Slashdot Mirror


Lloyds TSB Pushing New Online Security Protocol

An anonymous reader writes "Looks like the two-factor bandwagon is beginning to roll in UK banking. The BBC is reporting that Lloyds TSB is issuing hard-tokens to 30,000 customers in an attempt to curtail phishing." From the article: "Until now, Lloyds TSB has used a two-stage system for identifying its customers. First, users must enter a username and password. Then, on a second screen, they are asked to use drop-down menus to choose three letters from a self-chosen memorable piece of information. The aim of using menus rather than the keyboard has been to defeat so-called 'keyloggers', tiny bits of software which can be used by hackers who have breached a PC's security to read every key pressed and thus sniff out passwords. But newer keyloggers now also take screenshots, which can reveal the entire memorable word after the bank's website has been used just a few times."

15 of 228 comments

  1. I have four bank accounts... by way2trivial · · Score: 4, Interesting

    and two credit card accounts, all with different corporations

    and I'm looking at the size of that thing, and going, DAMN, I hope they don't all send me such huge fobs...

    --
    every day http://en.wikipedia.org/wiki/Special:Random
  2. Clever people... by Otter · · Score: 4, Insightful

    As always, it's a shame that people with the cleverness and skill to devise new phishing tricks don't opt for the lower income and increased job security and satisfaction of being useful, instead of being destructive pricks whose only long-term result is making everyone else's life more difficult.

  3. Two-Factor... by WhoDey · · Score: 4, Interesting

    ...is definitely the way to go for high-security environments. Something you have and something you know. It's hard for someone to steal both, at least without you knowing it. However, I wonder if this is practical for consumer markets like this. All we need is for both of my banks to send me a key card, my cell phone company to send me one (so I can pay online), my credit card companies to send me one, etc. In the end, lazy people will just find tricks around them, the same way lazy people write down passwords when complexity rules are enforced.

  4. Token aka Keychain by brokenarmsgordon · · Score: 5, Funny

    Makes sense to me. The key to defeating a keylogger is a keychain.

  5. Sounds good to me by stunt_penguin · · Score: 4, Insightful

    Any step that is taken to isolate a feature of online security from your PC is going to make it more secure. It'll probably inconvenience people in a lot of situations though- say you're abroad and you've had your bags & wallet stolen, including your hard key. You won't be able to access your online account to get money transferred locally etc. Still, sounds good to me :o)

    --
    When the posters fear their moderators, there is tyranny; when the moderators fears the posters, there is liberty.
  6. Dear Customer by Average_Joe_Sixpack · · Score: 5, Insightful

    Your RSA issued token access has officially been revoked due to security concerns. Please mail the token to the address below along with your account number.

    Regards,
    Bank President

  7. A number of scams in Canada at ATM machines by jkind · · Score: 3, Funny

    With a camera being used to steal someone's PIN #. I get the creeps every time I use one of those weird privately owned ATM machines in convenience stores in the middle of nowhere. Some of them even have spelling mistakes on their screens. What's next? "Thank you for withdrawing, your account is TEH PWNAGE"

    --
    ~jennifer.k~
  8. Re:Good for them. by GekkePrutser · · Score: 5, Informative

    If these devices work like the RSA SecurID does, clock lagging is not a problem. Every time the customer logs in, the server accepts not just the current password, but also the next and previous x (10, for example) passwords. So if the clock is a bit off, it will still accept the password.

    Furthermore, once the password is accepted the server will then know exactly how far off the clock in the keyfob is and change its 'expected' timeslot accordingly. This only goes wrong if the customer doesn't log in for extremely long times, which shouldn't happen much anyway.

  9. Phishing is still a problem by ingo23 · · Score: 5, Interesting

    After reading the article, I figured out that even the rolling password will not help much with the phishing problem. Imagine the following scenario:

    1. The user gets an e-mail asking him to log on to the bank site.
    2. The user enters the code from the keyfob into the phishing site.
    3. The phishing site logs into the real banking site using the just-harvested code.
    4. The phishing site performs a transaction on the real site and asks the user for a code again to confirm the transaction.

    So the users have a false sense of security, the bank still loses money (on top of the cost of the devices), and who is going to pay for it in the end? You think the bank is going to eat the cost?

  10. The weakest link will always be the end user by rufey · · Score: 4, Insightful

    I used to work for a certificate authority (disclaimer: it wasn't Verisign), and the weakest link in any security is always the end user.

    During my tenure, we were issued hardware tokens that had our individual cert on it, and we could use the cert for any number of things (such as email authentication, email signing, logging into online banking, encrypting and storing documents using an electronic vault, etc). But it was also inconvenient as we had to be using a machine that could read and utilize the USB token.

    If you had physical access to someone's hardware token, it wasn't difficult to use it to pretend you were someone else. End users select very weak passwords, usually have the passwords to their tokens written down on post-it notes stuck to their screen or on their desk, and people in general are just too trusting.

    As other posters have mentioned, you could ask an end user to USPS their hardware token to you with their password and all other relevant information, and many end users would probably do it without question.

    Why haven't digital certificates become more mainstream? It's still too inconvenient in many cases, and it doesn't fix the weakest link - the end user.

    People today demand convenience, and having to carry around a physical hardware token to do things on-line just is not convenient, especially when you find yourself in front of a computer that doesn't have USB, doesn't know how to read the USB token, or doesn't have the appropriate software to utilize the hardware token in the first place.

  11. SMS by photonic · · Score: 4, Interesting

    My bank used to rely on both a password and a 'TAN'-code, which is a number that is usable only once. They would send you a list of say 20 numbers by certified mail and every time you make a transaction you would use one number. The new system uses SMS to send the code. To make a transaction you log in to your account, fill in all the details of the money transfer and press the send button. You then receive an SMS some 15 seconds later, copy the number into your browser and you're done. The good thing is that you can access your account from anywhere, since you are carrying your mobile anyhow.

    If a bad guy somehow cracked my password he could only check my account (bad for my privacy, but not the end of the world). To empty my account he would have to get my password, my mobile and its pin-code.

    --
    karma police: arrest this man, he talks in maths; he buzzes like a fridge, he's like a detuned radio. [radiohead]
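The relay scenario in comment 9 and the per-transaction SMS code in comment 11 describe the same design question from two sides: a code that merely proves "someone holding the token is present" can be relayed by a phishing site, while a code that is issued for one specific, already-specified transfer cannot authorise anything else. The following is an added illustration, not code from Lloyds TSB, the BBC article or any commenter's bank; the Bank class, the Transfer fields, the message format and the account numbers are all constructed for the demo, and the list of sent messages stands in for the SMS channel. It shows a server that issues a one-time code bound to a pending transfer, puts the transfer details into the out-of-band message so the account holder can see what they are confirming, and rejects the code for any other transfer or a second use.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    """The details the customer fills in before pressing send (constructed fields)."""
    account: str
    amount_pence: int
    destination: str


@dataclass
class PendingConfirmation:
    transfer: Transfer
    code: str
    used: bool = False


class Bank:
    """Server side of a transaction-confirmation flow (hypothetical, added example)."""

    def __init__(self):
        self.pending = {}        # confirmation id -> PendingConfirmation
        self.sent_messages = []  # stands in for the SMS channel in this demo
        self.executed = []       # transfers that were actually carried out

    def request_transfer(self, transfer: Transfer) -> str:
        """Record the transfer, generate a one-time code for it, and 'send' the code."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        conf_id = secrets.token_hex(8)
        self.pending[conf_id] = PendingConfirmation(transfer, code)
        # "What you see is what you sign": the message names the exact transfer,
        # so a code requested by a phishing site for a different destination
        # is visibly not the transfer the customer asked for.
        self.sent_messages.append(
            f"Confirm transfer of {transfer.amount_pence / 100:.2f} "
            f"to {transfer.destination}: code {code}"
        )
        return conf_id

    def confirm_transfer(self, conf_id: str, transfer: Transfer, code: str) -> bool:
        """Execute the transfer only if the code was issued for exactly this transfer."""
        entry = self.pending.get(conf_id)
        if entry is None or entry.used:
            return False                      # unknown id, or code already consumed
        if entry.transfer != transfer:
            return False                      # code is bound to a different transfer
        if not secrets.compare_digest(entry.code, code):
            return False                      # wrong code (constant-time compare)
        entry.used = True
        self.executed.append(transfer)
        return True


if __name__ == "__main__":
    bank = Bank()
    legit = Transfer("12345678", 25000, "Sort 11-22-33 Acct 87654321")
    cid = bank.request_transfer(legit)
    print(bank.sent_messages[-1])
    code = bank.pending[cid].code
    other = Transfer("12345678", 25000, "Sort 99-88-77 Acct 00000001")
    print("code reused for another destination:", bank.confirm_transfer(cid, other, code))
    print("code used for the transfer it was issued for:", bank.confirm_transfer(cid, legit, code))
    print("same code a second time:", bank.confirm_transfer(cid, legit, code))
```

Note what this does and does not cover: a relayed login-phase code still lets the attacker log in and read the account, exactly as comment 11 concedes, so the binding only protects the money-moving step, and it only helps if the customer actually reads the transfer details in the message before typing the code.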
  12. I moved from Ireland to Sweden; by Biotech9 · · Score: 3, Interesting

    In Ireland, you had a PIN number, a password, and several security questions like "Where were you born?" "what are the last 3 numbers of your contact phone number?"

    Not too bad, but as the article says, easy to get over a period of time, if you have keyboard loggers.

    In Sweden, a system that is apparently years old, you get a secure key-fob from www.vasco.com, and that's it. You enter your account number, then activate your key-fob, enter your PIN into that, then 2 4-digit random numbers from the login screen, then it will give you a single 6-digit number to enter into the login screen, and that's it. Plus the website (SEB bank) is perfectly happy with IE or Firefox, Safari, Camino.

    Scandinavia is the Mac of the social world, they do everything years ahead of the rest of the pack.

  13. Re:Synching by RollingThunder · · Score: 4, Interesting

    I use a SecurID at work, and it definitely does not allow me to use the previous 10 codes.

    What it does do, is keep track of how my token's clock seems to be drifting, based on where it calculates my token should be vs what I'm punching in.

    My first entry after a week off has a moderate amount of slack - I can use a code that has rotated off within about 3 seconds of it vanishing. After a couple code entries, I have no slack at all - the servers have my token's drift pegged down to the tenth of a second.
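Comments 8 and 13 describe two halves of the same verifier behaviour for a clock-based fob: a generous acceptance window when the server has no idea how far the token's clock has drifted, and a tight window, centred on the learned drift, once a code has been accepted. The block below is an added example, not RSA's SecurID algorithm (which is proprietary and not described on this page) and not any bank's code. It uses HOTP from RFC 4226 over a time step, as TOTP (RFC 6238) does, as a stand-in for the fob's code generator; the 60-second step, the +/-10-step initial window from comment 8's example, the 1-step window after resynchronisation, and the secret are all constructed values. It also refuses any time step at or below the last one accepted, so a captured code cannot be replayed.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60    # how often the fob's code rotates (assumed value)
WINDOW_STEPS = 10    # first contact: accept +/- 10 steps, as in comment 8's example
RESYNC_STEPS = 1     # once drift is known: accept only the adjacent steps (assumed)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def token_code(secret: bytes, token_clock: float) -> str:
    """What the fob displays: HOTP over the time step of the fob's *own* clock."""
    return hotp(secret, int(token_clock // STEP_SECONDS))


class TokenRecord:
    """Server-side state for one customer's fob."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.drift_steps = 0      # learned (fob step - server step), updated on each success
        self.drift_known = False  # False until the first accepted code
        self.last_step = None     # highest step already consumed; blocks replay


def verify(record: TokenRecord, submitted: str, server_clock: float) -> bool:
    """Accept a code within the current window and re-learn the fob's drift from it."""
    server_step = int(server_clock // STEP_SECONDS)
    window = RESYNC_STEPS if record.drift_known else WINDOW_STEPS
    center = server_step + record.drift_steps
    for delta in range(-window, window + 1):
        candidate = center + delta
        if record.last_step is not None and candidate <= record.last_step:
            continue  # already used (or older than one already used): replay
        if hmac.compare_digest(hotp(record.secret, candidate), submitted):
            record.drift_steps = candidate - server_step  # re-centre on the fob's clock
            record.drift_known = True
            record.last_step = candidate
            return True
    return False


if __name__ == "__main__":
    secret = b"constructed-demo-secret"      # constructed; a real seed is random and per-fob
    t0 = 1_000_000.0                         # arbitrary server time
    rec = TokenRecord(secret)
    fast_by = 3 * STEP_SECONDS               # pretend the fob's clock runs 3 steps fast
    code = token_code(secret, t0 + fast_by)
    print("first login, fob 3 steps fast:", verify(rec, code, t0), "drift =", rec.drift_steps)
    print("same code again (replay):", verify(rec, code, t0))
    code = token_code(secret, t0 + STEP_SECONDS + fast_by)
    print("next minute, window now +/-1:", verify(rec, code, t0 + STEP_SECONDS))
```

The wide initial window is the trade-off comment 13 notices: it makes the first login forgiving but temporarily enlarges the set of codes a verifier will accept, which is why the window shrinks as soon as the drift has been measured and why the replay check is needed regardless of window size.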

  14. The REAL problem by Datamonstar · · Score: 3, Insightful

    Why hasn't anyone questioned the root of the problem to begin with: people have spyware? The approach taken here is akin to handing out bullet-proof vests in a high crime area because there's a chance you *might not* die. I know that it's better than nothing, and IT security across the net is not entirely the banks' and financial institutions' fault, but if I were facing the amount of pressure that they face from malware, then I'd at least try to put up a fight against the root cause. Kudos to the cleverness on their part to protect themselves and their clients, but I think the real problem of IT security is being largely ignored in favor of clever work-arounds.

    --
    The eternal struggle of good vs. evil begins within one's self.
  15. Two-factor Coming to 1 Million Paypal Accounts by miller60 · · Score: 3, Informative

    Two-factor authentication was a big part of the recent eBay-VeriSign deal. The headlines all mentioned eBay buying VeriSign's payment processing unit for $370 Million. But the agreement also calls for eBay to buy up to 1 million two-factor authentication tokens from VeriSign for use on Paypal. eBay will start rolling out the two-factor authentication tokens to Paypal and eBay users in 2006, including marketing and security programs designed to "promote customer adoption."

    This is significant, since you have a lot more phishing attacks targeting Paypal and eBay than the major banks these days.