Admin
I use etrade.com for banking, and they have true two-factor authentication (key fob). That was one of the main reasons I switched from a bank that uses 1+1 instead.
What other banks use two-factor?
Admin
The Swedish bank Swedbank (catchy name), that I use, also uses a real two-factor authentication (users have those key thingies).
Admin
Interestingly, I was on a team where it was decided that remote access to one (not particularly sensitive) system should use two-factor authentication.
The cost of dongles being considered exorbitant, it was suggested that we give the remote workers one-time pads, with a different number for each hour of each day, which we could generate ourselves.
Of course the cost of organising the printing and distribution of these pads would itself be not insignificant, but the project's champion had already thought of a way round that.
He suggested we generate them as PDFs and e-mail them to people's home mailboxes.
We went with the dongles.
Admin
Which means really only the text message ones (since a cell phone that can receive messages directed at your phone number is not trivially easy to spoof) qualify. Not even email-based systems—well, that’s just “something else you know” being your email account server+username+password (server+username can be deduced in most cases from the email address, but that’s obscured at least by my bank’s system)
Admin
I think all Swedish banks do, except for Nordea since it just asks you for your codes sequentially instead of randomly.
Admin
Why the hell does it matter? And who the hell is silly enough to a) bother to search Google for that phrase, and b) is silly enough to complain about it?
And usually getting a low number of hits in a Google search is a good thing. It makes it much faster to find what you're looking for, or to realize you need to change your search expression.
Wow... Some people get way too excited and worked up over nothing.
Admin
Let me fix that for ya:
There ya go.
Admin
62^11 = 52036560683837093888
92^10 = 43438845422363213824
(62^11) - (92^10) = 8597715261473880064
(62^11) / (92^10) = 1.1979269
Admin
I think all of this online security stuff is great. DNA, fingerprints, questions. What if someone gets your account number and just heads down to a local branch (assume you use a large bank)? Won't he/she be able to fill out a withdrawal slip and get your money? As long as the person at the counter doesn't know you, they will assume the guy with the account number is the account holder. How's that for security? (Yes, I know they can ask for a photo ID, but how hard is that to fake?)
Admin
Perhaps that's the reason the title of the article is "Wish-It-Was Two-Factor"?
Admin
Our bank here is almost as bad. We only have a username and password, BUT that username must have at least two non-alphanumeric characters. That means people end up doing nonsense like j$sm!th for their username.
Admin
These questions become infinitely more fun when you're Finnish like I am.
I have an e-wallet account and needed to spell out my mom's maiden name (Pöyhönen) and where I was born (Seinäjoen keskussairaala) to a lady with an Indian accent over the phone. I am fairly sure she gave up around the fifth letter.
Admin
I was annoyed when it refused to accept a password that wasn't in the range of acceptable characters [a-z][0-9]. Who the hell thought that would be secure? Morons. PS: I am actually opening an account with a building society now because I am so sick of the stupid stuff like this that HBOS keep doing.
Admin
My favorite part of Bank of America online banking has to be the SiteKey. Nothing better than having to choose from a set of cheesy pictures to look at every time you log in. Do you want the fuzzy kitten or the pretty flower? Oh, you're a boy, you must want the soccer ball.
Seems like it'd be more secure if you could upload your own image.
Admin
I agree on the absurdity of security so strict the user is unable to remember the correct answers. That forces a user to record the password/answers somewhere, defeating the security! Those of you with DoD Clearance know that access requires the correct answer to the "Three Golden Questions". In my case, I had originally acquired a Classified Clearance many, many years ago. I was required to update it and was presented my "Three Golden Questions". The answers are in free form and here are two of the three: "What is your favorite movie?" Well, at the time I originally answered this question, WHAT WAS MY FAVORITE MOVIE? I have no idea. "How many brothers do you have?" That seems easy since I am an only child. But does it expect "0", or "zero", or "none"?
Admin
You must be new here. <g> Do a search on this site for "Paula" and "brillant" so you get the joke (and don't embarrass yourself again).
Admin
Please read my post again. The whole quote is meaningful, not just the outer part you decided to quote here. If you still don't get it, ask someone else for clarification (but please avoid embarrassing yourself again). ;)
Admin
This reminds me of my helpdesk days when a user called because she had forgotten her password. Let's just say that when I reminded her that her password was 'dome69now', she was extremely embarrassed. :)
Admin
a "?" would be a question for a Unix geek. The answer is probably "h". . w comment 69 q
Admin
Both PayPal and eBay have now offered the key fob things as two-factor authentication for customers for only $5 for the fob. They were initially going to offer them free, but decided that if people got them for free, they would be less likely to treat it as something with value. If you listen to Security Now Episode 103 you can learn all about how these things work, and how PayPal/eBay implemented their system.
If you don't have your fob or lose it, there are ways to still get in, and this is where the security reverts back to the Wish-It-Was Two-Factor, but you have to give them credit for doing this.
Admin
The worst I saw was for the website of one of my student loans. I guess when I signed up for the site, it asked me to make my own question/answer set. At some point in the future, I think I was trying to recover my password, it asked me for my e-mail, name, and my question/answer set. Except it prompted me to put in the question. So not only was I supposed to remember the answer, I had to remember the question. How the heck do they expect me to remember my QUESTION? I eventually figured out what my password was. But I still have no idea what my question was. I even went back and changed the question to something that I'd easily remember. Of course, I have no idea what I changed the question to. God forbid I ever forget my password again.
Admin
My Danish bank (Jyske) gives you a credit-card sized list of 80 4-digit keys. Whenever you log on or make a transaction, you're requested to enter a randomly selected key, each key being used only once before you're issued another list. In addition to that you need your CPR number (Danish eq. of a NI or social security number, it's considered reasonably sensitive information that you never disclose without a good reason), as well as a "strong" but fairly easily remembered password generated by the bank's system. All in all a very secure authentication system that you can safely use "from anywhere" (even if your keypresses are logged for a year you're reasonably safe).
My UK bank (Lloyds TSB), on the other hand, has the most horrible system: You choose a password, as well as a bit of "memorable information". The latter is simply another password from which you have to enter three characters when you log on. So if you choose, say, "microsoft" as your second password, it may ask for characters 2, 3 and 9, and you then have to select I, C and T, respectively, from three drop-down boxes. Watch a guy log on two or three times, and you're more than likely to have seen the entire thing on his screen (as he slowly navigates past the clumsy interface - FFS, dropdown boxes?). Once you're logged in, you can make any transaction (including instant(!) transfers to other Lloyds accounts) using only the first password. And just as if that wasn't weak enough, they didn't even think to test the system using Firefox (Firefox asks whether or not to remember_the_password (!(!!!))).
I think it goes to show that banks have the resources to provide really good online services and to secure them well, but all the money in the world won't do dick if you put an idiot in charge of spending them. So what else is new? ;P
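The one-time key card described above (a printed list of 80 four-digit keys, a randomly chosen index per login, each key burned after a single use, a fresh card when the list runs out) as an added example in Python; this is constructed illustration code, not the bank's system, and it keeps the keys in memory in the clear for brevity where a real server would store only digests.

```python
import hmac
import secrets
from typing import List, Optional

CARD_SIZE = 80  # keys per printed card, as on the card described above


def issue_card() -> List[str]:
    """Generate a fresh card of 80 random four-digit keys (zero-padded)."""
    return [f"{secrets.randbelow(10_000):04d}" for _ in range(CARD_SIZE)]


class TanCardAuth:
    """Server-side state for one user's current card."""

    def __init__(self, keys: List[str]):
        self.keys = list(keys)
        self.used = [False] * len(keys)
        self.pending: Optional[int] = None  # index challenged, awaiting reply

    def remaining(self) -> int:
        return self.used.count(False)

    def challenge(self) -> Optional[int]:
        """Pick a random unused key; return its 1-based printed number,
        or None when the card is exhausted and a new one must be issued."""
        unused = [i for i, burned in enumerate(self.used) if not burned]
        if not unused:
            return None
        self.pending = secrets.choice(unused)
        return self.pending + 1

    def verify(self, response: str) -> bool:
        """Check the reply to the outstanding challenge. The challenged key is
        burned whether or not the reply was right (a design choice assumed
        here), so a wrong guess cannot be retried against the same position."""
        if self.pending is None:
            return False
        idx, self.pending = self.pending, None
        self.used[idx] = True
        return hmac.compare_digest(self.keys[idx], response.strip())
```

The cost of burning on failure is that a typo consumes a key; a server that keeps the same index open for a second try trades that convenience against giving an observer another look at the same position.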
Admin
Ditto. This must be a modern meme. I personally don't give a rat's arse how many questions I'm asked; I just copy/paste from my password vault. If someone untrustworthy gets ahold of my home machine, I'll just consider myself screwed.
The average Joe (like my brother) doesn't have a password safe and just struggles like the dickens to get anything done online (always requesting new passwords). Perhaps the future holds all of us owning some kind of key fob device. Makes sense.
Admin
I use Compass and I called the other day to have my password reset. (I had changed it and forgot to tell my wife, she then locked the account using the old password.) Anyway, the guy reads off my new password. I asked him if the letters are uppercase or lowercase. His response? It doesn't matter, it's not case sensitive.
Admin
That is another kind of sort of two factor - i.e. "where you are"
Admin
A funny IRC quote about security questions.
http://qdb.us/61277
Admin
And I recently had a minor retinal condition which altered it.
Admin
No, the better approach is to allow the extra characters so that people can remember the shorter passwords.
Also, SQL injection concerns (mentioned in a later post) should not be an issue if the appropriate prevention techniques are used.
Admin
What do you mean "where did it come from"? It came from this post!
Admin
It's brillant.
Admin
Except for the part where now the government has an easy time of profiling how you vote, what you shop for, probably even what kind of toppings you like on your pizza.
Then again, that's probably not so different from us. Bring on the national id card!
captcha: craaazy
Admin
If you simply type your in pin, there's no security hole here. Maybe it should be required.
Admin
The best trick was Frank Abagnale (Catch me if you can) who, in the old days, noticed that at a friendly local bank, many customers wouldn't put their account number on a deposit slip. When this happened, the teller would happily fill it in for them. So he simply took home a stack of deposit slips, put his account number on each, dropped the stack back at the bank and waited for the dough to roll in.
Admin
This is arbitrary too. Was it the town I lived in when I was born or the town where the hospital was?
Admin
Yes, I hate many of the common implementations of this.
What is my maternal grandmother's first name? I can't remember. I know the first names of my other three grandparents, but not my maternal grandmother's first name.
Who was my best friend in grade school? I don't remember.
Many questions are about honeymoons or spouses. This doesn't apply to many people.
Worse, one site required certain LENGTHS for the answers to THESE questions.
You can require a minimum length of 6 or so for made-up passwords, but not for answers to real questions (like a city name or a person's first or middle name).
When I called about this, they suggested I add some ones, or 123, to the end of the answer.
How am I supposed to remember later, whether I added ones or 123?
Finally, one system seemed to get completely screwed up. It asked me questions that I am SURE I have never set answers to. Like "what was my favorite restaurant in college". Huh? I hadn't thought about it, and I am 100% certain I have never answered this question on any banking or credit card site. In fact, I can't think of an answer now.
I hope some two-factor implementers are invited to read this thread!
Oh yes, one other credit card site made me choose one of the 8 pictures that were shown. They somehow omitted the usual PassMark drop-down box that shows other categories, so you can select a different picture. I don't know how they did that.
Admin
well, if you pin in a pin you might get a tiny hole in your screen and what leaks out from there could be captured by anybody. What? WTF!
Admin
If the question was: "What's the length of your dick?" you might have added 123 to it
Admin
I know what you mean. Some time ago I managed to lock myself out of an investment account by not being able to remember where I was married.
The problem was a case of the metro area vs the actual city name. We had a simple justice-of-the-peace wedding from a convenient justice. (Money was tight, neither of us are ones for ceremony and there were only two relatives that could get there.) I wasn't the one who did the scheduling, there was basically no planning ahead. (Yes, we knew we were going to get married but the actual date wasn't set.) What suburb was the courthouse in???
Admin
My bank recently introduced a two-factor security question, and what frustrated me the most was that while I KNOW THE RIGHT ANSWER I couldn't get past the question because of formatting problems.
For example, the question, "What is your sibling's birth date?"
Here is the e-mail I sent to my bank, from which I (surprisingly! :) haven't gotten any reply:
Using a free-form date as an answer to a security question is EXTREMELY BAD BAD BAD DESIGN! We are currently travelling and briefly lost our VISA card, so we really needed to get into the website to see if any unauthorized charges had been made. We got stuck at the security question "What is your sibling's birth date?" and had to wait overnight until we could get a BECU rep on the phone and get it cleared up.
For this question, we know the answer, but do we enter it "4/1/1901" (nope! illegal characters!), or "04-01-01", or 1 April 1901, or April 1, 1901, or apr 1 1901, or ... Hopefully, you get the picture.
There are a million ways to enter the correct date such that you fail the security question. You are far more likely to enter a date in the wrong format - getting it right seems highly unlikely.
If you keep this security question in your stable, then please change the input from a free-form text field to separate drop down combo boxes, one each for month, day, and year. At a minimum there should be text suggesting a format ("use MM-DD-YYYY").
-Steve M.
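The remedy the e-mail above asks for, carried through as an added Python example (not code from BECU or from the poster): canonicalize every spelling of the same date to one form before comparing it with the stored answer, and when the input cannot be read at all, tell the user it is the format, not the fact, that failed. US month-first order is assumed for numeric dates, and two-digit years like "04-01-01" are refused as ambiguous rather than guessed.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime
from typing import Optional, Tuple

# Unambiguous spellings accepted; no %y forms, so "04-01-01" is rejected.
_FORMATS = (
    "%m/%d/%Y", "%m-%d-%Y", "%Y-%m-%d",
    "%d %B %Y", "%d %b %Y", "%B %d %Y", "%b %d %Y",
)
FORMAT_HINT = "use MM-DD-YYYY"


def normalize_date_answer(raw: str) -> Optional[str]:
    """Return the date as YYYY-MM-DD, or None if no accepted format fits."""
    text = re.sub(r"[,.]", " ", raw.strip().lower())  # "April 1, 1901" -> "april 1 1901"
    text = re.sub(r"\s+", " ", text)
    for fmt in _FORMATS:
        try:
            return datetime.strptime(text, fmt).date().isoformat()
        except ValueError:
            continue
    return None


def _digest(canonical: str, salt: bytes) -> bytes:
    # Birth dates are low-entropy, so use a slow salted KDF, not a bare hash.
    return hashlib.pbkdf2_hmac("sha256", canonical.encode(), salt, 100_000)


def enroll_answer(raw: str) -> Tuple[bytes, bytes]:
    """Store only the digest of the canonical form; refuse unreadable input."""
    canonical = normalize_date_answer(raw)
    if canonical is None:
        raise ValueError(f"unrecognised date, {FORMAT_HINT}")
    salt = os.urandom(16)
    return salt, _digest(canonical, salt)


def verify_answer(raw: str, salt: bytes, stored: bytes) -> Tuple[bool, str]:
    """Compare a later attempt in any accepted spelling against the record."""
    canonical = normalize_date_answer(raw)
    if canonical is None:
        return False, f"could not read that date, {FORMAT_HINT}"
    ok = hmac.compare_digest(_digest(canonical, salt), stored)
    return ok, ("" if ok else "answer does not match")
```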
Admin
IN A HANDBAG. (http://en.wikipedia.org/wiki/The_Importance_of_Being_Earnest)
Admin
I have spotted the WTF here! I would be just the kind of asshole who would send an email like that! Dude read my mind without even knowing me.
On the up side... does anybody know my 8th grade earth science teacher? I need to log into my bank account and make a transfer... ?
Admin
One very nice method is to pick a specific method of scrambling the original question and putting it for an answer.
Say: What is your favourite color? Wiyfc - easy, pick first letters from the question. Wsuoo - pick every nth letter from nth word. hsoao - pick second letters. Wsyac - pick first from odd words, second from even. wai_yufvcl - pick first and third from each word....
Just remember the method of scrambling and you're home.
Admin
So what you're saying is we need a federal regulation demanding implementation of the Ident-I-Eeze?
Seriously, at the very least, how much would it cost banks to mail out a smart card (and maybe USB reader) to every single online banking client they have? A few hundred grand, maybe a few million for the bigger banks? Then you have honest-to-goodness 2-factor authentication, and you can even charge your clients for the privilege. I'm so sick of lazy bastards trying to wish their way to decent security.
Admin
I found out late in life that i was wrong about what city i was born in. Now i never remember if the answer to that question is the wrong city or the right city.
Admin
It's pretty easy. In pseudo-code,
if (name.length < 6) { sendToRejectController('message' => "Your name is too short"); }
I think you're the idiot.
Admin
This is true 2-factor.