Lloyds TSB Pushing New Online Security Protocol
An anonymous reader writes "Looks like the two-factor bandwagon is beginning to roll in UK banking. The BBC is reporting that Lloyds TSB is issuing hard-tokens to 30,000 customers in an attempt to curtail phishing." From the article: "Until now, Lloyds TSB has used a two-stage system for identifying its customers. First, users must enter a username and password. Then, on a second screen, they are asked to use drop-down menus to choose three letters from a self-chosen memorable piece of information. The aim of using menus rather than the keyboard has been to defeat so-called 'keyloggers', tiny bits of software which can be used by hackers who have breached a PC's security to read every key pressed and thus sniff out passwords. But newer keyloggers now also take screenshots, which can reveal the entire memorable word after the bank's website has been used just a few times."
and two credit card accounts, all with different corporations
and I'm looking at the size of that thing, and going, DAMN, I hope they don't all send me such huge fobs...
every day http://en.wikipedia.org/wiki/Special:Random
...is definitely the way to go for high-security environments. Something you have and something you know. It's hard for someone to steal both, at least without you knowing it. However, I wonder if this is practical for consumer markets like this. All we need is for both of my banks to send me a key card, my cell phone company to send me one (so I can pay online), my credit card companies to send me one, etc. In the end, lazy people will just find tricks around them, the same way lazy people write down passwords when complexity rules are enforced.
I believe these are linked to a timer, but seeing as neither my digital watch nor my PC (linked to NTP) can keep accurate time much longer than a week, what is the drift like on these hard tokens, and why do PCs and digital watches drift in the first place? I thought accuracy was supposed to be the selling point of digital.
I need to click in my password... what crazy stuff.
Lucky that they still left the old type-in interface.
https://www.citibank.co.in/infojsp/login/guestlog
The funny (sort of) thing about crime is that criminal jobs suck. Take being a drug dealer. Your clients won't pay you. You get calls at all hours of the day and night. Your competition wants to shoot you and the police will give you 5 to 10. If you put this much effort into running a convenience store you would be rich.
Please sign petition to restore sanity to our banking system!!!
http://financialpetition.org/
1. The user gets an e-mail asking him to log on to the bank site.
2. The user enters the code from the keyfob into the phishing site.
3. The phishing site logs into the real banking site using the just-harvested code.
4. The phishing site performs a transaction on the real site and asks the user for a code again to confirm the transaction.
So the users have a false sense of security, the bank still loses money (on top of the devices' cost), and who is going to pay for it in the end? You think the bank is going to eat the cost?
That's only slightly tongue-in-cheek. (Yes, I know that between all the holes in the OS and all the holes in users' heads, screen-loggers will get installed with admin privileges.)
As much as I hate DRM ("let's assume 100% of computer users are illegal content distributors" and inconvenience everyone), it seems that it could be useful as part of locking down a machine from copying selected types of data to unauthorized external locations.
Two wrongs don't make a right, but three lefts do.
If a bad guy somehow cracked my password, he could only check my account (bad for my privacy, but not the end of the world). To empty my account he would have to get my password, my mobile and its PIN code.
karma police: arrest this man, he talks in maths; he buzzes like a fridge, he's like a detuned radio. [radiohead]
In Ireland, you had a PIN number, a password, and several security questions like "Where were you born?" and "What are the last 3 numbers of your contact phone number?"
Not too bad, but as the article says, easy to get over a period of time, if you have keyboard loggers.
In Sweden, with a system that is apparently years old, you get a secure key-fob from www.vasco.com, and that's it. You enter your account number, then activate your key-fob, enter your PIN into that, then two 4-digit random numbers from the login screen, and it will give you a single 6-digit number to enter into the login screen, and that's it. Plus the website (SEB bank) is perfectly happy with IE or Firefox, Safari, Camino.
Scandinavia is the Mac of the social world, they do everything years ahead of the rest of the pack.
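The challenge-response flow described in the post above, as an added illustration that is not the poster's code and not Vasco's or SEB's actual algorithm: the fob combines its secret with the PIN and the two 4-digit challenges, the server verifies the 6-digit answer, and each challenge is single-use so a captured answer cannot be replayed. The HMAC-SHA256 derivation, the working-key construction and the account numbers are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

def working_key(fob_key: bytes, pin: str) -> bytes:
    """Key the fob actually uses: its stored secret bound to the PIN (assumed construction).
    The server stores only this derived key at enrolment, never the PIN itself."""
    return hmac.new(fob_key, pin.encode(), hashlib.sha256).digest()

def fob_response(fob_key: bytes, pin: str, challenge: str) -> str:
    """What the key-fob displays: a 6-digit code bound to the PIN and both challenge numbers."""
    mac = hmac.new(working_key(fob_key, pin), challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"

class BankLogin:
    """Server side of the login screen (constructed for the example)."""

    def __init__(self):
        self.keys = {}      # account number -> working key from enrolment
        self.pending = {}   # account number -> outstanding challenge

    def enrol(self, account: str, fob_key: bytes, pin: str) -> None:
        self.keys[account] = working_key(fob_key, pin)

    def challenge(self, account: str) -> str:
        # Two fresh random 4-digit numbers shown on the login screen.
        c = f"{secrets.randbelow(10000):04d} {secrets.randbelow(10000):04d}"
        self.pending[account] = c
        return c

    def login(self, account: str, response: str) -> bool:
        # pop(): a challenge is consumed on the first attempt, so a replayed answer fails.
        c = self.pending.pop(account, None)
        if c is None or account not in self.keys:
            return False
        mac = hmac.new(self.keys[account], c.encode(), hashlib.sha256).digest()
        expected = f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"
        return hmac.compare_digest(expected, response)
```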
The funny (sort of) thing about crime is that criminal jobs suck. Take being a drug dealer. Your clients won't pay you. You get calls at all hours of the day and night. Your competition wants to shoot you and the police will give you 5 to 10. If you put this much effort into running a convenience store you would be rich.
There is a very interesting article on this in Freakonomics analyzing the earnings of a Chicago drug gang. The interesting points:
1. The street-level dealer would make more working at McDonald's than dealing drugs, with the added bonus of not being shot or arrested;
2. The gang was organized much like a corporation, with the CEO making the most money and the workers getting very little.
The leaders also hated competition amongst gangs - turf wars were costly and drove away customers.
I highly recommend the book.
I'm a consultant - I convert gibberish into cash-flow.
I use a SecurID at work, and it definitely does not allow me to use the previous 10 codes.
What it does do, is keep track of how my token's clock seems to be drifting, based on where it calculates my token should be vs what I'm punching in.
My first entry after a week off has a moderate amount of slack - I can use a code that has rotated off within about 3 seconds of it vanishing. After a couple of code entries, I have no slack at all - the servers have my token's drift pegged down to the tenth of a second.
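The server behaviour described in the post above, as an added example that is not the poster's code and not RSA's SecurID algorithm: a time-based verifier that accepts a wide window until it has seen a valid code, records the token's clock offset, then tightens the window and refuses any code at or before the last accepted time step so used codes cannot be replayed. The HMAC-SHA1 code derivation, the 60-second step and the window sizes are assumptions for the example.

```python
import hashlib
import hmac
import struct

STEP = 60      # seconds per code (assumed for the example)
DIGITS = 6

def code_at(secret: bytes, t: int) -> str:
    """Code the token shows at second t: HMAC-SHA1 over the time-step counter, truncated to 6 digits."""
    counter = struct.pack(">Q", t // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    val = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10**DIGITS
    return f"{val:0{DIGITS}d}"

class DriftAwareVerifier:
    """Server-side check that learns the token's clock drift (constructed for the example)."""

    def __init__(self, secret: bytes, wide_window: int = 3, tight_window: int = 1):
        self.secret = secret
        self.wide, self.tight = wide_window, tight_window
        self.drift_steps = 0     # learned offset of the token clock, in steps
        self.synced = False      # becomes True after the first accepted code
        self.last_step = -1      # highest time step already used for a login

    def verify(self, code: str, now: int) -> bool:
        window = self.tight if self.synced else self.wide
        expected = now // STEP + self.drift_steps
        for delta in range(-window, window + 1):
            step = expected + delta
            if step <= self.last_step:
                continue         # replay protection: older or already-used codes never match
            if hmac.compare_digest(code_at(self.secret, step * STEP), code):
                self.drift_steps += delta   # refine the drift estimate from this login
                self.synced = True
                self.last_step = step
                return True
        return False
```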
I don't understand why US and UK banks make two factor authentication so complicated. A printed list of one-time passwords is excellent protection against keyloggers and requires no extra hardware. Banks in continental Europe have been using them for years, and users seem to be able to get along with them just fine.
I think that the value of the "memorable information" stage is that it protects against the problem of someone occasionally logging on at an insecure computer.
Say I log on to my account once from an Internet cafe, where a rogue employee has installed key-loggers/screenshot-takers on the terminals. Say my memorable information is 10 letters long; there would be... 120 different combinations of the letters that could be asked for. That means that the information the attacker has from my one compromised login will be useful once every 120 successful logins. So the attacker would have to be very lucky in timing his attack to coincide with when that combination of letters has come around again, and would probably have to make a noticeably large number of unsuccessful login attempts, which would presumably cause access to be frozen.
Was that scenario part of the decision to use this feature, or was it purely to protect against keystroke loggers?
Hand out Knoppix CDs to friends and family members and tell them to pop it in and reboot whenever they want to engage in secure banking.
Not that most of them will listen or bother to go through the "laborious boot process"... but those that do will have a much more secure experience.
Unless they use a proprietary dial-up application, Knoppix or another custom-designed distribution could handle the network aspect nicely.
Science : Proprietary , Knowledge : Open Source
To protect against phishing, doesn't it work the other way around? What is required is a way for the user to be sure of the website's identity, not the opposite. No?
Why don't the banks issue super-lightweight client LiveCDs to access their online banking services? The advantages of a special protected client environment with no permanent storage are so huge, I suspect that for some unknown reason the US banking industry actually wants to be phished.
Could some kind body explain why?
It can't simply be that the banks are dumb can it?
I thought seriously about creating a custom Knoppix CD to do this kind of thing. I even got as far as successfully customizing a Knoppix build. Then I happened to get a laptop with WiFi. I couldn't be bothered to get Knoppix to work with it -- and the last time I checked, there was no way to run this card in Linux with WPA turned on. So, the little pet project died.
Plus, printers, access to email, and the general inconvenience of rebooting (twice! once to Knoppix, once back to whatever) put me off the whole thing. AND I'm a reasonably technical person... I wouldn't dream of getting my Mom to try it.
If you stick to regular ethernet, use a PDF writer, and require a USB key for storage... things become better. Still, it would be a long way from being an adequate solution for a bank to require everyone to use it.