Domain: rabobank.nl
Stories and comments across the archive that link to rabobank.nl.
Comments · 7
-
Re:Scare tactics
with the Rabobank, there are four stages:
1 identify https://www.rabobank.nl/ in the browser
2 enter 1-time pin (out of random reader) and account number for identification and access.
your screen name appears on the site
3 enter transactions
4 you get transaction pin (and amount if it is >â500) and enter those in reader, and you get another 1 time pin for completion.
The Random reader has a clock built in, and this is also encoded in the pin, so your pin is only valid for a couple of minutes (clock running fast/slow is computed with step 1, at server-side) so you cannot authenticate with another reader as you logged in with -
Re:Predefined one-time keys are insecure
...just verify the forged transaction, rather than the one the customer thought he was entering.
That's of course still an issue; it's the weakest link in the chain that counts. Still, with time-limited cryptographic challenge/response verification, it requires much more effort from the attacker. With user/password or user/password/one-time-key login schemes, the weakest link is even weaker. My Dutch bank actually tells me on the login screen: "Please verify that the URL starts with "https://bankieren.rabobank.nl/". ABN Amro mentions "please check the padlock icon to verify that you are connected to ABN Amro." The same for ING bank. (We have one major bank that uses a less secure login protocol.) Compromising the entire web browser is probably harder than installing a keylogger or building a phishing site.
-
My bank, Rabobank, only supports IE....
I have no choice when doing online banking. Rabobank
-
Re:NOT A TROLL!!!For the Dutchies out there...
ABN Amro has an excellent wesite, and it works perfectly in mozilla and safari.
I actually left the Postbank because (at the time, don't know about now) there website did not work with mozilla, and being able to pay bills online is important to me. And yes, I told them this as well.
The other bank that I use, Rabobank has a website that works, but only when you allow popup windows. Very, very annoying.
-
Homograph attacks might bite us all
Although this article on the insecurities of IE (or in a more general sense, Windows' URL handling) is fitting for
./, the advice to type URL into the address bar may be one that we should all take to heart in the future.As pointed out here, the advent of multilingual (Unicode) domain names gives rise to a new possibility for attacks: the Homograph attack.
Example: one could replace the o's in http://www.microsoft.com with Greek omicrons, Cyrillic o's or characters from other charsets, as long as they are rendered by our browser as something resembling an "o". The users won't notice the difference, but they might be redirected to another site, even though they visually inspected the URL.
A more serious example: my bank, the Dutch Rabobank, features internet banking. It specifically displays a warning before logging in: Make sure that the address in the address bar starts with https://www.rabobank.nl/, then you are sure you're communicating with us. Now, with a homograph attack, even that might not be certain again: it looks the same, and users are reassured even though reassurance is not due! And it's not limited to using IE or Windows either.
A comment is in order here: we're not that far yet, as most clients require special (non-default) DNS clients to access Unicode domain names. But it might become a big problem in the future.
Are there any people from countries using non-latin domain names that might want to comment on this?
-
Re:woo woo
I like Opera too, but my bank's website renders horribly with it. Also there is _no_ browser that runs on Linux that can be used for online banking with their site even though it uses only html+javascript.
Sending the bank emails does not help. I don't really want to switch banks because other than this web problem, it's ok.
So here another <PLUG>:
Please Slashdotters, visit this site to put some browsers other than IE in their logs. This might make them sit up and listen to the consumers.
Thanks a lot, Jos -
Re:woo woo
I like Opera too, but my bank's website renders horribly with it. Also there is _no_ browser that runs on Linux that can be used for online banking with their site even though it uses only html+javascript.
Sending the bank emails does not help. I don't really want to switch banks because other than this web problem, it's ok.
So here another <PLUG>:
Please Slashdotters, visit this site to put some browsers other than IE in their logs. This might make them sit up and listen to the consumers.
Thanks a lot, Jos