Lloyds TSB Pushing New Online Security Protocol
An anonymous reader writes "Looks like the two-factor bandwagon is beginning to roll in UK banking. The BBC is reporting that Lloyds TSB is issuing hard-tokens to 30,000 customers in an attempt to curtail phishing." From the article: "Until now, Lloyds TSB has used a two-stage system for identifying its customers. First, users must enter a username and password. Then, on a second screen, they are asked to use drop-down menus to choose three letters from a self-chosen memorable piece of information. The aim of using menus rather than the keyboard has been to defeat so-called 'keyloggers', tiny bits of software which can be used by hackers who have breached a PC's security to read every key pressed and thus sniff out passwords. But newer keyloggers now also take screenshots, which can reveal the entire memorable word after the bank's website has been used just a few times."
and two credit card accounts, all with different corporations
and I'm looking at the size of that thing, and going, DAMN, I hope they don't all send me such huge fobs...
every day http://en.wikipedia.org/wiki/Special:Random
As always, it's a shame that people with the cleverness and skill to devise new phishing tricks don't opt for the lower income and increased job security and satisfaction of being useful, instead of being destructive pricks whose only long-term result is making everyone else's life more difficult.
...is definitely the way to go for high-security environments. Something you have and something you know. It's hard for someone to steal both, at least without you knowing it. However, I wonder if this is practical for consumer markets like this. All we need is for both of my banks to send me a key card, my cell phone company to send me one (so I can pay online), my credit card companies to send me one, etc. In the end, lazy people will just find tricks around them, the same way lazy people write down passwords when complexity rules are enforced.
Makes sense to me. The key to defeating a keylogger is a keychain.
Any step that is taken to isolate a feature of online security from your PC is going to make it more secure. It'll probably inconvenience people in a lot of situations though- say you're abroad and you've had your bags & wallet stolen, including your hard key. You won't be able to access your online account to get money transferred locally etc. Still, sounds good to me :o)
When the posters fear their moderators, there is tyranny; when the moderators fears the posters, there is liberty.
Your RSA issued token access has officially been revoked due to security concerns. Please mail the token to the address below along with your account number.
Regards,
Bank President
Swedish banks have been using a code gadget much like a calculator for years now!
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
There is too much junk on my key ring already. I want mine implanted in the palm of my hand - with, of course, an on/off switch. While I'm dreaming: it should also have a DNA sensor so that it regularly checks for my red blood cells with oxygen, thus ensuring that if my hand is cut off, the implant won't work for more than a few minutes.
I need to click in my password... what crazy stuff in .jsp.
Lucky they still left the old type-in interface:
https://www.citibank.co.in/infojsp/login/guestlog
With a camera being used to steal someone's PIN. I get the creeps every time I use one of those weird privately owned ATM machines in convenience stores in the middle of nowhere. Some of them even have spelling mistakes on their screens. What's next? "Thank you for withdrawing, your account is TEH PWNAGE"
~jennifer.k~
Next up, perhaps they can fix it so their online banking isn't offline between 12am and 4am. Not everyone is tucked up in bed at that time!
If these devices work like the RSA SecurID does, clock lagging is not a problem. Every time the customer logs in, the server accepts not just the current password, but also the next and previous x (10, for example) passwords. So if the clock is a bit off, it will still accept the password.
Furthermore, once the password is accepted the server will then know exactly how far off the clock in the keyfob is and change its 'expected' timeslot accordingly. This only goes wrong if the customer doesn't log in for extremely long times, which shouldn't happen much anyway.
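To make the two posts above concrete, here is an added example (not code from Lloyds TSB, RSA or the posters) of a server that accepts a window of slots around the expected one, learns how far the fob's clock is off once a code matches, and refuses replays. It is a TOTP/HOTP-style HMAC construction standing in for SecurID's proprietary algorithm; the 60-second step, the 10-slot window and the sample seed are assumptions. The last scenario in `demo()` is the resync case from later in the thread: a fob that has drifted further than the window while unused is rejected until it is resynced out of band.

```python
import hashlib
import hmac
import struct

STEP = 60      # seconds per code slot (assumed; the fob's real step is not on the page)
DIGITS = 6
WINDOW = 10    # accept codes up to this many slots before/after the expected one


def otp(seed: bytes, slot: int, digits: int = DIGITS) -> str:
    """HMAC-based code for one time slot, using HOTP-style dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", slot), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


class Token:
    """The key fob: same seed as the server, but its own (drifting) clock."""

    def __init__(self, seed: bytes, clock_error: int = 0):
        self.seed = seed
        self.clock_error = clock_error  # seconds the fob clock is ahead (+) or behind (-)

    def code(self, true_time: int) -> str:
        return otp(self.seed, (true_time + self.clock_error) // STEP)


class TokenServer:
    """Server side: accepts a window of slots, learns the fob's drift, blocks replay."""

    def __init__(self, seed: bytes, window: int = WINDOW):
        self.seed = seed
        self.window = window
        self.drift = 0          # learned fob offset, in slots
        self.last_slot = None   # highest slot already consumed by a successful login

    def verify(self, code: str, now: int) -> bool:
        expected = now // STEP + self.drift
        for delta in range(-self.window, self.window + 1):
            slot = expected + delta
            if self.last_slot is not None and slot <= self.last_slot:
                continue  # that code (or an older one) was already used: replay
            if hmac.compare_digest(otp(self.seed, slot), code):
                self.drift += delta  # re-centre the window on the fob's clock
                self.last_slot = slot
                return True
        return False


def demo():
    seed = b"12345678901234567890"     # constructed sample seed (the RFC 4226 test secret)
    t0 = 1_700_000_040                 # a server time that sits on a slot boundary
    fob = Token(seed, clock_error=-180)  # fob runs 3 minutes slow
    server = TokenServer(seed)
    first = server.verify(fob.code(t0), t0)         # 3 slots off, inside the window: accepted
    replay = server.verify(fob.code(t0), t0)        # same code again: rejected
    later = server.verify(fob.code(t0 + 7200), t0 + 7200)  # drift learned, exact match now
    fob.clock_error = -900                          # a year unused; fob now 15 minutes slow
    t1 = t0 + 365 * 86400
    stale = server.verify(fob.code(t1), t1)         # 12 slots past the learned drift: resync needed
    return first, replay, later, stale, server.drift


if __name__ == "__main__":
    print(demo())
```

The replay guard is what stops a keylogged code from being reused within the window; the drift learning is what makes the window usable without the customer noticing clock error. A fob that has slept past the window has to go through the manual resync the later post describes, which is exactly where a "resync page" phish fits.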
Well duhh... why not use the obvious solution to prevent reading password information from the screen, like it's been done for ages: use * in place of readable characters. I for one, welcome our new multiple-choice password selection!
Please click your password:
(* replaced with x to please Slashdot junk filter)
Eat that! Good luck trying to discover the real password!
1. The user gets an e-mail asking him to log on to the bank site.
2. The user enters the code from the keyfob into the phishing site
3. Phishing site logs into the real banking site using just harvested code
4. Phishing site performs a transaction on the real site and asks the user for a code again to confirm the transaction.
So the users have false sense of security, bank still loses money (on top of the devices cost) and who is going to pay for it in the end? You think the bank is going to eat the cost?
This is pretty cool, but as someone else noted, a lot of accounts means a lot of fobs. The CEO of Sxip did an entertaining presentation on these types of issues. One piece that would be relevant is the idea of separating the credentialing from the site.
http://www.identity20.com/media/OSCON2005/
That's why I always use large, generously sized bits in all the code I write.
In my experience, larger bits (mine are at least 2-3 times the size of regular bits) are easier to see and less prone to problems like memory leaks and haxx00rrzing than their smaller counterparts.
On the other hand, they're more likely to fill up buffers and cause overflows than smaller bits.
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
They need to come up with a way to embed the device into a credit card.
Here in the Netherlands my bank uses a machine that you put your bank card into (it is a chip/PIN card), you then tap in your PIN and an 8-digit number displayed during the login sequence. The machine gives you a response that you enter back on the page.
You get challenged a second time when you commit all the transactions you have made during the session; you see the transactions and do another code/response cycle to commit them.
Yeah it's a hassle but I do sooo like having a full-feature online bank account that nobody else can get at, even with a keylogger, even if I use it from an internet cafe.
Any machine will work with any card! I've used my friends' machines at their house no problem. It's small, ubiquitous and the batteries seem to last a crazy amount of time; mine is 4 years old and still going.
The downside of all the above is that if anyone gets your card and PIN they can also do online banking as well as cashpointing the money. But it's tied to the card (you have to tell the website its issue number); once a card is reported stolen it will not work online either.
I'm sure there is some attack for it, but it beats anything else I have seen hands down. Bank is ABN AMRO.
"Oops, I always forget the purpose of competition is to divide people into winners and losers." - Hobbes
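An added example (not ABN AMRO's code, nor anything from the posts) of the card-reader scheme described above, which also serves the later point that a cryptographic smartcard never reveals its key and answers a question unique to each transaction. HMAC-SHA256 stands in for whatever the real card computes; the card ids, PIN and account numbers are constructed. One assumption goes beyond the post: the commit step has the user key the destination and amount into the reader, so the response is bound to what the user saw. `relayed_phish()` runs the four-step attack from the phishing post against it: relaying the login challenge still gets the attacker logged in, but the commit response the victim produces covers the victim's intended destination, not the attacker's, so the transfer is rejected.

```python
import hashlib
import hmac
import secrets


def _mac8(key: bytes, *fields: str) -> str:
    """8-digit code over the given fields, the shape of what the reader displays."""
    mac = hmac.new(key, "|".join(fields).encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10 ** 8:08d}"


class ChipCard:
    """Stand-in for the chip: the key never leaves it, and a PIN gates every use."""

    def __init__(self, key: bytes, pin: str):
        self._key, self._pin = key, pin
        self.tries_left = 3

    def respond(self, pin: str, *fields: str):
        if self.tries_left == 0:
            return None  # card blocked after three wrong PINs
        if not hmac.compare_digest(pin, self._pin):
            self.tries_left -= 1
            return None
        self.tries_left = 3
        return _mac8(self._key, *fields)


# The reader: takes the card, the PIN and whatever the user keys in.
def reader_login(card, pin, challenge):
    return card.respond(pin, "login", challenge)


def reader_commit(card, pin, challenge, dest, amount):
    # "What you see is what you sign": the user keys the destination and amount they intend.
    return card.respond(pin, "commit", challenge, dest, amount)


class Bank:
    def __init__(self, card_keys):
        self.keys = card_keys   # card id -> key personalised into that card
        self.pending = {}       # challenge -> (kind, card id, transaction details)

    def _challenge(self, kind, card_id, details=()):
        c = f"{secrets.randbelow(10 ** 8):08d}"   # fresh 8-digit number per challenge
        self.pending[c] = (kind, card_id, details)
        return c

    def login_challenge(self, card_id):
        return self._challenge("login", card_id)

    def commit_challenge(self, card_id, dest, amount):
        return self._challenge("commit", card_id, (dest, amount))

    def check(self, card_id, challenge, response):
        entry = self.pending.pop(challenge, None)  # every challenge is single-use
        if entry is None or entry[1] != card_id or response is None:
            return False
        kind, _, details = entry
        expected = _mac8(self.keys[card_id], kind, challenge, *details)
        return hmac.compare_digest(expected, response)


# Constructed test data; nothing here is a real card, PIN or account.
KEY = secrets.token_bytes(16)
CARD_ID, PIN = "1234-5678-9012", "4921"
MY_DEST, ATTACKER_DEST, AMOUNT = "NL00TEST0000000001", "NL00TEST0000000002", "250.00"


def honest_session():
    bank, card = Bank({CARD_ID: KEY}), ChipCard(KEY, PIN)
    c1 = bank.login_challenge(CARD_ID)
    logged_in = bank.check(CARD_ID, c1, reader_login(card, PIN, c1))
    c2 = bank.commit_challenge(CARD_ID, MY_DEST, AMOUNT)
    committed = bank.check(CARD_ID, c2, reader_commit(card, PIN, c2, MY_DEST, AMOUNT))
    return logged_in, committed


def replayed_login():
    bank, card = Bank({CARD_ID: KEY}), ChipCard(KEY, PIN)
    c1 = bank.login_challenge(CARD_ID)
    captured = reader_login(card, PIN, c1)   # keylogged response
    bank.check(CARD_ID, c1, captured)
    return bank.check(CARD_ID, c1, captured)  # challenge already consumed: rejected


def relayed_phish():
    """Steps 1-4 of the phishing post: the attacker relays live challenges to the victim."""
    bank, card = Bank({CARD_ID: KEY}), ChipCard(KEY, PIN)
    c1 = bank.login_challenge(CARD_ID)  # attacker fetches this from the real site
    logged_in = bank.check(CARD_ID, c1, reader_login(card, PIN, c1))  # victim answers it
    c2 = bank.commit_challenge(CARD_ID, ATTACKER_DEST, AMOUNT)  # attacker's own transfer
    # The victim keys the destination they believe they are paying, not the attacker's.
    stolen = bank.check(CARD_ID, c2, reader_commit(card, PIN, c2, MY_DEST, AMOUNT))
    return logged_in, stolen


if __name__ == "__main__":
    print(honest_session(), replayed_login(), relayed_phish())
```

The login phase on its own is no better than the SecurID fob against a live relay; it is the second challenge, bound to the transaction the user can see, that keeps the money in the account. If the commit challenge were just another opaque number relayed to the victim, `relayed_phish()` would return `(True, True)`.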
That's only slightly tongue-in-cheek. (Yes, I know that between all the holes in the OS and all the holes in user's heads that screen-loggers will get installed with admin privileges.)
As much as I hate DRM ("lets assume 100% of computer users are illegal content distributors" and inconvenience everyone), it seems that it could be useful as part of locking down a machine from copying selected types of data to unauthorized external locations.
Two wrongs don't make a right, but three lefts do.
> Instead, just publicly announce your policy that you will NEVER use
> external email to communicate with customers.
Why do you think that would help? Banks already tell their customers that they will NEVER send them emails requesting account information.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
During my tenure, we were issued hardware tokens that had our individual cert on it, and we could use the cert for any number of things (such as email authentication, email signing, logging into online banking, encrypting and storing documents using an electronic vault, etc). But it was also inconvenient as we had to be using a machine that could read and utilize the USB token.
If you had physical access to someone's hardware token, it wasn't difficult to use it to pretend you were someone else. End users select very weak passwords, usually have the passwords to their tokens written down on post-it notes stuck to their screen or on their desk, and people in general are just too trusting.
As other posters have mentioned, you could ask an end user to USPS their hardware token to you with their password and all other relevant information, and many end users would probably do it without question.
Why haven't digital certificates become more mainstream? It's still too inconvenient in many cases, and it doesn't fix the weakest link - the end user.
People today demand convenience, and having to carry around a physical hardware token to do things on-line just is not convenient, especially when you find yourself in front of a computer that doesn't have USB, doesn't know how to read the USB token, or doesn't have the appropriate software to utilize the hardware token in the first place.
If a bad guy would somehow crack my password he could only check my account (bad for my privacy, but not the end of the world). To empty my account he would have to get my password, my mobile and its pin-code.
karma police: arrest this man, he talks in maths; he buzzes like a fridge, he's like a detuned radio. [radiohead]
In Ireland, you had a PIN number, a password, and several security questions like "Where were you born?" "what are the last 3 numbers of your contact phone number?"
Not too bad, but as the article says, easy to get over a period of time, if you have keyboard loggers.
In Sweden, a system that is apparently years old, you get a secure key-fob from www.vasco.com, and that's it. You enter your account number, then activate your key-fob, enter your PIN into that, then 2 4-digit random numbers from the login screen, then it will give you a single 6-digit number to enter into the login screen, and that's it. Plus the website (SEB bank) is perfectly happy with IE or Firefox, Safari, Camino.
Scandinavia is the Mac of the social world, they do everything years ahead of the rest of the pack.
RSA access tokens occasionally need to be 'resynched'. Many systems, like the RSA SecurID, do this automatically when you log in by accepting the last and previous 10 passwords or whatever. But, if a customer hasn't logged in for a long time, the token can become wayyyy out of sync. So, typically they have to have it resynched in some way. This could involve logging into some known-secure web page and entering in some user information and the current number on the token, or by calling support and telling them what the current number on the token is.
Phishing is possible for at least one password by posing as a 'resync' page or as support personnel. Additionally, if the phisher is sophisticated and has the right software and sufficient computing power, the phisher may be able to deduce the private 'seed key' so that he can get ALL the passwords.
It's important to remember that there is no such thing as an uncrackable security system.
Whenever you get a bank account, you should get a pamphlet saying "How to recognize SCAM emails".
I'm sure this nifty trick would do wonders and prevent people from falling into phishing scams.
As long as the info is travelling over one channel (your Internet connection to that bank), you're still vulnerable to a man-in-the-middle attack.
This method doesn't provide any more security, just more toys to lose.
Now, if they tied those key-fobs to the cell network and you had to confirm the transaction that you entered via the Internet with a cell connection from the key-fob, that would be sufficient 2 factor security.
But that costs even more than the key-fobs they have now and the key-fobs make the users FEEL more "secure" because they don't understand man-in-the-middle attacks.
Having worked somewhere that uses securid, I can tell it doesn't work that slickly. Granted it's not that horrible to have to call the helpdesk and have them resync the token using ace server, but it is annoying.
Ha ha ha ha ha. I used to work for them until a couple of months ago, and you will never find a more useless bunch of bureaucratic fools. They are anything but on the ball. They are, however, running scared. LTSB suffered abnormally high losses due to fraud last year, and they're flailing around clutching at straws to try and find a solution. I told them that the "memorable phrase" thing wouldn't work for long, and wouldn't provide much extra security, but they went ahead with it anyway.
It'll be interesting to see if a widescale rollout of tokens (IIRC, they're rebadged SecurID) leads to a more sustained attack on the token generation algorithm. It's rumoured to have already been cracked, but there's precious little information available about it if it has been.
"The invisible and the non-existent look very much alike." -- Delos B. McKown
Why hasn't anyone questioned the root of the problem to begin with: people have spyware? The approach taken here is akin to handing out bullet-proof vests in a high crime area because there's a chance you *might not* die. I know that it's better than nothing, and IT security across the net is not entirely the banks' and financial institutions' fault, but if I were facing the amount of pressure that they face from malware, then I'd at least try to put up a fight against the root cause. Kudos to the cleverness on their part to protect themselves and their clients, but I think the real problem of IT security is being largely ignored in favor of clever work-arounds.
The eternal struggle of good vs. evil begins within one's self.
I don't understand why US and UK banks make two factor authentication so complicated. A printed list of one-time passwords is excellent protection against keyloggers and requires no extra hardware. Banks in continental Europe have been using them for years, and users seem to be able to get along with them just fine.
This is significant, since you have a lot more phishing attacks targeting Paypal and eBay than the major banks these days.
RichM
Data Center Knowledge
I think that the value of the "memorable information" stage is that it protects against the problem of someone from occasionally logging on at an insecure computer.
Say I log on to my account once from an Internet cafe, where a rogue employee has installed key-loggers/screenshot-takers on the terminals. Say my memorable information is 10 letters long; there would be.... 120 different combinations of the letters that could be asked for. That means that the information the attacker has from my one compromised login will be useful once every 120 successful logins. So the attacker would have to be very lucky in timing his attack to coincide with when that combination of letters has come around again, and would probably have to make a noticeably large number of unsuccessful login attempts, which would presumably cause access to be frozen.
Was that scenario part of the decision to use this feature, or was it purely to protect against keystroke loggers?
hand out Knoppix cds to friends and family members and tell them to pop it in and reboot whenever they want to engage in secure banking.
not that most of them will listen or bother to go through the "laborious boot process"... but those that do, will have a much more secure experience.
unless they use a proprietary dial up application, knoppix or another custom designed distribution could handle the network aspect nicely.
Science : Proprietary , Knowledge : Open Source
To protect against phishing, doesn't it work the other way around? What is required is a way for the user to be sure of the website's identity, not the opposite. No?
This won't be cryptographically safe until the data held on the card is not directly readable. So magstripe cards are insufficient for this. All it needs is for the user to have spyware installed which snoops the data from the magstripe card next time it's scanned. Then the attacker has the right code to encrypt with the bank's public key himself and do what he likes with.
This is what smartcards are for. With a cryptographic smartcard, you can never directly read the key off it. It does the cryptographic routines internally. The authentication can only ever succeed if the card is accessible at the time of the transaction so it can give the right 'answer' to the bank's 'question'. The 'question' of course is always unique to the transaction.
And besides, nearly everyone in the UK already has a smartcard from their bank.
Malike Bamiyi wanted my assistance.
Why don't the banks issue super-lightweight client LiveCDs to access their online banking services? The advantages of a special protected client environment with no permanent storage are so huge, I suspect that for some unknown reason the US banking industry actually wants to be phished.
Could some kind body explain why?
It can't simply be that the banks are dumb can it?
I thought seriously about creating a custom Knoppix CD to do this kind of thing. I even got as far as successfully customizing a Knoppix build. Then I happened to get a laptop with WiFi. I couldn't be bothered to get Knoppix to work with it -- and the last time I checked, there was no way to run this card in Linux w/WPA turned on. So, the little pet project died.
Plus, printers, access to email, and the general inconvenience of rebooting (twice! once to Knoppix, once back to whatever) put me off the whole thing. AND I'm a reasonably technical person... I wouldn't dream of getting my Mom to try it.
If you stick to regular ethernet, and use a PDF writer, and require a USB key for storage... things become better. Still it would still be a long way from being an adequate solution for a bank to require everyone to use it.