Secure - yeah right



  • I was going to sign up for online banking, but when I saw this error message I decided against it. My trash can is more secure! 



  • Considered Harmful

    I think they're trying for Wish-It-Was Two-Factor.

    They'll pick a random two letters from this word in addition to your password, which does have the slight benefit of not being fully revealed to key loggers or shoulder surfers. Not very secure, but combined with a 5-attempt lockout or so, it beats just-a-password by a little.

    My bank uses just-a-password.



  • @joe.edwards said:

    They'll pick a random two letters from this word in addition to your password, which does have the slight benefit of not being fully revealed to key loggers or shoulder surfers. Not very secure, but combined with a 5-attempt lockout or so, it beats just-a-password by a little.

    My bank uses just-a-password.


    Good thinking, but the whole password thing is hopelessly retarded, no matter what. And I really don't understand why they're still used.

    At least where I live, every major online bank offering access to all of your money has used some sort of challenge-response authentication method, for as long as I can remember. Think RSA-tokens or such. My bank uses calculators where you insert your bank/chip-card and your PIN (I call that two-factor). You key in a challenge and read back the response.

    How come you pick one with just-a-password? Really no other options?





  • It just seems daft that the company who is safeguarding my money is using such a weak security system, and on top of that, I can't think of a memorable word between 6 and 8 characters, so I end up with some stupidly probably incredibly common word just to match the insane requirements, and then forget what it is next week.

    The other (1st) password is 'cool' too and it's completely the opposite - it has to be 5 digits. Nothing else, and they ask for it all, every time. Now who can think up a memorable 5-digit passnumber?

    So a typical password to access all of my financial banking information could be as simple as 12345JW. Really secure. But at least it's over 128-bit SSL, and we know that's uncrackable, right? ;-)

    Meanwhile the company I work for only allows email collection via an ssh2 tunnel, authenticating using a 2048-bit public/private key combination (the only password used is the one to decrypt your private key), as they consider that you might have been sent some potentially sensitive internal emails. They don't seem to mind when you set up a forward on your account though (so the potentially sensitive emails could possibly be both sent to another server in plain text, and/or received via an unencrypted pop3 connection). The same key is also used for X11-forwarding, shell access, ftp, and others, so applying it to email too isn't much of a WTF. 



  • @joe.edwards said:

    I think they're trying for Wish-It-Was Two-Factor.

    Banking in Japan is really old-school in a lot of ways (pain to wire transfer, limited hours, ATMs that are not 24x7, etc.) but they seem to be able to do real two-factor authentication without that much trouble. With my bank, they give me a unique card with a random X/Y grid. I hit the site and need to put in a password first, then the next screen asks for 3 digits from the card, and then I get to the account. Their website is clunky, ugly, difficult to use, and looks like they never hired a graphic designer or had usability testing. It does not look like they dropped big money on this website at all.

    But it works. They still pulled it off when the big American banks don't. I don't get it...



  • My bank went from

    login: account number, pass: 4-digit ATM PIN

    to

    login: account number, pass: must be 10 digits, not the same as any previous password, at least one lowercase, one uppercase, one number, and one non-letter, non-number (i.e., punctuation. I didn't try { or %...).

    There's also no way to retrieve or reset your password - or at least, not one that works - and your account is locked out *completely* after two failed attempts, requiring a physical visit. Two typos in a row with your absurdly complex password? Is it after 4:30 on Friday? No online banking for you until Monday at 9am after a trip into town!

    *thumbs up*

    And, of course, it's all still single-factor, so anyone with a keylogger is just as boned as he was before.


  • Discourse touched me in a no-no place

    @badcaseofspace said:

    At least where I live, every major online bank offering access to all of your money has used some sort of challenge-response authentication method, for as long as I can remember. Think RSA-tokens or such. My bank uses calculators where you insert your bank/chip-card and your PIN (I call that two-factor). You key in a challenge and read back the response.

    Barclays do in fact have these. (As do a few other UK banks, though admittedly not all. They appear to be compatible with each other.)



  • Around here (Czechia), many banks converged on a solution where you log in with a password (and can see the account statement with just that), but then to confirm any transaction they text you a one-time password that you need to type back. Slightly less secure than the calculator, but still quite decent (SMS can be sniffed, but it would require a lot of effort plus you'd have to know which phone number goes with which account) and pretty easy given everybody has a mobile these days. Of course the WTF is the largest one did not, despite having been the target of successful phishing attacks a couple of times already.


  • Garbage Person

     The only US financial institution I've seen get the two factor thing right is the goddamn Treasury. As a result, I have a bitchin' code card that makes me look like a secret agent or some shit.



  • @Mole said:

    The other (1st) password is 'cool' too and it's completely the opposite - it has to be 5 digits. Nothing else, and they ask for it all, every time. Now who can think up a memorable 5-digit passnumber?

    (Oblig The password to my luggage!)

    When I got phone banking with one of the biggest banks in Australia the password was 3 digits. I think mine was 791. I'm pretty sure they don't still do that. :)




  • @Zemm said:

    When I got phone banking with one of the biggest banks in Australia the password was 3 digits. I think mine was 791. I'm pretty sure they don't still do that. :)


    Are you sure? By the way, what is your account number?



  • @Weng said:

     The only US financial institution I've seen get the two factor thing right is the goddamn Treasury. As a result, I have a bitchin' code card that makes me look like a secret agent or some shit.

    Code card? Pfft! My bank had that but it is already deemed insecure and obsolete. I now have to use smart card authentication if I need to make bank transfers greater than about $300.



  • @Mole said:

    It just seems daft that the company who is safeguarding my money is using such a weak security system

    @Mole said:

    Meanwhile the company I work for only allows email collection via a ssh2 tunnel, authenticating using a 2048-bit public/private key

    Welcome to the wonderful rich world of the manifold human interpretations of reality!




  • The situation in the UK seems to be just as retarded as in the states.

    My brother has a physical RSA fob for WoW and Paypal but his proper bank doesn't offer it. My bank asks me to check a certain picture displayed during login is the one I chose while signing up but doesn't offer an RSA fob either.

    And we have the broken Verified-By-xxxx schemes for using your card online that use information printed on the goddamn card for resetting your password! This handily means you are liable for the loss if someone steals your card details as 'you must have given them your Securecode'..... (I have actually had the bank tell me this when my credit card was fraudulently used).


    With all the regs banks have to abide by it's just shameful that proper two-factor authentication isn't mandatory for any bank offering an online service.




  • Account number and 6-digit PIN on my bank. But what really annoys me is how you input the numbers.

    It's an on-screen keypad where you have to click the digits with your mouse. If you start typing, a popup will come up telling you to "use the virtual keyboard".

    And somehow, even if it is implemented as an HTML table with onclick attributes on its TDs, the key "buttons" manage to get a "focussed" dashed line around them after I press each of them. Just in case the person looking over my shoulder fails to see where I am clicking.

    But hey, the addKey() javascript function checks to see if the document's title is the same as it expects. That makes it much more secure, right?



  • My Barclays account uses a memorable word, an RSA fob and the last 5 digits of your bank card for full login. Seems secure enough to me.



  • @Mole said:

    Now who can think up a memorable 5-digit passnumber?

    Think of your favorite sentence. Mine is "I'm impotent, man! Get away from me, biatch!" Now dial the first letters of each word on a phone. BAM! You have your 5 digit passcode.



  • @Zecc said:

    And somehow, even if it is implemented as an HTML table with onclick attributes on its TDs, the key "buttons" manage to get a "focussed" dashed line around them after I press each of them. Just in case the person looking over my shoulder fails to see where I am clicking.

    But hey, the addKey() javascript function checks to see if the document's title is the same as it expects. That makes it much more secure, right?

    Barclays top that - for the 5 'security' digits they request, each digit is a pull down menu with the options 0 - 9 that you select with your mouse. Once you select one, the number stays in the box, so the person looking over your shoulder can easily write down your "Secure PIN", even if they only looked over whilst you were entering the 5th digit.


  • @gremlin said:

    @Zemm said:

    When I got phone banking with one of the biggest banks in Australia the password was 3 digits. I think mine was 791. I'm pretty sure they don't still do that. :)


    Are you sure? By the way, what is your account number?


    It had a 6 in it. I closed that account in 2005 when I stopped getting student rate and they started charging me fees. I haven't paid a bank fee in years, other than the occasional foreign ATM or currency conversion fees.



  • @PJH said:

    Barclays do in fact have these. (As do a few other UK banks, though admittedly not all. They appear to be compatible with each other.)

    True, but IME those are only given to Business customers, not personal customers. Typical!



  • Barclaycard has made 300 redundancies at their Northampton offices in the UK this month. They close their credit/debit card fraud department in the UK and move it to Mumbai in India. The staff were offered a bigger package if they went over to India to help train the replacements.



  • @Helix said:

    The staff were offered a bigger package if they went over to India to help train the replacements.

    Gahh! Too many bad jokes involving dick puns! Brain overloading... aneurysm imminent... *THUD*


  • Discourse touched me in a no-no place

    @Cad Delworth said:

    @PJH said:

    Barclays do in fact have these. (As do a few other UK banks, though admittedly not all. They appear to be compatible with each other.)

    True, but IME those are only given to Business customers, not personal customers. Typical!

    Your E appears to be unusual.


    I frequent one of the more popular message boards in the UK for money related matters, and there was a general uproar about Barclays introducing it for 'even moving the mouse' </hyperbole> (and while having control over a personal Barclays account, don't have one for it, because there is no card associated with it.)


    I, myself, have the Nationwide one, and have used it precisely once in the 18 months I've had it. Can't comment personally on Co-Op or Natwest. For completeness, Lloyds TSB (another personal account,) don't use them.



  • @belgariontheking said:

    @Mole said:

    Now who can think up a memorable 5-digit passnumber?

    Think of your favorite sentence. Mine is "I'm impotent, man! Get away from me, biatch!" Now dial the first letters of each word on a phone. BAM! You have your 5 digit passcode.

    But there are 8 words.



  • @Spectre said:

    @belgariontheking said:

    @Mole said:

    Now who can think up a memorable 5-digit passnumber?

    Think of your favorite sentence. Mine is "I'm impotent, man! Get away from me, biatch!" Now dial the first letters of each word on a phone. BAM! You have your 5 digit passcode.

    But there are 8 words.

    But "But there are 8 words" has five words! 




  • @DaveK said:

    But "But there are 8 words" has five words! 

    We have a winner!



  • @Spectre said:

    @belgariontheking said:

    @Mole said:

    Now who can think up a memorable 5-digit passnumber?

    Think of your favorite sentence. Mine is "I'm impotent, man! Get away from me, biatch!" Now dial the first letters of each word on a phone. BAM! You have your 5 digit passcode.

    But there are 8 words.

    Then I just start typing until my pants fall off. Then I know I've hit the limit.



  • @belgariontheking said:

    Then I just start typing until my pants fall off. Then I know I've hit the limit.

    Wow, what site sends pstorer to your house when you exceed the password limit?

