Slashdot Mirror

← Back to Stories (view on slashdot.org)

Lloyds TSB Pushing New Online Security Protocol

Posted by Zonk on from the another-toy-for-the-keychain dept.

An anonymous reader writes "Looks like the two-factor bandwagon is beginning to roll in UK banking. The BBC is reporting that Lloyds TSB is issuing hard-tokens to 30,000 customers in an attempt to curtail phishing." From the article: "Until now, Lloyds TSB has used a two-stage system for identifying its customers. First, users must enter a username and password. Then, on a second screen, they are asked to use drop-down menus to choose three letters from a self-chosen memorable piece of information. The aim of using menus rather than the keyboard has been to defeat so-called 'keyloggers', tiny bits of software which can be used by hackers who have breached a PC's security to read every key pressed and thus sniff out passwords. But newer keyloggers now also take screenshots, which can reveal the entire memorable word after the bank's website has been used just a few times."

4 of 228 comments (clear)

  1. Token aka Keychain by brokenarmsgordon · · Score: 5, Funny

    Makes sense to me. The key to defeating a keylogger is a keychain.

  2. Dear Customer by Average_Joe_Sixpack · · Score: 5, Insightful

    Your RSA issued token access has officially been revoked due to security concerns. Please mail the token to the address below along with your account number.

    Regards,
    Bank President

  3. Re:Good for them. by GekkePrutser · · Score: 5, Informative

    If these devices work like the RSA SecurID does, clock lagging is not a problem. Every time the customer logs in, the server accepts not just the current password, but also the next and previous x (10, for example) passwords. So if the clock is a bit off, it will still accept the password.

    Furthermore, once the password is accepted the server will then know exactly how far off the clock in the keyfob is and change its 'expected' timeslot accordingly. This only goes wrong if the customer doesn't log in for extremely long times, which shouldn't happen much anyway.

  4. Phishing is still a problem by ingo23 · · Score: 5, Interesting
    After reading the article, I figured out that even the rolling password will not help much with the phishing problem. Imagine the following scenario:

    1. The user gets an e-mail asking him to log on to the bank site.
    2. The user enters the code from the keyfob into the phishing site
    3. Phishing site logs into the real banking site using just harvested code
    4. Phishing site performs a transaction on the real site and ask the user for a code again to confirm the transaction.

    So the users have false sense of security, bank still loses money (on top of the devices cost) and who is going to pay for it in the end? You think the bank is going to eat the cost?