularly, then you should be ashamed of yourself and stop doing stupid things.
Admin
It gets even worse. On one site, you were given a choice of the security question, and told to provide an answer.
Then when you forgot (whatever) you needed to remember the QUESTION as well as the answer!
Argghhh!
Admin
If your favorite melon is really Durian, you have no business mixing with civilized people.