Lloyds TSB Pushing New Online Security Protocol
An anonymous reader writes "Looks like the two-factor bandwagon is beginning to roll in UK banking. The BBC is reporting that Lloyds TSB is issuing hard-tokens to 30,000 customers in an attempt to curtail phishing." From the article: "Until now, Lloyds TSB has used a two-stage system for identifying its customers. First, users must enter a username and password. Then, on a second screen, they are asked to use drop-down menus to choose three letters from a self-chosen memorable piece of information. The aim of using menus rather than the keyboard has been to defeat so-called 'keyloggers', tiny bits of software which can be used by hackers who have breached a PC's security to read every key pressed and thus sniff out passwords. But newer keyloggers now also take screenshots, which can reveal the entire memorable word after the bank's website has been used just a few times."
Their IT department seems to be on the ball.
Though I wonder what happens if the internal clock on those hardware key generators gets slow? If the key is generated every 30 seconds, you'd think time would be an issue.
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
Barclays bank has been doing this for years in addition to a secret pin and secret account number
and two credit card accounts, all with different corporations
and I'm looking at the size of that thing, and going, DAMN, I hope they don't all send me such huge fobs...
every day http://en.wikipedia.org/wiki/Special:Random
As always, it's a shame that people with the cleverness and skill to devise new phishing tricks don't opt for the lower income and increased job security and satisfaction of being useful, instead of being destructive pricks whose only long-term result is making everyone else's life more difficult.
What I'm listening to now on Pandora...
...is definitely the way to go for high-security environments. Something you have and something you know. It's hard for someone to steal both, at least without you knowing it. However, I wonder if this is practical for consumer markets like this. That's all we need: for both of my banks to send me a key card, my cell phone company to send me one (so I can pay online), my credit card companies to send me one, etc. In the end, lazy people will just find tricks around them, the same way lazy people write down passwords when complexity rules are enforced.
Makes sense to me. The key to defeating a keylogger is a keychain.
Any step that is taken to isolate a feature of online security from your PC is going to make it more secure. It'll probably inconvenience people in a lot of situations though- say you're abroad and you've had your bags & wallet stolen, including your hard key. You won't be able to access your online account to get money transferred locally etc. Still, sounds good to me :o)
When the posters fear their moderators, there is tyranny; when the moderators fear the posters, there is liberty.
Your RSA issued token access has officially been revoked due to security concerns. Please mail the token to the address below along with your account number.
Regards,
Bank President
Swedish banks have been using a code-gadget much like a calculator for years now!
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
I believe these are linked to a timer, but seeing as neither my digital watch nor my PC (linked to NTP) can keep accurate time for much longer than a week, what is the drift like on these hard tokens, and why do PCs and digital watches drift in the first place? I thought accuracy was supposed to be the selling point of digital.
Don't give the customers something to lose. Out of 30,000 people, you know that some will be losing this every day.
Instead, just publicly announce your policy that you will NEVER use external email to communicate with customers.
Using a toy like this just means that the phishers will have to move to man-in-the-middle attacks.
So what if your bank loses the ability to send ads to their customers? Your customer's security is more important.
No email from banks or other financial institutions EVER.
There is too much junk on my key ring already. I want mine implanted in the palm of my hand - with, of course, an on/off switch. While I'm dreaming: it should also have a DNA sensor so that it regularly checks for my red blood cells with oxygen, thus ensuring that if my hand is cut off, the implant won't work for more than a few minutes.
I'm with Lloyds TSB: the current system is all well and good but I - and I should know better - haven't changed my password nor my memorable phrase for ages. Yes that's my failing but they should've been forcing password changes every so often. But then the average punter is going to be sending 'lost password' emails every month or writing it down on a....blah blah blah
Regenerating passwords is the way forward. I'm all for it. Applause etc.
On the other hand - somebody steals the card and gets everything in one piece.
I need to click in my password... what crazy stuff.
Lucky that they still left the old type-in interface:
https://www.citibank.co.in/infojsp/login/guestlog
With a camera being used to steal someone's PIN #. I get the creeps every time I use one of those weird privately owned ATM machines in convenience stores in the middle of nowhere. Some of them even have spelling mistakes on their screens. What's next? "Thank you for withdrawing, your account is TEH PWNAGE"
~jennifer.k~
Well duhh... why not use the obvious solution to prevent reading password information from the screen, like it's been done for ages: use * in place of readable characters. I for one, welcome our new multiple-choice password selection!
Please click your password:
(* replaced with x to please Slashdot junk filter)
Eat that! Good luck trying to discover the real password!
1. The user gets an e-mail asking him to log on to the bank site.
2. The user enters the code from the keyfob into the phishing site
3. Phishing site logs into the real banking site using just harvested code
4. Phishing site performs a transaction on the real site and asks the user for a code again to confirm the transaction.
So the users have a false sense of security, the bank still loses money (on top of the devices' cost), and who is going to pay for it in the end? You think the bank is going to eat the cost?
This is pretty cool, but as someone else noted, a lot of accounts means a lot of fobs. The CEO of Sxip did an entertaining presentation on these types of issues. One piece that would be relevant is the idea of separating the credentialing from the site.
http://www.identity20.com/media/OSCON2005/
That's why I always use large, generously sized bits in all the code I write.
In my experience, larger bits (mine are at least 2-3 times the size of regular bits) are easier to see and less prone to problems like memory leaks and haxx00rrzing than their smaller counterparts.
On the other hand, they're more likely to fill up buffers and cause overflows than smaller bits.
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
That's only slightly tongue-in-cheek. (Yes, I know that between all the holes in the OS and all the holes in user's heads that screen-loggers will get installed with admin privileges.)
As much as I hate DRM ("lets assume 100% of computer users are illegal content distributors" and inconvenience everyone), it seems that it could be useful as part of locking down a machine from copying selected types of data to unauthorized external locations.
Two wrongs don't make a right, but three lefts do.
When BOTH factors are sent over the SAME CHANNEL you do NOT increase the security of the system.
You need a different channel, such as calling a phone number they have on file that the phisher would not be able to get from that communication.
Ok, I'm sure it's secure and everything, but I'm not carrying a keyring the size of a fucking brick around with me to use my online banking (I do actually bank with Lloyds) and I really don't think it'll catch on (or people will simply stop signing up for online banking).
IMHO: Swing, and a miss!
You feel sleepy. Close your eyes. The opinions stated above are yours. You cannot imagine why you ever felt otherwise.
During my tenure, we were issued hardware tokens that had our individual cert on it, and we could use the cert for any number of things (such as email authentication, email signing, logging into online banking, encrypting and storing documents using an electronic vault, etc). But it was also inconvenient as we had to be using a machine that could read and utilize the USB token.
If you had physical access to someone's hardware token, it wasn't difficult to use it to pretend you were someone else. End users select very weak passwords, usually have the passwords to their tokens written down on post-it notes stuck to their screen or on their desk, and people in general are just too trusting.
As other posters have mentioned, you could ask an end user to USPS their hardware token to you with their password and all other relevant information, and many end users would probably do it without question.
Why haven't digital certificates become more mainstream? It's still too inconvenient in many cases, and it doesn't fix the weakest link - the end user.
People today demand convenience, and having to carry around a physical hardware token to do things on-line just is not convenient, especially when you find yourself in front of a computer that doesn't have USB, doesn't know how to read the USB token, or doesn't have the appropriate software to utilize the hardware token in the first place.
If a bad guy would somehow crack my password he could only check my account (bad for my privacy, but not the end of the world). To empty my account he would have to get my password, my mobile and its pin-code.
karma police: arrest this man, he talks in maths; he buzzes like a fridge, he's like a detuned radio. [radiohead]
In Ireland, you had a PIN number, a password, and several security questions like "Where were you born?" "what are the last 3 numbers of your contact phone number?"
Not too bad, but as the article says, easy to get over a period of time, if you have keyboard loggers.
In Sweden, a system that is apparently years old, you get a secure key-fob from www.vasco.com, and that's it. You enter your account number, then activate your key-fob, enter your PIN into that, then two 4-digit random numbers from the login screen, then it will give you a single 6-digit number to enter into the login screen, and that's it. Plus the website (SEB bank) is perfectly happy with IE OR Firefox, Safari, Camino.
Scandinavia is the Mac of the social world, they do everything years ahead of the rest of the pack.
RSA access tokens occasionally need to be 'resynched'. Many systems, like the RSA SecurID, do this automatically when you login by accepting the last and previous 10 passwords or whatever. But, if a customer hasn't logged in for a long time, the token can become wayyyy out of sync. So, typically they have to have it resynched in some way. This could involve logging into some known-secure web page and entering in some user information and the current number on the token, or by calling support and telling them what the current number on the token is.
Phishing is possible for at least one password by posing as a 'resync' page or as support personnel. Additionally, if the phisher is sophisticated and has the right software and sufficient computing power, the phisher may be able to deduce the private 'seed key' so that he can get ALL the passwords.
It's important to remember that there is no such thing as an uncrackable security system.
My blog
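The drift and resync questions raised in several of the comments above (the 30-second cadence, watches and PCs drifting, and the RSA-style resync that accepts a run of neighbouring codes or two successive codes read off the token) can be made concrete. The Python below is an added example written for this page, not Lloyds', RSA's or any vendor's code. It assumes an HMAC-based time code (HOTP truncation per RFC 4226 over a 30-second counter), a constructed seed, and a bank-side record that accepts a small window of neighbouring codes, remembers the drift it observed, refuses any counter already used, and offers a wide two-code resync for tokens that have sat in a drawer for months.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

STEP = 30      # seconds per code: the 30-second cadence mentioned in the thread (assumed)
DIGITS = 6


def hotp(seed: bytes, counter: int) -> str:
    """HMAC-based one-time code for a counter value (RFC 4226 dynamic truncation)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


def time_counter(unix_seconds: int) -> int:
    return unix_seconds // STEP


@dataclass
class TokenRecord:
    seed: bytes
    drift_steps: int = 0      # how far this token's clock is known to lag (-) or lead (+)
    last_counter: int = -1    # highest counter already accepted; blocks replay


def verify(rec: TokenRecord, code: str, server_now: int, window: int = 1) -> bool:
    """Accept the current code or one of `window` neighbours, then remember the drift."""
    base = time_counter(server_now) + rec.drift_steps
    for delta in range(-window, window + 1):
        counter = base + delta
        if counter <= rec.last_counter:
            continue                                  # already used, or older than one used
        if hmac.compare_digest(hotp(rec.seed, counter), code):
            rec.last_counter = counter
            rec.drift_steps += delta                  # ordinary drift is absorbed silently
            return True
    return False


def resync(rec: TokenRecord, code1: str, code2: str, server_now: int, search: int = 200) -> bool:
    """Support-desk resync: two consecutive codes pin down a badly drifted token."""
    base = time_counter(server_now)
    for delta in range(-search, search + 1):
        counter = base + delta
        if (hmac.compare_digest(hotp(rec.seed, counter), code1)
                and hmac.compare_digest(hotp(rec.seed, counter + 1), code2)):
            rec.drift_steps = delta
            rec.last_counter = counter + 1
            return True
    return False


if __name__ == "__main__":
    # Constructed demo values: a token whose clock is 30 s slow, then one 50 minutes slow.
    seed, now = b"constructed demo seed, not a real token secret", 1_700_000_000
    rec = TokenRecord(seed)
    print("slow by one step accepted:", verify(rec, hotp(seed, time_counter(now - 30)), now))
    far = TokenRecord(seed)
    c = time_counter(now) - 100
    print("50 minutes slow, normal login:", verify(far, hotp(seed, c), now))
    print("resync with two codes:", resync(far, hotp(seed, c), hotp(seed, c + 1), now))
```

The window is what makes everyday drift invisible to the customer, and the `last_counter` check is what stops a code captured by a keylogger from being accepted a second time within the same 30 seconds. Neither helps against a code relayed to the real site immediately, which is the man-in-the-middle point other comments in this thread make.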
My father-in-law recently lost 1100UKP from his Abbey account through online banking!! After spending a good 3 hours removing the trojan keyloggers (multiple!) from his computer, I asked him to show me what he needed to put in to access his online banking. It went:
1. Card number
2. Pin number (entire)
3. Password
That was an easy one to rip off!! All the info in one hit, no obfuscation by asking for parts of numbers, and an unsecured card number flying straight over the wire.
Moral of the story: Don't bank with Abbey.
It's good that they've provided a more secure way to authenticate the user, but it's a pity they haven't gone further (like some of the Norwegian banks, IIRC) and actually authenticated the transaction.
Coming up next: keyloggers that watch for you to type in your time-based authentication number, and *then* create a new transfer moving all your money to $OFFSHORE_3RD_WORLD_ACCOUNT.
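The gap the two comments above point at, a code that authenticates the login but says nothing about the transfer being made, comes down to what the code is computed over. As an added example (not Lloyds', the Norwegian banks' or any vendor's scheme), the Python below contrasts a login-only code, which the bank can verify but which is valid for whatever payee and amount arrive in the request, with a code computed over a canonical encoding of the payee and amount the customer keys into the token; every seed, account number and amount is constructed for the demo.

```python
import hashlib
import hmac
import struct


def _truncate(mac: bytes, digits: int) -> str:
    # HOTP-style dynamic truncation (RFC 4226, section 5.3) so the code fits a keypad.
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def login_code(seed: bytes, counter: int, digits: int = 6) -> str:
    """Proves possession of the token and nothing more."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha256).digest()
    return _truncate(mac, digits)


def canonical_transfer(counter: int, payee: str, amount_pence: int) -> bytes:
    # Fixed-width integers plus a length-prefixed payee, so two different
    # transfers can never serialise to the same byte string.
    p = payee.encode("utf-8")
    return struct.pack(">QQH", counter, amount_pence, len(p)) + p


def transaction_code(seed: bytes, counter: int, payee: str, amount_pence: int,
                     digits: int = 8) -> str:
    """Code bound to the payee and amount the customer keyed into the token."""
    mac = hmac.new(seed, canonical_transfer(counter, payee, amount_pence), hashlib.sha256).digest()
    return _truncate(mac, digits)


def bank_accepts_login_style(seed: bytes, counter: int, code: str,
                             payee: str, amount_pence: int) -> bool:
    # Weak design: the bank checks that the code is fresh and valid; the payee and
    # amount are taken from the HTTP request, which a trojan or proxy can rewrite.
    return hmac.compare_digest(login_code(seed, counter), code)


def bank_accepts_bound(seed: bytes, counter: int, code: str,
                       payee: str, amount_pence: int) -> bool:
    # Hardened design: the bank recomputes the code over the transfer it is about to
    # execute, so a code issued for a different payee or amount simply does not match.
    expected = transaction_code(seed, counter, payee, amount_pence)
    return hmac.compare_digest(expected, code)


if __name__ == "__main__":
    seed = b"constructed token seed"                 # constructed; never a real secret
    keyed_payee, keyed_amount = "12-34-56 12345678", 25_000   # what the customer meant to send
    altered_payee, altered_amount = "99-99-99 99999999", 2_500_000
    c = login_code(seed, 41)
    print("login-only code approves an altered transfer:",
          bank_accepts_login_style(seed, 41, c, altered_payee, altered_amount))
    t = transaction_code(seed, 41, keyed_payee, keyed_amount)
    print("bound code approves the keyed transfer:",
          bank_accepts_bound(seed, 41, t, keyed_payee, keyed_amount))
    print("bound code approves an altered transfer:",
          bank_accepts_bound(seed, 41, t, altered_payee, altered_amount))
```

The bound variant only works if the customer types the payee and amount into the token (or reads them off a trusted display) rather than trusting the browser, since the browser is exactly the component a trojan controls; that is the "what you see is what you sign" property the transaction-authenticating banks are after.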
I have two Lloyds TSB bank accounts, and access both on-line via Linux & Firefox. Lloyds has always impressed me with their commitment to keeping the service available to all... unlike other banks who routinely restrict it to IE-only.
Anyway, interesting security measure. I'd like to try it out, but I doubt I'll be one of the 30,000... not being a major customer and all.
We all know that crap is king
Give us dirty laundry!
Fingerprint scanning hasn't taken off? I have used it with Windows and it seems to work pretty well. It's cheap too. Heck, IBM and HP have included it as an option with their laptops for years.
Having to carry around a token is a big pain in the ass, but touching a pad is easy, and nobody is going to easily forge your finger print and combine that with a short password, and you are golden.
The phishing messages say that there has been a problem with your account and that you need to login to fix the problem (click here).
But that isn't the real bank's site. It's a phishing site setup to look just like the real bank's site and it will collect their login info when they try to login.
Banks use email for all kinds of crap and their customers get used to the concept of receiving email from their bank with requests to click on links. This is because email is a very inexpensive way for banks to send ads and crap to their customers.
In order to end phishing, the banks will have to give up the cheap advertising medium of email. No email at all. Ever. You will NEVER receive ANY email from ANYONE from this bank for ANY reason. EVER.
If they really need to contact you, they have your phone numbers, your address, your social security number and so forth. They will NOT have a problem finding you and letting you know that there has been a problem.
ING Direct (I have an account, but no other affiliation) recently introduced an anti-keylogger/anti-sniffer scheme for logins. There's no token, just the PIN I already had, but instead of entering the digits, I click images on a numeric keypad. The trick is that each number on the pad is paired with a letter, and the letter is what's entered in the input field and sent to ING. (You can also type the letters corresponding to the numbers.) The letter-number cipher is unique to this page view, so if the letter-PIN-equivalent is intercepted it's useless next time.
As others have mentioned, screenshots would defeat this protection, but it's a good step anyway, easy to use, and required nothing new for the user -- just a change of interface to enter existing login info.
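The per-page-view letter-for-digit mapping described above is small enough to sketch in full. The Python below is an added example written for this page and is not ING Direct's implementation: it assumes the bank draws a fresh random digit-to-letter mapping for each login attempt, translates the submitted letters back before comparing with the PIN, and discards the mapping after one use, so that letters intercepted from one page view are worthless against the next. As the comment says, a screenshot of the rendered keypad alongside the keystrokes still defeats it.

```python
import hmac
import secrets

LETTERS = "ABCDEFGHJK"     # ten letters standing in for the ten digits (constructed choice)


def new_keypad() -> dict:
    """Fresh digit -> letter mapping for one page view, drawn from the OS CSPRNG."""
    letters = list(LETTERS)
    secrets.SystemRandom().shuffle(letters)
    return {str(d): letters[d] for d in range(10)}


def encode_pin(keypad: dict, pin: str) -> str:
    """What the browser submits: the letters on the keys the customer clicked."""
    return "".join(keypad[d] for d in pin)


class LoginAttempt:
    """Bank-side state for a single rendering of the keypad."""

    def __init__(self, pin: str, keypad: dict = None):
        self.pin = pin                  # kept in clear for the demo; a bank would hold a hash
        self.keypad = keypad or new_keypad()
        self.spent = False

    def render(self) -> dict:
        return dict(self.keypad)        # shipped to the browser with the page

    def verify(self, submitted: str) -> bool:
        if self.spent:
            return False                # one mapping, one attempt; a retry gets a new page
        self.spent = True
        back = {letter: digit for digit, letter in self.keypad.items()}
        try:
            digits = "".join(back[ch.upper()] for ch in submitted)
        except KeyError:
            return False                # a letter that was never on this keypad
        return hmac.compare_digest(digits, self.pin)


if __name__ == "__main__":
    attempt = LoginAttempt("4821")      # constructed PIN
    wire = encode_pin(attempt.render(), "4821")
    print("letters on the wire:", wire)
    print("accepted:", attempt.verify(wire))
    print("replayed against a new page view:", LoginAttempt("4821").verify(wire))
```

What reaches the network (and a keystroke logger) is the letter string, which decodes to the PIN only under the mapping that produced it.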
In the past few years they have spent millions of pounds replacing all of our traditional magstripe cards with smart cards. In my opinion the best two-factor authentication is the cards themselves, the logic being, if they're secure enough to withdraw cash, then they are secure enough to access my online banking. All they would need to do is send out a $2 smart card reader to each customer.
First, good work, Lloyds! May other banks beat a speedy path to follow in your footsteps.
Second, given the pace of miniaturization, it won't be long 'til this is little more than the size of a credit card and not much longer before it's the size of the ever-present grocery store keyring loyalty card.
Heck, if an iPod Nano can be as small as it is, this thing *will* fit on a keyring with little trouble in short order. At that point few people will be put out by this (though it will still present a problem for those with visual impairments who're using screenreaders).
[Note to banks: if you're having problems miniaturizing this to keyring size -OR- are having a rough go figuring out how to create a good workaround for this for the visually impaired, just call Apple. Put them on it, and I'm sure they'll have it figured out in time for their next product release.]
instead of being destructive pricks whose only long-term result is making everyone else's life more difficult.
A technical solution is always better than a political one.
You can't legislate away crime. We've been trying for 5,000 years since the Code of Hammurabi. You simply cannot even prevent crime with capital punishment, locking them up, or giving them money to not commit crime. (Take Enron CEOs for example *coughs*)
These steps may reduce the overall crime level, but they can't stop people from simply walking in an unlocked door and taking your things or your life.
A technical solution not only implies that the crime is wrong, but you take steps to prevent it so that the crime cannot actually be committed. Such as locks on your doors and better security like the tokens the article talks about.
The only other way to prevent crime is to change human nature and that will have to take the path of social engineering.
"I am the king of the Romans, and am superior to rules of grammar!"
-Sigismund, Holy Roman Emperor (1368-1437)
Who moderated this Interesting??? You have fallen for a phishing trick!
Please notice the IN countrycode in the link. The site is in India! Citibank does not have an Indian site!
For wire transmissions my bank has been using a printed (& sealed) sheet of numbers for years.
:)
For every transaction (wire you send) you enter the next LOOOONG string from your paper.
Phish this
RSA generators are cool; they have been using them in the casino biz (and other risky biz) for ages. They are reliable if the software is working well on the other end. That and a password is GOOD security.
Are you retarded or just trolling?
Isn't this just SecureID?
I can see that conversation:
Customer: I don't want one those devices
Bank: These devices allow us to provide more secure services
Customer: But I already have three
Bank: We only provide one device for each customer...
Customer: The others are from different banks
Bank: I see...well we can clear this all up by transferring all your other accounts to our bank
And then there is:
Customer: I'm not going to use online banking from you if I have to have one of these things
Bank: That's fine but please be aware that access to our tellers and ATMs may incur processing fees
Customer: Ummm...how about telephone banking?
Bank: Excellent choice! Now where would you like us to send your security device?
Banks don't really care about your being inconvenienced if it coincides with something that helps them make/save money.
Whenever you get a bank account, you should get a pamphlet saying "How to recognize SCAM emails".
I'm sure this nifty trick would do wonders and prevent people from falling into phishing scams.
A reader comment on the BBC said it best:
I've lived in Sweden, had a SEB (SE-Banken) fob since 1995/6. It's expired and has been replaced at regular intervals at no cost, and it's never failed. I work in the security field, and when I moved to Britain 6 years ago I was stunned by the state of affairs here. To this day, I am only slightly less stunned. Look at some of the other comments being made ("ooh, it'll never work", "one more thing to break", "what, I'm not carrying one around, why should I have to"). Luddites!
Britain: 17th century class-structure, 13th century plumbing, decades-old IT security mentality & infrastructure... you don't even HAVE a unique identifier, much less the basic concept of a working ID card - but you're unable to imagine anything not involving Orwellian uses. Jeez, it's a card, something that binds your picture to your name/identifier, not a ball & chain or barcode-tattoo across your forehead. For reasons so deeply ingrained in the British soul that it's nearly impossible to even get a rational explanation, you'd rather provide copies of telephone bills, tenancy agreements, payslips and god knows what - all full of non-relevant and pretty darn personal details - instead of simply flashing a card so everyone can get on with the show. ??!
Yeah, I know, could move back to Sweden. I just had to vent.
In next week's issue: How to change your address in Sweden vs. Britain.
Synopsis: Sweden - Execute 'change to official place of residence', by post, phone or Internet. In Britain: Tell your bank. Tell your employer. Tell your friends. Tell the council. Tell the DVLA (car-registration), tell the IRS... Actually, tell everybody, nearly always by post. Then do it again. And again, and again. Occasionally find out you moved to an address with poor credit. WHAT??? Yep, it can happen because person+address is the best thing you've got. Man, it's so backwards, I just can't believe it's true.
As long as the info is travelling over one channel (your Internet connection to that bank), you're still vulnerable to a man-in-the-middle attack.
This method doesn't provide any more security, just more toys to lose.
Now, if they tied those key-fobs to the cell network and you had to confirm the transaction that you entered via the Internet with a cell connection from the key-fob, that would be sufficient 2 factor security.
But that costs even more than the key-fobs they have now and the key-fobs make the users FEEL more "secure" because they don't understand man-in-the-middle attacks.
One piece that would be relevant is the idea of separating the credentialing from the site.
Damn! That's such a cool idea. It's a wonder that no one else ever thought of that. Oh, wait! Someone did, ever heard of Microsoft Passport, Novell Identity Management, Liberty Alliance and more?
* Spam e-mail redirects you to the spoof site. Presents identical page to the real site.
* You enter your details, which are automatically passed through to the real site to automatically login the scammers.
* Spoof site works as a proxy between you and the bank up until the point when you logout
* At that point it empties your account.
While this scenario is pretty complex to set up, none of it is beyond the wit of most decent web-coders, and we have seen the scammers get progressively more sophisticated over the last few years.
I expect it to happen within the next few years. Criminals tend to adapt to security measures. PINs for Credit Cards have just meant that criminals have to watch people type them into a few machines, and then rob you (or get a pro pick-pocket to lift it).
Paul
Paul Leader
Dear Customer, Your RSA issued token access has officially been revoked due to security concerns. Please mail the token to the address below along with your account number and secret password. Regards, Bank President

Admittedly, still possible, but less likely. The best way around it would be to just make it policy not to send your password ever (obviously) but also to never mail your token anywhere. There is no reason that the bank ever needs the token back once they activate it, so you just tell your customers never to mail it anywhere. I know, some still will, but I think this is a FAR more unlikely possibility than a web page that looks and works EXACTLY like your actual bank's does.
There is already system featuring two factor authentication (something you have + something you know) fully deployed and already distributed to millions of bank customers. They keep the token in their wallet and remember the password.
I'm talking about ATM cards.
How about this: a small USB device with a magstripe reader, numeric keypad and a big notice saying "always enter your PIN on this keypad, never on your computer's keyboard".
This device will not verify the PIN number itself - it will just encrypt the magstripe data and entered PIN to the bank's public key and send it to the PC, which will forward it to the bank for authorization.
Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
According to a researcher in drug tendencies (can't remember who), most phishing attempts are run by crackheads on methamphetamine.
You are not going to keep that job if your boss finds out you are an addict.
Why hasn't anyone questioned the root of the problem to begin with: people have spyware? The approach taken here is akin to handing out bullet-proof vests in a high crime area because there's a chance you *might not* die. I know that it's better than nothing, and IT security across the net is not entirely the banks' and financial institutions' fault, but if I were facing the amount of pressure that they face from malware, then I'd at least try to put up a fight against the root cause. Kudos to the cleverness on their part to protect themselves and their clients, but I think the real problem of IT security is being largely ignored in favor of clever work-arounds.
The eternal struggle of good vs. evil begins within one's self.
HSBC has a good system. On the first page they ask for your online banking ID. On the second page they ask for your date of birth and then three numbers out of your 8-digit security number that you were able to choose when you signed up. The exact position of the three digits varies at random every time you log in. They've had this for about five years. Same goes for their online digital TV banking service too.
Drill baby drill - on Mars
I foresee tokens being only a short term solution. This is an arms race, and I predict that should 2-factor authentication with tokens become widespread, the criminals will respond in the following way:
1) Trojan on user's system will redirect the browser to the phishing site
2) The trojan will also load a bogus certificate into the browser so there are no mismatched certificate warnings
3) The back-end of the phishing site will talk to a zombie farm
4) User will enter two-factor authentication into the phishing site
5) In "real-time" a zombie will use the two-factor authentication information to log into the real site and wipe the user's account balance or something equally nefarious.
If I patent that, do you think I could license it to the russian mob?
All this is good but it does not fix the biggest problem with phishing: The user cannot trust the website they are visiting.
A better solution would be a "I tell you , then you tell me".
- The user visits a site (even if clicked from an e-mail)
- The bank's site presents the expected current number on the keyfob (maybe also the previous and next ones, to accommodate time drift)
- If the number presented matches, then the user enters the password with the next number on the keyfob.
The process would take about 1 minute (just the time to wait for the next number sequence).
The user would know that the site is real and the bank would know that user is valid.
No more fraud.
"If it is just us, seems like an awful waste of space." -- movie: Contact
I hate all these new security schemes. ING Direct just changed the way you have to log into their web site and it is a pain. What I really don't get is why there must be infinite levels of security to log into my bank's web site but the most minimal security involved in me walking into the bank.
I recently needed a large 6-figure check for a house closing. I walked into my bank armed only with my savings account number and expired driver's license. Their computers were down so they couldn't validate my balance so they made a call to another branch. Then they gave me the money! This same bank practically requires a DNA sample to log into their web site. It's ludicrous.
I'm a big tall mofo.
My bank (national australia bank) has an optional service where you register your mobile phone number with them.
If you have it registered, when you do a transaction, you get a SMS from them with a number that you need to enter into the form before the transaction goes through.
If I ever end up with a mobile phone (and if I am still with the national), I will be enabling this feature myself.
I don't understand why US and UK banks make two factor authentication so complicated. A printed list of one-time passwords is excellent protection against keyloggers and requires no extra hardware. Banks in continental Europe have been using them for years, and users seem to be able to get along with them just fine.
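A printed one-time-password sheet, as used by the continental banks mentioned here and in the earlier "next LOOOONG string from your paper" comment, is simple enough to show from the bank's side. The Python below is an added example, not any bank's code: it assumes the sheet is generated from the OS CSPRNG, that the bank stores only salted digests and a used-flag per position, and it covers both the plain sequential list (strike off the next code) and the indexed variant where the bank names the position it wants for this transaction.

```python
import hashlib
import hmac
import secrets

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # 32 symbols, no 0/O or 1/I lookalikes


def generate_tan_list(count: int = 50, length: int = 12) -> list:
    """The printed sheet: `count` codes from the OS CSPRNG (32**12, about 2**60 each)."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(length)) for _ in range(count)]


class TanSheet:
    """Bank-side record of one customer's sheet: salted digests plus a used bitmap."""

    def __init__(self, tans):
        self.salt = secrets.token_bytes(16)
        self.digests = [self._digest(t) for t in tans]
        self.used = [False] * len(tans)

    def _digest(self, tan: str) -> bytes:
        # Normalise what a human types (case, stray spaces) before hashing.
        return hashlib.sha256(self.salt + tan.strip().upper().encode()).digest()

    def _consume(self, index: int, tan: str) -> bool:
        if not 0 <= index < len(self.digests) or self.used[index]:
            return False                    # unknown position, or already spent
        if not hmac.compare_digest(self._digest(tan), self.digests[index]):
            return False                    # wrong code for this position; stays unspent
        self.used[index] = True             # correct: mark spent so it can never be replayed
        return True

    def next_index(self):
        try:
            return self.used.index(False)
        except ValueError:
            return None                     # sheet exhausted: time to post a new one

    def verify_sequential(self, tan: str) -> bool:
        """Plain TAN list: the customer enters the next unused code."""
        i = self.next_index()
        return i is not None and self._consume(i, tan)

    def challenge_index(self):
        """Indexed variant: the bank picks a random unused position and asks for it."""
        free = [i for i, spent in enumerate(self.used) if not spent]
        return secrets.choice(free) if free else None

    def verify_indexed(self, index: int, tan: str) -> bool:
        return self._consume(index, tan)

    def remaining(self) -> int:
        return self.used.count(False)


if __name__ == "__main__":
    tans = generate_tan_list(10)            # constructed sheet for the demo
    sheet = TanSheet(tans)
    print("first code accepted:", sheet.verify_sequential(tans[0]))
    print("same code again:", sheet.verify_sequential(tans[0]))
    i = sheet.challenge_index()
    print(f"bank asks for position {i}:", sheet.verify_indexed(i, tans[i]))
    print("codes left:", sheet.remaining())
```

Against a keylogger this holds up because each code is spent the moment it is accepted; against the proxy-in-the-middle described elsewhere in the thread it does not, because the code is relayed and spent on the attacker's transaction instead, which is why the indexed variant is usually paired with showing the transaction details alongside the requested position.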
Surely if there is a trojan acting as a proxy to several online banking sites running instead of a keylogger (the possibility of which was raised in an article posted on Slashdot noting the banks are always several steps behind), where the user logs in *for* the phisher (logout is ignored and gives a fake page, at which point the phisher can keep using their session), this will have no effect at all?
This type of phishing attack may not exist yet (I haven't heard of any real world examples of it yet) but it's definitely feasible.
I have a Lloyds account.
Their 2nd stage "memorable information" security check is pretty much useless because, err.. it's too long to remember, especially when it's a number->letter scheme. So I keep it written down in my wallet.
I have a Citibank and SMBC (Japanese bank) account.
Citibank requires a PIN and what they call a PC-PIC code (ie. a fixed 6 letter password that is your DOB by default)
SMBC has an impossible to remember bank account number plus password (so I keep those in wallet too)
I have Amex and Visa cards, both of which require passwords too of course.
So now if these "dongles" catch on will I have to be carrying around a bag full of them just to be able to login? Is that secure?
Surely there's a better solution somewhere.. the more I think of it, M$'s Passport was actually a good idea.
Obviously this solution is expensive and inconvenient because users have to get their hands on specialized hardware and carry it. Furthermore, synchronization issues need to be addressed. I don't think these time-regulated random generators use atomic clocks, GPS or NTP... Also, what about visually-impaired users? All these issues would not exist if they simply used the Secure Remote Password protocol from Stanford. http://en.wikipedia.org/wiki/Secure_remote_password_protocol (check references for more details).
There already exist SSL/TLS implementations of this protocol.
A very good solution that uses SRP is suggested in http://www.cs.berkeley.edu/~tygar/papers/Battle_against_phishing.pdf (previously slashdotted).
All the user has to do to verify a site is to compare images that are derived as visual hashes of a common secret session key (used for encryption) and exchanged random data. Audio hashes can also be used for the visually impaired.
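SRP, as referenced in the comment above, can be walked through end to end. The Python below is an added example written for this page; it is neither Stanford's reference implementation nor the Berkeley paper's code. It uses a constructed toy group (a small safe prime found at import time) so the demo runs instantly; the algebra is unchanged with the RFC 5054 groups a real deployment would use. It shows enrolment (the server stores a salt and a verifier, never the password), the SRP-6a exchange with the mandatory zero checks on the public values, a simplified proof in each direction, and that a wrong password leaves client and server without a shared key or a passing proof, so the server never learns the password and the client never sends it.

```python
import hashlib
import hmac
import secrets


def _is_prime(n: int) -> bool:
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def _safe_prime_from(start: int) -> int:
    q = start | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1


N = _safe_prime_from(1_000_000)       # constructed toy modulus N = 2q + 1 (use RFC 5054 groups for real)
Q = (N - 1) // 2
g = next(c for c in range(2, N) if pow(c, Q, N) == N - 1)   # generator of the whole group
NBYTES = (N.bit_length() + 7) // 8


def to_bytes(x: int) -> bytes:
    return x.to_bytes(NBYTES, "big")


def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = H(to_bytes(N), to_bytes(g)) % N     # SRP-6a multiplier


def private_x(identity: str, password: str, salt: bytes) -> int:
    return H(salt, hashlib.sha256(f"{identity}:{password}".encode()).digest())


def register(identity: str, password: str):
    """Enrolment: the server keeps (salt, verifier); the password stays on the client."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(identity, password, salt), N)


def proof(A: int, B: int, K: bytes) -> bytes:
    # Simplified client proof M1 = H(A | B | K); RFC 2945 folds in N, g, I and the salt too.
    return hashlib.sha256(to_bytes(A) + to_bytes(B) + K).digest()


class Server:
    def __init__(self, salt: bytes, verifier: int):
        self.salt, self.v, self.K = salt, verifier, None

    def challenge(self):
        self.b = secrets.randbelow(N - 2) + 1
        self.B = (k * self.v + pow(g, self.b, N)) % N
        return self.salt, self.B

    def finish(self, A: int, M1: bytes):
        if A % N == 0:
            return None                              # mandatory check on the client's value
        u = H(to_bytes(A), to_bytes(self.B))
        S = pow(A * pow(self.v, u, N) % N, self.b, N)
        K = hashlib.sha256(to_bytes(S)).digest()
        if not hmac.compare_digest(proof(A, self.B, K), M1):
            return None                              # wrong password: no session, no hint
        self.K = K
        return hashlib.sha256(to_bytes(A) + M1 + K).digest()   # M2: server proves it holds v


class Client:
    def __init__(self, identity: str, password: str):
        self.identity, self.password, self.K = identity, password, None

    def start(self) -> int:
        self.a = secrets.randbelow(N - 2) + 1
        self.A = pow(g, self.a, N)
        return self.A

    def respond(self, salt: bytes, B: int) -> bytes:
        if B % N == 0:
            raise ValueError("server sent an illegal public value")
        u = H(to_bytes(self.A), to_bytes(B))
        x = private_x(self.identity, self.password, salt)
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)   # equals g^(ab + bux)
        self.K = hashlib.sha256(to_bytes(S)).digest()
        self.M1 = proof(self.A, B, self.K)
        return self.M1

    def verify_server(self, M2: bytes) -> bool:
        expected = hashlib.sha256(to_bytes(self.A) + self.M1 + self.K).digest()
        return hmac.compare_digest(expected, M2)


def run_exchange(identity: str, enrolled_password: str, typed_password: str) -> bool:
    """Full login: True only if both proofs pass and both sides derived the same key."""
    salt, v = register(identity, enrolled_password)
    server, client = Server(salt, v), Client(identity, typed_password)
    A = client.start()
    M1 = client.respond(*server.challenge())
    M2 = server.finish(A, M1)
    return M2 is not None and client.verify_server(M2) and client.K == server.K


if __name__ == "__main__":
    print("correct password:", run_exchange("alice", "correct horse battery", "correct horse battery"))
    print("wrong password:  ", run_exchange("alice", "correct horse battery", "wrong horse"))
```

The shared key K is what the Berkeley paper's visual-hash comparison would be derived from: both ends hold it only if the password was right, and nothing password-equivalent crossed the wire, which is what makes a look-alike site unable to harvest credentials from the exchange.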
What are we really talking about here? Is it someone making online purchases with your credit card? Or is it someone transferring your money out of your bank account?
To me, those are both different aspects of the same issue, and that issue is: how do you correctly authenticate a person's identity from an anonymous terminal?
I don't believe you can. No matter how many security keys they have, they'll all be travelling over the same connection and all of them will be vulnerable to a man-in-the-middle attack. Anything you do with one computer online can be captured with another computer.
So, the solution is simple. Don't use a single avenue for all your authentication codes. Here are a couple of scenarios to illustrate that.
# 1. You authenticate to your bank online. You want to transfer funds to an account in Eastern Europe for some reason. You fill out all the info for the transfer and then you have to wait by the phone for the bank to call the number they have on record for you and hit "1" to confirm the transaction. Even if the phishers get your login info, they can't do anything without access to your phone. You authenticate over the Internet with your username/password and you confirm over the phone.
# 2. You want to order something from an online retailer. You fill up the shopping cart and go to checkout. At checkout, the retailer gives you a code number (right click to save to clipboard) identifying your purchase. You logon to your bank and paste that code into the online transaction field. The bank calls you to confirm the transaction. You press "1". The bank then sends the payment to the retailer so the retailer will NEVER see your credit card info. This also allows the bank to provide some historical data on disputes with that retailer.
The key concept is that the bank already has the info it needs to more accurately confirm your identity. The bank also has the phone systems in place to do automated calling and confirming. Why not use those items, together, to make online transactions more secure by requiring non-online final authentication?
Not only will this reduce phishing, but it will help reduce online scams from fake retailers.
You could even set the max single purchase and max daily purchase amounts with your bank. Even if everything else failed, you'd only be out whatever amount you set. For each purchase (add $1 convenience fee), the bank would generate a snail mail letter to your address of record and remind you of how much you spent, on what day, with what vendor.
Note: any online changes to your account info would likewise be confirmed via a phone call. If you're changing your phone number, you'd have to do it at a branch office and bring sufficient identification which would be scanned and stored.
SSL is used to encrypt the connection so no one outside can sniff it and collect things like your credit card info.
... for example. So, if I can get a certificate for that site, and the connection is a "secure" connection ... that means that it's not a phishing site, right? Wrong.
SSL is achieved via certificates issued by a "trusted authority". But that does not mean that the site you are securely connected to has anything to do with the organization that you believe you are connected to.
my.eBaySecurity.com
And that's supposing that the user even considers that an SSL connection (I'm not using the word "secure" in that) is necessary. A lot of the people falling for the phishing are not that enlightened.
And attempting to educate the end user is the most expensive and least effective approach to a problem.
This is significant, since you have a lot more phishing attacks targeting Paypal and eBay than the major banks these days.
RichM
Data Center Knowledge
Hand out Knoppix CDs to friends and family members and tell them to pop it in and reboot whenever they want to engage in secure banking.
Not that most of them will listen or bother to go through the "laborious boot process"... but those that do will have a much more secure experience.
Unless they use a proprietary dial-up application, Knoppix or another custom-designed distribution could handle the network aspect nicely.
Science : Proprietary , Knowledge : Open Source
To protect against phishing, doesn't it work the other way around? What is required is a way for the user to be sure of the website's identity, not the opposite. No?
This won't be cryptographically safe until the data held on the card is not directly readable. So magstripe cards are insufficient for this. All it needs is for the user to have spyware installed which snoops the data from the magstripe card next time it's scanned. Then the attacker has the right code to encrypt with the bank's public key himself and do what he likes with it.
This is what smartcards are for. With a cryptographic smartcard, you can never directly read the key off it. It does the cryptographic routines internally. The authentication can only ever succeed if the card is accessible at the time of the transaction so it can give the right 'answer' to the bank's 'question'. The 'question' of course is always unique to the transaction.
And besides, nearly everyone in the UK already has a smartcard from their bank.
Malike Bamiyi wanted my assistance.
Actually, you probably go into that branch (or the drive-thru) several times a month. The people there *know* you and have *seen you before*. The phone call to the other branch verified your bank account balance, and probably also did a quick check of your account history.
That's a *LOT* more secure than some "random ip address" if you ask me.
It wouldn't get the phisher anything to make random confirming phone calls. The calls have to be within a reasonable time frame from when you made the 1st confirmation online.
You connect to a phish site (my.ebaysecurity.com) which has a valid certificate for ebaysecurity.com so you have a "valid" SSL connection.
That site (my.ebaysecurity.com) takes all your keystrokes and uses them to logon to ebay.com as you.
That is what a man-in-the-middle attack is. And don't bother telling me that every user should check every certificate from every site and make sure that the site name is a legitimate site for that organization. Just look at citibank to see the problems with that.
And if you're going that route, why not just expect every user to understand digitally signed and encrypted email and the details of the SMTP protocol so they can identify the phishing emails from the start?
No. The solution has to work for everyone with the minimum of education on the systems.
Walking into a bank and pretending to be someone else does not scale very well, you can only walk into so many banks each day.
But online scams like phishing make it possible to scam hundreds, even thousands, of bank customers in just a few days. Now, which problem do you think the bank is most worried about?
Also most banks today have surveillance cameras recording everything, so it is somewhat easier to track you down afterwards compared to only having an IP address to go on.
http://www.ingdirect.com/ does something similar. You type in your account number, the answer to a question about you, and then click buttons 1-9 in order to enter your PIN. This foils the keystroke logging spybots.
Now, if the bank requires the user to press "1" on the phone within 1 minute of the transaction being processed, and the user fails to, the transaction fails. User fail, transaction fail. That's what is known as "good security practices".
In order for the user to be scammed in the second instance, the phisher would need to start a transaction successfully, the bank would call the user, and the user, for some reason, would confirm that he did just enter it and really does want to spend $10,000 on an item from some company in Poland.
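The bank-side flow proposed earlier in the thread (online request, bank-placed confirmation call, one-minute window, no online phone-number changes), as an added example written by me rather than taken from any poster or bank; the user name, phone number and amounts are constructed, and the clock is injected so the window can be exercised.

```python
"""Bank-side model of the out-of-band confirmation the thread proposes: a
transfer requested online is executed only after a "1" arrives on a call the
bank itself placed to the number on record, inside a short window.
Constructed illustration, not any bank's code."""
import secrets
from dataclasses import dataclass

CONFIRM_WINDOW = 60  # seconds: "press 1 on the phone within 1 minute"

@dataclass
class Transfer:
    user: str
    amount: int
    destination: str
    requested_at: float   # clock reading when the online request arrived

class Bank:
    def __init__(self, phone_on_record, clock):
        self.phone_on_record = phone_on_record   # user -> number the bank already holds
        self.clock = clock                       # callable returning seconds
        self.calls = {}                          # call_id -> Transfer awaiting a keypress
        self.executed = []

    def request_transfer(self, user, amount, destination):
        """Online leg: anyone holding the login (a phisher included) gets this far."""
        tx = Transfer(user, amount, destination, self.clock())
        call_id = secrets.token_hex(8)           # identifies the bank's outbound call
        self.calls[call_id] = tx
        # The bank dials the number on file; nothing about the call is shown online.
        return self.phone_on_record[user], call_id

    def keypress(self, call_id, digit):
        """Phone leg: a digit arrives on a call the bank placed."""
        tx = self.calls.pop(call_id, None)        # one chance per call
        if tx is None:
            return "no-such-call"                 # inbound calls from strangers carry no id
        if self.clock() - tx.requested_at > CONFIRM_WINDOW:
            return "expired"                      # no prompt confirmation, no transfer
        if digit != "1":
            return "declined"                     # the user did not recognise it
        self.executed.append(tx)
        return "executed"

    def change_phone_online(self, user, new_number):
        # Per the thread: phone changes happen at a branch with ID, never online.
        raise PermissionError("phone number on record cannot be changed online")
```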
Someone could still do a phishing site that grabbed the passwords and did a near-real-time attack on the real site.
I stopped using my Lloyds current account for various reasons (mainly to do with awful rates of interest). One other issue I had was trying to get a change of address authenticated remotely from the US. They absolutely refused to do it without auth (which was fine) but all they accepted was a photocopy of a passport. Any fake passport JPEG would have done.
What they ought to consider is giving out USB card readers for the chip-and-pin debit cards everyone has. Not only could the card do auth (if it was built in), but they could use it to kickstart an infrastructure for secure online purchase, in which the card # wasn't sent over the wire.
Obviously this solution is expensive and inconvenient because users have to get their hands on specialized hardware and carry it.
All they need to carry is a SHEET OF PAPER; it can be mailed with the monthly statement. (Can't you be bothered to read THREE sentences before you reply?)
All the user has to do to verify a site is to compare images that are derived as visual hashes of a common secret session key (used for encryption) and exchanged random data.
Using a visual hash to protect against keylogging is about as effective as putting a condom on your nose is against pregnancy. Visual hashes protect against impersonation/phishing, one-time passwords protect against eavesdropping/keylogging.
The Bank of Ireland and DOUBTLESS other banks were using SecurID-like devices literally 5 years ago. So what's the big deal here?
Why don't the banks issue super-lightweight client LiveCDs to access their online banking services? The advantages of a special protected client environment with no permanent storage are so huge, I suspect that for some unknown reason the US banking industry actually wants to be phished.
Could some kind body explain why?
It can't simply be that the banks are dumb can it?
Got that? Your system is failing TODAY. The bank calls the user. The user does not call the bank.
You got some basic problem with reading English? Maybe you're one of them people with a "learning disability"? Is that it? Or are you just stupid on your own?
The majority of people are just like you. They can't read correctly either which is why so many people lose so much money to phishing schemes. And you think they're going to get smarter? You are an idiot, aren't you?
I thought seriously about creating a custom Knoppix CD to do this kind of thing. I even got as far as successfully customizing a Knoppix build. Then I happened to get a laptop with WiFi. I couldn't be bothered to get Knoppix to work with it -- and the last time I checked, there was no way to run this card in Linux w/WPA turned on. So, the little pet project died.
Plus, printers, access to email, and the general inconvenience of rebooting (twice! once to Knoppix, once back to whatever) put me off the whole thing. AND I'm a reasonably technical person... I wouldn't dream of getting my Mom to try it.
If you stick to regular ethernet, and use a PDF writer, and require a USB key for storage... things become better. Still it would still be a long way from being an adequate solution for a bank to require everyone to use it.
Perhaps Slashdot could use something like this for anonymous posters instead of the sometimes difficult to read graphic word.
Maybe in your little idiot mind you can think of a magical way to wish they would, but in the real world, they don't and there's no reason to believe they will. Hey, Mr. Moron, you really do have a problem with basic English. It is your system because you proposed it. Maybe if you spend a bit more time on those special education course materials and less time trying to eat your own socks, you'd know that. Awwww, did I hurt the little 'tard's feelings? Why don't you run and cry to your mommy? Mommy will tell you what a bright little boy you are and how other people are mean for saying you can't read basic English.
But the fact is, you can't read basic English. You are an idiot.
Gotta go now. You can have the last word.