Admin
FYI, the RSA keyfobs seem to be running around $60. I sure wish I could use one of those for my bank site.
Admin
I'm not sure how long that security measure will be non-pointless... I see no reason why the phisher couldn't basically proxy your request (you go to http://www.evil.com and that server sends your username/password/etc. to http://www.good.com, takes the image it gets from www.good.com and sends it back to you), but on the other hand, given that most of the phishing emails I get have obvious typos, I'm probably giving phishers too much credit.
Weird... captcha popped up... either there's a bug in the code or I had the same captcha the last time I posted
Admin
Wow. US Online Bank security is really that crappy? Wow.
In Germany, the standard is single-factor for login and a printed list of one-time random passwords that's sent via mail and of which you have to enter one for each transaction that actually moves money. Since that's too vulnerable to phishing, they're phasing it out in favor of a system where the one-time passwords are numbered and the banking app randomly chooses one that you have to enter. Defeats phishing but not man-in-the-middle attacks, so some banks are introducing a system where you're sent the password as a text message (including amount and recipient) to your cell phone.
Admin
The good news is that I can remember the name of my first pet.
The bad news is that the pet in question was named PJ, and two-letter answers weren't allowed by this institution.
And how am I going to remember later whether I typed P.J. or PeeJay or some other variation? Particularly when there's no indication of the character limit on the page where you're asked to authenticate?
Admin
That works if you trust the browser or whatever software is running on the machine you plugged the USB key into; otherwise, it's still vulnerable to someone replacing your browser software with a trojan that connects the USB key to the nearest phishermen and drains money from your account as fast as possible while showing you your balances.
This is the same problem that faces systems with TPM devices using remote attestation--you can get strong authentication of the state of the other guy's computer, and the other guy can get strong authentication of the state of your computer, but you have no way to determine if your own computer can be trusted, because the only data you have to make such a determination is what your own computer is programmed to tell you (and unlike a TPM device, a USB keyfob can't reliably examine the contents of the host computer's RAM). You need a second computer to verify the first one is secure...then a third computer to verify the second...
If the browser sends a transaction request to the USB key, then the browser gets a signed version of the request, then the browser sends the signed request to the bank, then the bank sends a signed confirmation response to the browser, then the browser sends the signed response to the USB key, then the USB key uses an integrated display to show transaction details from the bank's confirmation message, then the USB key has a button or PIN pad on the device that the user presses to provide final transaction approval, which causes the USB key to provide the browser with a signed confirmation message, then the browser sends the confirmation message to the bank, then the bank completes the transaction...whew...then the user can verify that the software on the host computer is behaving appropriately with respect to transactions (a trojan browser could prevent the transactions from being completed, but not change payees or amounts, create fake transactions without the user's cooperation, or replay old transactions). The host might still be spreading confidential data all over the network, but at least they can't grab your money and run with this data (at least not directly).
The security device would probably end up with a form factor more like an iPod Nano. It would be secure--unless you lost it or someone stole it, in which case a password of some sort is a reasonably effective way to prevent the thief from using it. But then the device plus a password is two-factor authentication...
On the other hand...I already have a bulging wallet full of plastic cards. I'm not sure that a bulging keychain full of RSA keyfobs with USB connectors, PIN keypads, and integrated displays is better.
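The flow described in the post above, worked through as an added example (this is not code from the thread or from any vendor's device). The signatures are modelled with HMAC-SHA256 over keys assumed to be shared at enrolment (`token_key` for the device, `bank_key` for the bank), the user is modelled as a stated `(payee, amount)` intent that the device display is checked against, and `MULE` and the three `tamper` behaviours are hypothetical trojan-browser moves used to show which ones the bank and the device each refuse:

```python
"""Simulation of a transaction-signing token with its own display and approve
button, sitting behind a browser that may be hostile. Added example; HMAC-SHA256
with keys shared at enrolment stands in for the signatures."""
import hashlib
import hmac
import json
import secrets

MULE = "MULE-ACCOUNT-0001"   # hypothetical account a trojan browser redirects funds to


def sign(key: bytes, payload: dict) -> str:
    """Tag over a canonical JSON encoding so both sides hash identical bytes."""
    msg = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify(key: bytes, payload: dict, tag: str) -> bool:
    return hmac.compare_digest(sign(key, payload), tag)


class Bank:
    def __init__(self, token_key: bytes, bank_key: bytes):
        self.token_key, self.bank_key = token_key, bank_key
        self.pending = {}       # txid -> confirmed details awaiting device approval
        self.completed = []

    def request(self, signed_req):
        req, tag = signed_req
        if not verify(self.token_key, req, tag):
            return None
        txid = secrets.token_hex(8)   # fresh per request, so an old approval cannot be reused
        conf = {"txid": txid, "payee": req["payee"], "amount": req["amount"]}
        self.pending[txid] = conf
        return conf, sign(self.bank_key, conf)

    def approve(self, signed_appr) -> bool:
        appr, tag = signed_appr
        if not verify(self.token_key, appr, tag):
            return False
        conf = self.pending.pop(appr["txid"], None)   # unknown or already used -> reject
        if conf is None or (conf["payee"], conf["amount"]) != (appr["payee"], appr["amount"]):
            return False
        self.completed.append(conf)
        return True


class Token:
    def __init__(self, token_key: bytes, bank_key: bytes, user_intent: tuple):
        self.token_key, self.bank_key = token_key, bank_key
        self.user_intent = user_intent   # (payee, amount) the user actually means to pay
        self.display = None

    def sign_request(self, req: dict):
        return req, sign(self.token_key, req)

    def confirm(self, signed_conf):
        """Show the bank's confirmation on the device; sign an approval only if
        what is displayed matches the user's intent (the button press)."""
        conf, tag = signed_conf
        if not verify(self.bank_key, conf, tag):
            return None                          # not from the bank: display stays blank
        self.display = (conf["payee"], conf["amount"])
        if self.display != self.user_intent:
            return None                          # user reads the display and declines
        appr = {"txid": conf["txid"], "payee": conf["payee"], "amount": conf["amount"]}
        return appr, sign(self.token_key, appr)


def run_session(bank, token, intent, tamper=None) -> str:
    """The browser in the middle. `tamper` selects a hypothetical trojan behaviour:
    'swap_payee'      rewrite the request before the token signs it
    'swap_and_patch'  ...and also edit the bank's confirmation so the display looks right
    'replay'          resubmit an approval the bank has already consumed"""
    payee, amount = intent
    req = {"payee": payee, "amount": amount}
    if tamper in ("swap_payee", "swap_and_patch"):
        req = {**req, "payee": MULE}
    signed_conf = bank.request(token.sign_request(req))
    if tamper == "swap_and_patch":
        conf, tag = signed_conf
        signed_conf = ({**conf, "payee": payee}, tag)   # the bank's tag no longer matches
    signed_appr = token.confirm(signed_conf)
    if signed_appr is None:
        return "not approved on device"
    ok = bank.approve(signed_appr)
    if tamper == "replay":
        return "replay accepted" if bank.approve(signed_appr) else "replay rejected"
    return "completed" if ok else "bank rejected"


def demo() -> dict:
    """Run each browser behaviour against fresh bank/token state."""
    token_key, bank_key = secrets.token_bytes(32), secrets.token_bytes(32)
    intent = ("ALICE-SAVINGS-0042", "150.00")     # constructed sample transaction
    results = {}
    for tamper in (None, "swap_payee", "swap_and_patch", "replay"):
        bank, token = Bank(token_key, bank_key), Token(token_key, bank_key, intent)
        results[tamper or "honest"] = (run_session(bank, token, intent, tamper), len(bank.completed))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15s} -> {outcome}")
```

The honest run completes; swapping the payee gets the mule account shown on the device, so the approval is never signed; patching the confirmation to hide the swap breaks the bank's tag, so the device shows nothing; and a replayed approval fails because the bank consumed the transaction id the first time. What the model does not cover is exactly what the post concedes: a hostile host can still refuse to forward anything, and it sees every byte that is not on the device's display.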
Admin
Online security is so dumb it's amazing. Banks have physical locations. If you're physically going to a bank and they can physically give you printed passwords, keyfobs, whatever, then they can just as easily SIGN KEYS IN PERSON. But the whole way browsers and secure sites are set up relies on highly flawed CAs and basically drops the authentication half of otherwise secure protocols. The best you get is something saying a third party (Verisign) believes that the party claiming online to be your bank is the party that you interact with at a physical location - but Verisign could be wrong, and even worse, the whole thing is useless if you don't carefully inspect your certs, which people can't even do correctly unless they are technically proficient enough to understand the difference between bank.com, 1.2.3.4/bank.com, and [email protected]. I really couldn't care less if I'm connecting to bank.com or crazyurl.net; all I care about is that the server belongs to the people I did business with in person. Sending texts to your phone doesn't fix the problem, it just makes it less easy to exploit (the phishers need to know your phone number - not exactly confidential information). Algorithmically, this is a solved problem (RSA), but its use in practice is utterly braindead.
Admin
I'm not a big fan of the retina scan myself, I am much more in favour of the more personal, intimate, rectal scan.
See, the problem with scanning the eye is someone can take your eye, just see what Tom did in Minority Report? But I defy anyone to attempt to remove the ol' back door....
Admin
Blah blah blahblah BLAH blah blah...
Or just put a secure web browser preconfigured with the bank's URL, SSL certificates, etc. on the USB device itself, complete with display and keyboard. No phishing possible because you can't connect to any other site from the device. The only thing it needs to be an ATM terminal is an Internet connection and the +5V USB power supply, both of which come from the host PC (some kind of proxy application for shlepping packets from the USB port to the bank's Internet site required on the host machine).
If the user wants a lower level of security in exchange for a bigger display or accessibility features, the host PC could launch a remote desktop session to the USB device.
Oh, wait, someone already did that...can't find the URL at the moment.
Admin
Lol, until people start putting in:
"My Password is 'SECRET'".
Sure, you can try to pattern match to avoid that, which means users will switch to:
"My password is 'SECRET'"
capcha: muhahaha
Admin
The question I hate most is "What city were you born in?" Okay, sure, I was born in St. Paul. Or was it Saint Paul? Or maybe it was St Paul. I can never be sure.
I'm not too concerned with random internet strangers knowing this, though, because I never use my city for my question. Mainly because it's incredibly insecure, but also for the reason above.
Admin
[quote user="Zygo"][quote user="DF"]The security device would probably end up with a form factor more like an iPod Nano. It would be secure--unless you lost it or someone stole it, in which case a password of some sort is a reasonably effective way to prevent the thief from using it. But then the device plus a password is two-factor authentication...[/quote]
You're quite right that trusted computing is a whole different problem on top of reliable identification protocols, and the current state of trusted computing environments is pretty sad. I don't think a solution needs to be so cumbersome, though; you can get interactive authentication tokens with a display that are about the size of two credit cards stacked, and it's probably possible to make credit-card sized ones or smaller, and cheap, with technology available today.
Then again, there are different levels of security, and a trojaned browser is currently much less of a threat than phishing (and it's not all just those stupid emails; there have been actual cases of CAs certifying phishers who used deceptive domain names). I would be much happier with the CA out of the picture, whether I trust my browser or not - and even with an untrusted browser, proper identification would make things like DNS pinning irrelevant, and only leave you vulnerable to someone actually changing binaries on your machine.
Admin
I have a problem with the 'mother's maiden name' too. My mother has been married, to my dad, but they're now divorced, and she kept her last name L. during their marriage.
So her current name should be her maiden name? Not quite...
She was always called Nanna, but she was baptized Cecilia; she changed her name to Nanna in her teens.
Also, she was called Holm as a kid; her dad changed his last name to his grandfather's (on his mother's side) when she was 10 or so... and she and her siblings (and mom) followed suit...
So even if I disregard the divorce, I can either consider her maiden name to be Nanna L., Nanna Holm (since she was called that by her family from a very early age), Cecilia L., or even Cecilia Holm, which was her name at birth :|
Admin
Put it into perspective. That's 30 characters. On top of 62 (alphanumeric), that's 1.5 extra bits. Random alphanumeric characters are worth about 6 bits each. So, all you have to do is add one extra character to the password for every ten. So, if you normally use ten characters that are alpha+numeric+all those symbols, you only have to use eleven alphanumeric chars for the same strength.
Admin
My bank doesn't just have numerous personal questions, it also has a picture that you choose during signup and then must identify when logging in. If it shows the wrong picture, you know that you're at a phishing site instead of the actual bank site.
This method is useful, but there is one big problem: people who already had accounts and haven't been switched over to the new system yet could still go to a phishing site that doesn't ask for image recognition, and since they haven't seen the new feature, the change doesn't do them any good.
Admin
I hate webpages that give me shit about password requirements.
Who, in all hell, would want to steal a del.icio.us account from a bored guy? Yet, they bullshitted me when I tried to create an account with a password which was similar to my login name (e.g. login name is foo.bar, password is foobar123)
Who would want to steal my NickServ password on IRC, since I am not an op in any important channel, nor a network admin?
When a site starts giving me this, I sometimes end up finding another option.
Admin
I'm not certain I understand your reasoning there... the password strength is figured on the number of possible combinations AFAIK. 92^10 is still a fair bit larger than 62^11. 12 alphanumeric characters will give you similar strength.
CAPTCHA ninjas... Talk Like a Pirate Day has passed. Tell your co-workers every other day is STFU Like a Ninja Day.
Admin
1: Do you like baked beans? 2: Do you like George Wendt? 3: Would you like to see George Wendt in a bean eating movie?
Admin
Wacky fact. First off, I work for a Financial Institution that isn't a bank. We use Network Solutions for our registrar/SSL needs.
For wildcard certs, their "verification process" is to look up your address on superpages.com and verify that the registration info you gave (not on your cert, but on the submission itself) matches what they see on superpages.com.
Of course, unless you've gone in and added a superpages.com account, any old random schmo can go in and edit/update/create your business address info.
SSL CA security is hogwash.
What I want institutions to do (and what my bank does) is have a system where the bank reveals information that only THEY know... a "bank password" to prove that the site you just logged into is really your bank.
Admin
I would use this as my question:
I'm hard yet soft, I'm coloured yet clear, I am fruity and sweet, I am jelly, what am I?
Admin
;DROP DATABASE is a reasonably strong password...
Admin
That's where real two-factor comes in. You have to both know something (i.e. your great-grandmother's maiden name) and [em]have[/em] something (i.e. a key file of some sort). The problem is that the banks and other groups that should use two-factor haven't been able to financially justify it (it's cheaper to deal with identity theft than to give everyone a USB key). The problem is that financial institutions don't think of an individual's security, they think of the relative cost of a specific security implementation versus a more secure alternative.
Admin
Some banks get it right when it comes to anti-phishing techniques. Both the Royal Bank of Scotland and Cahoot ask you for a random subset of your password when you log in (Cahoot also ask you to select numbers and letters from drop-down boxes to defeat keyloggers), and warn users that any site asking for the entire password is a phishing site and not to be trusted.
As for security questions, "Name of first pet" is pretty good, as is "Name of first school". "Memorable year" is excellent, as it's pretty difficult to mis-type (it's almost certainly a 4 digit number).
Mother's maiden name is rubbish, though. I know people who give a different response to each bank, on general principle.
Admin
If you want true security, allow the USER to make up both question and answer, then it can be tailored specifically to the Users background. Something like "Where was the Rifle Club?" means nothing to a stranger, but is instantly recognisable to me.
Admin
Oh yeah... and the real WTF is claiming that no one has a favorite color, and only one grandfather.
Admin
<sarcasm>I think we all know the only true form of identity verification is by barcode tattooed to your forehead at birth, perhaps with logos similar to bank money to make it shiny and attractive. :)</sarcasm>
Admin
Writing your own questions also provides opportunities for subversion and humor. Especially if you lock yourself out of the account, and have to phone support.
Q: Is this secure?
A: Hell, no!
Q: Does this bank's security suck?
A: Certainly
Q: What's the captcha?
A: bathe
Admin
I didn't ever have a pet.
My first school used not to have a name (only a number). Then they added a name, but the way things are, I could either:
Most years of my life were memorable in one way or another.
Basically, the questions are too generic, and unless I remember exactly what I had typed, I'm screwed. Yes, banks screw us, the customers. But I'm sure that the CIOs feel very proud of what they peddle as "security".
I wouldn't hire your average bank's CIO, not even if all he had to do was wash toilets.
Two-factor security is cheap: a physical one-time PIN generator can be a $5 device to make in small production runs, and $0.50 if made in reasonable volume. How anyone on this list, or at the bank, would think that it's "expensive" is beyond me. They must be out of their minds. $60? That's how much it costs to make a palmtop these days. With built-in wireless to boot. Or a very nice portable video/music player.
Cheers!
Admin
As for the topic... I got so pissed off with my bank when they started this. Not only did they make me think of 2 questions that I'd actually remember the answers for, but they have clear text boxes to type them into when required, so anyone in the room (or watching over VNC or similar) can read my answers.
On the other hand, this is much nicer than the Westpac system... Fixed length user ID numbers, fixed length case insensitive passwords (which require a number to make them more secure). Secured by using an onscreen keyboard (yeah... that'll stop "hackers").
Admin
The onscreen keyboard isn't meant to stop "hackers", it's meant to defeat keyloggers trying to capture your password. It's better than the stupid "secret(lol) questions" but would be more effective if they introduced some randomization into its appearance (position, scale, padding) so that the buttons aren't quite in the same position each time and the mouse clicks can't be logged and replayed...
If sites are going to play ridiculous little games like "Secret Questions!" they should at least let you use your own question, instead of things that most of your friends, family and employers know, or which complete strangers can look up on the electoral roll.
Admin
Anyone else notice that that would lead to actual (though horribly crappy) two-factor authentication?
Something you have (the paper with the question answers). Something you know (a password).
I wonder if that's how banks are getting around implementing any sort of effective two factor auth? Anyone know if these things tend to instruct you to write down the question answers when you sign up?
Admin
Nope, they're not testing that you have a piece of paper with the question answers. They're testing that you have knowledge of the answers (which you happen to have recorded on a piece of paper).
It's easy to prove this. Write your question answers on an etch-a-sketch and destroy/eat the piece of paper. You can still authenticate, even without the piece of paper. Real two-factor sort of requires that the item you possess is not trivially easy to duplicate or spoof.
Previous captcha: ewww, current captcha: yummy. I shit ye not.
Admin
Is this somehow supposed to make me feel better?
Admin
I don't know what security they use for this but apparently WAMU now allows people to sign up for bank accounts online without paperwork which to me means no signature or identity verification.
Admin
When a woman (or man) gets drunk, it changes as well.
Admin
Ha! And you just got denied access. Intentional typos FTW!
Admin
I sent this same type of e-mail a few months ago. Credit card asks for three different e-mail addresses, but more than half the questions are about a spouse or relationship, neither of which I've had (sadly). I found it hard to find answers to various questions.
In fact, looking at the e-mail, this could have been the same one.
Admin
My employer has the most "didn't-really-get-it" system for dealing with forgotten passwords in the world. When I click the "Forgotten Password" link on the corporate homepage, I am first asked to enter just my user-ID (which is fair enough). Then it takes me to a page where, in order to reset my password, I have to enter TWO different passphrases. There's no "secret question" or anything, just two password boxes I have to fill in. The reasoning is that the passphrases, while long, are not required to contain upper/lowercase, special characters etc, and are therefore easier to remember. The whole thing is so flawed it's beyond belief, especially since we are a large, well-known IT service provider.
Admin
One of my accounts (Egg) makes me type in my mother's maiden name and my password IN FULL every time. OK, it's over SSL, but what about the risk of keystroke grabbers or just the "looking over the shoulder" method?
And another thing: my mother died earlier this year, so typing her name isn't exactly as neutral a thing as they might imagine.
Admin
If they wanted to make it more secure, using REAL passwords would be better... Variable length for starters, and case sensitivity. And allow non-alphanumeric characters.
Admin
Um... no. It's actually a fair bit SMALLER. The wonders of exponential growth and all that...
Admin
But the whole keysigning thing would only be marginally safer than the current practice as well. I don't remember hearing of any identity theft cases that were based on fake certificates. They're either based on social engineering (phishing) or taking over the user's system via a trojan. Signed certificates won't protect you against either of these.
Also, I think the point of having a Verisign-signed certificate is not so much that you can inspect the certificate to see whom Verisign believes it belongs to, but that IF something fishy happens, it can be traced back to the people who paid for the certificate and the domain it belongs to.
Admin
Actually, my birth certificate lists a hospital in Essex, UK, but doesn't mention the town... as my family moved by the time I was one, er....
Still, you're right, bank security is the least of my problems ;-)
Admin
One day they will allow us to choose the second factor. Of course, if you are an armless twin with a degenerative eye disease, you are still screwed.
Admin
I have two online banking accounts. Here's the security they use: One: Name, Online Banking ID (~15 digits), Online Banking PIN code (5 digits), and 3 random letters from a custom password, entered using drop-down boxes. Two: A customer number (10 digits), "memorable data" (11 characters max), and 3 random digits from your PIN code (drop-down boxes). Guess which one used to ask for "customer number", PIN and one of these dodgy questions? Even better, you used to have to apply for a separate online banking account for every bank account you had with them, and couldn't move money between accounts, making it little more than an online statement.
Admin
My bank (firstdirect) changed from needing username/password on logging in, to username/password/secret question. I made the secret question "what's the password?". I thought it would be rejected, but no....
Re: RSA keyfobs... I was given one of those when I worked for a leading multi-national biotech company. The IT trainer showing me how to use it said, with a completely straight face, that it receives a new secret number every minute from a satellite. I almost LOLed until I realised she was serious.
Admin
abbey business banking asks
"what is your secret question?"
!!!
Admin
My bank has a proper two phase auth. To perform balance checks etc. only a login and password are needed. To transfer money, create recipients etc. a code is sent to your email or cell phone when you log in, and this code must be entered when doing the transaction. Something you know, and something you have.
Admin
It's smaller, but not by much- 1.5^10 is 50-something, so in security terms, they're the same.
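The keyspace arithmetic that the "92^10 versus 62^11" exchange above turns on, carried through as an added example (not code from any of the posters). It assumes 62 means letters plus digits and 92 means the same plus printable punctuation, and treats each character as uniformly random, which is the only case where "bits per character" is log2 of the alphabet size:

```python
"""Password keyspace arithmetic for the exchange above. Added example; assumes
uniformly random characters, so entropy per character is log2(alphabet size)."""
import math


def bits_per_char(alphabet_size: int) -> float:
    return math.log2(alphabet_size)


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password of `length` characters drawn uniformly from the alphabet."""
    return length * bits_per_char(alphabet_size)


def equivalent_length(from_size: int, from_len: int, to_size: int) -> int:
    """Shortest length over alphabet `to_size` at least as strong as from_size**from_len."""
    return math.ceil(keyspace_bits(from_size, from_len) / bits_per_char(to_size))


def keyspace_ratio(a_size: int, a_len: int, b_size: int, b_len: int) -> float:
    """a_size**a_len / b_size**b_len, computed in the log domain."""
    return 2 ** (keyspace_bits(a_size, a_len) - keyspace_bits(b_size, b_len))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case offline search time for a keyspace of `bits`; halve for the expected case."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def compare(symbol_size: int = 92, symbol_len: int = 10, alnum_size: int = 62) -> dict:
    """The specific comparison from the posts: 10 chars over 92 vs. the alnum length that matches."""
    alnum_len = equivalent_length(symbol_size, symbol_len, alnum_size)
    return {
        "extra_bits_per_char": bits_per_char(symbol_size) - bits_per_char(alnum_size),
        "symbol_bits": keyspace_bits(symbol_size, symbol_len),
        "alnum_len_needed": alnum_len,
        "alnum_bits": keyspace_bits(alnum_size, alnum_len),
        "ratio_symbol_to_alnum": keyspace_ratio(symbol_size, symbol_len, alnum_size, alnum_len),
        "ratio_same_length": keyspace_ratio(symbol_size, symbol_len, alnum_size, symbol_len),
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k:24s} {v:.3f}" if isinstance(v, float) else f"{k:24s} {v}")
    print("years at 1e10 guesses/s, 10 chars over 92:",
          round(years_to_exhaust(keyspace_bits(92, 10), 1e10)))
```

Running `compare()` gives about 0.57 extra bits per character for the larger alphabet, 65.2 bits for ten such characters against 65.5 bits for eleven alphanumerics, a ratio of roughly 0.83 between the two, and a ratio of about 52 when both are ten characters long. None of this applies to human-chosen passwords, whose per-character entropy is far below log2 of the alphabet.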
Admin
ABN Amro actually uses something called an E-dentifier. A small device in which you slide in your bankcard. Then you logon to their website, enter your bank# and card#, and get a random 6-digit number. You enter this number on your E-dentifier, then your pincode, and get back a 6-digit number, generated based upon the number you entered and information located on your bankcard.
Basically it verifies you have your bankcard and knowledge of your PIN code, just like an ATM would. All in all much better than the third-world-country solutions running around in the USA.
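A model of the reader-based challenge/response login the post above describes, as an added example; it is not the bank's protocol and the details are assumptions: the chip holds a key shared with the bank and checks the PIN itself, it locks after three wrong PINs the way an ATM would, and the six-digit response is a truncated HMAC of the server's challenge. `CARD-0001`, the PIN and the challenge handling are all constructed for the example.

```python
"""Challenge/response login with a card reader: the server issues a 6-digit
challenge, the card (after checking the PIN) answers with a 6-digit MAC of it.
Added example; the key sharing, PIN-retry limit and truncation are assumptions."""
import hashlib
import hmac
import secrets

DIGITS = 6


def truncate(mac: bytes) -> str:
    """Fold a MAC down to DIGITS decimal digits a user can type on the website."""
    return f"{int.from_bytes(mac[:4], 'big') % 10 ** DIGITS:0{DIGITS}d}"


def response_for(key: bytes, challenge: str) -> str:
    return truncate(hmac.new(key, challenge.encode(), hashlib.sha256).digest())


class BankCard:
    MAX_TRIES = 3   # assumption: chip locks after three wrong PINs

    def __init__(self, card_number: str, key: bytes, pin: str):
        self.card_number = card_number
        self._key, self._pin = key, pin
        self.tries_left = self.MAX_TRIES

    @property
    def locked(self) -> bool:
        return self.tries_left == 0

    def respond(self, challenge: str, pin: str):
        """What happens when challenge and PIN are keyed into the reader; None if refused."""
        if self.locked:
            return None
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.tries_left -= 1
            return None
        self.tries_left = self.MAX_TRIES
        return response_for(self._key, challenge)


class BankServer:
    def __init__(self):
        self.keys = {}          # card number -> key shared with the chip
        self.outstanding = {}   # card number -> challenge issued for the current login

    def enrol(self, card_number: str, key: bytes):
        self.keys[card_number] = key

    def challenge(self, card_number: str) -> str:
        c = f"{secrets.randbelow(10 ** DIGITS):0{DIGITS}d}"
        self.outstanding[card_number] = c
        return c

    def login(self, card_number: str, response) -> bool:
        # Single use: once a challenge is consumed, a captured response is worthless.
        c = self.outstanding.pop(card_number, None)
        if c is None or response is None or card_number not in self.keys:
            return False
        return hmac.compare_digest(response_for(self.keys[card_number], c), response)


def demo() -> dict:
    key = secrets.token_bytes(16)
    card = BankCard("CARD-0001", key, "1234")          # constructed sample card
    server = BankServer()
    server.enrol(card.card_number, key)
    out = {}
    c = server.challenge(card.card_number)
    resp = card.respond(c, "1234")
    out["correct"] = server.login(card.card_number, resp)
    out["replay"] = server.login(card.card_number, resp)        # same response a second time
    c2 = server.challenge(card.card_number)
    out["wrong_pin"] = card.respond(c2, "0000")
    card.respond(c2, "0000")
    card.respond(c2, "0000")
    out["locked"] = card.locked
    out["after_lock"] = card.respond(c2, "1234")                # right PIN no longer helps
    out["unenrolled"] = server.login("CARD-9999", "000000")
    return out


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:12s} -> {outcome}")
```

The response proves possession of the card and knowledge of the PIN at the moment of login, and because the challenge is random and single-use, a phished or shoulder-surfed response is useless afterwards. Two caveats a practitioner would add: a six-digit response gives an online guesser a one-in-a-million chance per challenge, so the server still has to rate-limit; and the response says nothing about any particular transaction, which is what the display-and-button signing device discussed earlier in the thread is for.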