Slashdot Mirror


One-Time Pads To Protect Electronic Bank Access

dummkopf writes "CNN reports how Scandinavian banks issue one-time passwords to protect customers' accounts when these use the same password for other, i.e., more insecure email accounts. Having a bank account in the U.S. (with a trusted and well known Bank OF nAtional reach) I always wondered why the security was soooo poor: while it has changed slightly now (better usernames/passwords) it used to be the case that your username was your SSN and your password a number code (!). I am sure most of you will agree with me that this is scary... I live now in Switzerland where one-time passwords for online banking are a must and where my current bank is one of the 'crappy' ones with a little card with one-time passwords as mentioned in the CNN story. The nicer ones even give you a credit-card-size RSA password generator which is combined with a calculator you can keep in your pocket. Hence my question: are others also worried about poor security of online banking in the U.S.? Are there banks which are better than the ones mentioned above?"

8 of 345 comments

  1. Not a one-time pad by kzinti · Score: 5, Informative

    Single-use passwords are not the same thing as a one-time pad, which is a form of encryption. However, one-time passwords do sound like a good idea. Given reasonably good encryption like in SSL, then password management becomes a weak point - which this scheme addresses. (Just parroting Schneier, and wondering if this scheme will get mention in the next Crypto-gram newsletter.)

    1. Re:Not a one-time pad by ryanwright · Score: 5, Informative

      One time passwords are fine for the average Joe. But this article is silly:

      But it's difficult to remember dozens of strong passwords -- so many sites now require them.

      Whatever. You simply need a pattern combined with "phrases" that only you know. For instance, your phrase could be "Jack and Jill went up the hill", so your password would be, "JJW!TH". Then you add a number to it that you can remember, for instance, the last four of your phone number reversed. So JJW!TH9834. Now throw in something unique from each site you visit. Take Google, perhaps Jack and Jill don't go up the hill, they go to Google: JJW!TGGL9834. Or on Hotmail, perhaps Hotmail went up the hill: HMW!TH9834. Mix and match for various web sites.

      Easy to remember, extremely difficult to break. Secure enough for most anything us common folk would do - including online banking - and not such a hassle as carrying around scratch-off cards or RSA keys everywhere you go.

      --
      -Ryan, with the unoriginal sig
  2. One time password not one time Pad. by mindstrm · Score: 5, Informative

    A scratch-off password list is a password scheme.

    A one-time pad is an encryption algorithm.

    The two have basically nothing to do with each other.

    A one time pad:

    Generate a random pattern of bits of the same length as the plaintext. XOR the two. The resulting ciphertext and the random field are now both required to re-generate the plaintext (to call one the ciphertext and one the key is wrong too; they are both statistically equivalent).

    Both are also completely useless by themselves, and truly totally, provably, unbreakable.

    This is the only form of unbreakable encryption.

    The moment you use a pad more than once, though, it ceases to be a one-time pad, and is breakable.
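
The XOR construction described in this comment, as an added example that is not part of the original post: the pad is drawn from a CSPRNG, either half (pad or ciphertext) recovers the other from the plaintext, and encrypting a second message under the same pad leaves `p1 XOR p2`, which is the breakable case the comment warns about. The two sample messages are constructed for the demo.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings; a pad must be exactly as long as the message."""
    if len(a) != len(b):
        raise ValueError("pad and message must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def generate_pad(length: int) -> bytes:
    """Fresh random pad from the OS CSPRNG, one byte per plaintext byte."""
    return secrets.token_bytes(length)


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    return xor_bytes(plaintext, pad)


def otp_decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    # Decryption is the same XOR; feeding (ciphertext, plaintext) instead yields
    # the pad, which is why the comment says neither half is "the key".
    return xor_bytes(ciphertext, pad)


def pad_reuse_residue(c1: bytes, c2: bytes) -> bytes:
    """Two ciphertexts under the same pad XOR to p1 XOR p2: the pad cancels out."""
    return xor_bytes(c1, c2)


def demo() -> dict:
    # Constructed sample messages of equal length.
    p1 = b"TRANSFER 100 EUR"
    p2 = b"TRANSFER 900 EUR"
    pad = generate_pad(len(p1))
    c1 = otp_encrypt(p1, pad)
    c2 = otp_encrypt(p2, pad)  # same pad again: no longer a one-time pad
    residue = pad_reuse_residue(c1, c2)
    return {
        "roundtrip_ok": otp_decrypt(c1, pad) == p1,
        "pad_recovered_from_halves": xor_bytes(c1, p1) == pad,
        "residue_is_p1_xor_p2": residue == xor_bytes(p1, p2),
        # Zero bytes in the residue mark positions where both messages agree,
        # structure that a genuinely one-time pad never exposes.
        "positions_where_messages_agree": [i for i, b in enumerate(residue) if b == 0],
    }


if __name__ == "__main__":
    print(demo())
```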

  3. Recent trend in Portugal... sort of by r_cerq · Score: 5, Informative

    A few months ago, most (AFAIK, all) Portuguese banks updated their online banking auth systems.

    There's no standard, and they seem to be having some difficulty balancing user-friendliness with security.

    The current "hip" thing is to require a login/password pair, followed by things like:

    - Enter the sixth and second numbers of your ID card/passport (random positions)
    - Enter your numeric PIN using the randomly placed JavaScript keypad
    - Use the code-matrix card (provided by the bank) and enter the value in square 4C
    - Confirm every money-moving operation with digits in random positions from a fixed (long) code given to you by the bank. Said code is regenerated every month.
    ... and so on.

    I don't think there's any bank here using plain login/password auth. There were attempts to use personal x509 certs, but most users had trouble installing them or using them.

  4. Stronger security isn't always better security by raehl · Score: 5, Insightful

    Stronger security should only be provided if the cost of implementing that security (money, time, convenience) is less than the costs of not implementing it.

    From my perspective, if someone breaks into my account, it's a hassle, but not a huge deal: My account is insured, and I get my money back. I'd rather deal with the inconvenience of this happening once or twice in my lifetime than having to deal with carrying and using a password generator for my entire life.

    From the bank's perspective, it is probably cheaper to lose some money to accounts being compromised than to implement better security across the board. That translates to lower costs (or better interest) for me the customer, which is also nice. I'm fairly confident this is true, because were it better (cheaper, more convenient) to have stronger security, my commercial bank (always wanting to make a buck) would be doing that instead.

    Your house would be more secure if you had bullet-resistant windows, steel-reinforced cross-bar doors, one-time pad electronic access, and 24/7 security guards, but most people find the much "weaker" deadbolt/key combination to be the BETTER solution.

  5. Re:Much better in Saudi Arabia by Cthefuture · Score: 5, Informative

    I work in the security field (mostly smartcards and biometrics) and I can tell you that if that's all they have then their security sucks.

    Biometrics are highly inaccurate/insecure. We break them all the time. I myself would never use anything important that was secured with only a biometric. Even a 4 digit limited error PIN would be more secure.

    --
    The ratio of people to cake is too big
  6. Cellphones and banking by jedrek · Score: 5, Informative

    Two areas where the USA is just out in left field, cellular services and banking. The first one has stopped surprising me, the second one blew me away. I consider my country (Poland) to be backwards, especially when it comes to commercial services - like banking. It's not.

    Not only does my bank use one time passwords, the card they're on is a scratch-off card. This gives me 2 additional levels of protection. Not only does it prevent someone from peeking at my card, but it lets me verify that I made each transaction. I don't need to keep track of the last number I used, it keeps track for me. And I don't need the card unless I'm actually moving money around - all I need is my login and password.

    The web interface on my bank is incredible - I can check on all transactions since I opened the account. I can set up sub-accts on the fly, issue debit cards to each of them, and my debit card works great online - so I can keep track of those internet purchases. Between-bank money transfers take a max of 1 day, usually same-day if I make it before 17.30, transfers within my bank are instantaneous - really handy for lending my brother some money *fast*.

    And the icing on the cake, the thing that made me go to this bank - instant text-message updates on my current account. I get a transfer - I get an SMS, I buy something - I get an SMS. It's incredibly fast (I usually get the SMS before they hand me the receipt to sign) and incredibly useful. I know how much money I have, how much money I spent that day. It really helps to stem the spending sprees that plastic seems to lend itself to.

    And all this, from my local, Polish bank.

  7. It's just in the US. by jwr · Score: 5, Informative

    It's just a US thing. Banks in the USA are for some reason stuck in the 80's.

    All the banks I use in Poland provide one-time passwords for anything important. There are no checks in use, but you can use electronic money transfers to pay for just about anything (this is being introduced as "BillPay" in the US and advertised as big news).

    I guess the US was first to develop a mature banking industry with credit cards and checks. This has worked so well (back in the 70's) that banks were not under pressure to innovate.