Slashdot Mirror


Lloyds TSB Pushing New Online Security Protocol

An anonymous reader writes "Looks like the two-factor bandwagon is beginning to roll in UK banking. The BBC is reporting that Lloyds TSB is issuing hard-tokens to 30,000 customers in an attempt to curtail phishing." From the article: "Until now, Lloyds TSB has used a two-stage system for identifying its customers. First, users must enter a username and password. Then, on a second screen, they are asked to use drop-down menus to choose three letters from a self-chosen memorable piece of information. The aim of using menus rather than the keyboard has been to defeat so-called 'keyloggers', tiny bits of software which can be used by hackers who have breached a PC's security to read every key pressed and thus sniff out passwords. But newer keyloggers now also take screenshots, which can reveal the entire memorable word after the bank's website has been used just a few times."

14 of 228 comments

  1. What's new with this? by Z00L00K · · Score: 2, Informative

    Swedish banks have been using a code-gadget much like a calculator for years now!

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    1. Re:What's new with this? by rylin · · Score: 2, Informative

      http://www.vasco.com/products/product.html?product=48 is what SEB gave me roughly 5 years ago IIRC.
      The only thing that bothers me is that I can't have two (one at work, one at home), but that's just a minor bother.

    2. Re:What's new with this? by LokiOfRagnar · · Score: 2, Informative

      Mmm, Dutch banks don't seem to have that problem. I have a small calculator for which I need my debit card and a pin code to generate a time dependent 8 digit number which has only single use validity. I can't figure why people trust username password stuff for their banking....

      cheers,
      Aad

      --
      maybe the American lunar expedition did not leave Hollywood at all.
  2. Re:Good for them. by GekkePrutser · · Score: 5, Informative

    If these devices work like the RSA SecurID does, clock lagging is not a problem. Every time the customer logs in, the server accepts not just the current password, but also the next and previous x (10, for example) passwords. So if the clock is a bit off, it will still accept the password.

    Furthermore, once the password is accepted the server will then know exactly how far off the clock in the keyfob is and change its 'expected' timeslot accordingly. This only goes wrong if the customer doesn't log in for extremely long times, which shouldn't happen much anyway.
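
The acceptance window and clock-offset tracking described in the comment above, as an added example that is not part of the original thread or of RSA's product. SecurID's algorithm is proprietary, so the block uses the public RFC 6238 TOTP construction (HMAC-SHA1, 30-second steps, dynamic truncation) as a stand-in; the window of 10 steps, the seed, the timestamps and the record layout are assumptions made for illustration.

```python
"""Time-based one-time codes with a drift window and per-token clock
offset, the verification scheme comment 2 describes for RSA SecurID.

Added example, not code from the original page or from RSA. It uses the
public RFC 6238 TOTP construction (HMAC-SHA1, 30 s steps, dynamic
truncation) as a stand-in for SecurID's own algorithm; the window of
10 steps, the seed and the record layout are assumptions for illustration.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # assumed cadence of the fob display
WINDOW = 10         # accept expected step +/- 10 steps: the "x" in the comment
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def time_step(unix_time: int) -> int:
    return unix_time // STEP_SECONDS


class TokenRecord:
    """Server-side state for one fob: seed, learned clock offset in steps,
    and the last accepted step so an accepted code cannot be replayed."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.offset_steps = 0   # fob clock relative to server: + fast, - slow
        self.last_step = -1


def token_code(record: TokenRecord, fob_clock: int) -> str:
    """What the fob displays, given its own (possibly drifted) clock."""
    return hotp(record.secret, time_step(fob_clock))


def verify(record: TokenRecord, code: str, server_time: int) -> bool:
    """Accept if the code matches any step within WINDOW of the expected step
    (server time corrected by the learned offset). On success, move the
    offset to where the fob actually is and remember the step, so the next
    login expects the fob's real position and this code is spent."""
    expected = time_step(server_time) + record.offset_steps
    for delta in range(-WINDOW, WINDOW + 1):
        step = expected + delta
        if step <= record.last_step:
            continue    # at or before an already-accepted step: replay, skip
        if hmac.compare_digest(hotp(record.secret, step), code):
            record.offset_steps += delta   # resync to the fob's drift
            record.last_step = step
            return True
    return False   # outside the window: needs an out-of-band resync


def demo() -> dict:
    """Fob running 4 minutes slow (8 steps), checked now and an hour later;
    a second fob 20 minutes slow falls outside the window. Times are
    constructed, not captured."""
    secret = b"12345678901234567890"          # constructed seed
    now, slow, very_slow = 1_700_000_000, 240, 1200
    rec = TokenRecord(secret)
    first = verify(rec, token_code(rec, now - slow), now)
    replay = verify(rec, token_code(rec, now - slow), now)
    later = verify(rec, token_code(rec, now + 3600 - slow), now + 3600)
    rec2 = TokenRecord(secret)
    too_far = verify(rec2, token_code(rec2, now - very_slow), now)
    return {"first": first, "replay": replay, "later": later,
            "offset_steps": rec.offset_steps, "too_far": too_far}


if __name__ == "__main__":
    print(demo())
```

Two practitioner notes on this design. The automatic resync only works while the fob stays inside the window; a fob that has drifted further is rejected every time and has to be re-synchronised out of band, which is the helpdesk case a later comment complains about. And widening the window multiplies an attacker's odds of guessing a valid code by (2x+1), so the `last_step` replay check and rate limiting on failed attempts matter more as the window grows.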

  3. Identity 2.0 by propagandize · · Score: 2, Informative

    This is pretty cool, but as someone else noted, a lot of accounts means a lot of fobs. The CEO of Sxip did an entertaining presentation on these types of issues. One piece that would be relevant is the idea of separating the credentialing from the site.

    http://www.identity20.com/media/OSCON2005/

  4. Re:Fob size by EasyTarget · · Score: 2, Informative

    They need to come up with a way to embed the device into a credit card.

    Here in the Netherlands my bank uses a machine that you put your bank card into (it is a chip/pin card), you then tap in your pin and an 8 digit number displayed during the login sequence. The machine gives you a response that you enter back on the page.

    You get challenged a second time when you commit all the transactions you have made during the session, you see the transactions and do another code/response cycle to commit them.

    Yeah it's a hassle but I do sooo like having a full-feature online bank account that nobody else can get at, even with a keylogger, even if I use it from an internet cafe.

    Any machine will work with any card! I've used my friends' machines at their house no problem. It's small, ubiquitous and the batteries seem to last a crazy amount of time, mine is 4 years old and still going.

    The downside of all the above is that if anyone gets your card and pin they can also do online banking as well as cashpointing the money. But it's tied to the card (you have to tell the website its issue number), once a card is reported stolen it will not work online either.

    I'm sure there is some attack for it, but it beats anything else I have seen hands down. Bank is ABN AMRO.

    --
    "Oops, I always forget the purpose of competition is to divide people into winners and losers." - Hobbes
  5. Re:Phishing is still a problem by vrai · · Score: 2, Informative

    If the fob's anything like the RSA Secure-Key cards then the code will change every 30 seconds. That dramatically limits the window of opportunity for a thief. Under the current system they can phish for thousands of username/password combinations and use them at their leisure.

  6. EDUCATION by Spy+der+Mann · · Score: 2, Informative

    Whenever you get a bank account, you should get a pamphlet saying "How to recognize SCAM emails".

    I'm sure this nifty trick would do wonders and prevent people from falling into phishing scams.

  7. Re:Good for them. by Suppafly · · Score: 2, Informative

    Having worked somewhere that uses securid, I can tell it doesn't work that slickly. Granted it's not that horrible to have to call the helpdesk and have them resync the token using ace server, but it is annoying.

  8. Re:Good for them. by Tet · · Score: 2, Informative
    Their IT department seems to be on the ball.

    Ha ha ha ha ha. I used to work for them until a couple of months ago, and you will never find a more useless bunch of bureaucratic fools. They are anything but on the ball. They are, however, running scared. LTSB has suffered abnormally high losses due to fraud last year, and they're flailing around clutching at straws to try and find a solution. I told them that the "memorable phrase" thing wouldn't work for long, and wouldn't provide much extra security, but they went ahead with it anyway.

    It'll be interesting to see if a widescale rollout of tokens (IIRC, they're rebadged SecurID) leads to a more sustained attack on the token generation algorithm. It's rumoured to have already been cracked, but there's precious little information available about it if it has been.

    --
    "The invisible and the non-existent look very much alike." -- Delos B. McKown
  9. Re:Phishing is still a problem by mindstrm · · Score: 2, Informative

    But that's not really phishing.. that's a man in the middle attack, and is already prevented in theory by SSL certificates.

    The danger with phishing is people not realizing their information has been stolen, and that information is used at a later date.

  10. Re:Phishing is still a problem by Anonymous Coward · · Score: 1, Informative
    It's phishing and a man-in-the-middle attack. You're going to a fake site without an SSL certificate (phishing), entering your credentials -- now including the rolling code (phishing), and the phishing site accesses your bank with your credentials (MitM). It's just a real-time version of phishing; it has to be real-time because of the rolling code. It requires more sophistication because the phishing site has to mimic the bank's web server responses in real time and play them back to the luser, but it's doable. Might even be doable with Apache's mod_proxy with just a few lines in a config file.


    In this attack, SSL certificates only would come into play between the bank site and the phishing site. Surely the phishing site will recognize the bank's SSL certificates. If everybody would use SSL certificates, there would be no phishing.


    Somewhat OT: I still get legitimate emails from a financial institution (IIRC, Fidelity Investments) with http (not https) URLs in them. Idiots!

  11. Two-factor Coming to 1 Million Paypal Accounts by miller60 · · Score: 3, Informative
    Two-factor authentication was a big part of the recent eBay-VeriSign deal. The headlines all mentioned eBay buying VeriSign's payment processing unit for $370 Million. But the agreement also calls for eBay to buy up to 1 million two-factor authentication tokens from VeriSign for use on Paypal. eBay will start rolling out the two-factor authentication tokens to Paypal and eBay users in 2006, including marketing and security programs designed to "promote customer adoption."

    This is significant, since you have a lot more phishing attacks targeting Paypal and eBay than the major banks these days.

  12. Magstripes are bad. by labratuk · · Score: 2, Informative

    This won't be cryptographically safe until the data held on the card is not directly readable. So magstripe cards are insufficient for this. All it needs is for the user to have spyware installed which snoops the data from the magstripe card next time it's scanned. Then the attacker has the right code to encrypt with the bank's public key himself and do what he likes with.

    This is what smartcards are for. With a cryptographic smartcard, you can never directly read the key off it. It does the cryptographic routines internally. The authentication can only ever succeed if the card is accessible at the time of the transaction so it can give the right 'answer' to the bank's 'question'. The 'question' of course is always unique to the transaction.

    And besides, nearly everyone in the UK already has a smartcard from their bank.

    --
    Malike Bamiyi wanted my assistance.
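
The card-reader scheme of comments 4 and 12 (a challenge unique to the attempt, answered by a card whose key is never readable) and the real-time relay of comment 10, as an added example that is not part of the original thread or of any bank's reader. The card is modelled as an HMAC-SHA256 oracle; the 8-digit format, the single-use nonces, the PIN check and the "sign mode" in which the user keys the nonce, the amount and the payee into the reader are assumptions (the post only describes typing a number shown on the page). The account strings, key and PIN are constructed.

```python
"""Chip-card challenge/response for login and for committing a transfer,
modelled on the card reader of comments 4 and 12, plus the real-time relay
of comment 10, which defeats the login step but not a response that is
bound to the transaction.

Added example, not code from the page or from any bank's reader. The card
is an HMAC-SHA256 oracle whose key never leaves the object; the 8-digit
format and the "sign mode" in which the user keys the bank's nonce, the
amount and the payee into the reader are assumptions (the post only
describes typing a number shown on the page).
"""
import hashlib
import hmac
import secrets
from typing import Optional


def digits8(mac: bytes) -> str:
    """Reduce a MAC to the 8 decimal digits a reader display can show."""
    return f"{int.from_bytes(mac[:8], 'big') % 10 ** 8:08d}"


class ChipCard:
    """Exposes only respond(); the key cannot be read out, unlike a magstripe,
    whose contents any reader (or spyware behind one) can copy."""

    def __init__(self, card_id: str, key: bytes, pin: str):
        self.card_id, self._key, self._pin = card_id, key, pin

    def respond(self, pin: str, data: str) -> Optional[str]:
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            return None      # wrong PIN: the card computes nothing
        return digits8(hmac.new(self._key, data.encode(), hashlib.sha256).digest())


class Bank:
    """Holds a copy of each card's key, issues fresh nonces, accepts each once."""

    def __init__(self):
        self.keys = {}       # card_id -> key
        self.pending = {}    # (card_id, purpose) -> nonce awaiting a response

    def enrol(self, card_id: str, key: bytes) -> None:
        self.keys[card_id] = key

    def _nonce(self, card_id: str, purpose: str) -> str:
        nonce = f"{secrets.randbelow(10 ** 8):08d}"   # fresh per attempt
        self.pending[(card_id, purpose)] = nonce
        return nonce

    def _check(self, card_id: str, data: str, response: Optional[str]) -> bool:
        if response is None:
            return False
        mac = hmac.new(self.keys[card_id], data.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(digits8(mac), response)

    # Login: the page shows a nonce, the user keys it into the reader.
    def login_challenge(self, card_id: str) -> str:
        return self._nonce(card_id, "login")

    def verify_login(self, card_id: str, response: Optional[str]) -> bool:
        nonce = self.pending.pop((card_id, "login"), None)   # single use
        return nonce is not None and self._check(card_id, f"LOGIN:{nonce}", response)

    # Commit: the response covers the nonce and the transfer as submitted.
    def transfer_challenge(self, card_id: str) -> str:
        return self._nonce(card_id, "sign")

    @staticmethod
    def sign_data(nonce: str, amount: str, payee: str) -> str:
        return f"SIGN:{nonce}:{amount}:{payee}"

    def verify_transfer(self, card_id: str, amount: str, payee: str,
                        response: Optional[str]) -> bool:
        nonce = self.pending.pop((card_id, "sign"), None)
        return nonce is not None and self._check(
            card_id, self.sign_data(nonce, amount, payee), response)


def scenarios() -> dict:
    """Honest login; a captured response replayed in a later session (fails,
    the question changed); a phishing proxy relaying the login live (succeeds);
    a relay that swaps the payee (fails, the user keyed the real payee into
    the reader); an honest transfer. Key, PIN and accounts are constructed."""
    key, pin = secrets.token_bytes(16), "4321"
    card, bank = ChipCard("card-01", key, pin), Bank()
    bank.enrol(card.card_id, key)
    out = {}
    n = bank.login_challenge(card.card_id)
    r = card.respond(pin, f"LOGIN:{n}")
    out["honest_login"] = bank.verify_login(card.card_id, r)
    bank.login_challenge(card.card_id)                    # new session, new nonce
    out["replayed_login"] = bank.verify_login(card.card_id, r)
    n = bank.login_challenge(card.card_id)                # proxy's own session with the bank
    out["relayed_login"] = bank.verify_login(card.card_id, card.respond(pin, f"LOGIN:{n}"))
    n = bank.transfer_challenge(card.card_id)
    r = card.respond(pin, Bank.sign_data(n, "250.00", "NL00RENT0001"))   # what the user keyed
    out["altered_payee"] = bank.verify_transfer(card.card_id, "250.00", "NL00MULE0002", r)
    n = bank.transfer_challenge(card.card_id)
    r = card.respond(pin, Bank.sign_data(n, "250.00", "NL00RENT0001"))
    out["honest_transfer"] = bank.verify_transfer(card.card_id, "250.00", "NL00RENT0001", r)
    out["wrong_pin"] = card.respond("0000", "LOGIN:00000000")
    return out


if __name__ == "__main__":
    print(scenarios())
```

The caveat a practitioner should take from the scenarios: a card-computed response stops replay (the nonce changes every attempt, so a stolen answer is useless later) but not a live relay, because the card cannot tell who asked the question. The commit step only defeats the payee swap here because the signed data includes the amount and payee the user keyed in personally; if the reader is fed nothing but a bank-chosen number shown on the (possibly proxied) page, as the post describes, the relay of comment 10 would pass the commit step as easily as the login.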