One-Time Pads To Protect Electronic Bank Access
dummkopf writes "CNN reports how Scandinavian banks issue one-time passwords to protect customers' accounts when these use the same password for other, i.e., more insecure email accounts. Having a bank account in the U.S. (with a trusted and well known Bank OF nAtional reach) I always wondered why the security was soooo poor: while it has changed slightly now (better usernames/passwords) it used to be the case that your username was your SSN and your password a number code (!). I am sure most of you will agree with me that this is scary... I live now in Switzerland where one-time passwords for online banking are a must and where my current bank is one of the 'crappy' ones with a little card with one-time passwords like mentioned in the CNN Story. The nicer ones even give you credit-card-size RSA password generator which is combined with a calculator you can keep in your pocket. Hence my question: are others also worried about poor security of online banking in the U.S.? Are there banks which are better than the ones mentioned above?"
I do my banking with a local bank here in Saudi Arabia which has recently upgraded all its ATM machines with biometrics. I need only to register my fingerprint with the bank and then swipe it at the ATM to do my banking. Years ahead of its time.
I always save my last mod point to mod up a good troll. You people are too serious.
To log in you need to enter:
- A 12 character alphanumeric code as your username (given to you on a card when you sign up)
- Your date of birth
- Three digits from your security number, and it's different digits on each subsequent visit. For example on one visit you'll be asked for the 1st, 2nd, & 3rd digit. The next visit you might be asked for the 4th, 6th & last.
I have a lot of respect for the HSBC. Their customer service is also second to none - with my US bank I frequently find myself getting passed around between different customer service reps and having to tell my story from the beginning each time. Not so with the HSBC, they know my name before I've even spoken, and they never lose track of me no matter how many people I get passed along to.
Drill baby drill - on Mars
...why are we still using a system that relies on you trusting every single person you give your credit card details to? It would be perfectly possible to generate a one-time authorisation code for each transaction...
My bank uses SSN, a PIN and a password and a three try lock-out. I feel just slightly better about this, as the SSN and a PIN only is a useless security. Having a PIN and a password (which can be alpha-numeric) is better - especially with the three try lock-out.
This is the only bank I use on-line.
I worry about other on-line accounts that I might have in 'quasi-ready-to-go' state, at my other financial institutions. These are the ones where I haven't setup a formal on-line relationship, but the bank assumes I want to, so they have the account in a 'pending' setup status.
Does anyone know if there is legislation/banking guidelines that protect me if I DON'T setup the on-line account, but some cracker does?
One example of crap security was my old cell phone account, which setup on-line instantly by sending my new 'PIN' security code to the phone. Had I lost the phone, the thief could have setup the on-line account, by using the phone's show own number feature and then getting the PIN. VOILA! On-line access. Obviously I would have reported the phone lost/stolen, but if he did this quickly enough he could have changed my birthdate, etc (and gotten access to personal info) so I couldn't prove I was me.
USA Corporations are scum, and that's the way it is.
"The problem inherent with one-time passwords and TAN schemes is that people print them out and stick them on their monitor with a post-it."
What is the utility of doing that since they are ONE TIME. Why would you ever want to post it up after it was used once? Presumably they are "scratch off" so merely putting the booklet up won't make it obvious what the passwords actually are. And then they STILL need your real password first.
It's 10 PM. Do you know if you're un-American?
For example, I dredge up the number 42 (the answer to Life, the Universe and Everything) and some nonsense word. Let's say it's "snert". Pump it through the construction process and I come up with "first47snertt". Not exactly intuitive, but I'm just adding the number of letters in "first" (5) to my number and the last letter ("t") to the end of the nonsense word.
The result is a pretty strong password. No cracking program is going to have the word in its dictionary and knowing my password to First National isn't going to tell you that my password to Discover is "discover50snertr". Since "snert" is nonsense anyway, there's no way to tell where the letters come from; you could be sticking the third letter in "Discover" onto the beginning and your nonsense word could be "nertr". There are no rules to how to construct the password, but you want to have an obscure way for the base password to modify the gibberish in the rest so knowing one password will not give you the rest. It saves me the trouble of remembering a lot of strong passwords. Of course, if someone got ahold of several of my passwords and spent enough time on them, they could probably figure out the routine, but that's not as dangerous as using the same password.
And yes, that's just an example. It's not the process I use to construct my own passwords. Trust me, you don't want to know.
===== Murphy's Law is recursive. =====
Just plain sucks when it comes to security. Got to http://www.bankofamerica.com. Notice that its http and not https. Also, now go to https://www.bankofamerica.com, and notice that it kindly redirects you back to the insecure link.
I use this bank, and I always put in my wrong userid and passwd so that I can enter them on a secure page. If someone is interested in thousands of bank accounts go ahead and register www.bankfoamerica.com or something similar, and mass mail people to make sure their account is correct or whatever. People will follow the link. You can simply grab their info and redirect them to the proper server with little hassle from anyone.
I've called and told them about this, and they told me that "We are a bank, we take security very seriously, thank you very much". This was when I called them to find out the real balance of my credit card. I had 2 balances with $1,200 difference between them. They told me it was a cache problem in my browser, even though I used 3 different browsers, under 2 different usernames on my system. They didn't seem to understand that a) https data is not cached between browsers, nor b) https data is not cached between different users. Oh yeah, this is also after they started talking to me about my last purchases on my cc without confirming _any_ form of identification besides my cc number.
I feel as though I have an OK workaround by putting in the wrong info the 1st time, but if anyone else uses Bank Of America, I would suggest a call to them.
HBCI yet. HBCI is an open standard that's widely deployed throughout Europe (at least as far as I can tell). It incorporates encryption through OpenSSL and its source code is readily available on Sourceforge.
Actually they are good at reversing the charges, however most will write off all the small (less than several thousand dollar) ones because it would cost them too much to track the thief down. I know this because my wife had a case of ID theft last year. It's amazing how little the banks care, which is why it's a "low-risk" crime. The banks are the victims (not the people whose ID was stolen) and since the banks to see it in their best interest to pursue/file charges in many cases it's a low risk crime.
In my bank the online banking site allows me to check the balance and that's about it. Doesn't leave too much to the intruder.
My regular bank is a branchless bank in Canada, their website offers quite a bit of functionality including transferring money to other accounts.
But what really concerns me is *physical* security. I have a small bank account with CIBC (another Canadian bank). I needed about a thousand bucks off my account, so rather than using the atm, i went inside, handed the teller my flimsy plastic access card (no photo id on it, faded signature on the back). He proceeded to tell me the balance of each of my accounts, and then handed me one thousand dollars in return for my signature on a piece of paper. He didn't ask for photo ID. He didn't ask for a pin number or account number. I don't think he even compared the signatures (but even if he did, that's easy enough to forge). I had a serious problem with this but when I asked the teller, he just sort of shrugged and didn't really understand my concern.
Am I the only one who finds this alarming???
I'll have something intelligent to add one of these days...
I can foresee a problem with this when you start using these sorts of passwords for places with password expiration. You can't use your original clever creation, so now you must come up with variations on it every couple months or so; like incrementing the number at the end, so you have JJW!TH9835 etc. But then you start having "version" issues where some passwords expire faster, and some not at all... so you might have JJW!TGGL9839 and HMW!TH9842. Of course, you could change ALL your passwords whenever one of them expires... but then you have to remember every single place you've set up such a password.
I want my bank to do that, instead of making the webbased login work for the idiots.
A five piece login would drive the soccer moms batty. All the more reason to do it...
of course they used to use the primary social security number on the account for the login; well, at least it was https.
Like the poster before me noted, what's to prevent someone from simply looking at your check and copying the data?
Nothing. (from a Treasury & Risk Management article.)
Businesses are not the only ones affected by this type of fraud. See this Federal Reserve case study for an example of how a bank customers can be defrauded by someone who has a presence within the banking system, and is able to initiate ACH (automated clearinghouse) transfers. Almost all checks are now processed electronically - there is no difference between a check and an ACH transfer from the point of view of the banking system. You can read more about how ACH fraud is replacing check fraud.
If you don't trust someone with your financial information, don't write them a personal check - use a money order.
What is the security implication of putting my entire credit line on my keychain? I've already got my entire credit line in my wallet....
:)
I guess you're right... it's not that much tougher to slide a stolen credit card (swipe a swiped card?) through the slot, than it is to wave a Speedpass over a sensor. Makes me think again about that wallet full of cards... thank goodness they're already maxed out.
Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
Which is fine, the beauty of a one time pad is that the message can be decrypted to read anything you want, given the proper "key". So the common practice (in higher security situations than either of us will likely ever find ourselves in) is to have a "fake" one time pad that decrypts the message to read something plausible (nobody would encrypt their grocery list with a OTP so make it somewhat "juicy"), but not what the message REALLY says.
Nobody can prove it one way or another, which is what makes OTPs unbreakable by any cryptographic means.
Finkployd
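To make the two points in this comment concrete (any ciphertext can be "decrypted" to a chosen decoy with the right pad, and the pad therefore must never be reused), here is an added Python sketch that is not from any poster in this thread; the messages and decoy are constructed values.

```python
import os


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """XOR each message byte with a pad byte; the pad must be random,
    exactly as long as the message, and used only once."""
    if len(key) != len(plaintext):
        raise ValueError("pad must be exactly as long as the message")
    return bytes(p ^ k for p, k in zip(plaintext, key))


def otp_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    return otp_encrypt(ciphertext, key)  # XOR is its own inverse


def fake_key(ciphertext: bytes, decoy: bytes) -> bytes:
    """The pad that would 'decrypt' this ciphertext to the decoy instead.
    It exists for every same-length decoy, so the ciphertext alone proves
    nothing about which plaintext was sent."""
    return otp_encrypt(ciphertext, decoy)


def reuse_leak(ct1: bytes, ct2: bytes) -> bytes:
    """If one pad is used twice, XOR of the two ciphertexts equals XOR of the
    two plaintexts: the pad cancels out and the secrecy is gone."""
    return bytes(a ^ b for a, b in zip(ct1, ct2))


def demo():
    message = b"MEET AT DAWN"          # constructed sample message
    pad = os.urandom(len(message))    # fresh random pad of the same length
    ct = otp_encrypt(message, pad)

    decoy = b"BUY 2 EGGS.."            # same length, plausible but false
    decoy_pad = fake_key(ct, decoy)

    real = otp_decrypt(ct, pad)       # the genuine plaintext
    alt = otp_decrypt(ct, decoy_pad)  # the decoy, from the same ciphertext

    # Pad reuse: a second message under the same pad leaks message XOR second.
    second = b"SELL 4 EGGS."
    leak = reuse_leak(ct, otp_encrypt(second, pad))
    leaked_matches = leak == bytes(a ^ b for a, b in zip(message, second))
    return real, alt, leaked_matches
```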
I used to think biometrics were the ultimate form of authentication. Then I worked at a company which used fingerprint scans as a clock in / clock out device. After a few good years of use, the thing couldn't tell a fingerprint from a warm hot dog. I actually tried that once, it validated me. It would also validate on the back of the hand, the elbows, and a few other body parts that involved seriously cleaning the pad afterwards.
While the idea may be great, I've yet to be convinced of either the strength of implementation or the wisdom of making everyone in a company share germs immediately before lunch.
The ______ Agenda
I'm not usually one to re-reply, but after looking over these chip cards, it looks like it just accepts your PIN and then spits out a secondary password. I'm thinking, that sounds ok. You get to choose your username, and your primary passwd and then you have to punch your pin into the calc device to get your new randomly generated password. Not bad. What i'd like, though, would be a USB keychain device, or PC card, smartcard, whatever, that you activate it and stick in your computer when you need to logon to the website (maybe it could auto-shut off after 5 min or so?). Then while you're typing in your chosen login, and your chosen passwd, the website is requesting a response from your security device, once it gets that response and your login information, it logs you in. All of the security device activity would be in the background while you're plugging in your information. Wouldn't slow you down much, and wouldn't require any extra activity by the user aside from activating the card and sliding it into your computer.
One thing I was thinking would be cool, since this thing is also a calculator, is to allow it to sync with your account when you plug it in and allow you to view your balance for chosen accounts on it (with the necessary PIN, 3 bad guesses kills it permanently of course) Of course this would be a major security issue, if the card eats itself after 3 guesses, that's helpful so long as someone doesn't know your exact PIN, which, as I stated, is still probably an unacceptable security risk to most people. (i'm on the fence about it myself.)
-matt
I live in Canada, but I also use services of a bank in Poland, via Internet, of course. They use similar system as described in the original article - for example, if I want to transfer money to a different account, I have to use one-time password, which I get from a printed form mailed to me by the bank. To get these, I had to call the bank and order them first. When they arrived, I had to call again to activate.
:-)
:-) The bank I use has one password for everything, just login and do whatever you want. I have to say, I prefer this more relaxed attitude. I do not enjoy being treated as a potential thief :-)
Every time I call the bank, they ask me tons of questions to verify my identity before they can proceed. In some cases, they ask me to disconnect, and wait until they call back my home phone number
- to make sure that that's really me
And do not even ask how difficult it was to open an account in Polish bank remotely, without physically visiting the branch - it took about four months.
Compared to this, Canadian banks are like from another planet
That is only if the key is random and as long as the message and used only once via XOR. One-time passwords are something entirely different and infinitely more insecure, given that one-time pads are the most secure possible encryption method.
Somebody (the creator of the title) is obviously shaky on crypto.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
As I understand it, most of these 'phishing' type things rely on getting someone to log into a web site which looks like their online banking system but isn't. I'd imagine they often get around the SSL problems by just not using SSL - most people won't read the url or notice the little padlock icon or whatever not being there.
Say someone has created such a site - what prevents them from harvesting one time passwords or even challenge/response data this way and using them for fraud immediately? Say the user tries to perform a transfer on the fake interface, provides their transaction number or challenge/response token - the fraudster just uses these details straight away on the real site. The keys they've stolen are fully valid as far as I can see - even the timed challenge/response, if they use it quickly enough. The user would eventually notice that their transaction never happened, but by then they've been robbed. Am I missing something?
NOPE
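As an added illustration (not from any poster or bank in this thread), this Python sketch shows the difference the question above turns on: a code that only has to be "used once" verifies for whatever transfer it is submitted with, whereas a code computed over the transfer details is rejected when those details differ, and rejected again on replay. The secret, account strings and HOTP-style truncation are constructed for the demo.

```python
import hashlib
import hmac


def _truncate(mac: bytes) -> str:
    # Dynamic truncation in the style of HOTP (RFC 4226) to six digits.
    offset = mac[-1] & 0x0F
    num = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{num % 1_000_000:06d}"


def unbound_code(secret: bytes, counter: int) -> str:
    """Plain one-time password: depends on the counter only."""
    return _truncate(hmac.new(secret, str(counter).encode(), hashlib.sha256).digest())


def bound_code(secret: bytes, counter: int, dest: str, amount_cents: int) -> str:
    """Code computed over the counter AND the transfer the user intends."""
    msg = f"{counter}|{dest}|{amount_cents}".encode()
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest())


class Verifier:
    """Bank-side check; bind=True ties each code to the submitted transfer."""

    def __init__(self, secret: bytes, bind: bool):
        self.secret, self.bind, self.counter = secret, bind, 0

    def verify(self, dest: str, amount_cents: int, code: str) -> bool:
        if self.bind:
            expected = bound_code(self.secret, self.counter, dest, amount_cents)
        else:
            expected = unbound_code(self.secret, self.counter)
        if not hmac.compare_digest(expected, code):
            return False
        self.counter += 1  # a used code is never accepted again
        return True


def demo() -> dict:
    secret = b"constructed-demo-secret-not-a-real-key"
    legit, other, amt = "PL-CUSTOMER-ACCT", "XX-OTHER-ACCT", 100_00
    results = {}
    # Unbound code: the same code verifies for a transfer the user never asked for.
    v = Verifier(secret, bind=False)
    results["unbound_relayed"] = v.verify(other, amt, unbound_code(secret, 0))
    # Bound code: different destination fails, the intended transfer succeeds,
    # and submitting the same code a second time fails.
    v = Verifier(secret, bind=True)
    code = bound_code(secret, 0, legit, amt)
    results["bound_relayed"] = v.verify(other, amt, code)
    results["bound_legit"] = v.verify(legit, amt, code)
    results["bound_replay"] = v.verify(legit, amt, code)
    return results
```

The customer still has to see the destination and amount on a display the phishing page cannot alter before the device produces the code; otherwise binding only moves the problem.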
The best idea is a password of whatever persuasion and a x509 certificate used for SSL which is used by the bank in the sign on process. As a result you are always asked two passwords one of which cannot be set to "remember" - your SSL cert store and your bank username/password. This combines luser authentication with machine authentication. As a result you have to steal the machine used by Joe Average in order to use his/her bank account. This has the obvious plus that Joe Average cannot access shit through an unsecure public terminal even if he/she wants to do so.
This scheme is used nearly everywhere in the less developed countries where even the smaller sums in accounts are a sweet target. It is sometimes combined with one time passwords, but it is always "both machine and luser", not "just luser". It is also used by some banks handling larger accounts (or lifetime savings/investment schemes) in EU and in that case the cert is locked on a keyfob or something else that uses the windows crypto API to give the machine only what it needs. Yeah, I know, a windows only bummer, but it is something which Windows has and Linux does not in mainstream stable kernel and mainstream userland - a crypto API to plug things at a device level and allow userland a uniform API to access it which is understandable to openssl, browsers, etc.
In fact the less developed a country is, the better the internet banking security. For example UK e-banking security is pathetic compared to Russia, Bulgaria or the ex-soviet block.
To add further, this is valid not just for banking. Locks, code access, etc are all similar. Most locks sold in the UK will take an average of 5-10s to open for an Eastern European criminal and houses usually have just one lock. For example in Russia it is considered standard to have at least two locks and they have to be turned simultaneously and they self close so you cannot open one and then the other.
So on so forth (simple economics as usually being the reason).
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/