Horrible bank security practices (not really news)



  • @Ragnax said:

    @chubertdev said:
    up until a MITM attack

    Perhaps you need to read what I posted with a bit more attention?

    I only ever enter the PIN on a closed system that is not connected to any computer system. It is used as part of a crypto-algorithm to produce a nonce and the nonce is manually typed into an input element on the website.

    Obtaining the PIN would require breaking said crypto-algorithm and reversing the nonce.

    I was scrolling up to find a post I had made about that, to ensure you had seen what @chubertdev was referring to, and then discovered that I made that point in an entirely different thread here:
    http://what.thedailywtf.com/t/from-my-friend-who-works-in-it-at-a-school-here-are-some-screenshots-of-pdfs/5360/107

    Yes. The hackers are live in your session via your computer while you're entering your PIN and messing with your transaction.

    There is no such thing as an absolutely secure transaction that involves a computer connected to the internet. The best you can get is making it really difficult on any third parties that try to intercept your data, and due diligence monitoring your account activity so as to notify your financial institution if anything is amiss.


  • Discourse touched me in a no-no place

    @Weng said:

    I am yet to locate a payment terminal that'll take it to find out.

    Try Wal-Mart, Target, or chain gas stations like QT or Racetrac.

    Here in Dallas it seems like most places have already upgraded, possibly in the middle of the night.


  • Discourse touched me in a no-no place

    @loopback0 said:

    because they're annoying when all I want to do is login to online banking and it's been left at home.

    They're largely interchangeable - either get a second from your bank to keep at work, or see if a cow-orker has one on them since they've already got a second...


  • Garbage Person

    Negative Walmart, chain gas stations, grocery stores, etc.

    Bunch of places recently did a refresh, but they're just NFC and magstrip.


  • Discourse touched me in a no-no place

    @Weng said:

    Negative Walmart, chain gas stations, grocery stores, etc.

    Bunch of places recently did a refresh, but they're just NFC and magstrip.

    Funky. You must live in a backwater. 😄

    I have barely seen any Apple Pay or NFC machines, though.



  • @Weng said:

    Asked for a replacement AmEx and got a chipped card. No PIN, though. I assume it's set up for Chip-and-signature mode, which is way less good than chip-and-PIN.

    I am yet to locate a payment terminal that'll take it to find out.

    Oh yeah, same here. Well, not a replacement, but newly added to my wife's account.



  • Yeah, the single-use token makes it harder, as the MITM attack needs to pretty much be real-time, but it's still not 100% secure.


  • Discourse touched me in a no-no place

    @PJH said:

    They're largely interchangeable - either get a second from your bank to keep at work, or see if a cow-orker has one on them since they've already got a second...

    The thing is that "at work" is often not the same place - I'm usually in other offices more than I'm in mine.
    If my current bank ever introduce them, I'll cross that road then. I was changing banks anyway when I picked the one without the true 2FA token.
    At the moment username + password + n characters from secret word suits me, especially as any money transfer requires verification by phone. Phone numbers for verification can't be changed without waiting for a week and a notification being sent to the existing numbers.


  • Banned

    @Weng said:

    Problem: The only practical way for them to do that is plaintext (or reversible encrypted) storage

    Yes, I know. When I first realized this, I was OMGWTFBBQ SECRUTIZ TURNIT AUF but then I realized that without it, it would be still plaintext, and unprotected from keyloggers.

    About cards - they've been pushing this PayPass technology in Poland for a few years now (probably what you call NFC). It's awful. It has basically no protection against old style theft except for daily limit.



  • @flabdablet said:

    I was a happy little Australian with my chip-and-PIN card... and then all the banks started issuing all this NFC bullshit, where just putting the card near the reader for two seconds is enough to authorize any transaction of up to $100. Didn't ask for that. Didn't want that. No way to turn it off either, without risking destruction to the chip.

    This is the worst thing with the new cards. (In Canada it is $50 max, but still...). First they start by increasing security using Chip-and-PIN for bank and credit cards, and then they take it all away for "convenience" of paying quickly, because typing in your PIN takes an extra 5 seconds at the checkout.

    A while ago I was at a currency exchange place, which accepts only cash or debit (bank card) as payment for buying another currency. I took my C-n-P bank card out of my wallet and set the wallet down near the reader. Put the card in the slot and immediately the reader showed some failure message and quit. The teller insisted that I was trying to use a VISA card and that they won't do credit card cash advance. After a few minutes of pleading to just try it again, the second time it went through okay. It wasn't until after I left that I realized that my C-n-P, NFC VISA was in my wallet and was probably picked up by the reader. (Which I suppose it could have also randomly picked the other NFC credit card that I had in the same wallet.)

    And no one around here (banks or customers) seems to care that everyone is a walking ATM for the bad guys. Sigh.


  • Discourse touched me in a no-no place

    @quijibo said:

    (Which I suppose it could have also randomly picked the other NFC credit card that I had in the same wallet.)

    TRWTF being you not using a NFC proof/resistant wallet. TINFOIL IS BACK, BABY.


  • Banned

    TRWTF is having to protect yourself from remote pickpocketing. Seriously, did anyone behind NFC ever think about what they're doing!?



  • @Gaska said:

    TRWTF is having to protect yourself from remote pickpocketing. Seriously, did anyone behind NFC ever think about what they're doing!?

    I rarely have any of my remotes in my pockets.


  • Discourse touched me in a no-no place

    @Gaska said:

    Seriously, did anyone behind NFC ever think about what they're doing!?

    I think you know the answer tothat.


  • Banned

    That's why I hate English so much - it's the most ambiguous European language ever. If I didn't post from mobile, I would <abbr> every word to clarify if something is verb, noun, adjective, adverb, pronoun, or something else.

    @FrostCat said:

    I think you know the answer tothat

    I'm not Tothat. And writing people's names without first letter capitalized is rude (unless their name actually has lowercase first letter, which is very common over internet apparently).



  • @Gaska said:

    That's why I hate English so much - it's the most ambiguous European language ever. If I didn't post from mobile, I would <abbr> every word to clarify if something is verb, noun, adjective, adverb, pronoun, or something else.

    I'm not Tothat. And writing people's names without first letter capitalized is rude (unless their name actually has lowercase first letter, which is very common over internet apparently).

    It's an adjective in either use here.


  • Banned

    In what sense does the adjective "remote" imply having remote controllers?



  • @Gaska said:

    In what sense does adjective "remote" imply having remote controllers?

    It describes/modifies what's being pickpocketed.


  • Banned

    That's a noun.



  • @Gaska said:

    That's a noun.

    You would think so.


  • Discourse touched me in a no-no place

    Enjoy your 🎏



  • @quijibo said:

    because typing in your PIN takes an extra 5 seconds at the checkout

    If you were to add up all those saved 5 seconds over the course of a typical supermarket's working day, you'd probably find that they allow the store to achieve the same throughput with one less checkout queue.



  • @chubertdev said:

    Yeah, the single-use token makes it harder, as the MITM attack needs to pretty much be real-time, but it's still not 100% secure.

    The amount paid and the recipient bank number are, together with an initial seed set by the bank's systems, part of the input for the algorithm that generates the nonce. So a MITM attack that modifies either amount paid or recipient is virtually impossible.
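    A minimal model of the scheme described here and in @Ragnax's earlier post: an offline token, unlocked by a PIN, computes a short code over a bank-issued challenge plus the amount and recipient, and the bank recomputes that code over the transaction it actually received. This is an added example, not the bank's real algorithm or any product's code; the HMAC-SHA256 construction, the 8-digit HOTP-style truncation, the field separators, the single-use challenge handling and all names and sample values are assumptions.

```python
import hashlib
import hmac
import secrets

DIGITS = 8  # length of the code the user types into the web form (assumption)


def transaction_code(secret: bytes, challenge: str, amount_cents: int, recipient: str) -> str:
    """Code over (challenge, amount, recipient) keyed with the token's secret.

    Any change to amount or recipient after signing changes the MAC, so the
    bank's recomputation will not match the code the user typed."""
    msg = b"|".join([challenge.encode(), str(amount_cents).encode(), recipient.encode()])
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    # Dynamic truncation in the style of RFC 4226 so the user has only digits to type.
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


class Token:
    """Constructed model of the closed device: the secret never leaves it and it
    refuses to compute anything until the correct PIN is entered on the device."""

    def __init__(self, secret: bytes, pin: str):
        self._secret = secret
        self._pin = pin

    def sign(self, pin: str, challenge: str, amount_cents: int, recipient: str) -> str:
        if not hmac.compare_digest(pin, self._pin):
            raise ValueError("wrong PIN")
        return transaction_code(self._secret, challenge, amount_cents, recipient)


class Bank:
    """Constructed model of the bank side: it shares the token secret and issues
    a fresh challenge per transfer, which is consumed on first use."""

    def __init__(self):
        self._secrets = {}
        self._challenges = {}

    def enroll(self, customer: str) -> bytes:
        self._secrets[customer] = secrets.token_bytes(32)
        return self._secrets[customer]

    def new_challenge(self, customer: str) -> str:
        self._challenges[customer] = secrets.token_hex(8)
        return self._challenges[customer]

    def submit(self, customer: str, amount_cents: int, recipient: str, code: str) -> bool:
        challenge = self._challenges.pop(customer, None)  # single use: replay fails here
        if challenge is None:
            return False
        expected = transaction_code(self._secrets[customer], challenge, amount_cents, recipient)
        return hmac.compare_digest(expected, code)


def run_scenarios() -> dict:
    """Honest transfer, replay, in-session tampering and a wrong PIN (all constructed)."""
    bank = Bank()
    token = Token(bank.enroll("alice"), pin="1234")
    amount, recipient = 5000, "NL00EXAMPLE0123456789"  # constructed sample values

    ch = bank.new_challenge("alice")
    code = token.sign("1234", ch, amount, recipient)
    honest = bank.submit("alice", amount, recipient, code)
    replay = bank.submit("alice", amount, recipient, code)  # challenge already consumed

    ch = bank.new_challenge("alice")
    code = token.sign("1234", ch, amount, recipient)
    tampered_amount = bank.submit("alice", 500000, recipient, code)  # amount altered in the session

    ch = bank.new_challenge("alice")
    code = token.sign("1234", ch, amount, recipient)
    tampered_recipient = bank.submit("alice", amount, "NL00EXAMPLE9999999999", code)

    try:
        token.sign("0000", bank.new_challenge("alice"), amount, recipient)
        wrong_pin_refused = False
    except ValueError:
        wrong_pin_refused = True

    return {
        "honest": honest,
        "replay": replay,
        "tampered_amount": tampered_amount,
        "tampered_recipient": tampered_recipient,
        "wrong_pin_refused": wrong_pin_refused,
    }


if __name__ == "__main__":
    print(run_scenarios())
```

    What the model shows is that the code binds the transaction details, not just the session: malware sitting in the browser can still see the PIN being typed nowhere (it is only entered on the device) and cannot change amount or recipient without the bank's recomputed code failing. What it does not cover is the user reading the wrong amount off a tampered screen and signing it anyway, which is why the device displaying the amount and recipient before signing matters.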



  • @chubertdev said:

    What I think my password is: pAssWord1LaLaLaL

    What Schwab stored my password as: password

    That is a buttumption. We just had a thread recently about the Git vulnerability, where someone pointed out that case insensitivity, and case folding, are two separate things.

    So they might store the password as pAssWord, but the comparison is case-insensitive.

    Um, wouldn't that be even worse? Because for a case-insensitive comparison to work, they'd need to store passwords in the clear. And not as a hash.

    AFAIK, there's no case-sensitive hash algorithm which also allows case-insensitive comparisons of the hashed content.


  • FoxDev

    @Rhywden said:

    AFAIK, there's no case-sensitive hash algorithm which also allows case-insensitive comparisons of the hashed content.

    because it's a stupid idea...



  • @Rhywden said:

    there's no case-sensitive hash algorithm which also allows case-insensitive comparisons of the hashed content.

    Sure there is. The final hash is the concatenation of a shorter hash for the original content, and another for a case-folded copy of it. To do a case-insensitive comparison, just compare the folded-copy halves of the hashes.

    Why you'd ever want to do that remains a complete mystery to me, but if you can spec it there's an algorithm for it.



  • Okay, I stand corrected. 😄



  • @flabdablet said:

    The final hash is the concatenation of a shorter hash for the original content, and another for a case-folded copy of it. To do a case-insensitive comparison, just compare the folded-copy halves of the hashes.

    Even easier, just lowercase the password from the user before hashing. (Not that I agree with this idea but...) If you're allowing a case-insensitive match any way then you probably don't need to store the original hash with the correct case, just the canonicalized (lower cased, non-ASCII chars removed, etc) password hash.


  • FoxDev

    of course if you do that then you have just halved the entropy of all your passwords. which is why it's a stupid idea to create password hashes that way.

    and that's not including the cluster that is Unicode case folding rules...



  • The question required the hash algorithm to be case-sensitive.


  • Discourse touched me in a no-no place

    @accalia said:

    of course if you do that then you have just halved the entropy of all your passwords. which is why it's a stupid idea to create password hashes that way.

    Easily fixed - once you've turned them all lowercase, just turn them uppercase before hashing. Entropy restored ;)


  • FoxDev

    😑

    really?

    hmm.... i think the only correct thing to say to that would be:

    BAKA NO AHO!

    unless my study of Azumanga Daioh has led me astray.



  • @quijibo said:

    Even easier, just lowercase the password from the user before hashing.

    Doing that means you can't then do a case-sensitive match that fails on a pure case mismatch. If you want to be able to do both case-sensitive and case-insensitive matches on something's hash, you do need to derive part of that hash from the unfolded original.

    Of course none of this is anywhere near as bone-headed easy as storing the user's password in an uppercase-only, fixed-size field on an AS/400, which is almost certainly what Schwab is doing.
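    The two-part record @flabdablet describes (one digest of the password as typed, one of a case-folded copy), with the point from the post just above that only the unfolded part can back a strict match, as an added example written for this thread rather than code from any poster or bank. PBKDF2-HMAC-SHA256, the iteration count, the salt-plus-two-digests layout and Python's casefold() (which also handles @accalia's Unicode folding cases such as ß) are assumptions; the sample password is the one quoted earlier in the thread.

```python
import hashlib
import hmac
import os

SALT_LEN = 16
DKLEN = 32
ITERATIONS = 100_000  # constructed choice for the example; tune for your hardware


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, salted derivation of one half of the record."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=DKLEN)


def make_record(password: str) -> bytes:
    """salt || H(password as typed) || H(casefold(password)), both halves under the same salt."""
    salt = os.urandom(SALT_LEN)
    exact = _derive(password, salt)
    folded = _derive(password.casefold(), salt)
    return salt + exact + folded


def _split(record: bytes):
    salt = record[:SALT_LEN]
    exact = record[SALT_LEN:SALT_LEN + DKLEN]
    folded = record[SALT_LEN + DKLEN:]
    return salt, exact, folded


def verify_exact(record: bytes, attempt: str) -> bool:
    """Case-sensitive check: compares against the unfolded half only."""
    salt, exact, _ = _split(record)
    return hmac.compare_digest(exact, _derive(attempt, salt))


def verify_insensitive(record: bytes, attempt: str) -> bool:
    """Case-insensitive check: folds the attempt and compares against the folded half."""
    salt, _, folded = _split(record)
    return hmac.compare_digest(folded, _derive(attempt.casefold(), salt))


def demo() -> dict:
    """Constructed inputs: the password quoted in the thread plus a Unicode folding case."""
    rec = make_record("pAssWord1LaLaLaL")
    de = make_record("Straße")  # casefold() maps ß to "ss", so "STRASSE" folds to the same string
    return {
        "exact_same": verify_exact(rec, "pAssWord1LaLaLaL"),
        "exact_lowercased": verify_exact(rec, "password1lalalal"),
        "insensitive_lowercased": verify_insensitive(rec, "password1lalalal"),
        "insensitive_wrong": verify_insensitive(rec, "password2lalalal"),
        "unicode_exact": verify_exact(de, "STRASSE"),
        "unicode_insensitive": verify_insensitive(de, "STRASSE"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

    The folded half is the weak point: every password that differs from the user's only in case verifies against it, so whoever obtains the record has a smaller space to search than the exact half alone would give. That is the trade-off the thread is arguing about, and the reason the exact half must be kept if a strict match is ever wanted.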



  • @mratt said:

    [image: westpac.PNG]

    Didn't notice this was westpac earlier. Back when I used them it was an 8-digit access number (luckily separate from bsb/account number) with a 3 (!) digit password. 11 numbers to uniquely and securely identify me and my hundreds of dollars.

    @flabdablet said:

    My bank started out as a credit union.

    My current bank started as a building society, and I still see some "BS" written around :) Marginally better security practices. They were supposed to bring out phone based NFC payments but after 2 years everyone else is beating them to market.



  • Westpac still uses 8-digit customer numbers conveniently provided on correspondence, and a 3-digit code for telephone banking...



  • O.o

    http://bankmecu2014corporatereport.com.au/

    I'll make sure to remember that if I happen to move to Aus at some point.



  • @mratt said:

    and a 3-digit code for telephone banking...

    Yeah, when they first brought out internet banking you used that same code to log in! Can't remember exactly when though. I had to open a Westpac account in 1999 due to my then-employer forcing it; I had avoided Westpac for years before then for personal reasons, plus still using my Dollarmites account by default until they both started charging account keeping fees.



  • @riking said:

    I'll make sure to remember that if I happen to move to Aus at some point.

    I've just remembered that I did complain once, right after the name change from mecu to bankmecu, when they stopped calling members "members" and started calling us "customers" instead.

    To management's credit, they did not just blow off this complaint, but took it seriously enough to engage in a reasoned email back-and-forth on it. Turns out that "union" and "membership" are dirty words and a barrier to business in the 21st century. Which is a shame, and will undoubtedly end up causing the ruination of everything that's still good about bankmecu; but for the time being it's still easily the least irritating, most helpful and best-run bank I've ever dealt with.



  • @lightsoff said:

    Not heard the word "nonce" in this context before.
    Over here it usually means a child molester, or is an abusive term for homosexual.
    I presume you mean one-time-code, is there more to it than that?
    Not going to Google it on company hardware.

    I still can't keep a straight face with this. 😆



  • @chubertdev said:

    Not heard the word "nonce" in this context before. Over here it usually means a child molester, or is an abusive term for homosexual. I presume you mean one-time-code, is there more to it than that? Not going to Google it on company hardware.

    I still can't keep a straight face with this.

    It has always meant something created just for a specific purpose; any possible objectionable meaning is a latecomer.

    I am reminded of the time some online person laughed himself into hysterics at a news story about a rifle range hosting a "skeet-shooting tournament".


  • Discourse touched me in a no-no place

    @Zemm said:

    I had to open a Westpac account in 1999 due to my then-employer forcing it

    QFWTF!



  • @flabdablet said:

    If you were to add up all those saved 5 seconds over the course of a typical supermarket's working day, you'd probably find that they allow the store to achieve the same throughput with one less checkout queue.

    NFC readers are [u]stealing our JOBS!!?!?!?!!!?!111eleven[/u]



  • For what other reason has any piece of "convenience" technology ever been widely pushed out without consulting its end users?



  • IT MAKES ME SO MAD I WANT TO SMASH THINGS WITH MY CLOGS!



  • Personally, I make a point of overcompensating for my five seconds by conversing with the checkout operator for an extra fifteen. This is doubly satisfactory because not only do I get to engage warmly with another human being, but I also score the incomparably smug satisfaction that comes from knowing I've just infuriated any blakeyrats behind me in the queue.


  • BINNED

    @flabdablet said:

    This is doubly satisfactory because not only do I get to engage warmly with another human being,

    And you rank up mana points so later on if there is an issue store personnel are more likely to help you out.


  • Discourse touched me in a no-no place

    @flabdablet said:

    I've just infuriated any blakeyrats behind me in the queue.

    Because you hope they ragequit the supermarket, and over time it'll make it quieter?



  • No, just because deliberately yet deniably enraging people who can't be arsed learning to exercise a bit of patience is simply tremendous fun.



  • @flabdablet said:

    No, just because deliberately yet deniably enraging people who can't be arsed learning to exercise a bit of patience is simply tremendous fun.

    I think we just hit the explanation for Discourse's performance, or rather: lack thereof.



  • @quijibo said:

    because typing in your PIN takes an extra 5 seconds at the checkout

    I was in IKEA in Sydney yesterday, and tried to pay using PayPass/PayWave (NFC) in the restaurant. I was told that they no longer accepted NFC payment in the restaurant because they took longer than chip+pin, and cost more for the merchant.
    Made little sense to me, especially when the transaction took 30+ seconds to actually go through, compared to the normal few for NFC payment.

