• Beau "Porpus" Wilkinson (unregistered)

    AMEN!!

    captcha = dreadlocks (get a !@#$!@# haircut!)

  • Beau "Porpus" Wilkinson (unregistered) in reply to anymous because i'm scared
    anymous because i'm scared:
    This rise of phony "two factor" auth is even worse than you may think. This is a clear cut case of one or more private companies using the power of government corruption to hurt their competitors.

    The first big bank to implement one of these schemes was Bank of America. They did theirs BEFORE it was an official "guidance". They then strongarmed the FFIEC into making it required for all banks. All of a sudden, Bank of America is way ahead of all their competitors, can brag about being the first to implement the new regulations, etc. Also, they can sit on their piles of money and the small regional banks' and credit unions' bottom lines get hit by rushing to implement all this shit.

    Meanwhile, the actual consumer, the person whose security is supposed to be protected, is still screwed.

    captcha: darwin

    Bank of America is awesome.

    Any time I go to the Bank of America website, they have to show me a picture of a CASTLE. If I go to a website, and think I'm at BoA's website, but I don't see a CASTLE, that means that it's an imposter site!

    Of course, I guess I could just look at the URL in the address bar to be sure I'm at the right site, BUT it's SO much easier to remember that a picture that may or may not be there should be a picture of a CASTLE if it is there.

  • Beau "Porpus" Wilkinson (unregistered) in reply to Beau "Porpus" Wilkinson

    The questions remind me of Spaceballs.

    BankofDruidia.com: "What was your maternal grandfather's hairdresser's roommate's college mascot's nickname?"

    [email protected]: "Absolutely nothing- Which is what you're about to become!"

  • Random DC guy (unregistered) in reply to blade
    blade:
    I like it when they let you write your own question and answer. That way you can think up questions you'd never forget.

    IE: What city were you born?

    If you forget that, bank security is the least of your problems.

    Forget the city? no. Forget how I entered it on this website? Yeah.

    Washington
    Washington, District of Columbia
    Washington, D.C.
    Washington, DC
    Washington District of Columbia
    Washington D.C.
    Washington DC
    District of Columbia
    D.C.
    DC

    And then you get into capitilization...

  • (cs)

    We sure have a lot of keyfob fans here. What do your keychains look like? 4-5 different keyfobs for online access, a couple of easypass keyfobs for buying gas, 4-5 keyfob discount cards for various chains... too much.

    I use etrade, and they offer the keyfob option but I refuse to activate it. I am not carrying it around with me 364.95 days of the year uselessly for the .05 days it does any damn good.

    Now if you could get a single RSA fob and use it for all your accounts that would be acceptable, but every account provider wants you to use their own physical dongle and that is just ridiculous.

  • freelancer (unregistered)

    Maybe if they provided the seed file, and an application to emulate the key on, say, a PDA. I'd like that.

  • Stefan W. (unregistered)

    Name of pet, mother's maiden name, favorite this or that - all those things are well known in your family, and family members tend to be corrupt, aggressive, bankrupt, evil.

    Security from morons for morons.

  • (cs) in reply to blade
    blade:
    I like it when they let you write your own question and answer. That way you can think up questions you'd never forget.

    IE: What city were you born?

    If you forget that, bank security is the least of your problems.

    IE? I bet it's the same for any browser.

    If you are attempting to use the Latin abbreviation "i.e." then you should learn what it means, and how to write it before further advertising your ignorance.

  • (cs) in reply to Random DC guy
    Random DC guy:
    ...

    Washington
    Washington, District of Columbia
    Washington, D.C.
    Washington, DC
    Washington District of Columbia
    Washington D.C.
    Washington DC
    District of Columbia
    D.C.
    DC

    And then you get into capitilization...

    Born in the capital and can't spell "capitalization". Now that's a WTF.

  • (cs) in reply to ParkinT
    ParkinT:
    I agree on the absurdity of security so strict the user is unable to remember the correct answers. That forces a user to record the password/answers somewhere, defeating the security! Those of you with DoD Clearance know that access requires the correct answer to the "Three Golden Questions". In my case, I had originally acquired a Classified Clearance many, many years ago. I was required to update it and presented my "Three Golden Questions". The answers are in free form and here are two of the three; "What is your favorite movie?" Well, at the time I originally answered this question, WHAT WAS MY FAVORITE MOVIE? I have no idea. "How many brothers do you have?" That seems easy since I am an only child. But does it expect "0", or "zero", or "none"?
    ... and the second question is clearly discriminatory against African Americans and Franciscan monks.

    I mean, who the heck can keep up with numbers like these?

    Mind you, there's probably not much call for Franciscan monks in the FBI these days.

  • (cs) in reply to sas
    sas:
    blade:
    I like it when they let you write your own question and answer. That way you can think up questions you'd never forget.

    IE: What city were you born?

    If you forget that, bank security is the least of your problems.

    IE? I bet it's the same for any browser.

    If you are attempting to use the Latin abbreviation "i.e." then you should learn what it means, and how to write it before further advertising your ignorance.

    Even by my recent and lamentable standards, this is a little over the top.

    Are you complaining that blade does not follow the academic convention that one quotes the full phrase after the abbreviation on the first occasion of use? ie (id est). That would be a little mimsy, eh?

    Are you complaining about the use of capitals in "IE"? If so, note that most surviving Latin text (gravestones, monuments, etc) are written in capitals.

    Are you complaining about the use of punctuation? If so, nb that the expected form of "id est" in typical English usage is "ie," without the full stops/periods.

    Are you complaining that the author really means eg (exempli gratia)? If so, you might have a point. An equally valid nit-picking interpretation of the post would be to suggest that "questions" should be replaced with "the question," in which case "IE" is irrefutably correct. Cue the Red Queen: Off with their heads!

    Are you making a subtle comment about the inadequacies, perceived or otherwise, of Microsoft's flagship "It's all about the Internet, dummy" product? Doesn't work for me. The sentence is meaningless in this context. (Mind you, I haven't used IE for a while, so there's a strong possibility that it redirects "Error 404" to a page reading "I bet it's the same for any browser.")

    Or are you simply suggesting that blade should use a more elegant language with which to express their pithy sentiment, such as Ancient Greek? That would be παραδείγματος χάριν. And I agree with you.

    Ignorance? Pah! Kids these days, with their hifalutin' A/S levels, Baccalaureates, and wot not ...

  • Noogen (unregistered) in reply to real_aardvark

    You guys/gals are not getting it. The USPS Postal office is getting into financial trouble because you guys are paying your bills online. This is the gov scheme to get you to use snail mail again. ;)

    j/k

  • (cs) in reply to real_aardvark
    real_aardvark:
    sas:
    blade:
    I like it when they let you write your own question and answer. That way you can think up questions you'd never forget.

    IE: What city were you born?

    If you forget that, bank security is the least of your problems.

    IE? I bet it's the same for any browser.

    If you are attempting to use the Latin abbreviation "i.e." then you should learn what it means, and how to write it before further advertising your ignorance.

    Even by my recent and lamentable standards, this is a little over the top.

    Are you complaining that blade does not follow the academic convention that one quotes the full phrase after the abbreviation on the first occasion of use? ie (id est). That would be a little mimsy, eh?

    Are you complaining about the use of capitals in "IE"? If so, note that most surviving Latin text (gravestones, monuments, etc) are written in capitals.

    Are you complaining about the use of punctuation? If so, nb that the expected form of "id est" in typical English usage is "ie," without the full stops/periods.

    Are you complaining that the author really means eg (exempli gratia)? If so, you might have a point. An equally valid nit-picking interpretation of the post would be to suggest that "questions" should be replaced with "the question," in which case "IE" is irrefutably correct. Cue the Red Queen: Off with their heads!

    Are you making a subtle comment about the inadequacies, perceived or otherwise, of Microsoft's flagship "It's all about the Internet, dummy" product? Doesn't work for me. The sentence is meaningless in this context. (Mind you, I haven't used IE for a while, so there's a strong possibility that it redirects "Error 404" to a page reading "I bet it's the same for any browser.")

    Or are you simply suggesting that blade should use a more elegant language with which to express their pithy sentiment, such as Ancient Greek? That would be παραδείγματος χάριν. And I agree with you.

    Ignorance? Pah! Kids these days, with their hifalutin' A/S levels, Baccalaureates, and wot not ...

    I think he was complaining because the correct two-letter-acronym to use in that context is "e.g.", NOT "i.e.".

  • (cs) in reply to Beau "Porpus" Wilkinson
    Beau "Porpus" Wilkinson:
    Any time I go to the Bank of America website, they have to show me a picture of a CASTLE. If I go to a website, and think I'm at BoA's website, but I don't see a CASTLE, that means that it's an imposter site!

    Of course, I guess I could just look at the URL in the address bar to be sure I'm at the right site, BUT it's SO much easier to remember that a picture that may or may not be there should be a picture of a CASTLE if it is there.

    Here's a 19-page document describing the numerous ways phishers have found to defeat the "look at the URL in the address bar": http://www.krcert.or.kr/english_www/inc/download.jsp?filename=TR2006005_URL_Spoofing_Vulnerabilities_of_WebBrowser.pdf

  • Synonymous Awkward (unregistered) in reply to real_aardvark
    real_aardvark:
    ParkinT:
    "How many brothers do you have?" That seems easy since I am an only child. But does it expect "0", or "zero", or "none"?
    ... and ((that)) question is clearly discriminatory against African Americans and Franciscan monks.

    I mean, who the heck can keep up with numbers like these?

    Mind you, there's probably not much call for Franciscan monks in the FBI these days.

    That's what they want you to think!

  • Hognoxious (unregistered) in reply to Captain Spongebath
    Captain Spongebath:
    If sites are going to play ridiculous little games like "Secret Questions!" they should at least let you use your own question, instead of things that most of your friends, family and employers know, or which complete strangers can look up on the electoral roll.

    They don't even need to do that. I'm sure my driving licence and/or passport have my city & date of birth.

  • crook-minded (unregistered)

    so, the bank asks those questions, you fail, and your account gets locked. Naturally, it makes me think: what if someone did an attack, trying to re-enter passwords multiple times? As I understand it, banks do not use those pictures with passwords for submitting requests? Wouldn't that create huge dissatisfaction among customers who got their accounts locked?

  • fak3r.com (unregistered)

    This is interesting, and goes well with a talk I saw at Defcon this year, "New Bank Practices Make Hacking Easier" http://www.darkreading.com/document.asp?doc_id=131191&f_src=darkreading_section_296

    I found this article while doing Google research on two-factor auth, as I'm writing a paper that outlines my attempt to make a simple name/password almost just a small token to get into an account.

    captcha: digdug (awesome!)

  • Darien H (unregistered) in reply to TwelveBaud
    TwelveBaud:
    grrr: It's to prevent SQL/FS injection attacks. They don't hash your passwords.

    Then the Real WTF is that they're not hashing your passwords :P

    Harrow:
    Strangely enough, "na" was not in my attack dictionary.

    Yeah, but it'll be almost the first thing covered when the dictionary fails and any sort of brute force is used.

    Stuart:
    But I defy anyone to attempt to remove the ol' back door....

    Do not tempt the dark and terrifying power of the Goatse guy.

    iw:
    Our bank here is almost as bad. We only have a username and password, BUT that username must have at least two non-alphanumeric characters. That means people end up doing nonsense like j$sm!th for their username.

    Yeah, that's nuts. I mean, a username is not only a token, but it has a definite descriptive component. If anything, the username must be even more memorable and hard to forget than the password.

  • Carsten aka Roy/SAC (unregistered)

    There are more issues with that cheap fix the U.S. banks try to sell to their customers as an enhancement in security. One of them is the fact that banks got much more vulnerable to attacks.

    There was a great presentation at DefCon 15 that showed the flaws of the new systems.

    I posted about it in August and updated the post with a link to the PDF of the presentation and also a video recording of the session at DefCon 15.

    See my post: New Online Banking Security Process Opens More Security Holes Than it Closes

    Now you've really got something to worry about.

  • Darien H (unregistered) in reply to Random DC guy
    Random DC guy:
    blade:
    I like it when they let you write your own question and answer. That way you can think up questions you'd never forget.

    IE: What city were you born?

    If you forget that, bank security is the least of your problems.

    Forget the city? no. Forget how I entered it on this website? Yeah.

    But that's the beauty of choosing your own question.

    "What city were you born in? (e.g. 'St. Paul, MN')"

    My scheme is to have a small selection of passwords which I use in varying contexts. One or two are for the really important stuff like banking. If I don't feel like a custom question, I can just make it into a password hint that only makes sense to me, like "cookies", or "vermin".

  • merp (unregistered) in reply to Captain Spongebath
    Captain Spongebath:
    I'm not certain I understand your reasoning there... the password strength is figured on number of possible combinations AFAIK. 92^10 is still a fair bit larger than 62^11. 12 alphanumeric characters will give you similar strength.

    actually 92^10 ~ 4.3 X 10^19 while 62^11 ~ 5.2 X 10^19

    so, Random was correct, the added character does make up for the reduction in possible characters.

  • Captain Spongebath (unregistered) in reply to brazzy
    brazzy:
    Captain Spongebath:
    I'm not certain I understand your reasoning there... the password strength is figured on number of possible combinations AFAIK. 92^10 is still a fair bit larger than 62^11.

    Um... no. It's actually a fair bit SMALLER. The wonders of exponential growth and all that...

    D'oh.. betrayed by Windows Calculator yet again. I gotta start hitting the right keys (though I hit the wrong keys several times, I checked the calculations a couple of times before posting). I have become a WTF, o woe is me. Maybe I can blame solar radiation.

  • Rob Fisher (unregistered)

    I just received one of these. True two-factor and no government legislation necessary!

  • Michael.H (unregistered)

    "..im screwed.

    Thankyou"

    after all that he still says thanks!

  • Bogle (unregistered) in reply to Corey

    @Corey. Brilliant. I was having problems remembering the 'memorable' name for my Sainsbury's W^hBank account so I've reset everything online, rather than phoning their HellDesk as they recommended.

    My password utility (plug: RoboForm2Go) is set to generate 45-bit strength passwords so that's more than good enough although I guess I've effectively reduced the security by using the same key for everything. Way to go, bankers.

  • Wooh (unregistered)

    Thank god for Swedish internet banks that use hash-generators, certificates and one time use key-codes. (Skandia reprezent).

  • Disgruntled Proctologist (unregistered) in reply to grrr
    grrr:
    Banks should start by accepting the special characters !@#$%^&*()-=[]{}\|'";:,<.>?/`~ as part of the password.

    I am sick of having to neuter my strong passwords into weak ones.

    Exactly what I was going to say. I hate that shit. (funny to think that my blog allows more secure passwords than my cable, phone and credit card company...)

  • (cs) in reply to anymous because i'm scared
    anymous because i'm scared:
    Also, they can sit on their piles of money and the small regional banks' and credit unions' bottom lines get hit by rushing to implement all this shit.

    Meanwhile, the actual consumer, the person whose security is supposed to be protected, is still screwed.

    On the flip side, my credit union's site used to have just an account number and PIN (of course, four digits). Just how long do you think it takes to crack that? At least the account numbers were not sequential. Fortunately, it has gotten a bit better. They start with an acct num and captcha (not all that good though), then move on to a fun "security question" (thankfully allowing us to create our own), then the stupid PIN along with (late in the game) a regurgitation of a phrase I came up with to ensure I'm not looking at a phishing attempt. Perfect? Hardly! Better, eh... probably.

  • (cs) in reply to gilleain
    gilleain:
    I got irritated with....So I entered a question /without/ a question mark, and it worked. Idiots.

    OMFG!! I am SO SICK of websites telling me what I canNOT use in my password. Damnit, if I want to use "special" characters AKA punctuation, etc., escape them! ALL OF THEM. Trolls. (And Microsoft STILL cannot handle a full charset for filenames!)

    Of course, reading this site gives insight into the "quality" programmers out there. Like the recent bank story about Programmer Purgatory.

    Thank you. I feel a little better now.

  • (cs) in reply to akatherder
    akatherder:
    A funny IRC quote about security questions.

    http://qdb.us/61277

    PRICELESS!

  • foo (unregistered) in reply to Benji
    Benji:
    No retinal scans. When a woman gets pregnant it changes her retinal pattern.

    I guess that shoots waist size as well.

  • tim (unregistered) in reply to Andrew

    It doesn't matter. Do you think the bank is going to check? All you have to do is supply some string that you can reproduce when asked. I don't know who "my hero" is, but I know what characters to type when the web page asks me.

  • Kurt (unregistered)

    I recently wrote an article about 2-factor authentication and banking. Bottom line: the banks don't care because it costs too much to do the right thing. http://analysisandreview.com/security/2-factor-authentication-banking-industry/

  • Tuesday Zombie (unregistered) in reply to Monday Zombie
    Monday Zombie:
    ;DROP DATABASE is a reasonably strong password...

    Your password has a bug. It should be: ;DROP DATABASE;

  • ELIZA (unregistered) in reply to ActionMan
    ActionMan:
    real_aardvark:
    sas:
    blade:
    I like it when they let you write your own question and answer. That way you can think up questions you'd never forget.

    IE: What city were you born?

    If you forget that, bank security is the least of your problems.

    IE? I bet it's the same for any browser.

    If you are attempting to use the Latin abbreviation "i.e." then you should learn what it means, and how to write it before further advertising your ignorance.

    Even by my recent and lamentable standards, this is a little over the top.

    Are you complaining that blade does not follow the academic convention that one quotes the full phrase after the abbreviation on the first occasion of use? ie (id est). That would be a little mimsy, eh?

    Are you complaining about the use of capitals in "IE"? If so, note that most surviving Latin text (gravestones, monuments, etc) are written in capitals.

    Are you complaining about the use of punctuation? If so, nb that the expected form of "id est" in typical English usage is "ie," without the full stops/periods.

    Are you complaining that the author really means eg (exempli gratia)? If so, you might have a point. An equally valid nit-picking interpretation of the post would be to suggest that "questions" should be replaced with "the question," in which case "IE" is irrefutably correct. Cue the Red Queen: Off with their heads!

    Are you making a subtle comment about the inadequacies, perceived or otherwise, of Microsoft's flagship "It's all about the Internet, dummy" product? Doesn't work for me. The sentence is meaningless in this context. (Mind you, I haven't used IE for a while, so there's a strong possibility that it redirects "Error 404" to a page reading "I bet it's the same for any browser.")

    Or are you simply suggesting that blade should use a more elegant language with which to express their pithy sentiment, such as Ancient Greek? That would be παραδείγματος χάριν. And I agree with you.

    Ignorance? Pah! Kids these days, with their hifalutin' A/S levels, Baccalaureates, and wot not ...

    I think he was complaining because the correct two-letter-acronym to use in that context is "e.g.", NOT "i.e.".

    I always write the words in full, exempli gratia, e.g. becomes exempli gratia, i.e. becomes id est, viz. becomes videlicet, etc. becomes et cetera, and et al. becomes et alia, et a^H^H^H^H /* et alia after exempli gratia is congruent to "I give you examples 1, 2, 3, and others" */ Not only do you get to subtly remind people of the meaning of the term but you get to look like you know Latin, and look like a pompous and arrogant writer, but rarely does something not have a downside.

  • Lennart Goosens (unregistered)

    My own (Dutch) bank Postbank utilizes text messages for authentication. A code is sent to your mobile phone, and you then have to input this code into a web form to make a transaction. This way, your identity is verified. Also, if I started receiving codes from Postbank at random times, I would instantly know that someone was using my username and password and trying to make transactions off my account.

  • Patrick (unregistered) in reply to Brandon
    Brandon:
    Q. What was your high school mascot?
    A. Beavers
    Error: Your secret answer contains profanity and is not allowed.

    Ohh, now that's clbuttic!

  • Bob (unregistered) in reply to Zylon

    I wondered that too for a few minutes. I was actually hoping it would be answered in the article. It wasn't, but eventually I figured it out.

    I realize it has been over two years, and nobody has answered your question (at least not correctly). Obviously not many people figured it out. Anonymous guessed the best he could. KenW felt that not knowing made him incompetent, and he tried to cover his perceived incompetence by acting like a child.

    The government was recommending two factor authentication. Banks decided instead to do something vaguely similar. The article poster calls it "wish it was two factor", as in, it is not two factor, but he wishes it was.

    Before reading this article, I was expecting something like this:

    Q: What is your IQ?
    A: 95
    Error: answer must be at least 3 characters!
    A: Yeah, I "wish it was".

    "Corey: When confronted with such free-form questions, I typically just make the answers the same as my password. This is probably infinitesimally more secure than one-factor."

    That's less secure. The answers are not hashed on the server. Customer service reps will see your questions and answers, whereas they would not see your password.
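
Two complaints in this thread point at the same server-side fix: Random DC guy's list of ways to type "Washington, DC" (free-form answers fail because of case, punctuation and spacing), and Bob's point just above that answers are stored in the clear where support staff can read them. The following is an added example written for this page, not code from any bank or from the article: it canonicalises an answer before hashing it with a salted, stretched hash, so entry variants match while the stored record reveals nothing. The function names, PBKDF2-SHA256, the iteration count and the 16-byte salt are choices of this example, not anything the thread specifies.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Added example for this thread, not code from any bank or from the page.
# Hash construction and parameters below are assumptions chosen for illustration.
PBKDF2_ITERATIONS = 100_000


def normalize_answer(answer: str) -> str:
    """Reduce a free-form answer to a canonical form before hashing.

    Strips accents, folds case, removes punctuation and collapses whitespace,
    so "Washington, D.C.", "washington dc" and "WASHINGTON D.C." all compare
    equal. Genuinely different wordings ("DC" vs "District of Columbia",
    "0" vs "zero") still differ: normalisation cannot guess intent.
    """
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = text.casefold()
    text = re.sub(r"[^a-z0-9\s]+", "", text)   # drop punctuation, keep spaces
    return " ".join(text.split())              # collapse runs of whitespace


def enroll_answer(answer: str) -> dict:
    """Store only a salted, stretched hash of the normalised answer.

    A support agent reading this record cannot recover the answer, which is
    the property Bob's comment above says is missing when answers are kept
    in the clear.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {"salt": salt, "hash": digest, "iterations": PBKDF2_ITERATIONS}


def verify_answer(record: dict, candidate: str) -> bool:
    """Recompute the hash for the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_answer(candidate).encode("utf-8"),
        record["salt"],
        record["iterations"],
    )
    return hmac.compare_digest(digest, record["hash"])


if __name__ == "__main__":
    # Constructed sample input: the variants Random DC guy lists above.
    record = enroll_answer("Washington, D.C.")
    for variant in ["washington dc", "WASHINGTON  D.C.", "Washington DC", "District of Columbia"]:
        print(f"{variant!r:24} -> {verify_answer(record, variant)}")
```

Normalising before hashing costs a little entropy (case and punctuation no longer count), which is an acceptable trade for answers that are low-entropy to begin with; what it does not do is unify genuinely different spellings, so the enrolment form should still show an example format the way Darien H suggests ("e.g. 'St. Paul, MN'").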

  • (cs)

    Good grief, do American banks really implement such a retarded security system? If so, then that's a pretty solid WTF in itself.

    I mean, it's not really secure at all. Anyone who knows the person will likely also know the answer to many of those questions, or could find out without much trouble.

    And then there's the problem of the limited question alternatives, as illustrated by the customer who sent the mail. At least, if they had to use such a retarded system in the first place, they should allow the question itself to also be written by the user.

    Where I live (Norway) online banks use a combination of personal number (social security number) and a physical code generator with a PIN code. Some also have a user-specified password in addition.

  • katz (unregistered)

    The thing that drives me crazy about bank security is that, however many questions they ask you online, your PIN is still a 4-digit number. Just 10,000 combinations. Can be hacked instantly by a Pentium 100.

    That said, entering your own question is really the way to go. Writing novels is my hobby, so I pick stuff from old, unpublished stories that I've never let anyone read. Even people who know me very well are unlikely to know that the answer to "What nickname of Anna's means 'beautiful eyes'?" is "Aliaris." (No, that isn't one of my actual security questions.) Bonus: there aren't multiple ways to phrase the answer.

  • (cs)

    Three security questions - that makes it not two, but Wish-it-Was-FOUR-Factor authentication.

    That's TWICE as pseudo-secure as the normal WIW-2F authentication.

  • wpns (unregistered)

    One of the phone companies in the Turks & Caicos requires me to give them BOTH the secret question AND the secret answer before they can authenticate me over the phone. And I don't have a single smidgen of a clue what the secret question might be. So they won't talk to me over the phone.

    Sigh.

  • robsku (unregistered) in reply to ShelteredCoder

    I don't know about USA but at least here in Finland (not sure about rest of EU) it's not easy to fake an official identification card.

  • JoshL (unregistered) in reply to B. McAninch
    Ultimately, this reduces social engineering attacks

    Um...ok.

    Of course, this is only if you mean that they can use public records and facebook to reconstruct your credentials, rather than relying on methods of trickery.

  • mh (unregistered) in reply to j005u

    Most banks in my country use something called SMS authentication. You press a button on the web site, they send you an SMS with a random code to your mobile, and you enter the code into the web site. This is used in addition to a regular password.

    So you have to know something (password) and have something (your mobile phone). And you have your phone with you all the time anyway. To change the phone number they use to send SMS, you have to visit the bank in person.

    Smart cards would be better, but we are not as far as Estonia yet ;).
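
Lennart Goosens and mh both describe the same "press a button, we text you a code" flow, and crook-minded earlier asks what happens when someone deliberately fails the check many times. The following is an added example written for this page, not any bank's code: the server side of that exchange, keeping only a keyed MAC of each code, bounding its lifetime and the number of guesses, and tying the guess limit to the individual challenge rather than the customer's account. The class and method names, the 6-digit code, the 5-minute lifetime and the 3-attempt cap are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Added example for this thread, not any bank's code. Code length, lifetime and
# attempt cap are assumptions chosen for illustration.
CODE_DIGITS = 6
CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 3


@dataclass
class PendingCode:
    code_mac: bytes        # keyed MAC of the code; the code itself is never stored
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


class SmsCodeVerifier:
    """Server side of the SMS code flow described in the thread.

    A guesser who fails MAX_ATTEMPTS times burns this one challenge; the
    customer's login is untouched and simply requests a fresh code.
    """

    def __init__(self, clock=time.time):
        self._clock = clock                       # injectable for testing
        self._key = secrets.token_bytes(32)       # server-side secret (assumption)
        self._pending = {}                        # transaction_id -> PendingCode

    def _mac(self, transaction_id: str, code: str) -> bytes:
        msg = f"{transaction_id}:{code}".encode("utf-8")
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, transaction_id: str) -> str:
        """Create a fresh code for this transaction and return it to the caller,
        who hands it to the SMS gateway. Re-issuing replaces any older code."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[transaction_id] = PendingCode(
            code_mac=self._mac(transaction_id, code),
            expires_at=self._clock() + CODE_TTL_SECONDS,
        )
        return code

    def verify(self, transaction_id: str, submitted: str) -> str:
        """Return 'ok', 'wrong_code', 'expired', 'too_many_attempts' or 'no_pending_code'."""
        entry = self._pending.get(transaction_id)
        if entry is None:
            return "no_pending_code"
        if self._clock() > entry.expires_at:
            del self._pending[transaction_id]
            return "expired"
        entry.attempts_left -= 1
        if hmac.compare_digest(self._mac(transaction_id, submitted), entry.code_mac):
            del self._pending[transaction_id]     # single use: a replay finds nothing
            return "ok"
        if entry.attempts_left <= 0:
            del self._pending[transaction_id]     # challenge burned; a new code must be issued
            return "too_many_attempts"
        return "wrong_code"


if __name__ == "__main__":
    # Constructed walk-through with a fake clock, so the expiry branch is visible.
    now = [1_000.0]
    verifier = SmsCodeVerifier(clock=lambda: now[0])
    code = verifier.issue("transfer-42")
    print("gateway would send:", code)
    print(verifier.verify("transfer-42", "000000" if code != "000000" else "000001"))
    print(verifier.verify("transfer-42", code))
    print(verifier.verify("transfer-42", code))   # already consumed
    later = verifier.issue("transfer-43")
    now[0] += CODE_TTL_SECONDS + 1
    print(verifier.verify("transfer-43", later))  # expired
```

With a 6-digit code and three guesses per challenge, a blind guesser succeeds with probability 3 in a million per challenge, and each failed run costs the legitimate customer nothing more than pressing the button again, which is the answer to crook-minded's lockout worry. Storing a keyed MAC rather than the code keeps a read-only database leak from revealing codes that are still live; the key must of course live outside that database.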

  • nibh (unregistered) in reply to Tukaro
    Tukaro:
    ... more than half the questions are about a spouse or relationship, neither of which I've had (sadly).

    If that happened to me, I'd sue them for causing me emotional distress.

  • 🤷 (unregistered)

    For a few months now my bank has REALLY used two-factor authentication. I need to know a PIN and I need to verify any transaction in the app, which I have on my phone (and which is authenticated to communicate with my bank account).

    I still have an account with a different bank, which still uses wish-it-was-two-factor authentication. Password + "Where did you spend your favorite holidays?". Come on, as if no holidays from then on will ever be better than the ones I entered when I set up the account...
