• Franz Kafka (unregistered)

    FYI, the RSA keyfobs seem to be running around $60. I sure wish I could use one of those for my bank site.

  • C (unregistered) in reply to Kelly

    I'm not sure how long that security measure will be non-pointless... I see no reason why the phisher couldn't basically proxy your request (you go to http://www.evil.com and that server sends your username/password/etc. to http://www.good.com, takes the image it gets from www.good.com and sends it back to you), but on the other hand, given that most of the phishing emails I get have obvious typos, I'm probably giving phishers too much credit.

    Weird... captcha popped up... either there's a bug in the code or I had the same captcha the last time I posted

  • (cs)

    Wow. US Online Bank security is really that crappy? Wow.

    In Germany, the standard is single-factor for login and a printed list of one-time random passwords that's sent via mail and of which you have to enter one for each transaction that actually moves money. Since that's too vulnerable to phishing, they're phasing it out in favor of a system where the one-time passwords are numbered and the banking app randomly chooses one that you have to enter. Defeats phishing but not man-in-the-middle attacks, so some banks are introducing a system where you're sent the password as a text message (including amount and recipient) to your cell phone.

  • (cs) in reply to Brandon
    Brandon:
    Q. What is your middle name? A. Ray Error: Your secret answer must be at least 5 letters.
    I got hit by that little issue a while ago. One of the questions on some site I had to register for, I can't even remember which one, asked as one of the security questions what the name of your first pet was.

    The good news is that I can remember the name of my first pet.

    The bad news is that the pet in question was named PJ, and two-letter answers weren't allowed by this institution.

    And how am I going to remember later whether I typed P.J. or PeeJay or some other variation? Particularly when there's no indication of the character limit on the page where you're asked to authenticate?

  • Zygo (unregistered) in reply to DF
    DF:
    If banks followed proper authentication procedures, though, you could use single factor authentication and solve both problems. The bank simply does something like give the customer a USB key with a root cert identifying the bank, or some other authentication key or fingerprint. If you open an SSL connection to the wrong entity, you know, and if you open it to the right entity, nobody can sniff your password. We essentially already have this, with trusted CAs, except that people are ignorant of how it works and don't check certificates; but if the bank gives you its own cert at a physical branch, you (1) aren't susceptible to phishing.com/bankofamerica giving you a (real, CA-signed) cert for phishing.com and you not checking and thinking it's for bankofamerica, and (2) eliminate the problem of due diligence (and lack thereof) on the part of the CA in verifying that the owners of trademarked domains are legitimate.

    That works if you trust the browser or whatever software is running on the machine you plugged the USB key into; otherwise, it's still vulnerable to someone replacing your browser software with a trojan that connects the USB key to the nearest phishermen and drains money from your account as fast as possible while showing you your balances.

    This is the same problem that faces systems with TPM devices using remote attestation--you can get strong authentication of the state of the other guy's computer, and the other guy can get strong authentication of the state of your computer, but you have no way to determine if your own computer can be trusted, because the only data you have to make such a determination is what your own computer is programmed to tell you (and unlike a TPM device, a USB keyfob can't reliably examine the contents of the host computer's RAM). You need a second computer to verify the first one is secure...then a third computer to verify the second...

    If the browser sends a transaction request to the USB key, then the browser gets a signed version of the request, then the browser sends the signed request to the bank, then the bank sends a signed confirmation response to the browser, then the browser sends the signed response to the USB key, then the USB key uses an integrated display to show transaction details from the bank's confirmation message, then the USB key has a button or PIN pad on the device that the user presses to provide final transaction approval, which causes the USB key to provide the browser with a signed confirmation message, then the browser sends the confirmation message to the bank, then the bank completes the transaction...whew...then the user can verify that the software on the host computer is behaving appropriately with respect to transactions (a trojan browser could prevent the transactions from being completed, but not change payees or amounts, create fake transactions without the user's cooperation, or replay old transactions). The host might still be spreading confidential data all over the network, but at least they can't grab your money and run with this data (at least not directly).

    The security device would probably end up with a form factor more like an iPod Nano. It would be secure--unless you lost it or someone stole it, in which case a password of some sort is a reasonably effective way to prevent the thief from using it. But then the device plus a password is two-factor authentication...

    On the other hand...I already have a bulging wallet full of plastic cards. I'm not sure that a bulging keychain full of RSA keyfobs with USB connectors, PIN keypads, and integrated displays is better.
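    The signing flow Zygo walks through above, written out as a runnable simulation. This is an added example, not code from any commenter or from a real bank: HMAC-SHA256 with keys shared between the device and the bank stands in for the digital signatures the comment describes, the sample transaction and keys are constructed, and the trojaned browser is modelled by two callbacks that may alter what goes to the device and what goes to the bank. The point it demonstrates is the one in the comment: a hostile browser can block a transaction, but the device's own display and button stop it from changing the payee, forging a transaction, or replaying an old one.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo keys. In the scheme described above the device would be
# provisioned by the bank; HMAC with a shared key stands in for the
# signatures the comment describes (an assumption of this demo).
DEVICE_KEY = secrets.token_bytes(32)
BANK_KEY = secrets.token_bytes(32)

# Constructed sample transaction the user intends to make.
INTENDED_TX = {"id": "tx-0001", "to": "ACME Utilities", "amount": "125.00"}


def tag(key: bytes, payload: dict) -> str:
    """MAC over a canonical JSON encoding, so both sides tag identical bytes."""
    data = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def check(key: bytes, payload: dict, sig: str) -> bool:
    return hmac.compare_digest(tag(key, payload), sig)


class Device:
    """USB token with its own display and approve button (user_approves)."""

    def __init__(self, key: bytes, user_approves):
        self.key = key
        self.user_approves = user_approves

    def sign_request(self, tx: dict) -> dict:
        # The device signs whatever the browser hands it; at this point it
        # cannot know whether the browser altered what the user typed.
        return {"tx": tx, "dev_sig": tag(self.key, tx)}

    def approve(self, confirmation: dict):
        body = confirmation["body"]
        if not check(BANK_KEY, body, confirmation["bank_sig"]):
            return "bad_bank_signature"
        # The integrated display shows the bank's view of the transaction;
        # the user presses the button only if it matches what they intended.
        if not self.user_approves(body["tx"]):
            return "rejected_by_user"
        return {"body": body, "dev_sig": tag(self.key, body)}


class Bank:
    def __init__(self):
        self.pending = {}      # nonce -> confirmed body awaiting approval
        self.completed = []    # transactions actually executed
        self.seen_ids = set()  # transaction ids already completed (anti-replay)

    def receive_request(self, signed: dict):
        tx = signed["tx"]
        if not check(DEVICE_KEY, tx, signed["dev_sig"]):
            return "bank_rejected_request"  # tampered after signing, or forged
        if tx["id"] in self.seen_ids:
            return "replay_rejected"
        body = {"tx": tx, "nonce": secrets.token_hex(8)}
        self.pending[body["nonce"]] = body
        return {"body": body, "bank_sig": tag(BANK_KEY, body)}

    def receive_approval(self, approval: dict) -> str:
        body = approval["body"]
        nonce = body["nonce"]
        if nonce not in self.pending or not check(DEVICE_KEY, body, approval["dev_sig"]):
            return "bank_rejected_approval"
        del self.pending[nonce]
        self.seen_ids.add(body["tx"]["id"])
        self.completed.append(body["tx"])
        return "completed"


def run_session(intended: dict, browser_to_device=lambda tx: tx,
                browser_to_bank=lambda req: req, bank=None) -> str:
    """Drive one transaction through a browser that may be honest or trojaned.

    browser_to_device / browser_to_bank model what a hostile browser could
    change on the way to the device and on the way to the bank.
    """
    if bank is None:
        bank = Bank()
    # The user compares what the device displays with what they meant to send.
    device = Device(DEVICE_KEY, user_approves=lambda shown: shown == intended)
    signed_req = device.sign_request(browser_to_device(intended))
    conf = bank.receive_request(browser_to_bank(signed_req))
    if isinstance(conf, str):
        return conf
    approval = device.approve(conf)
    if isinstance(approval, str):
        return approval
    return bank.receive_approval(approval)


if __name__ == "__main__":
    print("honest browser:", run_session(INTENDED_TX))
    print("payee swapped before signing:",
          run_session(INTENDED_TX, browser_to_device=lambda tx: {**tx, "to": "mule account"}))
    print("payee swapped after signing:",
          run_session(INTENDED_TX, browser_to_bank=lambda r: {**r, "tx": {**r["tx"], "to": "mule account"}}))
```

    Swapping the payee before the device signs gets as far as the bank's confirmation, but the device then displays "mule account" and the user declines; swapping it after signing fails the device signature at the bank; running the same transaction id twice against one Bank instance is refused as a replay.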

  • DF (unregistered) in reply to brazzy
    brazzy:
    Defeats phishing but not man-in-the-middle attacks, so some banks are introducing a system where you're sent the password as a text message (including amount and recipient) to your cell phone.

    Online security is so dumb it's amazing. Banks have physical locations. If you're physically going to a bank and they can physically give you printed passwords, keyfobs, whatever, then they can just as easily SIGN KEYS IN PERSON. But the whole way browsers and secure sites are set up relies on highly flawed CAs and basically drops the authentication half of otherwise secure protocols. The best you get is something saying a third party (Verisign) believes that the party claiming online to be your bank is the party that you interact with at a physical location - but Verisign could be wrong, and even worse, the whole thing is useless if you don't carefully inspect your certs, which people can't even do correctly unless they are technically proficient enough to understand the difference between bank.com, 1.2.3.4/bank.com, and [email protected]. I really couldn't care less if I'm connecting to bank.com or crazyurl.net; all I care about is that the server belongs to the people I did business with in person. Sending texts to your phone doesn't fix the problem, it just makes it less easy to exploit (the phishers need to know your phone number - not exactly confidential information). Algorithmically, this is a solved problem (RSA), but its use in practice is utterly braindead.

  • Stuart (unregistered)

    I'm not a big fan of the retina scan myself, I am much more in favour of the more personal, intimate, rectal scan.

    See, the problem with scanning the eye is someone can take your eye, just see what Tom did in Minority Report? But I defy anyone to attempt to remove the ol' back door....

  • Zygo (unregistered) in reply to Zygo

    Blah blah blahblah BLAH blah blah...

    Or just put a secure web browser preconfigured with the bank's URL, SSL certificates, etc. on the USB device itself, complete with display and keyboard. No phishing possible because you can't connect to any other site from the device. The only thing it needs to be an ATM terminal is an Internet connection and the +5V USB power supply, both of which come from the host PC (some kind of proxy application for schlepping packets from the USB port to the bank's Internet site required on the host machine).

    If the user wants a lower level of security in exchange for a bigger display or accessibility features, the host PC could launch a remote desktop session to the USB device.

    Oh, wait, someone already did that...can't find the URL at the moment.

  • Jer (unregistered) in reply to Jessica

    Lol, until people start putting in:

    "My Password is 'SECRET'".

    Sure, you can try to pattern match to avoid that, which means users will switch to:

    "My password is 'SECRET'"

    capcha: muhahaha

  • Wark (unregistered)

    The question I hate most is "What city were you born in?" Okay, sure, I was born in St. Paul. Or was it Saint Paul? Or maybe it was St Paul. I can never be sure.

    I'm not too concerned with random internet strangers knowing this, though, because I never use my city for my question. Mainly because it's incredibly unsecure, but also for the reason above.

  • DF (unregistered) in reply to Zygo

    Zygo:
    The security device would probably end up with a form factor more like an iPod Nano. It would be secure--unless you lost it or someone stole it, in which case a password of some sort is a reasonably effective way to prevent the thief from using it. But then the device plus a password is two-factor authentication...

    You're quite right that trusted computing is a whole different problem on top of reliable identification protocols, and the current state of trusted computing environments is pretty sad. I don't think a solution needs to be so cumbersome, though; you can get interactive authentication tokens with a display that are about the size of two credit cards stacked, and it's probably possible to make credit-card sized ones or smaller, and cheap, with technology available today.

    Then again, there are different levels of security, and a trojaned browser is currently much less of a threat than phishing (and it's not all just those stupid emails; there have been actual cases of CAs certifying phishers who used deceptive domain names). I would be much happier with the CA out of the picture, whether I trust my browser or not - and even with an untrusted browser, proper identification would make things like DNS pinning irrelevant, and only leave you vulnerable to someone actually changing binaries on your machine.

  • Petrograd (unregistered)

    I have a problem with the 'mother's maiden's name' too. My mother has been married, to my dad, but they're now divorced, and she kept her last name L. during their marriage.

    So her current name should be her maiden's name? Not quite...

    She was always called Nanna, but she was baptized to Cecilia, she changed name to Nanna in her teens.

    Also, she was called Holm as a kid, her dad changed last name to his grandfather's (on his mother's side) when she was 10 or so... and she and her siblings (and mom) followed suit...

    So even if I disregard the divorce, I can either consider her maiden's name to be Nanna L., Nanna Holm (since she was called that by her family from very early age), Cecilia L., or even Cecilia Holm, which was her name at birth :|

  • (cs) in reply to grrr
    grrr:
    Banks should start by accepting the special characters !@#$%^&*()-=[]{}\|'";:,<.>?/`~ as part of the password.

    I am sick of having to neuter my strong passwords into weak ones.

    Put it into perspective. That's 30 characters. On top of 62 (alphanumeric), that's 1.5 extra bits. Random alphanumeric characters are worth about 6 bits each. So, all you have to do is add one extra character to the password for every ten. So, if you normally use ten characters that are alpha+numeric+all those symbols, you only have to use eleven alphanumeric chars for the same strength.

  • Covarr (unregistered)

    My bank doesn't just have numerous personal questions, it also has a picture that you choose during signup and then must identify when logging in. If it shows the wrong picture, you know that you're at a phishing site instead of the actual bank site.

    This method is useful, but there is one big problem: people who already had accounts and haven't been switched over to the new system yet could still go to a phishing site that doesn't ask for image recognition, and since they haven't seen the new feature, the change doesn't do them any good.

  • (cs)

    I hate webpages that give me shit about password requirements.

    Who, in all hell, would want to steal a del.icio.us account from a bored guy? Yet, they bullshitted me when I tried to create an account with a password which was similar to my login name (e.g. login name is foo.bar, password is foobar123)

    Who would want to steal my NickServ password on IRC, since I am not an op in any important channel, nor a network admin?

    When a site starts giving me this, I sometimes end up by finding another option.

  • Captain Spongebath (unregistered) in reply to Random832
    Random832:
    Put it into perspective. That's 30 characters. On top of 62 (alphanumeric), that's 1.5 extra bits. Random alphanumeric characters are worth about 6 bits each. So, all you have to do is add one extra character to the password for every ten. So, if you normally use ten characters that are alpha+numeric+all those symbols, you only have to use _eleven_ alphanumeric chars for the same strength.

    I'm not certain I understand your reasoning there... the password strength is figured on number of possible combinations AFAIK. 92^10 is still a fair bit larger than 62^11. 12 alphanumeric characters will give you similar strength.

    CAPTCHA ninjas... Talk Like a Pirate Day has passed. Tell your co-workers every other day is STFU Like a Ninja Day.

  • Adam Heath (unregistered)

    1: Do you like baked beans? 2: Do you like George Wendt? 3: Would you like to see George Wendt in a bean eating movie?

  • olodumare (unregistered) in reply to DF
    DF:
    (2) eliminate the problem of due diligence (and lack thereof) on the part of the CA in verifying that the owners of trademarked domains are legitimate.

    Wacky fact. First off I work for a Financial Institution that isn't a bank. We use network solutions for our registrar/ssl needs.

    For wildcard certs, their "verification process" is to look up your address on superpages.com and verify that the registration info you gave (not on your cert, but on the submission itself) matches what they see on superpages.com

    Of course, unless you've gone in and added a superpages.com account, any old random schmo can go in and edit/update/create your business address info.

    SSL CA security is hogwash.

    What I want institutions to do (and what my bank does) is have a system where the bank reveals information that only THEY know... a "bank password" to prove that the site you just logged into is really your bank.

  • YellowCat (unregistered)

    I would use this as my question:

    I'm hard yet soft, I'm coloured yet clear, I am fruity and sweet, I am jelly, what am I?

  • Monday Zombie (unregistered) in reply to TwelveBaud

    ;DROP DATABASE is a reasonably strong password...

  • (cs) in reply to unklegwar
    unklegwar:
    Add in the point that anyone who even remotely knows me will be able to provide the answers to these questions.

    They can guess my work address, year I graduated, might even know pet names and mascot names if we ever had even a polite chat.

    Thumbprint scans are out (is there a web protocol for these?) as they can be defeated with photocopies and silly putty.

    I guess DNA or retinal scans, then.

    That's where the real two-factor comes in. You have to both know something (i.e. your great-grandmother's maiden name) and [em]have[/em] something (i.e. a key file of some sort). The problem is that the banks and other groups that should use two-factor haven't been able to financially justify it (it's cheaper to deal with identity theft than to give everyone a USB key). The problem is that financial institutions don't think of an individual's security, they think of the relative cost of a specific security implementation versus a more secure alternative.

  • (cs)

    Some banks get it right when it comes to anti-phishing techniques. Both the Royal Bank of Scotland and Cahoot ask you for a random subset of your password when you log in (Cahoot also ask you to select numbers and letters from drop-down boxes to defeat keyloggers), and warn users that any site asking for the entire password is a phishing site and not to be trusted.

    As for security questions, "Name of first pet" is pretty good, as is "Name of first school". "Memorable year" is excellent, as it's pretty difficult to mis-type (it's almost certainly a 4 digit number).

    Mother's maiden name is rubbish, though. I know people who give a different response to each bank, on general principle.

  • Grant Casci (unregistered)

    If you want true security, allow the USER to make up both question and answer, then it can be tailored specifically to the Users background. Something like "Where was the Rifle Club?" means nothing to a stranger, but is instantly recognisable to me.

  • (cs) in reply to Brandon
    Brandon:
    Q. What was your high school mascot? A. Beavers Error: Your secret answer contains profanity and is not allowed.

    Doh! I guess I'll choose another question.

    Sounds like RSA Passmark. My company discarded its own solution (no fob, but still better than RSA), developed in-house, for that kludgy abomination.

  • (cs)

    Oh yeah... and the real WTF is claiming that no one has a favorite color, and only one grandfather.

  • Nick (unregistered)

    <sarcasm>I think we all know the only true form of identity verification is by barcode tattooed to your forehead at birth, perhaps with logos similar to bank money to make it shiny and attractive. :)</sarcasm>

  • Some Robot (unregistered) in reply to Jessica

    Writing your own questions also provides opportunities for subversion and humor. Especially if you lock yourself out of the account, and have to phone support.

    Q: Is this secure?

    A: Hell, no!

    Q: Does this bank's security suck?

    A: Certainly

    Q: What's the captcha?

    A: bathe

  • Kuba Ober (unregistered) in reply to skington
    skington:
    Some banks get it right when it comes to anti-phishing techniques. Both the Royal Bank of Scotland and Cahoot ask you for a random subset of your password when you log in (Cahoot also ask you to select numbers and letters from drop-down boxes to defeat keyloggers), and warn users that any site asking for the entire password is a phishing site and not to be trusted.

    As for security questions, "Name of first pet" is pretty good, as is "Name of first school". "Memorable year" is excellent, as it's pretty difficult to mis-type (it's almost certainly a 4 digit number).

    I didn't ever have a pet.

    My first school used not to have a name (only a number). Then they added a name, but the way things are, I could either:

    • submit the full official name of the school, which all of the banking sites known to me reject (it's too long),
    • submit only the last name of the school's patron, which form I may not remember later,
    • etc.

    Most years of my life were memorable in one way or another.

    Basically, the questions are too generic, and unless I remember exactly what I had typed, I'm screwed. Yes, banks screw us, the customers. But I'm sure that the CIOs feel very proud of what they peddle as "security".

    I wouldn't hire your average bank's CIO, not even if all he had to do was wash toilets.

    Two factor security is cheap, a physical one-time pin generator can be a $5 device to make in small production runs, and $0.50 if made in reasonable volume. How anyone on this list, or at the bank, would think that it's "expensive" is beyond me. They must be out of their mind. $60? That's how much it costs to make a palmtop these days. With built-in wireless to boot. Or a very nice portable video/music player.

    Cheers!

  • (cs) in reply to Grant
    Grant:
    The question is Paula. The answer is Brilliant!
    No it's not! The answer is "brillant".. No "I".

    As for the topic... I got so pissed off with my bank when they started this. Not only did they make me think of 2 questions that I'd actually remember the answers for, but they have clear text boxes to type them into when required, so anyone in the room (or watching over VNC or similar) can read my answers.

    On the other hand, this is much nicer than the Westpac system... Fixed length user ID numbers, fixed length case insensitive passwords (which require a number to make them more secure). Secured by using an onscreen keyboard (yeah... that'll stop "hackers").

  • Captain Spongebath (unregistered) in reply to tin
    tin:
    On the other hand, this is much nicer than the Westpac system... Fixed length user ID numbers, fixed length case insensitive passwords (which require a number to make them more secure). Secured by using an onscreen keyboard (yeah... that'll stop "hackers").

    The onscreen keyboard isn't meant to stop "hackers", it's meant to defeat keyloggers trying to capture your password. It's better than the stupid "secret(lol) questions" but would be more effective if they introduced some randomization into its appearance (position, scale, padding) so that the buttons aren't quite in the same position each time and the mouse clicks can't be logged and replayed...

    If sites are going to play ridiculous little games like "Secret Questions!" they should at least let you use your own question, instead of things that most of your friends, family and employers know, or which complete strangers can look up on the electoral roll.

  • (cs)

    So I’ll have to write them all down, but that doesn’t seem very secure.

    Anyone else notice that that would lead to actual (though horribly crappy) two-factor authentication?

    Something you have (the paper with the question answers). Something you know (a password).

    I wonder if that's how banks are getting around implementing any sort of effective two factor auth? Anyone know if these things tend to instruct you to write down the question answers when you sign up?

  • Miracle Ointment (unregistered) in reply to tiro
    tiro:
    > So I’ll have to write them all down, but that doesn’t seem very secure.

    Anyone else notice that that would lead to actual (though horribly crappy) two-factor authentication?

    Something you have (the paper with the question answers). Something you know (a password).

    Nope, they're not testing that you have a piece of paper with the question answers. They're testing that you have knowledge of the answers (which you happen to have recorded on a piece of paper).

    It's easy to prove this. Write your question answers on an etch-a-sketch and destroy/eat the piece of paper. You can still authenticate, even without the piece of paper. Real two-factor sorta requires that the item you possess is not trivially easy to duplicate or spoof.

    Previous captcha: ewww, current captcha: yummy. I shit ye not.

  • rudedog (unregistered) in reply to TwelveBaud
    Twelvebaud:
    It's to prevent SQL/FS injection attacks. They don't hash your passwords.

    Is this somehow supposed to make me feel better?

  • (cs)

    I don't know what security they use for this but apparently WAMU now allows people to sign up for bank accounts online without paperwork which to me means no signature or identity verification.

  • George Nacht (unregistered) in reply to Benji
    Benji:
    No retinal scans. When a woman gets pregnant it changes her retinal pattern.

    When a woman (or man) gets drunk, it changes as well.

  • Zock (unregistered) in reply to tin
    tin:
    Grant:
    The question is Paula. The answer is Brilliant!
    No it's not! The answer is "brillant".. No "I".

    Ha! And you just got denied access. Intentional typos FTW!

  • (cs)

    I sent this same type of e-mail a few months ago. Credit card asks for three different e-mail addresses, but more than half the questions are about a spouse or relationship, neither of which I've had (sadly). I found it hard to find answers to various questions.

    In fact, looking at the e-mail, this could have been the same one.

  • Jeroen Bouwens (unregistered)

    My employer has the most "didn't-really-get-it" system for dealing with forgotten passwords in the world. When I click the "Forgotten Password" link on the corporate homepage, I am first asked to enter just my user-ID (which is fair enough). Then it takes me to a page where, in order to reset my password, I have to enter TWO different passphrases. There's no "secret question" or anything, just two password boxes I have to fill in. The reasoning is that the passphrases, while long, are not required to contain upper/lowercase, special characters etc, and are therefore easier to remember. The whole thing is so flawed it's beyond belief, especially since we are a large, well-known IT service provider.

  • awt (unregistered) in reply to skington
    skington:
    Some banks get it right when it comes to anti-phishing techniques. Both the Royal Bank of Scotland and Cahoot ask you for a random subset of your password when you log in (Cahoot also ask you to select numbers and letters from drop-down boxes to defeat keyloggers), and warn users that any site asking for the entire password is a phishing site and not to be trusted.

    As for security questions, "Name of first pet" is pretty good, as is "Name of first school". "Memorable year" is excellent, as it's pretty difficult to mis-type (it's almost certainly a 4 digit number).

    Mother's maiden name is rubbish, though. I know people who give a different response to each bank, on general principle.

    One of my accounts (Egg) makes me type in my mother's maiden name and my password IN FULL every time. OK, it's over SSL, but what about the risk of keystroke grabbers or just the "looking over the shoulder" method?

    And another thing: my mother died earlier this year, so typing her name isn't exactly as neutral a thing as they might imagine.

  • (cs) in reply to Captain Spongebath
    Captain Spongebath:
    tin:
    On the other hand, this is much nicer than the Westpac system... Fixed length user ID numbers, fixed length case insensitive passwords (which require a number to make them more secure). Secured by using an onscreen keyboard (yeah... that'll stop "hackers").

    The onscreen keyboard isn't meant to stop "hackers", it's meant to defeat keyloggers trying to capture your password. It's better than the stupid "secret(lol) questions" but would be more effective if they introduced some randomization into its appearance (position, scale, padding) so that the buttons aren't quite in the same position each time and the mouse clicks can't be logged and replayed...

    Come on... If you're going to bother logging anything to capture passwords and such these days, you're going to want to capture fairly selectively, or miss the needle in the haystack. So therefore, you'll probably be already planning ahead to capture based on the site's tactics anyway. Randomized locations for onscreen keyboards are the worst thing. I know a bank that does that, and it's horrible to log into.

    If they wanted to make it more secure, using REAL passwords would be better... Variable length for starters, and case sensitivity. And allow non-alphanumeric characters.

  • (cs) in reply to Captain Spongebath
    Captain Spongebath:
    I'm not certain I understand your reasoning there... the password strength is figured on number of possible combinations AFAIK. 92^10 is still a fair bit larger than 62^11.

    Um... no. It's actually a fair bit SMALLER. The wonders of exponential growth and all that...

  • (cs) in reply to DF
    DF:
    brazzy:
    Defeats phishing but not man-in-the-middle attacks, so some banks are introducing a system where you're sent the password as a text message (including amount and recipient) to your cell phone.

    Online security is so dumb it's amazing. Banks have physical locations. If you're physically going to a bank and they can physically give you printed passwords, keyfobs, whatever, then they can just as easily SIGN KEYS IN PERSON. But the whole way browsers and secure sites are set up relies on highly flawed CAs and basically drops the authentication half of otherwise secure protocols. The best you get is something saying a third party (Verisign) believes that the party claiming online to be your bank is the party that you interact with at a physical location - but Verisign could be wrong, and even worse, the whole thing is useless if you don't carefully inspect your certs, which people can't even do correctly unless they are technically proficient enough to understand the difference between bank.com, 1.2.3.4/bank.com, and [email protected]. I really couldn't care less if I'm connecting to bank.com or crazyurl.net; all I care about is that the server belongs to the people I did business with in person. Sending texts to your phone doesn't fix the problem, it just makes it less easy to exploit (the phishers need to know your phone number - not exactly confidential information). Algorithmically, this is a solved problem (RSA), but its use in practice is utterly braindead.

    Ouch. It didn't occur to me that the phone thing is just as vulnerable to a man-in-the-middle attack. Especially since the phone number will quite often be saved as contact data in the online banking app itself...

    But the whole keysigning thing would only be marginally safer than the current practice as well. I don't remember hearing of any identity theft cases that were based on fake certificates. They're either based on social engineering (phishing) or taking over the user's system via a trojan. Signed certificates won't protect you against either of these.

    Also, I think the point of having a Verisign-signed certificate is not so much that you can inspect the certificate to see whom Versigin believes it belongs to, but that IF something fishy happens, it can be traced back to the people who paid for the certificate and the domain it belongs to.

  • Rob G (unregistered) in reply to blade
    blade:
    I like it when they let you write your own question and answer. That way you can think up questions you'd never forget.

    IE: What city were you born?

    If you forget that, bank security is the least of your problems.

    Actually, my birth certificate lists a hospital in the Essex, UK, but doesn't mention the town... as my family moved by the time I was one, er....

    Still, you're right, bank security is the least of my problems ;-)

  • Konstantin Surkov (unregistered) in reply to Rich
    Rich:
    DNA? hope your identical twin doesn't rip you off. I'm sure you heard of the identical twin who got nailed in a paternity suit essentially because of a coin flip over whether it was him or his brother.

    Retinal scan? hope you don't get a degenerative eye disease.

    Fingerprints? Can be faked. I had a friend of mine who lost both hands in an industrial accident. Does he exist?

    One day they will allow us to choose second factor. Of course, if you are armless twin with degenerative eye disease, you are still screwed.

  • (cs)

    I have two online banking accounts. Here's the security they use: One: Name, Online Banking ID (~15 digit), Online Banking PIN code (5 digit), and a random 3 letters from a custom password, entered using drop-down boxes. Two: A customer number (10 digits), a "memorable data" (11 characters max), and 3 random digits from your pin code (dropdown boxes). Guess which one used to ask for "customer number", pin and one of these dodgy questions? Even better, you used to have to apply for a separate online banking account for every bank account you had with them, and couldn't move money between accounts, making it little more than an online statement.

  • (cs)

    My bank (firstdirect) changed from needing username/password on logging in, to username/password/secret question. I made the secret question "what's the password?". I thought it would be rejected, but no....

    Re: RSA keyfobs... I was given one of those when I worked for a leading multi-national biotech company. The IT trainer showing me how to use it said, with a completely straight face, that it receives a new secret number every minute from a satellite. I almost LOLed until I realised she was serious.

  • James (unregistered)

    abbey business banking asks

    "what is your secret question?"

    !!!

  • Brady Kelly (unregistered)

    My bank has a proper two phase auth. To perform balance checks etc. only a login and password are needed. To transfer money, create recipients etc. a code is sent to your email or cell phone when you log in, and this code must be entered when doing the transaction. Something you know, and something you have.

  • rumpelstiltskin (unregistered) in reply to brazzy
    brazzy:
    Captain Spongebath:
    I'm not certain I understand your reasoning there... the password strength is figured on number of possible combinations AFAIK. 92^10 is still a fair bit larger than 62^11.

    Um... no. It's actually a fair bit SMALLER. The wonders of exponential growth and all that...

    It's smaller, but not by much- 1.5^10 is 50-something, so in security terms, they're the same.
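    The 92^10 versus 62^11 argument that runs through Random832's, Captain Spongebath's, brazzy's and rumpelstiltskin's comments, carried through numerically. This is an added example rather than anything posted in the thread; it computes entropy per character for the two character sets (62 alphanumerics, and the same plus the 30 symbols grrr listed) and, for any password length over the larger set, the alphanumeric length that reaches at least the same entropy, so it generalises beyond the ten-character case the comments argue about.

```python
import math

# Character-set sizes discussed in the thread: letters+digits, and the same
# plus the 30 symbols listed by grrr.
ALNUM = 62
ALNUM_PLUS_SYMBOLS = 62 + 30


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a password whose characters are chosen uniformly at random."""
    return length * math.log2(charset_size)


def length_to_match(target_bits: float, charset_size: int) -> int:
    """Shortest length over charset_size that reaches at least target_bits."""
    return math.ceil(target_bits / math.log2(charset_size))


def keyspace_ratio(size_a: int, len_a: int, size_b: int, len_b: int) -> float:
    """How many times larger keyspace A (size_a^len_a) is than keyspace B."""
    return (size_a ** len_a) / (size_b ** len_b)


def compare(len_symbols: int) -> dict:
    """Summarise the trade-off for a password of len_symbols chars over the 92-char set."""
    bits = entropy_bits(ALNUM_PLUS_SYMBOLS, len_symbols)
    needed = length_to_match(bits, ALNUM)
    return {
        "symbol_password_bits": round(bits, 2),
        "bits_per_symbol_char": round(math.log2(ALNUM_PLUS_SYMBOLS), 2),
        "bits_per_alnum_char": round(math.log2(ALNUM), 2),
        "alnum_length_needed": needed,
        # >1 means the alphanumeric password of that length has the larger keyspace
        "ratio_alnum_to_symbol": round(
            keyspace_ratio(ALNUM, needed, ALNUM_PLUS_SYMBOLS, len_symbols), 2),
    }


if __name__ == "__main__":
    for n in (8, 10, 12, 16):
        print(n, compare(n))
```

    Adding the 30 symbols is worth about 0.57 bits per character (log2(92) minus log2(62)), not 1.5, but over ten characters that is roughly one extra alphanumeric character's worth (5.95 bits), which is why 62^11 comes out about 1.2 times 92^10: larger, as brazzy says, and by a margin that does not matter, as rumpelstiltskin says. The (92/62)^10 figure of about 52 is the ratio at equal length, before the eleventh character is added.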

  • GreyFox (unregistered)

    ABN Amro actually uses something called an E-dentifier. A small device in which you slide in your bankcard. Then you logon to their website, enter your bank# and card#, and get a random 6-digit number. You enter this number on your E-dentifier, then your pincode, and get back a 6-digit number, generated based upon the number you entered and information located on your bankcard.

    Basically it verifies you have your bankcard, and knowledge of your pincode, just like an ATM would. All-in-all much better than the third world country solutions running around in the USA.
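    The E-dentifier login GreyFox describes, as an added example that is not the bank's actual implementation (which is not on this page) and not code from any commenter. Assumptions: the card holds a per-card secret the bank also knows, the card itself checks the PIN and blocks after three wrong tries, and the six-digit response is an HMAC of the bank's challenge truncated the way HOTP does it; the PIN-gated HMAC stands in for whatever the real card computes. The bank side keeps one outstanding challenge per card and consumes it on use, so a captured response cannot be replayed.

```python
import hashlib
import hmac
import secrets


def six_digits(mac_bytes: bytes) -> str:
    """Truncate a MAC to a 6-digit code (dynamic truncation as used by HOTP)."""
    offset = mac_bytes[-1] & 0x0F
    code = int.from_bytes(mac_bytes[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def response_for(card_key: bytes, challenge: str) -> str:
    """The code both the card and the bank derive from the challenge."""
    return six_digits(hmac.new(card_key, challenge.encode(), hashlib.sha256).digest())


class BankCard:
    """Chip card: the secret never leaves it, and it checks the PIN itself.

    Assumption of this demo: a PIN-gated HMAC stands in for the real card's
    computation.
    """
    MAX_TRIES = 3

    def __init__(self, number: str, key: bytes, pin: str):
        self.number = number
        self._key = key
        self._pin = pin
        self.tries_left = self.MAX_TRIES

    def respond(self, pin: str, challenge: str):
        """What the reader shows after the user keys in the challenge and PIN."""
        if self.tries_left == 0:
            return None  # card blocked after too many wrong PINs
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.tries_left -= 1
            return None
        self.tries_left = self.MAX_TRIES
        return response_for(self._key, challenge)


class Bank:
    def __init__(self):
        self.card_keys = {}    # card number -> secret shared with the card
        self.challenges = {}   # card number -> outstanding challenge

    def issue_card(self, number: str, pin: str) -> BankCard:
        key = secrets.token_bytes(16)  # constructed card secret for the demo
        self.card_keys[number] = key
        return BankCard(number, key, pin)

    def start_login(self, number: str) -> str:
        """Website step: the random 6-digit number the user keys into the reader."""
        challenge = f"{secrets.randbelow(1_000_000):06d}"
        self.challenges[number] = challenge  # one outstanding challenge per card
        return challenge

    def finish_login(self, number: str, response) -> bool:
        challenge = self.challenges.pop(number, None)  # single use
        if challenge is None or response is None or number not in self.card_keys:
            return False
        expected = response_for(self.card_keys[number], challenge)
        return hmac.compare_digest(expected.encode(), response.encode())


if __name__ == "__main__":
    bank = Bank()
    card = bank.issue_card("1234-5678", "4321")
    challenge = bank.start_login("1234-5678")
    code = card.respond("4321", challenge)
    print("challenge", challenge, "response", code, "ok:", bank.finish_login("1234-5678", code))
```

    This proves possession of the card (only it can compute the response) and knowledge of the PIN (the card refuses without it), which is the "just like an ATM" property GreyFox points out; it authenticates the login session only, and says nothing about the individual transactions that follow.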

Leave a comment on “Wish-It-Was Two-Factor ”
