Admin
AMEN!!
captcha = dreadlocks (get a !@#$!@# haircut!)
Admin
Bank of America is awesome.
Any time I go to the Bank of America website, they have to show me a picture of a CASTLE. If I go to a website, and think I'm at BoA's website, but I don't see a CASTLE, that means that it's an imposter site!
Of course, I guess I could just look at the URL in the address bar to be sure I'm at the right site, BUT it's SO much easier to remember that a picture that may or not be there should be a picture of a CASTLE if it is there.
Admin
The questions remind me of Spaceballs.
BankofDruidia.com: "What was your maternal grandfather's hairdresser's roommate's college mascot's nickname?"
[email protected]: "Absolutely nothing- Which is what you're about to become!"
Admin
Washington Washington, District of Columbia Washington, D.C. Washington, DC Washington District of Columbia Washington D.C. Washington DC District of Columbia D.C. DC
And then you get into capitalization...
Admin
We sure have a lot of keyfob fans here. What do your keychains look like? 4-5 different keyfobs for online access, a couple of easypass keyfobs for buying gas, 4-5 keyfob discount cards for various chains... too much.
I use etrade, and they offer the keyfob option but I refuse to activate it. I am not carrying it around with me 364.95 days of the year uselessly for the .05 days it does any damn good.
Now if you could get a single RSA fob and use it for all your accounts that would be acceptable, but every account provider wants you to use their own physical dongle and that is just ridiculous.
Admin
Maybe if they provided the seed file, and an application to emulate the key on, say, a PDA. I'd like that.
Admin
Name of pet, mother's maiden name, favorite this or that - all those things are well known in your family, and family members tend to be corrupt, aggressive, bankrupt, evil.
Security from morons for morons.
Admin
If you are attempting to use the Latin abbreviation "i.e." then you should learn what it means, and how to write it before further advertising your ignorance.
Admin
I mean, who the heck can keep up with numbers like these?
Mind you, there's probably not much call for Franciscan monks in the FBI these days.
Admin
Are you complaining that blade does not follow the academic convention that one quotes the full phrase after the abbreviation on the first occasion of use? ie (id est). That would be a little mimsy, eh?
Are you complaining about the use of capitals in "IE"? If so, note that most surviving Latin text (gravestones, monuments, etc) are written in capitals.
Are you complaining about the use of punctuation? If so, nb that the expected form of "id est" in typical English usage is "ie," without the full stops/periods.
Are you complaining that the author really means eg (exempli gratia)? If so, you might have a point. An equally valid nit-picking interpretation of the post would be to suggest that "questions" should be replaced with "the question," in which case "IE" is irrefutably correct. Cue the Red Queen: Off with their heads!
Are you making a subtle comment about the inadequacies, perceived or otherwise, of Microsoft's flagship "It's all about the Internet, dummy" product? Doesn't work for me. The sentence is meaningless in this context. (Mind you, I haven't used IE for a while, so there's a strong possibility that it redirects "Error 404" to a page reading "I bet it's the same for any browser.")
Or are you simply suggesting that blade should use a more elegant language with which to express their pithy sentiment, such as Ancient Greek? That would be παραδείγματος χάριν. And I agree with you.
Ignorance? Pah! Kids these days, with their hifalutin' A/S levels, Baccalaureates, and wot not ...
Admin
You guys/gals are not getting it. The USPS Postal office is getting into financial trouble because you guys are paying your bills online. This is the gov scheme to get you to use snail mail again. ;)
j/k
Admin
I think he was complaining because the correct two-letter-acronym to use in that context is "e.g.", NOT "i.e.".
Admin
That's what they want you to think!
Admin
So, the bank asks those questions, you fail, and your account gets locked. Naturally, it makes me think - what if someone did an attack, re-entering passwords multiple times? As I understand it, banks do not use those pictures with passwords for submitting requests? Wouldn't that create huge dissatisfaction among customers who got their accounts locked?
Admin
This is interesting, and goes well with a talk I saw at Defcon this year, "New Bank Practices Make Hacking Easier" http://www.darkreading.com/document.asp?doc_id=131191&f_src=darkreading_section_296
I found this article while doing Google research on two-factor auth, as I'm writing a paper that outlines my attempt to make a simple name/password almost just a small token to get into an account.
captcha: digdug (awesome!)
Admin
There are more issues with that cheap fix the U.S. banks try to sell to their customers as an enhancement in security. One of them is the fact that banks became much more vulnerable to attacks.
There was a great presentation at DefCon 15 that showed the flaws of the new systems.
I posted about it in August and updated the post with a link to the PDF of the presentation and also a video recording of the session at DefCon 15.
See my post: New Online Banking Security Process Opens More Security Holes Than it Closes
Now you've really got something to worry about.
Admin
But that's the beauty of choosing your own question.
"What city were you born in? (e.g. 'St. Paul, MN')"
My scheme is to have a small selection of passwords which I use in varying contexts. One or two are for the really important stuff like banking. If I don't feel like a custom question, I can just make it into a password hint that only makes sense to me, like "cookies", or "vermin".
Admin
Actually, 92^10 ≈ 4.3 × 10^19 while 62^11 ≈ 5.2 × 10^19,
so, Random was correct, the added character does make up for the reduction in possible characters.
Admin
D'oh.. betrayed by Windows Calculator yet again. I gotta start hitting the right keys (Though I hit the wrong keys several times, I checked the calculations a couple of times before posting). I has become a WTF, o woe is me. Maybe I can blame solar radiation.
Admin
I just received one of these. True two-factor and no government legislation necessary!
Admin
"..im screwed.
Thankyou"
after all that he still says thanks!
Admin
@Corey. Brilliant. I was having problems remembering the 'memorable' name for my Sainsbury's W^hBank account so I've reset everything online, rather than phoning their HellDesk as they recommended.
My password utility (plug: RoboForm2Go) is set to generate 45-bit strength passwords so that's more than good enough although I guess I've effectively reduced the security by using the same key for everything. Way to go, bankers.
Admin
Thank god for Swedish internet banks that use hash-generators, certificates and one time use key-codes. (Skandia reprezent).
Admin
Exactly what I was going to say. I hate that shit. (funny to think that my blog allows more secure passwords than my cable, phone and credit card company...)
Admin
On the flip side, my credit union's site used to have just an account number and PIN (of course, four digits). Just how long do you think it takes to crack that? At least the account numbers were not sequential. Fortunately, it has gotten a bit better. They start with an acct num and captcha (not all that good though), then move on to a fun "security question" (thankfully allowing us to create our own), then the stupid PIN along with (late in the game) a regurgitation of a phrase I came up with to ensure I'm not looking at a phishing attempt. Perfect? Hardly! Better, eh... probably.
Admin
OMFG!! I am SO SICK of websites telling me what I canNOT use in my password. Damnit, if I want to use "special" characters AKA punctuation, etc., escape them! ALL OF THEM. Trolls. (And Microsoft STILL cannot handle a full charset for filenames!)
Of course, reading this site gives insight into the "quality" programmers out there. Like the recent bank story about Programmer Purgatory.
Thank you. I feel a little better now.
Admin
PRICELESS!
Admin
I guess that shoots waist size as well.
Admin
It doesn't matter. Do you think the bank is going to check? All you have to do is supply some string that you can reproduce when asked. I don't know who "my hero" is, but I know what characters to type when the web page asks me.
Admin
I recently wrote an article about two-factor authentication and banking... bottom line, the banks don't care because it costs too much to do the right thing: http://analysisandreview.com/security/2-factor-authentication-banking-industry/
Admin
I always write the words in full, exempli gratia, e.g. becomes exempli gratia, i.e. becomes id est, viz. becomes videlicet, etc. becomes et cetera, and et al. becomes et alia, et a^H^H^H^H /* et alia after exempli gratia is congruent to "I give you examples 1, 2, 3, and others" */ Not only do you get to subtly remind people of the meaning of the term but you get to look like you know Latin, and look like a pompous and arrogant writer, but rarely does something not have a downside.
Admin
My own (Dutch) bank Postbank utilizes text messages for authentication. A code is sent to your mobile phone, and you then have to input this code into a web form to make a transaction. This way, your identity is verified. Also, if I started receiving codes from Postbank at random times, I would instantly know that someone was using my username and password and trying to make transactions off my account.
Admin
Ohh, now that's clbuttic!
Admin
I wondered that too for a few minutes. I was actually hoping it would be answered in the article. It wasn't, but eventually I figured it out.
I realize it has been over two years, and nobody has answered your question (at least not correctly). Obviously not many people figured it out. Anonymous guessed the best he could. KenW felt that not knowing made him incompetent, and he tried to cover his perceived incompetence by acting like a child.
The government was recommending two factor authentication. Banks decided instead to do something vaguely similar. The article poster calls it "wish it was two factor", as in, it is not two factor, but he wishes it was.
Before reading this article, I was expecting something like this: Q: What is your IQ? A: 95 Error: answer must be at least 3 characters! A: Yeah, I "wish it was".
"Corey: When confronted with such free-form questions, I typically just make the answers the same as my password. This is probably infinitesimally more secure than one-factor."
That's less secure. The answers are not hashed on the server. Customer service reps will see your questions and answers, whereas they would not see your password.
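The two complaints above (the "Washington DC" spelling variants earlier in the thread, and answers being stored where support staff can read them) can both be addressed on the server side. This is an added illustration, not code from any bank or from the article: normalize the answer so harmless spelling variants match, then store only a salted, slow hash of the normalized form, exactly as a password would be stored.

```python
import hashlib
import hmac
import os
import re
import unicodedata

PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune to the server's budget

def normalize_answer(answer: str) -> str:
    """Collapse the harmless ways one person types the same fact: Unicode form,
    letter case, punctuation and whitespace. 'Washington, D.C.' and 'washington dc'
    both become 'washingtondc'. Synonyms ('District of Columbia') are NOT merged;
    that is the limitation the Washington post above is pointing at."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return re.sub(r"[^\w]+", "", folded)

def hash_answer(answer: str, salt: bytes = None) -> tuple:
    """Store answers the way passwords are stored: a salted, slow hash of the
    normalized form, so support staff and a database dump see only the digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return salt, digest

def verify_answer(answer: str, salt: bytes, stored_digest: bytes) -> bool:
    """Constant-time comparison of the recomputed digest against the stored one."""
    _, digest = hash_answer(answer, salt)
    return hmac.compare_digest(digest, stored_digest)
```

The hash protects the stored answer, not its guessability: anyone who already knows where you were born still gets in, which is the thread's main complaint.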
Admin
Good grief, do American banks really implement such a retarded security system? If so, then that's a pretty solid WTF in itself.
I mean, it's not really secure at all. Anyone who knows the person will likely also know the answer to many of those questions, or could find out without much trouble.
And then there's the problem of the limited question alternatives, as illustrated by the customer who sent the mail. At least, if they had to use such a retarded system in the first place, they should allow the question itself to also be written by the user.
Where I live (Norway) online banks use a combination of personal number (social security number) and a physical code generator with a PIN code. Some also have a user-specified password in addition.
Admin
The thing that drives me crazy about bank security is that, however many questions they ask you online, your PIN is still a 4-digit number. Just 10,000 combinations. Can be hacked instantly by a Pentium 100.
That said, entering your own question is really the way to go. Writing novels is my hobby, so I pick stuff from old, unpublished stories that I've never let anyone read. Even people who know me very well are unlikely to know that the answer to "What nickname of Anna's means 'beautiful eyes'?" is "Aliaris." (No, that isn't one of my actual security questions.) Bonus: there aren't multiple ways to phrase the answer.
Admin
Three security questions - that makes it not two, but Wish-it-Was-FOUR-Factor authentication.
That's TWICE as pseudo-secure as the normal WIW-2F authentication.
Admin
One of the phone companies in the Turks & Caicos requires me to give them BOTH the secret question AND the secret answer before they can authenticate me over the phone. And I don't have a single smidgen of a clue what the secret question might be. So they won't talk to me over the phone.
Sigh.
Admin
I don't know about USA but at least here in Finland (not sure about rest of EU) it's not easy to fake an official identification card.
Admin
Of course, this is only if you mean that they can use public records and facebook to reconstruct your credentials, rather than relying on methods of trickery.
Admin
Most banks in my country use something called SMS authentication. You press a button on the web site, they send you an SMS with a random code to your mobile, and you enter the code into the web site. This is used in addition to a regular password.
So you have to know something (password) and have something (your mobile phone). And you have your phone with you all the time anyway. To change the phone number they use to send SMS, you have to visit the bank in person.
Smart cards would be better, but we are not as far as Estonia yet ;).
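The SMS flow described in this post and in the Postbank post earlier (code sent to the phone on file, typed into the web form, phone number changeable only in person) as an added example; this is illustrative code, not any bank's implementation. Both sides are simulated: the list passed in stands in for the SMS channel, and the clock is injectable. The properties worth noticing are that the code is drawn from a CSPRNG, is bound to one specific transaction, expires, and has an attempt budget.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # a code is good for a few minutes only (assumed value)
MAX_ATTEMPTS = 3        # then the pending transfer is discarded (assumed value)

class Bank:
    """sent_sms: list standing in for the operator's SMS channel (what the phone would receive)."""
    def __init__(self, sent_sms, clock=time.time):
        self.sent_sms, self.clock = sent_sms, clock
        self.pending = {}        # transfer id -> pending transfer record
        self.phone_on_file = {}  # per the post, changed only in person at the branch

    def request_transfer(self, user, amount, dest_account):
        """Step 1: the logged-in user asks for a transfer; the bank draws a fresh code
        from a CSPRNG and sends it to the phone on file, naming the transaction."""
        code = f"{secrets.randbelow(10**6):06d}"
        tid = secrets.token_hex(8)
        self.pending[tid] = {"amount": amount, "dest": dest_account, "code": code,
                             "expires_at": self.clock() + CODE_TTL_SECONDS, "attempts": 0}
        self.sent_sms.append((self.phone_on_file[user],
                              f"Code {code} confirms transfer of {amount:.2f} to {dest_account}"))
        return tid

    def confirm_transfer(self, tid, amount, dest_account, entered_code):
        """Step 2: the user types the code into the web form. It is accepted only for
        the exact transaction it was issued for, within its lifetime and attempt budget."""
        p = self.pending.get(tid)
        if p is None:
            return "unknown"
        if self.clock() > p["expires_at"]:
            del self.pending[tid]
            return "expired"
        p["attempts"] += 1
        if p["attempts"] > MAX_ATTEMPTS:
            del self.pending[tid]
            return "locked"
        # Bind the code to the transaction: a code issued for one transfer must not confirm another.
        bound = (amount, dest_account) == (p["amount"], p["dest"])
        if not (bound and hmac.compare_digest(entered_code, p["code"])):
            return "rejected"
        del self.pending[tid]  # single use
        return "confirmed"
```

Naming the amount and destination in the SMS is what lets the customer notice a transaction they never started, the signal the Postbank commenter relies on.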
Admin
If that happened to me, I'd sue them for causing me emotional distress.
Admin
For a few months now my bank has REALLY been using two-factor authentication. I need to know a PIN and I need to verify any transaction in the app, which I have on my phone (and which is authenticated to communicate with my bank account).
I still have an account with a different bank, which still uses a wish-it-was-two-factor authentication. Password + "Where did you spend your favorite holidays?". Come on, as if no holidays from then on will ever be better than the one I entered when I set up the account...