Locked out of the wha..?



  • Thought others would get a kick out of the language on my bank's e-banking page:

    We encourage you to take the opportunity to choose a "personal question" and "personal question answer"; this will allow you to reset your password if you inadvertently lock yourself out of the internet.

    The entire damn internet...

    Link



  • I can see where this might have made sense to a developer.  They have intranet (internal) apps and internet (external) apps (we call them extranet, but whatever).  A user could lock him/herself out of all of the bank's internet apps.

    That, or they could simply answer the question aloud and overcome a court-ruled computer and touch-tone phone ban like Dade Murphy had.



  • I got my new credit card yesterday, and during an online payment, I was asked to set up a "verified by visa" password. And they asked me to give a security question and an answer, in case I forgot the password.

    I never got that. It will always be way easier to remember or guess the answer than the password, so why not simply ask the question instead of asking for the password?

    For the record, I chose the question "I am not Sarah Palin" and the answer "dbQ!!"!"apoewDfd_Fgøæergznvbm++e132123AADGBMNZgb". Try guessing that, punk!



  • @ahnfelt said:

    For the record, I chose the question "I am not Sarah Palin" and the answer "dbQ!!"!"apoewDfd_Fgøæergznvbm++e132123AADGBMNZgb". Try guessing that, punk!

     

    I guess "dbQ!!"!"apoewDfd_Fgøæergznvbm++e132123AADGBMNZgb", am I close?



  •  Just as weird...

     If you do not have
    a Val-E-Bank ID and want to be able to do online banking, please come
    by one of our convenient locations or call us and ask for an enrollment
    form and we will fax or mail one to you.

    So you go in to one of their "convenient locations", and instead of them having a stack of enrollment forms to give you, or being able to print one off pre-filled with your details, they have to fax or mail it to you???



  • @SirCH said:

     Just as weird...

     If you do not have
    a Val-E-Bank ID and want to be able to do online banking, please come
    by one of our convenient locations or call us and ask for an enrollment
    form and we will fax or mail one to you.

    So you go in to one of their "convenient locations", and instead of them having a stack of enrollment forms to give you, or being able to print one off pre-filled with your details, they have to fax or mail it to you???

    Did you really create an account just to show off a lack of reading skills?  Since you already failed, it's clear that they only mail or fax the form if you call them on the phone.



  •  @boomzilla said:

    it's clear that they only mail or fax the form if you call them on the phone.
    You forget we're dealing with Val-E-Bank here. Truly a cesspit of WTFs if ever I did see one. Except I haven't seen it so I'm just guessing.



  • @SirCH said:

    If you do not have
    a Val-E-Bank ID and want to be able to do online banking, please come
    by one of our convenient locations or call us and ask for an enrollment
    form and we will fax or mail one to you.

    Real weird .. 



  • @belgariontheking said:

    I can see where this might have made sense to a developer.  They have intranet (internal) apps and internet (external) apps (we call them extranet, but whatever).  A user could lock him/herself out of all of the bank's internet apps.

    My previous employer used intranet, extranet and internet apps. The difference between extranet and internet is that "extranet" was for suppliers/partners, and "internet" was for actual clients (users).

    @belgariontheking said:


    That, or they could simply answer the question aloud and overcome a court-ruled computer and touch-tone phone ban like Dade Murphy had.

    Nice! If you'll excuse me, I'm going to take over a TV station by phone. ;)



  • @danixdefcon5 said:

    Nice! If you'll excuse me, I'm going to take over a TV station by phone. ;)
     

    Easy. Ring up a TV station. Tell them they've been took'd over'd! Done.

     



  • @danixdefcon5 said:

    The difference between extranet and internet is that "extranet" was for suppliers/partners, and "internet" was for actual clients (users).

    I've previously used the terms this way:

    intranet - inside the firewall.

    internet - outside the firewall.

    extranet - exposes or uses limited visibility through the firewall.

    An example would be a web server communicating with a database server. If they're both inside the firewall, that's intranet. If they're both outside the firewall, that's internet. If the web server is outside but the database server is inside, that's extranet.

    And if the web server is inside but the database server is outside, that's a WTF.



  • I'm familiar with the domain; it belongs to a bank software developer.  Banks that have partnered with this developer to provide their online banking services are able to brand and customize the site to various degrees through tools they are provided, and that is one of the areas they can manipulate.  One of the employees put in charge of implementation apparently thinks that this is the correct terminology to use.  I would hope that part of the job requirement would be understanding what the internet actually is... but perhaps not.



  • @boomzilla said:

    @SirCH said:

     Just as weird...

     If you do not have
    a Val-E-Bank ID and want to be able to do online banking, please come
    by one of our convenient locations or call us and ask for an enrollment
    form and we will fax or mail one to you.

    So you go in to one of their "convenient locations", and instead of them having a stack of enrollment forms to give you, or being able to print one off pre-filled with your details, they have to fax or mail it to you???

    Did you really create an account just to show off a lack of reading skills?  Since you already failed, it's clear that they only mail or fax the form if you call them on the phone.

    But what if SirCH parsed it the same way as the bank employees responsible for distributing the enrollment forms? I have previously dealt with a bank which had indicated one could get more information about their online banking in the same manner as above. When I stopped by their nearest location (conveniently located inside the secured-access building in which I worked at the time), I was asked whether I wanted the information faxed or mailed. So, of course, I told them "mail it to <username>@<domainname>", which they really didn't like at all. They then went and sicced their manager on me, who handed me a brochure.



  • @gremlin said:

    @ahnfelt said:

    For the record, I chose the question "I am not Sarah Palin" and the answer "dbQ!!"!"apoewDfd_Fgøæergznvbm++e132123AADGBMNZgb". Try guessing that, punk!

     

    I guess "dbQ!!"!"apoewDfd_Fgøæergznvbm++e132123AADGBMNZgb", am I close?

     

    That is the funny thing: Your password is supposed to be secure, yet only say 6-8 chars like in some secure sites. So say &kl0O.p2 would be a good password. Yet the security question of where were you born can probably be found on facebook, or highschool search sites, or w/e even if that is something not revealed by your facebook profile (you damn hippies). I guess the palin incident exposed the problems TDWTF has been pointing out for years, and the most hilarious thing is that nobody fucking points out that all banks/emails/etc are flawed because these questions are less secure.

     

    Btw your answer was really "Well I Wish I Was", ahnfelt.



  • @astonerbum said:

    and the most hilarious thing is that nobody fucking points out that all banks/emails/etc are flawed because these questions are less secure.
     

    You'd trust a bank that lets you reset your password with a "security" question?

    Dunno how it is in the states, but here in the Netherlands my bank

    1. mails (yes, mail, you know with paper & stuff) your username in a black envelope (to prevent looking through it)

    2. Mails your password 7 days later in a black envelope

    and then, depending on your choice you

    3a. Get mailed a list with 100-codes. 1 is at random selected every time you make a transfer and every one can only get used once (you get a new list after 90 transfers)

    3b. Get a security code SMS'ed to your cell phone every time you make a transfer

     Resetting your passwords triggers step 1 and 2

    I don't know exactly how other banks do it, but 2 I know use a similar method for username & pass, and require a smartcard inserted every time you log in to online banking. (downside: it only works on internet explorer or the bank's custom app)
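The code-list scheme in steps 3a above, seen from the bank's side, as an added example that is not part of the original post or any bank's code: the server picks a random unused position, accepts each code once, and flags the list for replacement after 90 transfers. The class name, the 6-digit code length and the three-strikes lockout are assumptions.

```python
import hmac
import secrets

LIST_SIZE = 100      # codes on one mailed list (from the post)
REISSUE_AFTER = 90   # a new list is sent after this many transfers (from the post)
MAX_FAILURES = 3     # assumed lockout threshold, not stated in the post


class TanList:
    """Server-side state for one customer's mailed code list (hypothetical)."""

    def __init__(self):
        # Constructed sample data: 100 random 6-digit codes, as they would be printed.
        self.codes = [f"{secrets.randbelow(10**6):06d}" for _ in range(LIST_SIZE)]
        self.unused = set(range(LIST_SIZE))
        self.pending = None   # position currently being asked for
        self.failures = 0

    def challenge(self):
        """Return the list position the customer must read from the paper."""
        if self.failures >= MAX_FAILURES:
            raise PermissionError("list locked after repeated wrong codes")
        if self.pending is None:
            self.pending = secrets.choice(sorted(self.unused))
        # The same position is asked again until it is answered correctly, so
        # someone holding one copied code cannot reload until it comes up.
        return self.pending

    def confirm(self, submitted):
        """Check the code for the pending position; each code works once."""
        if self.pending is None:
            raise RuntimeError("no challenge outstanding")
        if self.failures >= MAX_FAILURES:
            return False
        expected = self.codes[self.pending]
        if not hmac.compare_digest(expected.encode(), submitted.encode()):
            self.failures += 1
            return False
        self.unused.discard(self.pending)   # burn the position
        self.pending = None
        self.failures = 0
        return True

    @property
    def needs_reissue(self):
        """True once 90 codes are spent, leaving a margin while the new list is mailed."""
        return LIST_SIZE - len(self.unused) >= REISSUE_AFTER


if __name__ == "__main__":
    tans = TanList()
    pos = tans.challenge()
    print("bank asks for code number", pos + 1)
    print("accepted:", tans.confirm(tans.codes[pos]))
    print("next position differs:", tans.challenge() != pos)
```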



  • @dtech said:

    Dunno how it is in the states, but here in the Netherlands my bank [...]

    It's the same here in Germany.

    I think in the States, security is not important. Only the illusion of security is. When a customer feels secure, then that's fair enough. When he doesn't, well, blame some African or Asian country, bomb them, and then tell the people they should be safe now.



  • @derula said:

    I think in the States, security is not important. Only the illusion of security is. When a customer feels secure, then that's fair enough. When he doesn't, well, blame some African or Asian country, bomb them, and then tell the people they should be safe now.
    Sadly, no flamewar here. That is a 100% accurate assessment. Although the blame is also often placed on "hackers", because apparently copying and pasting a birthday and high school from one Web page to another is considered all that's required to constitute "being a hacker."

    Besides, how many US banking websites end up on the front page? I counted at least 15.



  • @dtech said:

    Dunno how it is in the states, but here in the Netherlands my bank

    Mexico might not be up-to-date with technology, but random-generated OTPs are required for the following operations:

    - Sending money for the first time to an account not owned by the account holder

    - Services payment

    and encouraged for initial bank logon procedures. All but one bank uses either one of those "press to get random number" tokens, or a card with a code matrix for logging on. The bank that doesn't ask it on logon, asks it for anything that isn't just balance checking.

    @dtech said:

    3a. Get mailed a list with 100-codes. 1 is at random selected every time you make a transfer and every one can only get used once (you get a new list after 90 transfers)

    3b. Get a security code SMS'ed to your cell phone every time you make a transfer

    I prefer the actual electronic tokens, as printed lists (or that card-matrix I mentioned earlier) might be compromised without me knowing it (someone Xerox-ing the list when I'm not watching.) However, if my token's missing, I know it's compromised and report it; if someone takes a number out of the token, it will be invalidated if I logon before he has a chance to use it.

    Still, I prefer those tokens that generate a random number every 60 seconds. Those banks that do issue them, do so for internal users, though.



  • @dtech said:

    Dunno how it is in the states, but here in the Netherlands my bank

    1. mails (yes, mail, you know with paper & stuff) your username in a black envelope (to prevent looking through it)

    2. Mails your password 7 days later in a black envelope

    This doesn't sound very secure. My current bank (which I'm leaving because they started requiring you to enter passwords through virtual keyboard) requires you to authenticate with a certificate you register with them (you can use any of the officially recognised CAs, though the cheapest [read: free] is the state-issued certificate), and a password which you initially choose at the bank, then change on your first login.
    The bank I'm switching to also uses a certificate to log you in, but you also confirm the transactions with one time passwords generated with a token to which you insert your bank card and enter your PIN.



  • @ender said:

    and a password which you initially choose at the bank, then change on your first login.
     

    That would either require the bank to have a large number of offices spread through the country, or greatly inconveniences users that do not have such office close by. imho the separate mail username and password is secure enough, especially since you have to change it after first login and every 3 months.

    @ender said:

    but you also confirm the transactions with one time passwords generated with a token to which you insert your bank card and enter your PIN.

    Which is not really less secure than a sms-message 1-time password. You have to have a physical object (cell phone) and know a password (pin code for cell phone). Granted, the cell phone could be stolen while on but even that can't be too long before the theft since the cell phone could be blocked in the meantime.

     



  • @dtech said:

    That would either require the bank to have a large number of offices spread through the country, or greatly inconveniences users that do not have such office close by. imho the separate mail username and password is secure enough, especially since you have to change it after first login and every 3 months.

    I guess this is a benefit of living in a small country - your bank's office is never too far away.

    @dtech said:

    Which is not really less secure than a sms-message 1-time password.

    I was actually referring to the use of just username+password to log in as not very secure. While they're adequate for most sites, I wouldn't trust a bank to authenticate me with just that (even if it only allows viewing of the account state).



  • Half my post automatically deleted by editing it = abbreviated version. I'm short on time.

     

    We have a small card reader (not hooked up to the PC). AFAIK it has a random seed which is unique per reader and which only the bank and the reader itself know (requesting a new reader automatically invalidates the old one). For certain transactions you slot your card in, enter your PIN, enter a challenge code given by the site, and it gives you a response code which you type back into the site. For me this is far more secure than my unlocked phone, which has no valuable data on (deliberately, and which a certain McDonalds customer should also have made sure of...).
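The challenge/response exchange described in the post above, with both sides shown, as an added example that is not from the post or from any bank's product. It assumes the response is a truncated HMAC-SHA256 of the challenge under a secret shared with the bank, and it treats card and reader as one device holding that secret; all names and the 8-digit length are hypothetical.

```python
import hashlib
import hmac
import secrets

DIGITS = 8  # assumed length of challenge and response codes


def response_code(device_key: bytes, challenge: str) -> str:
    """Truncate HMAC-SHA256(key, challenge) to a typeable decimal code."""
    mac = hmac.new(device_key, challenge.encode(), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F   # HOTP-style dynamic truncation
    number = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{number % 10**DIGITS:0{DIGITS}d}"


class Reader:
    """Offline device: the PIN is checked locally and never sent to the bank."""

    def __init__(self, key: bytes, pin: str):
        self._key, self._pin, self._tries_left = key, pin, 3

    def respond(self, pin: str, challenge: str):
        if self._tries_left == 0:
            raise PermissionError("device blocked after wrong PINs")
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._tries_left -= 1
            return None
        self._tries_left = 3
        return response_code(self._key, challenge)


class Bank:
    def __init__(self):
        self._keys = {}   # customer -> key of the one currently valid device
        self._open = {}   # customer -> outstanding challenge

    def issue_reader(self, customer: str, pin: str) -> Reader:
        key = secrets.token_bytes(32)
        self._keys[customer] = key   # overwriting invalidates the old device
        self._open.pop(customer, None)
        return Reader(key, pin)

    def challenge(self, customer: str) -> str:
        self._open[customer] = f"{secrets.randbelow(10**DIGITS):0{DIGITS}d}"
        return self._open[customer]

    def verify(self, customer: str, response: str) -> bool:
        # A challenge is consumed by the first attempt, right or wrong,
        # so a captured response cannot be replayed.
        challenge = self._open.pop(customer, None)
        if challenge is None:
            return False
        expected = response_code(self._keys[customer], challenge)
        return hmac.compare_digest(expected.encode(), response.encode())


if __name__ == "__main__":
    bank = Bank()
    reader = bank.issue_reader("alice", "4321")   # constructed sample customer
    c = bank.challenge("alice")
    r = reader.respond("4321", c)
    print("challenge", c, "response", r, "accepted", bank.verify("alice", r))
```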



  • @Kemp said:

    We have a small card reader (not hooked up to the PC). AFAIK it has a random seed which is unique per reader and which only the bank and the reader itself know (requesting a new reader automatically invalidates the old one). For certain transactions you slot your card in, enter your PIN, enter a challenge code given by the site, and it gives you a response code which you type back into the site.
    Sounds like what my bank uses, though the reader is universal, and you can use any such reader with your card (I found out that my father got one of these readers somewhere, and since he didn't need it, I now use that reader at my workplace).



  • Christ, I know I'm contributing to a month-old zombie thread, but I cannot resist...

     

     

    @derula said:

    @dtech said:
    Dunno how it is in the states, but here in the Netherlands my bank [...]

    It's the same here in Germany.

    I think in the States, security is not important. Only the illusion of security is. When a customer feels secure, then that's fair enough. When he doesn't, well, blame some African or Asian country, bomb them, and then tell the people they should be safe now.

    Right, in Germany you can feel secure just by murdering your 6.5 million closest neighbors!  HA HA, you fucking inhuman monsters!!

     

    Seriously, don't be a fucking idiot.  I had a shred of respect for you before you posted this.

     

    WRT to US bank security: I've never seen a problem nor heard of anyone having a problem with money being stolen via their bank's website.  It is much more likely you will be ripped off some other way, so most of the bullshit non-US banks put you through seems like pointless security theater, especially given the small amount of increased security and the limited amount of money one can steal from a single individual.  Additionally, I infrequently do bank-to-bank transfers, mostly using credit or debit cards or electronic billing to pay for things, so there's not a whole hell of a lot you could do by getting access to my web account anyway.  I would honestly say bank security in the US seems too tight for online transactions.  I get "alerts" triggered on my credit cards all the time where I get an automated call within seconds of making a > $500 purchase, asking me to confirm that I recently made the transaction.  Sometimes this can be annoying, like any time I purchase from Dell, because they always trigger the damn "fraud protection" stuff and if the company denies the card you have to call Dell to get them to re-run the transaction.  Anyway, it's pretty ridiculous to claim that US banks have a huge problem with web security when actual thefts seem few and far between.



  • @morbiuswilters said:

    I had a shred of respect for you before you posted this.

    Honest question for you.

    Why do you seem to constantly assume that anyone cares what you think of them?



  • @Farmer Brown said:

    @morbiuswilters said:
    I had a shred of respect for you before you posted this.

    Honest question for you.

    Why do you seem to constantly assume that anyone cares what you think of them?

    Assumptions make an ass out of you and mptions.  I do not assume, I know. 



  • @morbiuswilters said:

    I do not I know.

    I figured as such.



  • @morbiuswilters said:

    Right, in Germany you can feel secure just by murdering your 6.5 million closest neighbors!  HA HA, you fucking inhuman monsters!!

     

    Seriously, don't be a fucking idiot.  I had a shred of respect for you before you posted this.

    On second thought, I apologize for this and ask that any moderator who sees it delete it.  I was trying to make a point (I don't think any of you are "inhuman monsters") but I overreacted quite a bit.  It bothers me immensely when I see people take cheap shots at my country like this, but I should be more mature than I was, so I am sorry.  derula, I don't think you suck, I just wish you hadn't said that.

     

    Every nation, religion, race and ethnicity on Earth has had evil bastards in it.  Sometimes the evil bastards have even been in the majority.  But I'm a libertarian at heart which means I ultimately believe that the individual is fundamental in any system of morality and that we should judge people as individuals.  I do not believe in classifying individuals by superficial associations, but only through the ideals they represent and the actions they take.  My comment was meant to illustrate this in a sarcastic way, but on further consideration I realize it is mean-spirited and wish to retract it, if possible.  I still do not approve of broad generalizations against any group, whether that be Americans, Germans, blacks, whites, etc.. but I will try to be more reasonable in my objections in the future.

     

    Thank you. 



  • @Farmer Brown said:

    @morbiuswilters said:
    I had a shred of respect for you before you posted this.

    Honest question for you.

    Why do you seem to constantly assume that anyone cares what you think of them?
     

    As a side note:  not caring what other people think about you is sociopathic behavior and should be treated as it is often a symptom of some larger problem.



  • @tster said:

    As a side note:  not caring what other people think about you is sociopathic behavior and should be treated as it is often a symptom of some larger problem.

    I believe some here call it "Thick Skin".



  • @morbiuswilters said:

    It bothers me immensely when I see people take cheap shots at my country like this, but I should be more mature than I was, so I am sorry.

    For one, of course my post was intended as a troll attempt, so it's really my fault. The only thing about security in the US I really know is that many older houses in Ohio have paper-thin doors. I should be the one apologizing for not thinking about whether making stupid assumptions about a country might hurt people personally.

    However, I recall this sort of speech (accusing other people's countries, especially my one) was a rather common way of communicating here, at least when MPS was still around. That's why I'm a little surprised this bothers you that much.

    But then I'm not a patriot (not even close) and as I've experienced it when you're living in the US, you have to be a bit of a patriot at least, so maybe I should have considered that. That said: I apologize too for having said that, without even having the slightest idea of how true or untrue that assumption was.



  • @tster said:

    often a symptom of some larger problem.

    I believe the term is 'the internet'. Welcome to the internet BTW.



  • @derula said:

    @morbiuswilters said:
    It bothers me immensely when I see people take cheap shots at my country like this, but I should be more mature than I was, so I am sorry.

    For one, of course my post was intended as a troll attempt, so it's really my fault. The only thing about security in the US I really know is that many older houses in Ohio have paper-thin doors. I should be the one apologizing for not thinking about whether making stupid assumptions about a country might hurt people personally.

    However, I recall this sort of speech (accusing other people's countries, especially my one) was a rather common way of communicating here, at least when MPS was still around. That's why I'm a little surprised this bothers you that much.

    But then I'm not a patriot (not even close) and as I've experienced it when you're living in the US, you have to be a bit of a patriot at least, so maybe I should have considered that. That said: I apologize too for having said that, without even having the slightest idea of how true or untrue that assumption was.

    It's okay, I definitely overreacted.  I wasn't really hurt, just frustrated because you seemed like a smart guy and I don't like when people repeat silly mistruths.  I think things have calmed down since MPS was slain and I think it is better.  I joke a lot and toss off silly comments, but I try to keep it above-board (my above response excluded, of course).  I'm not really a superpatriot or anything, I just get tired of having everyone tell me my country sucks or does all kinds of evil things or is run by evil people when that clearly is not the case.

     

    Anyway, glad we could resolve this.  Drop by IRC sometime if you get a chance -- we haven't seen you in awhile. 



  • @morbiuswilters said:

    I just get tired of having everyone tell me my country ... is run by evil people when that clearly is not the case.

    So you are not from the USA then?



  • @Farmer Brown said:

    @morbiuswilters said:
    I just get tired of having everyone tell me my country ... is run by evil people when that clearly is not the case.

    So you are not from the USA then?

    Quiet, please, adults are talking. 



  • @morbiuswilters said:

    Quiet, please, adults are talking.

    I know, and they would appreciate if you wouldn't keep derailing threads with racist, anti semitic gibberish.

