• T $ (cs)

    ---- ---------------- should be hired to do security for the next system!

  • bradfoje (cs)

    Just put a post-it on the monitor!! DUH!

  • Corey (unregistered)

    I have a password safe program, so forgetting passwords isn't a problem (until I forget the master password, or lose my backups...)

    When confronted with such free-form questions, I typically just make the answers the same as my password. This is probably infinitesimally more secure than one-factor.

    A couple of sites prevented me from doing that, so I generated a second random password for the answer, put that in the safe too. (1+1/3-factor auth?)

    My bank had a notice up that they'd be re-designing their online banking site, and we might get a survey. I used mine (and emailed them as well) to beg them to not do this, and instead either just stay 1-factor or go with the printed-out-list-of-random-numbers approach. Of course, they're going to roll out with "security questions"...

  • Ryan (unregistered)

    It's funny because just this morning I locked myself out of my bank account because I couldn't remember what street my office was on at the time I created the account, and whether I had entered "james" or "jimmy" or "jim" for my sibling's name.

  • anymous because i'm scared (unregistered)

    This rise of phony "two factor" auth is even worse than you may think. This is a clear cut case of one or more private companies using the power of government corruption to hurt their competitors.

    The first big bank to implement one of these schemes was Bank of America. They did theirs BEFORE it was an official "guidance". They then strongarmed the FFIEC into making it required for all banks. All of a sudden, Bank of America is way ahead of all their competitors, can brag about being the first to implement the new regulations, etc. Also, they can sit on their piles on money and the small regional banks and credit unions bottom lines get hit by rushing to implement all this shit.

    Meanwhile, the actual consumer, the person whose security is supposed to be protected, is still screwed.

    captcha: darwin

  • unklegwar (cs)

    Add in the point that anyone who even remotely knows me will be able to provide the answers to these questions.

    They can guess my work address, year I graduated, might even know pet names and mascot names if we ever had even a polite chat.

    Thumbprint scans are out (is there a web protocol for these?) as they can be defeated with photocopies and silly putty.

    I guess DNA or retinal scans, then.

  • blade (unregistered)

    I like it when they let you write your own question and answer. That way you can think up questions you'd never forget.

    IE: What city were you born?

    If you forget that, bank security is the least of your problems.

  • Benji (unregistered) in reply to unklegwar

    No retinal scans. When a woman gets pregnant it changes her retinal pattern.

  • Jessica (unregistered) in reply to blade

    I especially prefer the sites that let you write in your own question because it lets me avoid stuff that is almost trivial for someone else to find out such as the city I was born on my mother's maiden name.

  • TheRubyWarlock (cs)

    This is something I can sympathize with. Bank of America takes it one step further: They tie your account to the computer you access it on - so as long as you always use the same machine (and never upgrade/reformat it) you only have to provide a user ID and passcode. Upgrade/get a virus/new computer, and then you have to jump through all these hoops answering all three of these nonsense questions or they lock your account and you need to call them up to unlock it.

  • SysKoll (unregistered) in reply to blade
    blade:
    I like it when they let you write your own question and answer. That way you can think up questions you'd never forget.

    IE: What city were you born?

    If you forget that, bank security is the least of your problems.

    The village where I was born was a suburb of a large neighboring city. The city has grown and now encompasses the village, which became just a quarter of the city and doesn't officially exist as an incorporated entity anymore.

    So when I answer that "where were you born" question, I often have to give the city name since maginary birthplaces don't cut it for a lot of purposes. Hence two possible answers -- and which one did I type in that site again?

  • Andrew (unregistered) in reply to blade
    blade:
    I like it when they let you write your own question and answer. That way you can think up questions you'd never forget.

    IE: What city were you born?

    If you forget that, bank security is the least of your problems.

    I don't know the answer to that. My parent's never told me, and they've both died by now.

    Commonweath of Pennsylvania birth certificates only specify the county and date, not the city. I'm sure many governemnts do not require a city of birth.

  • Andrew (unregistered) in reply to blade
    blade:
    I like it when they let you write your own question and answer. That way you can think up questions you'd never forget.

    IE: What city were you born?

    If you forget that, bank security is the least of your problems.

    I don't know the answer to that. My parent's never told me, and they've both died by now.

    Commonweath of Pennsylvania birth certificates only specify the county and date, not the city. I'm sure many governemnts do not require a city of birth.

  • Zylon (cs)

    Where the hell the did the godawful term "Wish-It-Was Two-Factor" come from? Googling for it turns up exactly two hits-- this site, and a site linking to this site.

  • Herohtar (unregistered) in reply to Ryan

    Lol, I've done that with my online bank access too... in fact, I think I'm still locked out because I never bothered to call my bank and have them reset it for me.

    I don't give real answers to the "security" questions; I just type some random sentence that no one will ever guess. If I forget my password, I'll never get back in, but oh well. I haven't forgotten any passwords yet. <.<

    captcha: kungfu - what I want to use on the people who came up with the idea for security questions

  • Josh (unregistered) in reply to Zylon

    Um, it came from this site. It's a joke, This site contains humor.

  • gilleain (cs)

    I got irritated with halifax's (sorry, HBOS) WIWTF authentication when it wouldn't accept my secret question.

    I kept entering shorter and shorter questions, all of which were rejected as "unsuitable" until I tried just :

    "?"

    And it got rejected. So I entered a question /without/ a question mark, and it worked. Presumably someone had coded the application not to accept anything with puctuation, or something.

    Idiots.

  • vt_mruhlin (cs)

    My company made me take an online training class on how to keep confidential information secure. One of the scenarios they posed was a guy trying to email some docs to a client. His friend, the security guru, advises him to encrypt the doc using the company's encryption program, then send the file to the guy in an email, and follow it up with another email telling him the password. That sure is secure there Lou.

  • SomeCoder (unregistered) in reply to TheRubyWarlock
    TheRubyWarlock:
    This is something I can sympathize with. Bank of America takes it one step further: They tie your account to the computer you access it on - so as long as you always use the same machine (and never upgrade/reformat it) you only have to provide a user ID and passcode. Upgrade/get a virus/new computer, and then you have to jump through all these hoops answering all three of these nonsense questions or they lock your account and you need to call them up to unlock it.

    Pretty much all banks do this now. Also, it's not for security purposes per se, it's actually to help people know that they aren't at a phishing site (at least the way I've seen it implemented).

    My bank has been doing this for a while. From my limited knowledge of hacking and phishing, it seems like the way they do it would be pretty effective as long as you generally use the same computer all the time for bank transactions.

  • GrandmasterB (unregistered)

    One large, multi-state national bank recently put this nonsense in. You have to hop through a bunch of hoops like the personal questions and picking a verification picture so you can tell if you're on a phishing site.

    BUT CUSTOMER LOG IN ID IS THE ATM CARD NUMBER.

    You know, the ones that are valid credit card numbers. The beauty is that you have to type that in FIRST and submit it before you get to the 'anti-phishing' and personal question page. So if you're on a phishing page... you've already given them your credit card number before you see the pretty anti-phising picture.

  • Rich (unregistered)

    A whole meta discussion could come up talking about identity. What is identity? Who are you and prove it.

    DNA? hope your identical twin doesn't rip you off. I'm sure you heard of the identical twin who got nailed in a paternity suit essentially because of a coin flip over whether it was him or his brother.

    Retinal scan? hope you don't get a degenerative eye disease.

    Fingerprints? Can be faked. I had a friend of mine who lost both hands in an industrial accident. Does he exist?

    Questions? most assume uniqueness. What if you never knew your mom, do you exist because you don't have a mother's maiden name? Do you use your birth mom's, your adopted mom, or your step mom? Do you lose your right to your bank account if you have amnesia?

    Though i kind of agree that this is an example of bad identity and authentication, there really isn't a good one.

  • Anon (unregistered) in reply to blade

    What if you were an orphan, abandoned somewhere with no idea where you were born?

  • jmichal (unregistered)

    My favourite answers to all these idiotic questions is a negative one: "na" Since the answers are the same, the questions do not matter. Favourite pet? "na". Favourite Colour? "na". Or "not available", if 2 characters are not enough.

  • D. T. North (unregistered)

    My bank let us write in our own questions to ask. I'm not very creative, so my questions were things like "What version of Linux do you use?" and "Where do you work?".

    My wife is a lot more creative. Her questions (she had to type three):

    1. How do you spell 'stuff'? (answer: stuff)
    2. Do you think these questions are dumb? (answer: yes)
    3. Do you like wine? (answer: yes)

    So far...the bank hasn't discovered or challenged her questions.

  • Zylon (cs) in reply to Josh
    Josh:
    Um, it came from this site. It's a joke, This site contains humor.

    Except when it's trying to be funny.

  • Feasoron (unregistered) in reply to Zylon

    Well, that means it came from here!

  • AdT (unregistered) in reply to SysKoll
    SysKoll:
    Hence two possible answers -- and which one did I type in that site again?

    So true... I had the same problem just recently - I couldn't remember whether I had typed

    (city name)

    or

    (city name) (city district name)

    or just

    (city district name)

    This (place of birth) was the first question I was asked to answer. The second question was "What are the last four digits of the number on your ID?". I thought that this one was easy until I noticed my ID had two long numbers on it.

    So this meant there were at least six different combinations and I had three attempts to get it right. Fortune was not on my side, so now I'll probably have to use snail mail to resolve the issue. headdesk

  • Anonymous (unregistered) in reply to Zylon
    Zylon:
    Where the hell the did the godawful term "Wish-It-Was Two-Factor" come from? Googling for it turns up exactly two hits-- this site, and a site linking to this site.

    I'm not sure if that's sarcasm or not, but its an attempt to shoehorn "Two-Factor authentication" into the Whiskey Tango Foxtrot pattern.

    Not that I can think of anything better

  • Jason DeFontes (unregistered)

    When you write down your answers then the post-it becomes "something you have". Brilliant!

  • Test_subj (unregistered)

    With the kind where you write your own questions i usually go with something along the lines of "Q:What are you wearing? A:nothing but a cockring" that way when i have to call in, the CSR has to ask me and i have to answer them.

    of course if i'm not alone and i have to call in my coworkers give me funny looks,

  • JNeumann (unregistered) in reply to Benji
    Benji:
    No retinal scans. When a woman gets pregnant it changes her retinal pattern.

    Even better. That way she can't pull out money during the mood swing period.

  • stupid old me (unregistered)

    My banks questions were:

    1. What is your name?
    2. What is your quest?
    3. What is your favorite color?

    If you get it wrong, the consequences are pretty bad. I use the Monty Python National Bank...

  • Terry Austin (unregistered)

    Will they let you use the same answer for all the possible questions? Just answer them all "Never give guns to ducks" and see what happens.

  • Remy Lebeau (unregistered) in reply to Ryan

    I have several security questions set up in my bank account (a different one is asked randomly each time I login). But when I logged in last night, I was asked a question that is not in my list of questions! It was a question that USED TO BE in my list of questions a long time ago but no longer is. I couldn't remember the answer, of course. Fortunately, my bank gave me a second chance to login, and one of my current questions was asked that time.

  • Brandon (unregistered)

    Q. What is your middle name? A. Ray Error: Your secret answer must be at least 5 letters.

    Doh! I guess I'll choose another question.

    Q. What was your high school mascot? A. Beavers Error: Your secret answer contains profanity and is not allowed.

    Doh! I guess I'll choose another question.

    I have to pick 3 and you only gave me four choices? I guess my money can go somewhere else.

    Captcha: pirates

  • Kelly (unregistered) in reply to GrandmasterB
    GrandmasterB:
    One large, multi-state national bank recently put this nonsense in. You have to hop through a bunch of hoops like the personal questions and picking a verification picture so you can tell if you're on a phishing site.

    BUT CUSTOMER LOG IN ID IS THE ATM CARD NUMBER.

    You know, the ones that are valid credit card numbers. The beauty is that you have to type that in FIRST and submit it before you get to the 'anti-phishing' and personal question page. So if you're on a phishing page... you've already given them your credit card number before you see the pretty anti-phising picture.

    Bank of America does this, but you only have to give them your username first. It seems like one of the few non-pointless security measures, IMO. I appreciate it more now that I've recently been the victim of identity theft - good times!

    Captcha: ewww

  • blade (unregistered)

    Where were you born?

    A hospital. duh. or a car

  • awg (unregistered)

    My personal favorites are the ones that ask for your mother's maiden name. Since my mother's maiden name is her last name, and half of my last name, having to answer that question makes me feel like whatever I'm logging into is ultra-secure.

  • BlogReader (unregistered) in reply to TheRubyWarlock
    TheRubyWarlock:
    They tie your account to the computer you access it on - so as long as you always use the same machine (and never upgrade/reformat it) you only have to provide a user ID and passcode. Upgrade/get a virus/new computer, and then you have to jump through all these hoops answering all three of these nonsense questions or they lock your account and you need to call them up to unlock it.

    Chase does this, but they send you either an email or an SMS asking you to enter in a temporary one time password. I actually like it, shows that they are ahead of the curve in protecting my account.

  • DF (unregistered) in reply to Rich

    Though i kind of agree that this is an example of bad identity and authentication, there really isn't a good one.

    Security doesn't depend on verifying that Joe Shmoe is opening a checking account. Banks mostly need to verify that when someone claiming to be Joe Shmoe logs in online, they are the same person claiming to be Joe Shmoe who opened the account. You could have them create their login credentials at the branch when they open the account, or you could give them a physical token they use to log in, or both.

    TFA is a bit of a strawman anyway. TFA can help prevent phishing, if done correctly, but it is typically still vulnerable to man in the middle. If banks followed proper authentication procedures, though, you could use single factor authentication and solve both problems. The bank simply does something like give the customer a USB key with a root cert identifying the bank, or some other authentication key or fingerprint. If you open an SSL connection to the wrong entity, you know, and if you open it to the right entity, nobody can sniff your password. We essentially already have this, with trusted CAs, except that people are ignorant of how it works and don't check certificates; but if the bank gives you its own cert at a physical branch, you (1) aren't susceptible to phishing.com/bankofamerica giving you a (real, CA-signed) cert for phishing.com and you not checking and thinking it's for bankofamerica, and (2) eliminate the problem of due diligence (and lack thereof) on the part of the CA in verifying that the owners of trademarked domains are legitimate.

  • j005u (unregistered)

    Suddenly I don't feel so bad about living in an eastern european country anymore.

    Every single bank here has had manufactured (hard plastic, given to you by random) code cards from the day they started their online existence (which was around 1993/4, when the soviet union finally collapsed) Recently they've been starting to phase that out in favor of RSA pin calculators and smart card identification (the smart card is also the preffered official ID in my country. hell, we can even participate in our parlimentary elections online using them).

    As a matter of fact, about a year ago, banks blocked all pre-printed card access for businesses, only allowing one of the two methods (combined with a normal username and password of course).

  • etr (unregistered) in reply to Brandon
    Brandon:
    Q. What is your middle name? A. Ray Error: Your secret answer must be at least 5 letters.

    Doh! I guess I'll choose another question.

    Q. What was your high school mascot? A. Beavers Error: Your secret answer contains profanity and is not allowed.

    Doh! I guess I'll choose another question.

    I have to pick 3 and you only gave me four choices? I guess my money can go somewhere else.

    Captcha: pirates

    I ran into the same problems setting this up for our credit union when they decided to implement this bs. How can anyone put a four or five letter limit on first names? Idiots...

  • grrr (cs)

    Banks should start by accepting the special characters !@#$%^&*()-=[]{}|'";:,<.>?/`~ as part of the password.

    I am sick of having to neuter my strong passwords into weak ones.

  • TwelveBaud (unregistered) in reply to grrr

    grrr:

    It's to prevent SQL/FS injection attacks. They don't hash your passwords.

  • Grant (unregistered) in reply to blade
    blade:
    I like it when they let you write your own question and answer. That way you can think up questions you'd never forget.

    IE: What city were you born?

    If you forget that, bank security is the least of your problems.

    The question is Paula. The answer is Brilliant!

  • chuck (unregistered)

    THANK YOU THANK YOU for doing something on this. This is the most annoying, stupid, useless bullshit ever invented. Favorite color? Favorite food? What are we, seven years old? "What street did you grow up on?" Um... what if my family moved a few times while I was a kid?

    The financial institution that my wife and I use recently went to this idiotic model, and we did what probably a lot of people end up doing something similar to: just giving the last word of the question as the answer.

    BTW the captcha is "xevious" which is awesome.

  • Harrow (unregistered) in reply to jmichal
    jmichal:
    My favourite answers to all these idiotic questions is a negative one: "na" Since the answers are the same, the questions do not matter. Favourite pet? "na". Favourite Colour? "na". Or "not available", if 2 characters are not enough.
    Strangely enough, "na" was not in my attack dictionary.

    ...Is now, tho.

    -Harrow.

  • Bob (unregistered)

    I gave up on using my old bank's online access. First they made me change my login and password, with the usual alphanumeric requirements we all hate. Then they made me add the security questions. And THEN, they want me to pick an anti-phishing picture. And after all that their site is still 1997 ugly.

    I'm back to checking my balance on the phone (and opened new accounts at WAMU).

  • Jeltz (unregistered) in reply to chuck

    Seriously is this true. I can hardly believe it?

    My bank (Nordea) is well-known for having the crappiest security in Sweden and it beats these American banks in security by far. I am pretty sure that the kind of security you describe would be illegal here. These questions are just ordinary passwords that are even more vulnerable to dictionary attacks than your average one.

    If it is combined with some form of real security it would just be a case of bad UI design.

    Nordea's competitors use interesting form of security like two-ways SSL certification effectively killing the man in the middle attack, or forcing people to with an external device verify all amounts of transactions so the phishers can not steal much money. I believe some even force you to verify the destinations but this sounds like too annoying.

  • B. McAninch (unregistered)

    This is commonly referred to as "cognitive" or "mnemonic" authentication. Who sold it as two-factor?!? It's nothing more than multiple single factor (what you know).

    The purpose is to make authentication credentials easier to remember, with the intent of reducing/eliminating the need for password resets. Ultimately, this reduces social engineering attacks and overall support costs.

    Whether or not remembering your passwords is actually easier is subject to debate - the point is this is not nor does it attempt to be two-factor.

Leave a comment on “Wish-It-Was Two-Factor ”

Log In or post as a guest

Replying to comment #:

« Return to Article