Slashdot Mirror


One-Time Pads To Protect Electronic Bank Access

dummkopf writes "CNN reports how Scandinavian banks issue one-time passwords to protect customers' accounts when these use the same password for other, i.e., more insecure email accounts. Having a bank account in the U.S. (with a trusted and well known Bank OF nAtional reach) I always wondered why the security was soooo poor: while it has changed slightly now (better usernames/passwords) it used to be the case that your username was your SSN and your password a number code (!). I am sure most of you will agree with me that this is scary... I live now in Switzerland where one-time passwords for online banking are a must and where my current bank is one of the 'crappy' ones with a little card with one-time passwords like mentioned in the CNN Story. The nicer ones even give you credit-card-size RSA password generator which is combined with a calculator you can keep in your pocket. Hence my question: are others also worried about poor security of online banking in the U.S.? Are there banks which are better than the ones mentioned above?"

6 of 345 comments

  1. Much better in Saudi Arabia by kneecarrot · · Score: 3, Interesting

    I do my banking with a local bank here in Saudi Arabia which has recently upgraded all its ATM machines with biometrics. I need only to register my fingerprint with the bank and then swipe it at the ATM to do my banking. Years ahead of its time.

    --

    I always save my last mod point to mod up a good troll. You people are too serious.

  2. I'm more concerned about internet shopping... by 26199 · · Score: 4, Interesting

    ...why are we still using a system that relies on you trusting every single person you give your credit card details to? It would be perfectly possible to generate a one-time authorisation code for each transaction...

    1. Re:I'm more concerned about internet shopping... by danielobvt · · Score: 3, Interesting

      American Express used to (still does? I am at work and for some reason, my network admins have decided that is a site I cannot reach....). They would give you a unique CC number each time to use, and it would be single use only. Pretty spiffy.

  3. Constructed passwords. by Jaywalk · · Score: 3, Interesting

    I long ago gave up on complicated passwords as being too hard to remember and turned to using a simple one. The trick is that I pump it through a process that exists only in the dark recesses of my brain to make a complex password. For example, suppose I want to have an account at First National Bank. My base password is simple: it's "First". Then comes the construction part.

    For example, I dredge up the number 42 (the answer to Life, the Universe and Everything) and some nonsense word. Let's say it's "snert". Pump it through the construction process and I come up with "first47snertt". Not exactly intuitive, but I'm just adding the number of letters in "first" (5) to my number and the last letter ("t") to the end of the nonsense word.

    The result is a pretty strong password. No cracking program is going to have the word in its dictionary and knowing my password to First National isn't going to tell you that my password to Discover is "discover50snertr". Since "snert" is nonsense anyway, there's no way to tell where the letters come from; you could be sticking the third letter in "Discover" onto the beginning and your nonsense word could be "nertr". There are no rules to how to construct the password, but you want to have an obscure way for the base password to modify the gibberish in the rest so knowing one password will not give you the rest. It saves me the trouble of remembering a lot of strong passwords. Of course, if someone got ahold of several of my passwords and spent enough time on them, they could probably figure out the routine, but that's not as dangerous as using the same password.

    And yes, that's just an example. It's not the process I use to construct my own passwords. Trust me, you don't want to know.

    --
    ===== Murphy's Law is recursive. =====

  4. Re:Not a one-time pad by prodos · · Score: 4, Interesting

    I can foresee a problem with this when you start using these sorts of passwords for places with password expiration. You can't use your original clever creation, so now you must come up with variations on it every couple months or so; like incrementing the number at the end, so you have JJW!TH9835 etc. But then you start having "version" issues where some passwords expire faster, and some not at all... so you might have JJW!TGGL9839 and HMW!TH9842. Of course, you could change ALL your passwords whenever one of them expires... but then you have to remember every single place you've set up such a password.

  5. Effectiveness by Anonymous Coward · · Score: 3, Interesting

    As I understand it, most of these 'phishing' type things rely on getting someone to log into a web site which looks like their online banking system but isn't. I'd imagine they often get around the SSL problems by just not using SSL - most people won't read the url or notice the little padlock icon or whatever not being there.

    Say someone has created such a site - what prevents them from harvesting one time passwords or even challenge/response data this way and using them for fraud immediately? Say the user tries to perform a transfer on the fake interface, provides their transaction number or challenge/response token - the fraudster just uses these details straight away on the real site. The keys they've stolen are fully valid as far as I can see - even the timed challenge/response, if they use it quickly enough. The user would eventually notice that their transaction never happened, but by then they've been robbed. Am I missing something?
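The relay concern in the comment above is real for any code that is valid regardless of what it authorises; the usual answer is a challenge/response in which the token also signs the payee and amount, so a code obtained for one transfer cannot be resubmitted for a different one. The following is an added illustration, not code from the post or from any bank; it assumes HMAC-SHA256 over a shared token secret, a constructed demo secret and invented account identifiers.

```python
import hashlib
import hmac
import os

# Constructed demo secret; in practice it lives only in the token and the bank's HSM.
TOKEN_SECRET = b"constructed-demo-secret-not-a-real-key"

def _six_digits(secret: bytes, msg: bytes) -> str:
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

def plain_otp(secret: bytes, counter: int) -> str:
    """Counter-based code: depends only on the counter, so it authorises
    whatever transfer is submitted alongside it."""
    return _six_digits(secret, counter.to_bytes(8, "big"))

def transaction_code(secret: bytes, challenge: bytes, dest: str, cents: int) -> str:
    """Transaction-bound code: the token also signs the payee and amount the
    customer keys in, so the code is tied to that specific transfer."""
    return _six_digits(secret, challenge + dest.encode() + cents.to_bytes(8, "big"))

class Bank:
    """Minimal server side for one customer and one token secret."""
    def __init__(self, secret: bytes):
        self.secret, self.counter, self.challenge = secret, 0, b""

    def new_challenge(self) -> bytes:
        self.challenge = os.urandom(8)  # displayed to the customer to key in
        return self.challenge

    def transfer_plain(self, dest: str, cents: int, code: str) -> bool:
        # Payee and amount are not part of the check at all.
        return hmac.compare_digest(code, plain_otp(self.secret, self.counter))

    def transfer_bound(self, dest: str, cents: int, code: str) -> bool:
        # Expected code is recomputed from the *submitted* payee and amount.
        expected = transaction_code(self.secret, self.challenge, dest, cents)
        return hmac.compare_digest(code, expected)

def relay_accepted(transaction_bound: bool) -> bool:
    """Customer intends to pay ACME-001 50.00 and enters the code on a look-alike
    site; the code is then submitted to the real bank for a transfer to another
    account. Returns True if the bank accepts that transfer."""
    bank = Bank(TOKEN_SECRET)
    chal = bank.new_challenge()
    if transaction_bound:
        code = transaction_code(TOKEN_SECRET, chal, "ACME-001", 5000)
        return bank.transfer_bound("MULE-999", 5000, code)
    code = plain_otp(TOKEN_SECRET, bank.counter)
    return bank.transfer_plain("MULE-999", 5000, code)
```

Binding the code to the payee and amount only helps if the customer can see what they are signing on the token itself, which is why the better devices show the transaction details on their own display rather than trusting the web page.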