My bank's security.



  • My bank recently changed their log in process.  Unless I am missing something, the change was not for the better.

    Here's how it works:

    Under the new system, you pick a picture and enter a phrase.  After you pick 4 security questions and provide answers to them you're all set up.  When you go to log in, you give it a username and that is all.  When you click the "Login" button, it takes you to a page where your special picture and phrase show up.  That's how you know you're not at some evil phishing website.

    At this point, two things can happen.  If you have "registered" your computer (received a cookie from the bank's website), you are asked for your password.  If you haven't "registered," then you have to answer two of your security questions, and then you are allowed to enter your password.  After you enter your password, you're logged in.

    Here are the security issues that I see:

    1. The site lets you discover valid user names.  If the username you type in is valid, you get to see that user's special picture and phrase.

    2. Knowing 1 above, it is trivial to set up a site that will take a username and then use it to retrieve that user's picture and phrase from the bank to display on your site.  This means that even if your site's URL reads "ImGonnaHackYourMoneysRealGood.RobYouBlind.DONTENTERYOURINFO.ThisIsAScam.com," the user will still enter his password or security question answers because he will see *his* special picture and *his* special phrase on your evil phishtastic website.  It took me about 5 minutes to put together a proof of concept website for this (don't worry, I didn't put it up anywhere; it's all on my computer).  This makes this scheme worse than the typical username and password login scenario, because the typical user has no reason to suspect that anyone else would know his special picture and phrase.

    Am I missing something?

    If not, what should I do about it?

    I'm kinda planning on polishing up my proof of concept site and then handing them the source code.  But I don't want them to turn around and claim that I am an evil phisher and have me arrested.

    If I am right about all this and they end up fixing things because of me, I want 15% interest monthly on any account I hold with them.  :-)



  • Don't approach the bank directly with what you have found.  Get a lawyer, give it to the lawyer and have the lawyer approach the bank.

    That's if you want to do anything about it.  Maybe you don't, as it could be a can of worms.

    The bank is not interested in real security.  The bank did this only to be in compliance with some regulations.  At this point it doesn't matter to the bank whether someone breaks in; their ass is covered.  If they had knowledge that their security sucked, that could potentially uncover their asses, so to protect themselves they have to say their security meets or exceeds regulations and you don't know what you're talking about.

    By the way, one of the most common security questions is "What was your mother's maiden name?"  How secure is that for rich and famous people?  Like for instance the president of Harvard University?   http://www.marquiswhoswho.com/biogs/Biography.aspx?tbn=YjRaq%2BDmdjNO6lcDltuB2Q==




  • @newfweiler said:

    Don't approach the bank directly with what you have found.  Get a lawyer, give it to the lawyer and have the lawyer approach the bank.

    That's if you want to do anything about it.  Maybe you don't, as it could be a can of worms.

    The bank is not interested in real security.  The bank did this only to be in compliance with some regulations.  At this point it doesn't matter to the bank whether someone breaks in; their ass is covered.  If they had knowledge that their security sucked, that could potentially uncover their asses, so to protect themselves they have to say their security meets or exceeds regulations and you don't know what you're talking about.

    By the way, one of the most common security questions is "What was your mother's maiden name?"  How secure is that for rich and famous people?  Like for instance the president of Harvard University?   http://www.marquiswhoswho.com/biogs/Biography.aspx?tbn=YjRaq%2BDmdjNO6lcDltuB2Q==

    I'd like to do the right thing.  I don't need this new "security feature;" I know how to sniff out phishing sites pretty well.  But people like my parents do need some help.  But this isn't helping anything.  This is essentially giving phishers *better* tools to screw people with.

    How much would one of these lawyer things cost?  It doesn't seem right that I'd have to pay in order to help somebody or some corporation out.  Hrmph.



  • Presumably, the phishing site would show up as attempting to login to multiple accounts over a short period of time (concurrently?)

    If the phisher's server is making outbound connections to bank.com/reallySuperSecurePictureLookupAndPhisherBuster.asp?myid=234-12-1234  every few minutes, you'd hope that someone at the bank would notice, flag those accounts, and call the FBI.  At least I hope so, too, because my bank uses the same silly system, and requires me to use my SSN as the login id.  Really dumb of them.  I need to get off my butt and send them a polite (well, mean) email about that one.




  • You know, it occurs to me that most of the senators and congressmen who put the legislation in place for these requirements can be found in the Marquis Who's Who in America, with mother's maiden name, city of birth and everything. 

    I'm not saying anyone should make use of this information.  That would be wrong.




  • Show someone high up enough in the bank (as high as possible) and they will care.  They will see this as a possible loss of reputation.  Send the correspondence anonymously.  Log in from a library or use a proxy. 



  • @tster said:

    Show someone high up enough in the bank (as high as possible) and they will care.  They will see this as a possible loss of reputation.  Send the correspondence anonymously.  Log in from a library or use a proxy. 

    Yah, 'cause Mitnick's anonymity worked out real well for him.

    Not to say that it isn't a good idea... But if my bank was doing that I'd go down to a branch office and swipe my card and refuse to enter my PIN, and just show them a picture instead and say "SEE, IT'S ME!" until a manager came to help me.

    I hate banks. Every time I have a bank account they screw some small transaction up and it takes me hours to fix it, at the bank, with the manager. And I can usually barely contain my voice. Sometimes I yell.

    Hate banks.



  • Strange, because good security is not all that difficult. My own bank, in the Netherlands, lets you log in with username and password, but you can then only get information on the account. If you want to make a payment, they send you an SMS with a one-time code which you will need to enter, or you can get a series of such codes snail-mailed to you beforehand. So the internet part is cryptographically secure. I don't know about the security of the SMS system, but I'm sure you need to do a lot more to crack it. Mere phishing will only get you past payment information; imho that's an acceptable risk.



  • @bouk said:

    Strange, because good security is not all that difficult. My own bank, in the Netherlands, lets you log in with username and password, but you can then only get information on the account. If you want to make a payment, they send you an SMS with a one-time code which you will need to enter, or you can get a series of such codes snail-mailed to you beforehand. So the internet part is cryptographically secure. I don't know about the security of the SMS system, but I'm sure you need to do a lot more to crack it. Mere phishing will only get you past payment information; imho that's an acceptable risk.

    Why don't you take your dutchie security and shove it!

    Hehe, I'm Dutch too. But I live in the US, where we don't care about security of persons, only of corporations.



  • @bouk said:

    Strange, because good security is not all that difficult. My own bank, in the Netherlands, lets you log in with username and password, but you can then only get information on the account. If you want to make a payment, they send you an SMS with a one-time code which you will need to enter, or you can get a series of such codes snail-mailed to you beforehand. So the internet part is cryptographically secure. I don't know about the security of the SMS system, but I'm sure you need to do a lot more to crack it. Mere phishing will only get you past payment information; imho that's an acceptable risk.

    Security-wise, I should probably switch to the SMS instead of the paper list, but I'm really greedy and don't want to waste prepaid credit for every little €€ that I transfer.



  • You might be able to interest a journalist in this.  Then the newspaper or magazine or TV station can deal with the bank, if the bank wants to prosecute (and be exposed to the world).



  • @UncleMidriff said:

    1. The site lets you discover valid user names.  If the username you type in is valid, you get to see that user's special picture and phrase.

    What happens if you enter an invalid username? If they do it right, you still see some picture and phrase...


    2. Knowing 1 above, it is trivial to set up a site that will take a username and then use it to retrieve that user's picture and phrase from the bank to display on your site.  This means that even if your site's URL reads "ImGonnaHackYourMoneysRealGood.RobYouBlind.DONTENTERYOURINFO.ThisIsAScam.com," the user will still enter his password or security question answers because he will see his special picture and his special phrase on your evil phishtastic website.  It took me about 5 minutes to put together a proof of concept website for this (don't worry, I didn't put it up anywhere; it's all on my computer).  This makes this scheme worse than the typical username and password login scenario, because the typical user has no reason to suspect that anyone else would know his special picture and phrase.

    The same can be said for every security procedure I can think of. Without the help of hardware tokens, I can't imagine a tamper-proof way to avoid man-in-the-middle attacks if we assume that the user's PC is untrustworthy. 



  • @ammoQ said:

    @UncleMidriff said:

    1. The site lets you discover valid user names.  If the username you type in is valid, you get to see that user's special picture and phrase.

    What happens if you enter an invalid username? If they do it right, you still see some picture and phrase...

    It tells you that the username you entered is invalid and to try again. 


    @ammoQ said:

    @UncleMidriff said:

    2. Knowing 1 above, it is trivial to set up a site that will take a username and then use it to retrieve that user's picture and phrase from the bank to display on your site.  This means that even if your site's URL reads "ImGonnaHackYourMoneysRealGood.RobYouBlind.DONTENTERYOURINFO.ThisIsAScam.com," the user will still enter his password or security question answers because he will see *his* special picture and *his* special phrase on your evil phishtastic website.  It took me about 5 minutes to put together a proof of concept website for this (don't worry, I didn't put it up anywhere; it's all on my computer).  This makes this scheme worse than the typical username and password login scenario, because the typical user has no reason to suspect that anyone else would know his special picture and phrase.

    The same can be said for every security procedure I can think of. Without the help of hardware tokens, I can't imagine a tamper-proof way to avoid man-in-the-middle attacks if we assume that the user's PC is untrustworthy.

    I agree that nothing is foolproof, but I would argue that what my bank has done is worse than what they had before, which was just a regular old username and password login page.

    Here's what they have done, essentially:

    Bank Teller: Mr. Guy, in an effort to make your banking experience more secure, we are going to require you to give us a secret piece of information.  When you do business with us, if the Bank employee can tell you the secret piece of information that you gave to us, you know you can trust him/her.  If the Bank employee cannot tell you your secret piece of information, then do not give him/her any of your bank account information!  Instead, contact us immediately via our Security Hotline at: 1-800-Bank-Safe.

    Mr. Guy: Cool!  Thanks for looking out for me!  Let me try this out.  Ok, Bank Teller, my secret bit of information is *lowers voice*: "blahblahfrinkleblingydoingsplirts."  You got that?

    Bank Teller: Yes sir!  Thank you!  Now, how may I help you?

    Mr. Guy: Nuh-uh-uh...You have to give me my secret info first!

    Bank Teller: Oh!  Right...silly me.  Mr. Guy, your secret information is *lowers voice*: "blahblahfrinkleblingydoingsplirts."  Is that correct?

    Mr. Guy: Yes it is!  This is super great!  Ok, now, I would like to withdraw $500 from my savings account.

    Bank Teller:  Ok.  Here you go, Mr. Guy.  $500 from your savings account.  Thank you for doing business with us today!

    Mr. Guy: Thank YOU!

    -------------------------------------- 

    *Later that day, a sign is posted on the front door of The Bank listing every account holder's name and corresponding secret info*

    --------------------------------------

    Phisher: Jackpot!  *Takes a few pictures of the sign and then goes home and starts calling people*

    Phisher: Hello sir.  I am Mr. P. Hisher from The Bank.  As part of our new security program, I need to verify some of your account information.

    Mr. Guy: Oh sure!  I'd be glad to help.  What do you need?

    Phisher: Well, first I need your full name.

    Mr. Guy: Ok.  My full name is: John Doe Guy.

    Phisher: Ok, now I need your Social Security Number, driver license number, all your bank account numbers, your mother's maiden name, your first pet's name, and the age of your first child.

    Mr. Guy: Well, ok.  My Social Security Number is 12...Wait a minute!  I'm not supposed to trust you unless you can tell me what my secret piece of information is!

    Phisher: Aha!  Very good sir!  You'd be surprised at how many people would just give their information out to anybody who calls them.  Let me look up your secret information...ah, here we are.  Your secret information is: "blahblahfrinkleblingydoingsplirts."  Is that right?

    Mr. Guy: Yes it is.  *whew*  You had me worried there for a sec.  Ok, my Social Security Number is: ...*gives Phisher all his information and finds his accounts sucked bone dry a week or so later* 



  • @UncleMidriff said:

    @ammoQ said:

    What happens if you enter an invalid username? If they do it right, you still see some picture and phrase...

    It tells you that the username you entered is invalid and to try again.

    This is bad... very bad...
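    The "if they do it right" variant ammoQ describes, as an added example that is not code from anyone in this thread: the lookup returns a picture and phrase for every username, with a keyed, deterministic decoy for names that do not exist, so repeated probes cannot tell valid names from invalid ones (the secret key, image and phrase pools, and accounts are all constructed). This only closes the enumeration hole in point 1; a site that proxies the lookup for a name it already knows still gets the real picture, because the picture is shown before the user proves anything.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample data; a real deployment keeps these server-side per account.
_SECRET_KEY = b"server-side-decoy-key"  # assumed: managed and rotated like any other secret
_IMAGE_POOL = ["cat.png", "lighthouse.png", "bridge.png", "tulips.png"]
_PHRASE_POOL = ["blue horizon", "quiet river", "copper kettle", "maple leaf"]
_ACCOUNTS = {  # constructed: username -> (image, phrase) the customer actually chose
    "jdoe": ("lighthouse.png", "blahblahfrinkleblingydoingsplirts"),
    "asmith": ("cat.png", "seven green frogs"),
}


@dataclass(frozen=True)
class SiteKey:
    """Exactly what the login page renders; there is no 'valid' flag to leak."""
    image: str
    phrase: str


def _decoy_for(username: str) -> SiteKey:
    """Keyed HMAC so an unknown name always maps to the same decoy, which an attacker
    cannot predict or distinguish from a real choice without the server key."""
    digest = hmac.new(_SECRET_KEY, username.encode("utf-8"), hashlib.sha256).digest()
    image = _IMAGE_POOL[digest[0] % len(_IMAGE_POOL)]
    phrase = _PHRASE_POOL[digest[1] % len(_PHRASE_POOL)]
    return SiteKey(image, phrase)


def lookup_sitekey(username: str) -> SiteKey:
    """Return a SiteKey for ANY username; never report 'invalid username'."""
    normalized = username.strip().lower()
    # Compute the decoy unconditionally so both paths do the same work (uniform timing).
    decoy = _decoy_for(normalized)
    real = _ACCOUNTS.get(normalized)
    return decoy if real is None else SiteKey(*real)


if __name__ == "__main__":
    for name in ("jdoe", "nobody", "nobody", "NoBody "):
        print(name.strip(), lookup_sitekey(name))
```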



  • @newfweiler said:

    You might be able to interest a journalist in this.  Then the newspaper or magazine or TV station can deal with the bank, if the bank wants to prosecute (and be exposed to the world).

    I agree.  Set up an anonymous webmail account somewhere (library, proxy) and send them your source code.  If they don't do anything about it, call a journalist.



  • @Albatross said:

    I agree.  Set up an anonymous webmail account somewhere (library, proxy) and send them your source code.  If they don't do anything about it, call a journalist.

    An anonymous account isn't guaranteed to be leakproof.  The bank most likely will prosecute you to cover their own asses and the judge won't believe you were "trying to help".  You want the bank to try to prosecute the newspaper instead.  That will be much more fun to watch.  Actually you want not just this bank but all banks to fix the problem.  The publicity might help.  Maybe.




  • Just anonymously mail a letter (you know, with stamps!), and cc: the business editor at the local paper.



  • @RayMarron said:

    Just anonymously mail a letter (you know, with stamps!), and cc: the business editor at the local paper.


    Better yet, you know that girl you like?  Use her boyfriend's email account to send it...



  • @RayMarron said:

    Just anonymously mail a letter (you know, with stamps!), and cc: the business editor at the local paper.

    Carbon copy? You mean with actual carbon paper? Can you still buy sheets of that? IMPRESSIVE!

    @iAmNotACantalope said:

    Better yet, you know that girl you like?  Use her boyfriend's email account to send it...

    HAHAHA! Brillant!



  • I thought I'd give an update:

    I called my bank, got run around in circles with no one I talked to giving a crap, so I gave up.  I didn't have time to fight with my bank in order to help them.

    Then I saw this on Slashdot:

    http://it.slashdot.org/article.pl?sid=07/04/12/1444204

    I might email my bank with the article to see what they have to say about it. 

