Lloyds TSB Pushing New Online Security Protocol
An anonymous reader writes "Looks like the two-factor bandwagon is beginning to roll in UK banking. The BBC is reporting that Lloyds TSB is issuing hard-tokens to 30,000 customers in an attempt to curtail phishing." From the article: "Until now, Lloyds TSB has used a two-stage system for identifying its customers. First, users must enter a username and password. Then, on a second screen, they are asked to use drop-down menus to choose three letters from a self-chosen memorable piece of information. The aim of using menus rather than the keyboard has been to defeat so-called 'keyloggers', tiny bits of software which can be used by hackers who have breached a PC's security to read every key pressed and thus sniff out passwords. But newer keyloggers now also take screenshots, which can reveal the entire memorable word after the bank's website has been used just a few times."
As always, it's a shame that people with the cleverness and skill to devise new phishing tricks don't opt for the lower income and increased job security and satisfaction of being useful, instead of being destructive pricks whose only long-term result is making everyone else's life more difficult.
Any step that is taken to isolate a feature of online security from your PC is going to make it more secure. It'll probably inconvenience people in a lot of situations though: say you're abroad and you've had your bags & wallet stolen, including your hard key. You won't be able to access your online account to get money transferred locally etc. Still, sounds good to me :o)
When the posters fear their moderators, there is tyranny; when the moderators fears the posters, there is liberty.
Your RSA issued token access has officially been revoked due to security concerns. Please mail the token to the address below along with your account number.
Regards,
Bank President
Next up, perhaps they can fix it so their online banking isn't offline between 12am and 4am. Not everyone is tucked up in bed at that time!
> Instead, just publicly announce your policy that you will NEVER use
> external email to communicate with customers.
Why do you think that would help? Banks already tell their customers that they will NEVER send them emails requesting account information.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
During my tenure, we were issued hardware tokens that had our individual cert on it, and we could use the cert for any number of things (such as email authentication, email signing, logging into online banking, encrypting and storing documents using an electronic vault, etc). But it was also inconvenient as we had to be using a machine that could read and utilize the USB token.
If you had physical access to someone's hardware token, it wasn't difficult to use it to pretend you were someone else. End users select very weak passwords, usually have the passwords to their tokens written down on post-it notes stuck to their screen or on their desk, and people in general are just too trusting.
As other posters have mentioned, you could ask an end user to USPS their hardware token to you with their password and all other relevant information, and many end users would probably do it without question.
Why haven't digital certificates become more mainstream? It's still too inconvenient in many cases, and it doesn't fix the weakest link - the end user.
People today demand convenience, and having to carry around a physical hardware token to do things on-line just is not convenient, especially when you find yourself in front of a computer that doesn't have USB, doesn't know how to read the USB token, or doesn't have the appropriate software to utilize the hardware token in the first place.
RSA access tokens occasionally need to be 'resynched'. Many systems, like the RSA SecurID, do this automatically when you log in by accepting the last and previous 10 passwords or whatever. But, if a customer hasn't logged in for a long time, the token can become wayyyy out of sync. So, typically they have to have it resynched in some way. This could involve logging into some known-secure web page and entering in some user information and the current number on the token, or by calling support and telling them what the current number on the token is.
Phishing is possible for at least one password by posing as a 'resync' page or as support personnel. Additionally, if the phisher is sophisticated and has the right software and sufficient computing power, the phisher may be able to deduce the private 'seed key' so that he can get ALL the passwords.
It's important to remember that there is no such thing as an uncrackable security system.
The phishing messages say that there has been a problem with your account and that you need to log in to fix the problem (click here).
But that isn't the real bank's site. It's a phishing site set up to look just like the real bank's site and it will collect their login info when they try to log in.
Banks use email for all kinds of crap and their customers get used to the concept of receiving email from their bank with requests to click on links. This is because email is a very inexpensive way for banks to send ads and crap to their customers.
In order to end phishing, the banks will have to give up the cheap advertising medium of email. No email at all. Ever. You will NEVER receive ANY email from ANYONE from this bank for ANY reason. EVER.
If they really need to contact you, they have your phone numbers, your address, your social security number and so forth. They will NOT have a problem finding you and letting you know that there has been a problem.
As long as the info is travelling over one channel (your Internet connection to that bank), you're still vulnerable to a man-in-the-middle attack.
This method doesn't provide any more security, just more toys to lose.
Now, if they tied those key-fobs to the cell network and you had to confirm the transaction that you entered via the Internet with a cell connection from the key-fob, that would be sufficient 2 factor security.
But that costs even more than the key-fobs they have now and the key-fobs make the users FEEL more "secure" because they don't understand man-in-the-middle attacks.
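The two mechanisms discussed in the SecurID resync comment and in the man-in-the-middle comment above, written out as an added example (this is not code from the thread, from RSA or from Lloyds TSB): a counter-based token verifier in the style of RFC 4226 HOTP with a look-ahead window and a two-code resync, plus a transaction-bound code where the payee and amount are mixed into the MAC, so a code relayed through a fake site only authorises the transaction the user actually saw. The `TokenVerifier` class and the `transaction_code` message layout are hypothetical constructions for illustration.

```python
import hmac
import hashlib
import struct


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: 31 bits taken at an offset chosen by the MAC's last nibble."""
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based one-time code: HMAC-SHA1 over the 8-byte big-endian counter."""
    return _truncate(hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest(), digits)


def transaction_code(secret: bytes, counter: int, payee: str, amount_pence: int, digits: int = 6) -> str:
    """Transaction-bound code (hypothetical layout): payee and amount are mixed into the MAC,
    so a code captured by a man-in-the-middle only authorises the transaction the user saw."""
    msg = struct.pack(">Q", counter) + f"{payee}|{amount_pence}".encode()
    return _truncate(hmac.new(secret, msg, hashlib.sha1).digest(), digits)


class TokenVerifier:
    """Server-side state for one user's token (hypothetical bank back end).
    `window` is the look-ahead drift tolerance the SecurID comment describes."""

    def __init__(self, secret: bytes, window: int = 10):
        self.secret, self.window, self.counter = secret, window, 0

    def verify(self, code: str) -> bool:
        for i in range(self.window):
            if hmac.compare_digest(hotp(self.secret, self.counter + i), code):
                self.counter += i + 1  # move past the used code, so a replayed code is rejected
                return True
        return False

    def resync(self, code1: str, code2: str, search: int = 10_000) -> bool:
        """Out-of-window resync. Two consecutive codes are required, so a single code
        phished through a fake 'resync' page is not enough to re-align the counter."""
        for c in range(self.counter, self.counter + search):
            if hmac.compare_digest(hotp(self.secret, c), code1) and \
                    hmac.compare_digest(hotp(self.secret, c + 1), code2):
                self.counter = c + 2
                return True
        return False
```

The `hotp` function reproduces the RFC 4226 test vectors (secret `12345678901234567890`, counter 0 gives `755224`), which is a quick way to check a deployment's verifier against a known token.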
Why hasn't anyone questioned the root of the problem to begin with: people have spyware? The approach taken here is akin to handing out bullet-proof vests in a high crime area because there's a chance you *might not* die. I know that it's better than nothing, and IT security across the net is not entirely the banks' and financial institutions' fault, but if I were facing the amount of pressure that they face from malware, then I'd at least try to put up a fight against the root cause. Kudos to the cleverness on their part to protect themselves and their clients, but I think the real problem of IT security is being largely ignored in favor of clever work-arounds.
The eternal struggle of good vs. evil begins within one's self.