Slashdot Mirror


Lloyds TSB Pushing New Online Security Protocol

An anonymous reader writes "Looks like the two-factor bandwagon is beginning to roll in UK banking. The BBC is reporting that Lloyds TSB is issuing hard-tokens to 30,000 customers in an attempt to curtail phishing." From the article: "Until now, Lloyds TSB has used a two-stage system for identifying its customers. First, users must enter a username and password. Then, on a second screen, they are asked to use drop-down menus to choose three letters from a self-chosen memorable piece of information. The aim of using menus rather than the keyboard has been to defeat so-called 'keyloggers', tiny bits of software which can be used by hackers who have breached a PC's security to read every key pressed and thus sniff out passwords. But newer keyloggers now also take screenshots, which can reveal the entire memorable word after the bank's website has been used just a few times."

6 of 228 comments (clear)

  1. I have four bank accounts... by way2trivial · · Score: 4, Interesting

    and two credit card accounts, all with different corporations

    and I'm looking at the size of that thing, and going, DAMN, I hope they don't all send me such huge fobs...

    --
    every day http://en.wikipedia.org/wiki/Special:Random
  2. Two-Factor... by WhoDey · · Score: 4, Interesting

    ...is definately the way to go for high-security environments. Something you have and something you know. It's hard for someone to steal both, at least without you knowing it. However, I wonder if this is practical for consumer markets like this. That's all we need is for both of my banks to send me a key card, my cell phone company to send me one (so I can pay online), my credit card companies to send me one, etc. In the end, lazy people will just find tricks around them, the same way lazy people write down passwords when complexity rules are enforced.

  3. Phishing is still a problem by ingo23 · · Score: 5, Interesting
    After reading the article, I figured out that even the rolling password will not help much with the phishing problem. Imagine the following scenario:

    1. The user gets an e-mail asking him to log on to the bank site.
    2. The user enters the code from the keyfob into the phishing site
    3. Phishing site logs into the real banking site using just harvested code
    4. Phishing site performs a transaction on the real site and ask the user for a code again to confirm the transaction.

    So the users have false sense of security, bank still loses money (on top of the devices cost) and who is going to pay for it in the end? You think the bank is going to eat the cost?

  4. SMS by photonic · · Score: 4, Interesting
    My bank, used to rely on both a password and a 'TAN'-code, which is a number that is usable only once. They would send you a list of say 20 numbers by certified mail and every time you make a transaction you would use one number. The new system uses SMS to send the code. To make a transaction you log in to your account, fill in all the details of the money transfer and press the send button. You then receive a SMS some 15 seconds later, copy the number in your browser and you're done. The good thing is that you can access your account from anywhere, since you are carrying your mobile anyhow.

    If a bad guy would somehow crack my password he could only check my account (bad for my privacy, but not the end of the world). To empty my account he would have to get my password, my mobile and its pin-code.

    --
    karma police: arrest this man, he talks in maths; he buzzes like a fridge, he's like a detuned radio. [radiohead]
  5. I moved from Ireland to Sweden; by Biotech9 · · Score: 3, Interesting

    In Ireland, you had a PIN number, a password, and several security questions like "Where were you born?" "what are the last 3 numbers of your contact phone number?"

    Not too bad, but as the article says, easy to get over a period of time, if you have keyboard loggers.

    In Sweden, A system that is apparently years old, you get a secure key-fob from www.vasco.com, and that's it. you enter your account number, then activate your key-fob, enter your PIN into that, then 2 4-digit random numbers from the login screen, then it will give you a single 6-digit number to enter into the login screen, and that's it. Plus the website (SEB bank) is perfectly happy with IE OR firefox, safari, camino.

    Scandinavia is the Mac of the social world, they do everything years ahead of the rest of the pack.

  6. Re:Synching by RollingThunder · · Score: 4, Interesting

    I use a SecurID at work, and it definitely does not allow me to use the previous 10 codes.

    What it does do, is keep track of how my token's clock seems to be drifting, based on where it calculates my token should be vs what I'm punching in.

    My first entry after a week off has a moderate amount of slack - I can use a code that has rotated off within about 3 seconds of it vanishing. After a couple code entries, I have no slack at all - the servers have my token's drift pegged down to the tenth of a second.