Re: WTF Bites (My longest running banking :wtf: to date)


  • Grade A Premium Asshole

    @Polygeekery said in WTF Bites:

    @topspin said in WTF Bites:

    Apparently I cannot change settings, e.g. email notifications on or off, without also changing my password.

    Ohhhhh, someone remind me tomorrow of a major banking :wtf: regarding my bank. It's glorious.

    Several years ago I changed over all of my business banking to my current bank. My previous bank required me to have a separate login for each business. My new bank has an association process where you can set up additional accounts as "children" of a primary account for the purposes of online banking. Log in to the primary and then you can select each of the associated children accounts from there. Which is actually really convenient.

    But that is where the :wtf:s started. They of course push you to set up 2FA on each account, and banks love to use phone numbers for that. But each phone number can only be used once in their system. So the first one I set as my cell phone number and I get the message about each account needing its own number when setting up 2FA when signing into the second account. So I used my business VoIP number for the second one. For the rest I was SOL because no more numbers. Maybe a year later I got a notification on signing in that they no longer accepted VoIP numbers for 2FA, which left me with no 2FA on all of my accounts but one. Brillant!!

    The primary account at the time was for a business name that I no longer use and when the name changed I had to open a new account for it. That old primary account had several notifications set up on it. Notify me of deposits and ACHs going through, notify me of transactions over $X, notify me if my balance is below $Y. The normal stuff.

    So I go through the process of transitioning everything to the new account after the name change. As part of that long arduous process you have to keep money in the old account to cover recurring transactions that you forget about, etc. Eventually I get to the point that I can close that account. I have to go into the bank to do so and as part of that they set the new account to be the primary account with all the child accounts under it on online banking. The account is closed, we should be all done with it, right?

    Wrong. So those notifications I had set up? Particularly the one for account balance being below $Y? Two years on and that notification is still running. Every single morning the bank sends me an email letting me know that my account balance is below the threshold and that my account balance is $0.

    I have tried logging into the old account, but I cannot because that account is closed so my access to the online banking part of it is shut off. But the account is still in their system because it probably has to stay there forever or some government mandated retention period in case I or the IRS ever need records from it.

    On numerous occasions I have contacted the bank about it and there is always some department that takes care of stuff like that and they will forward on my request and I assume all of those requests get filed in /dev/null because nothing has ever happened with that. Two years later I still get a balance notification every single morning for an account I closed 2+ years ago. I have since made peace with that via an email filter that files them in the same place in my email that their department files my requests to have those notifications purged from my old account. A few months ago I checked to see if they were still there by disabling the filter rule and sure enough, the next morning I get a notification that my balance is below my set threshold.

    Extra special bonus :wtf:: I cannot use my cell phone number for 2FA on any of my accounts because it is still listed on the closed account and every account has to have a unique 2FA phone number.

    Additional minor but annoying :wtf:: I refuse to use their mobile app now because they updated it a while back and it required me to give the app all the permissions and fuck that. Location, phone access, access to files, access to contacts, even access to the microphone. So now I just sign in to the mobile site to do my online banking.

    Another minor :wtf:: The mobile site used to have a single sign-on for all accounts. But a month or so ago they changed to having a separate site for business accounts. But there is no easy way to get straight to it. So my normal workflow for that is to attempt signing in to the normal one and upon submitting my username and password it redirects me to the business login, which is not mobile friendly so all the blanks are tiny in the default view requiring me to zoom way in. It also requires you to answer one of your 2FA questions if the browser is "unknown" to your account and it always is. Those question boxes appear to mobile Chrome as a password box so it prompts me to submit my saved password again, requiring me to close out of that prompt and answer the question and then when I submit that it prompts me every time to update my password for that site, which I don't want to, because it wasn't a password.


  • Grade A Premium Asshole

    Additional banking :wtf: that literally just happened. As part of the transition to a new machine for the accountant that has the check scanner that will not work when connected through a USB hub, because security, the bank (JP Morgan) had to configure the software and blah blah blah.

    We get an urgent ticket requiring someone to log in and help install said software. They had to uninstall the current version of their scanning middleware because it only supports Chrome up to version 80-something and the new version of their scanning middleware triggered SmartScreen because they don't even bother signing their applications. Brillant!!


  • Grade A Premium Asshole

    @Polygeekery said in Re: WTF Bites (My longest running banking :wtf: to date):

    2FA questions

    Which, BTW, I know it has been discussed around here on multiple occasions but those are the worst form of 2FA. The questions invariably include lots of them that could be figured out from internet stalking if a person has enough of an online presence.

    • What was the name of your elementary school? (I went to no less than 4 different elementary schools so that makes it more difficult to figure out what I might have answered)
    • Who did you go to prom with?
    • What was the name of your first pet?
    • What was your favorite band in high school? (Dig and see if the person's MySpace page is still up. Bet it has a lot of annoying graphics of that band.)
    • What was the name of your X grade teacher?
    • Who was your best friend in high school? (Easily found from social media, depending on the person's age)

    Just lots of crap like that. Almost all of them are easily discerned via social media stalking. All of them get lumped in NR2FA



  • @Polygeekery "What is your favourite ____" is especially bad if you set it up with a real answer, since those can change over time



  • @Polygeekery set up some script that will grab that mail every morning, quote it, add a "this is still happening on an already closed account. please fix" and will forward it to the support email of the bank.
    I'll bet it's gonna be resolved within 2 weeks.


  • ♿ (Parody)

    @Polygeekery said in Re: WTF Bites (My longest running banking :wtf: to date):

    the worst form of 2FA.

    From back when we still had a front page:



  • @Polygeekery said in Re: WTF Bites (My longest running banking :wtf: to date):

    @Polygeekery said in Re: WTF Bites (My longest running banking :wtf: to date):

    2FA questions

    Which, BTW, I know it has been discussed around here on multiple occasions but those are the worst form of 2FA. The questions invariably include lots of them that could be figured out from internet stalking if a person has enough of an online presence.

    • What was the name of your elementary school? (I went to no less than 4 different elementary schools so that makes it more difficult to figure out what I might have answered)
    • Who did you go to prom with?
    • What was the name of your first pet?
    • What was your favorite band in high school? (Dig and see if the person's MySpace page is still up. Bet it has a lot of annoying graphics of that band.)
    • What was the name of your X grade teacher?
    • Who was your best friend in high school? (Easily found from social media, depending on the person's age)

    Just lots of crap like that. Almost all of them are easily discerned via social media stalking. All of them get lumped in NR2FA

    The worst part is that when banks implemented 2FA wrong, everyone just followed the trend. 2FA is supposed to be "something you know" and "something you have" ... so a) your username/password and then b) Some form of generated ID you have to enter as a one time use code.



  • @sh_code said in Re: WTF Bites (My longest running banking :wtf: to date):

    @Polygeekery set up some script that will grab that mail every morning, quote it, add a "this is still happening on an already closed account. please fix" and will forward it to the support email of the bank.
    I'll bet it's gonna be resolved within 2 weeks.

    Was going to suggest the same thing, but also do it for the emails received over the past 2 years as well.



  • @CodeJunkie Actually, the even worst worst part is that websites still seem to continue to fuck up even proper 2FA, especially when it involves keeping track of your "device". Not sure why, but so many of them never seem to remember that I've actually logged in from my "device" before ... The fun part is a) the "device" is a desktop computer that hasn't changed in like 6 years. b) I have a static Internet IP address.


  • ♿ (Parody)

    @CodeJunkie it gets reset every time the browser updates. Which these days is at least a couple times per month.



  • @boomzilla said in Re: WTF Bites (My longest running banking :wtf: to date):

    @CodeJunkie it gets reset every time the browser updates. Which these days is at least a couple times per month.

    Oh, well, that's just great. Makes sense though.

    EDIT: I'm completely sick and tired of web browsers.


  • Grade A Premium Asshole

    Another NR2FA that popped up.

    JP Morgan displays a phrase on the login screen that you are supposed to read and then check a box to acknowledge that is the phrase that you chose.

    If a user is being phished I would wager that 99.99% of them would never think, "Hey, where's that phrase thing at?"

    If a website just displayed any phrase I bet users would just tick the box and move through because over a relatively short period of time they just become conditioned to do so.



  • @Polygeekery said in Re: WTF Bites (My longest running banking :wtf: to date):

    Almost all of them are easily discerned via social media stalking.

    Only if you use real answers!



  • @sh_code said in Re: WTF Bites (My longest running banking :wtf: to date):

    @Polygeekery set up some script that will grab that mail every morning, quote it, add a "this is still happening on an already closed account. please fix" and will forward it to the support email of the bank.
    I'll bet it's gonna be resolved within 2 weeks.

    Bet he's blocked as a spammer in 2 days.



  • @boomzilla said in Re: WTF Bites (My longest running banking :wtf: to date):

    @CodeJunkie it gets reset every time the browser updates. Which these days is at least a couple times per month.

    I've noticed that minor FF updates usually don't. But major updates always do.


  • Considered Harmful

    This seems to have gotten OT. The longest I dated a :wtf: at a bank was like 3 years.


  • BINNED

    @Polygeekery said in Re: WTF Bites (My longest running banking :wtf: to date):

    Another NR2FA that popped up.

    JP Morgan displays a phrase on the login screen that you are supposed to read and then check a box to acknowledge that is the phrase that you chose.

    If a user is being phished I would wager that 99.99% of them would never think, "Hey, where's that phrase thing at?"

    If a website just displayed any phrase I bet users would just tick the box and move through because over a relatively short period of time they just become conditioned to do so.

    :wtf_owl:

    How the absolute fuck is this supposed to be useful?
    What is the scenario here??



  • @CodeJunkie said in Re: WTF Bites (My longest running banking :wtf: to date):

    The worst part is that when banks implemented 2FA wrong, everyone just followed the trend. 2FA is supposed to be "something you know" and "something you have" ... so a) your username/password and then b) Some form of generated ID you have to enter as a one time use code.

    Actually, your username is not part of the "something you know" in 2FA. The A stands for "authentication", so the factors are there to authenticate your claim that the username is yours. And it doesn't have to be a generated ID blah blah blah. It could be your fingerprint or your iris scan or whatever. (Biometrics are all "something you have" => I have my finger, I have my iris, I have my retina, etc.)


  • Considered Harmful

    @Steve_The_Cynic said in Re: WTF Bites (My longest running banking :wtf: to date):

    Actually, your username is not part of the "something you know" in 2FA

    What if I have an NFT minted to my username?


  • BINNED

    @Steve_The_Cynic and these horrible security questions are just another “something you know.” So it’s just like a 2nd password, just a really terrible one. 1.5 passwords does not 2FA make.

    On the other side of the spectrum are all these things you really couldn’t give a fuck about (you know, unlike your bank account), that absolutely piss you off with “activate 2FA now!!” Or Facebook/google just wanting an excuse to get your phone number.
    If NodeBB ever decides that I need 2FA, I’m out.


  • I survived the hour long Uno hand

    @topspin said in Re: WTF Bites (My longest running banking :wtf: to date):

    If NodeBB ever decides that I need 2FA, I’m out.

    I mean, these days, you just add the TOTP to your Keeper/1Password/LastPass record and call it a day. No phone number required, unless you're dealing with something stuck in the 19th century like a bank...


  • BINNED

    @izzion I have that on the phone, not on the pc (otherwise it defeats the security purpose), so getting the TOTP out takes a minute.
    Fine for a bank, :kneeling_warthog: for here.


  • ♿ (Parody)

    @topspin said in Re: WTF Bites (My longest running banking :wtf: to date):

    @Polygeekery said in Re: WTF Bites (My longest running banking :wtf: to date):

    Another NR2FA that popped up.

    JP Morgan displays a phrase on the login screen that you are supposed to read and then check a box to acknowledge that is the phrase that you chose.

    If a user is being phished I would wager that 99.99% of them would never think, "Hey, where's that phrase thing at?"

    If a website just displayed any phrase I bet users would just tick the box and move through because over a relatively short period of time they just become conditioned to do so.

    :wtf_owl:

    How the absolute fuck is this supposed to be useful?
    What is the scenario here??

    It's supposed to be anti-phishing. You're supposed to look for that when you login to make sure you're logging into the legit site. I'm not sure it's ever saved anyone.


  • BINNED

    @boomzilla said in Re: WTF Bites (My longest running banking :wtf: to date):

    @topspin said in Re: WTF Bites (My longest running banking :wtf: to date):

    @Polygeekery said in Re: WTF Bites (My longest running banking :wtf: to date):

    Another NR2FA that popped up.

    JP Morgan displays a phrase on the login screen that you are supposed to read and then check a box to acknowledge that is the phrase that you chose.

    If a user is being phished I would wager that 99.99% of them would never think, "Hey, where's that phrase thing at?"

    If a website just displayed any phrase I bet users would just tick the box and move through because over a relatively short period of time they just become conditioned to do so.

    :wtf_owl:

    How the absolute fuck is this supposed to be useful?
    What is the scenario here??

    It's supposed to be anti-phishing. You're supposed to look for that when you login to make sure you're logging into the legit site. I'm not sure it's ever saved anyone.

    The correct way to do that is, of course, already built into every browser: check that the site has a secure connection (with a lock icon) with the right certificate. Users who don’t notice a wrong address won’t notice that either.
    But of course if you’re already MITM’ing the user, you could just forward this stupid token from the real site.
    🏆



  • @topspin said in Re: WTF Bites (My longest running banking :wtf: to date):

    @Steve_The_Cynic and these horrible security questions are just another “something you know.” So it’s just like a 2nd password, just a really terrible one. 1.5 passwords does not 2FA make.

    Absolutely for sure. Well, except that those questions aren't really a second password, but an extension of the main password, as if your password is really a multi-part password, but still just a password.



  • @topspin More to the point, a phishing site will have a real certificate provided by a real "trustable" CA and all. Doesn't even need to be one like Diginotar... The DNS name will be "feasible" for the phishee's bank ("jpmogan.com" ???) but distinct from it, and will pull graphical assets from the real bank's site for extra authenticity. (Probably by fetching them once and hosting them locally.)


  • Grade A Premium Asshole

    @topspin said in Re: WTF Bites (My longest running banking :wtf: to date):

    How the absolute fuck is this supposed to be useful?

    It gives the illusion of usefulness.

    @topspin said in Re: WTF Bites (My longest running banking :wtf: to date):

    What is the scenario here??

    In theory if a user were phished they would see the counterfeit screen and it would either be missing their passphrase thing or display the wrong one and the user would realize that and stop right there.

    In actuality as long as the checkbox is there the user would pay zero attention to phrase or no phrase as they become automatons after a while, just going through the motions. There is even a good chance that if there were no checkbox at all they would go through with the phishing attempt.

    A slightly better but still probably mostly useless implementation of this is when they use a selected picture. There is more of a chance that the user would notice if the picture changed than if someone changes some text below a tickbox. That chance is still approximately zero, but it is much better than the stupid phrase thing.


  • Grade A Premium Asshole

    @topspin said in Re: WTF Bites (My longest running banking :wtf: to date):

    The correct way to do that is, of course, already built into every browser: check that the site has a secure connection (with a lock icon) with the right certificate. Users who don’t notice a wrong address won’t notice that either.

    The site could have a secure connection and still be a phishing site. Most of them are. They just duplicate the look of the site on https://alihreiuhaefdklj.totallynotukrainianphishingsite.com/phishing.html and when the user enters their login information it gets saved in their database.

    Almost all of these measures are security theater when the users are absolutely retarded. It is like the website that I use where once a month I have to enter a NR2FA code to re-authorize my session. That code gets emailed to me. If I need to reset my password, that also gets emailed to me. So for many people and many sites their email becomes the keys to the kingdom.



  • @Applied-Mediocrity said in Re: WTF Bites (My longest running banking :wtf: to date):

    @Steve_The_Cynic said in Re: WTF Bites (My longest running banking :wtf: to date):

    Actually, your username is not part of the "something you know" in 2FA

    What if I have an NFT minted to my username?

    Then you're one of those people we :airquotes:talk:airquotes: about here.


  • Banned

    @Polygeekery said in Re: WTF Bites (My longest running banking :wtf: to date):

    Another NR2FA that popped up.

    JP Morgan displays a phrase on the login screen that you are supposed to read and then check a box to acknowledge that is the phrase that you chose.

    If a user is being phished I would wager that 99.99% of them would never think, "Hey, where's that phrase thing at?"

    If a website just displayed any phrase I bet users would just tick the box and move through because over a relatively short period of time they just become conditioned to do so.

    My Polish bank has a similar feature but done right. First you type in the login and click next. Then you have the password input screen, except next to the password is a picture you picked on your first login (an avatar of sorts). Unobtrusive, and very memorable. This has two functions:

    • You know the website is genuine. A fake website wouldn't know your picture.
    • You know you entered your login correctly. You won't waste your login attempts because you made a typo on the previous screen.

    I guess the "tick the box if you recognize the word" is meant to serve the same purpose except in the worst way imaginable.

    That bank also has actual 2FA. You can choose between SMS, smartphone app, dedicated token device, or printed out single-use keys. IIRC the last two were available for online banking since at least 2000.

    Overall a very good online banking system. Very likely one of the best in the world - I can't even think of a single WTF (okay, the "only type some letters of the password" feature is probably a WTF because it suggests questionable password storage practices; but it's true that it increases security in a different way.) The two other Polish banks and the one American bank I had a chance to use are much worse.


  • Grade A Premium Asshole

    @Gąska said in Re: WTF Bites (My longest running banking :wtf: to date):

    questionable password storage practices; but it's true that it increases security in a different way

    What do you mean?


  • BINNED

    @Polygeekery said in Re: WTF Bites (My longest running banking :wtf: to date):

    In theory if a user were phished they would see the counterfeit screen and it would either be missing their passphrase thing or display the wrong one and the user would realize that and stop right there.

    The user side of that problem is of course that this is totally not idiomatic and they never would actually notice this crap, as you said.
    The technical problem, as mentioned above, is that the phishing site could just ask the real site for the phrase, since it happens before authentication. (And if it happened after authentication it would be too late anyway.)

    @Gąska said in Re: WTF Bites (My longest running banking :wtf: to date):

    You know the website is genuine. A fake website wouldn't know your picture.

    Why not?

    User goes to phishing site. User enters login name in phishing site. Phishing site contacts real site with user's login name and gets served the picture. Phishing site presents the "secret" picture to the user.


  • Grade A Premium Asshole

    @topspin said in Re: WTF Bites (My longest running banking :wtf: to date):

    The technical problem, as mentioned above, is that the phishing site could just ask the real site for the phrase, since it happens before authentication.

    Sort of.

    Each browser has a one-time setup procedure. I don't recall what it is. After that point the passphrase thing shows up. I presume that they install their own certificate or something during setup?

    There is a lot of manual setup required by JP Morgan in order for users to access their treasury system. As in literally you have to get on the phone with some drone working through a flowchart and they are even less computer literate than the accountants and bookkeepers that they are "assisting". It is the blind and functionally retarded leading the blind.


  • BINNED

    @Polygeekery said in Re: WTF Bites (My longest running banking :wtf: to date):

    @Gąska said in Re: WTF Bites (My longest running banking :wtf: to date):

    questionable password storage practices; but it's true that it increases security in a different way

    What do you mean?

    Taking a guess, it probably works like one of my bank accounts:

    For online banking, I have a normal user name and password, as well as another 6-digit numeric password. I first log in with user name and password (which I hope is hashed correctly), then get asked for 2 out of the 6 digits of the second password. That probably means this second password is not stored as a hash (but it would be easy to reverse anyway).
    From my understanding, this serves as a simplistic version of a one time password token, in that the full password never gets transmitted but only a "token" (2 of the digits) which is "computed" (in a very simple way by the human user) from the real password. So just like the certificate or whatever you save in your OTP generator, this second secret password kinda-sorta becomes "something you have" instead of "something you know".
    It's simplistic because, while you cannot steal both the login info and the full second password by snooping one login session, it only takes at most a dozen logins to reconstruct the full password. (Or you could try a few times until you get asked for the two digits you know.) But it's still a little bit more secure.

    Thankfully, the real part of 2FA there is that actual transactions get authenticated with a TAN, for which you could use a TAN generator or an old-fashioned paper list.



  • @Steve_The_Cynic said in Re: WTF Bites (My longest running banking :wtf: to date):

    ("jpmogan.com" ???)

    Wait. Is ".corn" (yes, that is an r and an n instead of an m) still available?
    💰 🤑


  • Discourse touched me in a no-no place

    @dcon said in Re: WTF Bites (My longest running banking :wtf: to date):

    @Applied-Mediocrity said in Re: WTF Bites (My longest running banking :wtf: to date):

    @Steve_The_Cynic said in Re: WTF Bites (My longest running banking :wtf: to date):

    Actually, your username is not part of the "something you know" in 2FA

    What if I have an NFT minted to my username?

    Then you're one of those people we :airquotes:talk:airquotes: about here.

    They're called “marks” or “suckers” in the trade.


  • Banned

    @topspin said in Re: WTF Bites (My longest running banking :wtf: to date):

    @Gąska said in Re: WTF Bites (My longest running banking :wtf: to date):

    You know the website is genuine. A fake website wouldn't know your picture.

    Why not?

    User goes to phishing site. User enters login name in phishing site. Phishing site contacts real site with user's login name and gets served the picture. Phishing site presents the "secret" picture to the user.

    Okay, yeah, you're right. Still, something that requires significantly more effort from the scammer, and that's always good. And the other part - knowing you typo'd the login - is still useful on its own. And most importantly - zero effort from the user.


  • Banned

    @Polygeekery said in Re: WTF Bites (My longest running banking :wtf: to date):

    @Gąska said in Re: WTF Bites (My longest running banking :wtf: to date):

    questionable password storage practices; but it's true that it increases security in a different way

    What do you mean?

    Keyloggers. And looking over the shoulder.



  • @dkf said in Re: WTF Bites (My longest running banking :wtf: to date):

    They're called “marks” or “suckers” in the trade.

    And elsewhere they're called NFT purchasers.


  • Discourse touched me in a no-no place

    @Polygeekery said in Re: WTF Bites (My longest running banking :wtf: to date):

    In theory if a user were phished they would see the counterfeit screen and it would either be missing their passphrase thing or display the wrong one and the user would realize that and stop right there.
    In actuality as long as the checkbox is there the user would pay zero attention to phrase or no phrase as they become automatons after a while, just going through the motions. There is even a good chance that if there were no checkbox at all they would go through with the phishing attempt.
    A slightly better but still probably mostly useless implementation of this is when they use a selected picture. There is more of a chance that the user would notice if the picture changed than if someone changes some text below a tickbox. That chance is still approximately zero, but it is much better than the stupid phrase thing.

    The login for my credit card company used to do both of these at the same time. They've discontinued it now.
    I knew what the phrase was as it's a reference to one of my favourite shit jokes but it could have displayed any picture and I'd have had no idea if it was the right one or not.

    edit: plus the issues already pointed out ⬆



  • @topspin
    My bank has set that up so when I'm at my PC, I log in with username and password (something I know), and they send the TOTP to my cellphone (something I have) for me to confirm.

    To the banking app I have installed on my cellphone. From where I could have done anything that I was planning to do at my PC anyway. More often than not that's where I end up doing it.


  • Grade A Premium Asshole

    @izzion said in Re: WTF Bites (My longest running banking :wtf: to date):

    I mean, these days, you just add the TOTP to your Keeper/1Password/LastPass record and call it a day. No phone number required, unless you're dealing with something stuck in the 19th century like a bank...

    Which brings up something else. In the same vein as so many websites having a single point of failure (the user's email account), how long before some exploit exposes every user's logins from one of these services?

    Yeah yeah yeah, lots of people can chime in with lots of things that these services say that they do that prevent such things from happening but how much shit is going on behind the scenes that would or will be worthy of front page status if/when this happens?

    The only one that would be very unlikely to suffer such an exploit would be KeePass (am I the only one that sees "Keep Ass"?) due to how it works and lots of eyes potentially being on the codebase. But it is still not impossible.

    LastPass, 1Password, etc., they all seem like a bad idea to me. You're putting all of your eggs in one basket and depending on them to do their job perfectly and not expose any potential vectors of attack. You are giving nefarious people one target to attack to hundreds of thousands or millions of keys to the kingdom.

    Am I the only person that is this skeptical and pessimistic about such services?



  • @Polygeekery said in Re: WTF Bites (My longest running banking :wtf: to date):

    KeePass ... due to how it works

    How does it work differently from LastPass, etc.?



  • @Gąska said in Re: WTF Bites (My longest running banking :wtf: to date):

    @Polygeekery said in Re: WTF Bites (My longest running banking :wtf: to date):

    Another NR2FA that popped up.

    JP Morgan displays a phrase on the login screen that you are supposed to read and then check a box to acknowledge that is the phrase that you chose.

    If a user is being phished I would wager that 99.99% of them would never think, "Hey, where's that phrase thing at?"

    If a website just displayed any phrase I bet users would just tick the box and move through because over a relatively short period of time they just become conditioned to do so.

    My Polish bank has a similar feature but done right.

    Oh, this should be good. :rolleyes: 😛

    First you type in the login and click next. Then you have the password input screen, except next to the password is a picture you picked on your first login (an avatar of sorts). Unobtrusive, and very memorable. This has two functions:

    • You know the website is genuine. A fake website wouldn't know your picture.

    Couldn't they? If they try your login ID, then they could easily pull your picture and then associate it with your ID.

    • You know you entered your login correctly. You won't waste your login attempts because you made a typo on the previous screen.

    That will already be shown by not being able to log in in the first place, so the "feature" adds nothing.

    That bank also has actual 2FA. You can choose between SMS, smartphone app, dedicated token device, or printed out single-use keys. IIRC the last two were available for online banking since at least 2000.

    Ok, those are all decent options for "something you have," unless someone steals your phone or token device.
    But how are you supposed to get the single-use key? Do they give you a cipher book of single-use keys, with instructions on each login for which key to look up?

    Overall a very good online banking system. Very likely one of the best in the world - I can't even think of a single WTF (okay, the "only type some letters of the password" feature is probably a WTF because it suggests questionable password storage practices; but it's true that it increases security in a different way.) The two other Polish banks and the one American bank I had a chance to use are much worse.

    My credit union is at least as good, and does operate worldwide.


  • Banned

    @djls45 said in Re: WTF Bites (My longest running banking :wtf: to date):

    First you type in the login and click next. Then you have the password input screen, except next to the password is a picture you picked on your first login (an avatar of sorts). Unobtrusive, and very memorable. This has two functions:

    • You know the website is genuine. A fake website wouldn't know your picture.

    Couldn't they? If they try your login ID, then they could easily pull your picture and then associate it with your ID.

    Already replied to that.

    • You know you entered your login correctly. You won't waste your login attempts because you made a typo on the previous screen.

    That will already be shown by not being able to log in in the first place, so the "feature" adds nothing.

    After several unsuccessful login attempts (5 IIRC?) the online access is locked (and rightly so).

    That bank also has actual 2FA. You can choose between SMS, smartphone app, dedicated token device, or printed out single-use keys. IIRC the last two were available for online banking since at least 2000.

    Ok, those are all decent options for "something you have," unless someone steals your phone or token device.
    But how are you supposed to get the single-use key? Do they give you a cipher book of single-use keys, with instructions on each login for which key to look up?

    Never used it myself, but IIRC you get like 100 of those keys and you can use any of them at any time (I guess there's an expiration date for the whole batch?) but each one works only once. You have to pick up new ones yourself, or maybe they get mailed to you. As I said, never used it myself.

    Overall a very good online banking system. Very likely one of the best in the world - I can't even think of a single WTF (okay, the "only type some letters of the password" feature is probably a WTF because it suggests questionable password storage practices; but it's true that it increases security in a different way.) The two other Polish banks and the one American bank I had a chance to use are much worse.

    My credit union is at least as good, and does operate worldwide.

    Which one is it? I'm currently in PNC and it doesn't even let me autopay the credit card balance as soon as the statement arrives. And the statement arrives on a different day each month. Currently I have it set up on a fixed date and I just hope it never arrives after 10th.


  • Grade A Premium Asshole

    @HardwareGeek said in Re: WTF Bites (My longest running banking :wtf: to date):

    @Polygeekery said in Re: WTF Bites (My longest running banking :wtf: to date):

    KeePass ... due to how it works

    How does it work differently from LastPass, etc.?

    KeePass is an open source password manager and requires you to make your own encrypted database of passwords portable in your own way. You can keep it on a USB drive, put it in your Google Drive or OneDrive or DropBox or whatever you want to keep it synchronized amongst machines.

    The rest of them, to my knowledge, sync your password database for you. Which makes them a single point of failure and single point to attack.

    If you find an exploit in how LastPass or others are storing data at rest or in transit then you could dump everyone's data and go to town. With KeePass you would have to attack every user's machines or exploit the loophole on a much broader scale.

    Given my work I am always leery of single points of failure.


  • Discourse touched me in a no-no place

    @Polygeekery said in Re: WTF Bites (My longest running banking :wtf: to date):

    am I the only one that sees "Keep Ass"?

    Not now. So y'know... thanks for that.


  • Grade A Premium Asshole

    @loopback0 said in Re: WTF Bites (My longest running banking :wtf: to date):

    thanks for that.

    You're welcome. I do what I can. It is very little, but I do what I can.


  • I survived the hour long Uno hand

    @Polygeekery said in Re: WTF Bites (My longest running banking :wtf: to date):

    @izzion said in Re: WTF Bites (My longest running banking :wtf: to date):

    I mean, these days, you just add the TOTP to your Keeper/1Password/LastPass record and call it a day. No phone number required, unless you're dealing with something stuck in the 19th century like a bank...

    Which brings up something else. In the same vein as so many websites having a single point of failure (the user's email account), how long before some exploit exposes every user's logins from one of these services?

    Yeah yeah yeah, lots of people can chime in with lots of things that these services say that they do that prevent such things from happening but how much shit is going on behind the scenes that would or will be worthy of front page status if/when this happens?

    The only one that would be very unlikely to suffer such an exploit would be KeePass (am I the only one that sees "Keep Ass"?) due to how it works and lots of eyes potentially being on the codebase. But it is still not impossible.

    LastPass, 1Password, etc., they all seem like a bad idea to me. You're putting all of your eggs in one basket and depending on them to do their job perfectly and not expose any potential vectors of attack. You are giving nefarious people one target to attack to hundreds of thousands or millions of keys to the kingdom.

    Am I the only person that is this skeptical and pessimistic about such services?

    Given that I lose all of the passwords in my personal vault if I forget my passphrase or wallet ID ("username" guid-like-thing) and work has to reset my credentials, I have naive hope that their encryption is actually good enough to prevent brute force style attacks. Doesn't solve the getting phished problem, but it's no worse than your e-mail account from that perspective. :mlp_shrug:

    And obviously the bigger win in a business environment is having shared vaults without having to share credentials, which to my knowledge isn't really a thing with KeePass.


  • Grade A Premium Asshole

    @izzion you would get no argument from me that they are the lesser of evils when talking about users at large. If you asked me to bet on Jane from payroll inputting her password into a phishing site or a large group that we hope knows what they are doing keeping all of that safe, I would bet on the large group every time.

    This is especially so considering that we have had users that avoided getting phished because their password manager did not prompt them to fill the password.

    But that does not mean that it is not a risk. And also a risk with much broader and larger implications.

    I would also say that just because LastPass or whatever says that they cannot recover your passwords does not mean that they are unable to or that if they suffered a data breach that another group could not recover them due to a flaw in their software and/or practices.

    In fairness, the same is true of KeepAss but the exploit would need a near infinitely larger attack vector.

    Either of them would be up a moving body of feces without a means of conveyance if the attack vector is browser or OS based. If they ever find an exploit that allows a website to spoof the chain of custody and impersonate a website so that the user and password manager do not realize then the jig is up anyway.

    This is all a stretch. I concede that. But when I see single points of failure in systems my spidey sense tingles.
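The "password manager did not prompt them to fill" behaviour the post describes comes down to an origin check: the vault entry is bound to the site it was saved on, and a lookalike host never matches. The following is an added illustration of that check, not code from any product named in the thread; the vault entry, the `bank.example` host names and the two-label "registered domain" heuristic are all constructed for the example (real managers use the public suffix list).

```python
"""Origin-bound autofill decision, as a password manager applies it.

Added example. Assumption: each vault entry stores the exact https origin
it was saved on, and credentials are only offered on that origin (or a
subdomain of its registered domain), never on a merely similar host.
"""
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed vault contents (not real accounts or sites).
VAULT: Dict[str, Dict[str, str]] = {
    "https://bank.example": {"user": "jane", "secret": "hunter2"},
}


def registered_domain(host: str) -> str:
    """Last two labels of a host: 'online.bank.example' -> 'bank.example'.
    Constructed heuristic; production code consults the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def origin_of(page_url: str) -> Optional[str]:
    """Canonical scheme://host[:port] of the page, or None if not fillable.
    Plain http and malformed URLs are refused; a userinfo trick such as
    https://bank.example@evil.example/ yields the real host, evil.example."""
    try:
        parts = urlsplit(page_url)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme != "https" or not parts.hostname:
        return None
    host = parts.hostname.lower()  # homoglyph/IDN hosts simply never equal the saved host
    suffix = f":{port}" if port and port != 443 else ""
    return f"https://{host}{suffix}"


def entries_for(page_url: str) -> List[Dict[str, str]]:
    """Credentials to offer on this page; an empty list means 'do not prompt'."""
    origin = origin_of(page_url)
    if origin is None:
        return []
    page_domain = registered_domain(urlsplit(origin).hostname)
    return [
        cred
        for saved_origin, cred in VAULT.items()
        if registered_domain(urlsplit(saved_origin).hostname) == page_domain
    ]
```

A phishing page at `https://bank.example.evil.example/` or `https://bank.example@evil.example/` gets an empty list, which is the silence the user in the post noticed.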

