Slashdot Mirror


Most Bank Websites Are Insecure

Anonymous writes "More than three-quarters of bank Web sites have design flaws that could expose bank customers to financial loss or identity theft, according to a University of Michigan study that will be presented this week at the Symposium on Usable Security and Privacy. The study, 'Analyzing Web Sites For User-Visible Security Design Flaws,' examined 214 bank Web sites in 2006. It was conducted by University of Michigan computer science professor Atul Prakash and doctoral students Laura Falk and Kevin Borders."

22 of 269 comments

  1. Surprise by MyLongNickName · Score: 5, Interesting

    Having worked in the banking industry for nearly a decade, I was a bit skeptical. Many times we will have some security firm come in and look at our public facing web site, and come back with a list of 25-30 items that are 'security issues'. Most of them are complete crap, and maybe 1 or 2 are legitimate concerns. Management gets in a tizzy and insists that all items must be addressed, even when many items make no sense or are even counterproductive to implement.

    I skimmed the underlying study (the article itself was worthless except for the link), and some of the concerns are very valid. For example, I have NO idea why a bank wouldn't insist on using SSL for any banking transaction.

    --
    See my journal for slashdot IDs by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
    1. Re:Surprise by TheMooose · Score: 5, Interesting

      I worked as a web developer for scores of Credit Unions all over the US. In the last 4 years the NCUA (like the fed for CUs) became freakishly paranoid, and like most "governing" bodies, took no time to understand buzz-words. They started implementing draconian requirements that forced the CUs, large and small, to spend great deals of money on website security. That money would have gone into members' accounts at year end. While working for the CUs, I found that the most damaging attacks were often nothing the NCUA could have dreamed of. They worried about open ports and front page extensions while the Chinese and Russian hackers focused on SQL injection and Cross-site scripting (XSS). In one case I was involved with, the attackers were able to compromise a content management system via SQL injection and dynamically change the links to home banking for dozens of CUs. My advice for these banks and credit unions would be to have their websites and underlying systems audited, if not code reviewed, by a well-seasoned team of professionals and to not rely on the scanning services unless they just want a warm fuzzy feeling.

    2. Re:Surprise by 31415926535897 · Score: 2, Interesting
      The problem with not having the login page on SSL is that a phishing site that managed to poison DNS could get you to send them your login information.

      With an SSL login page this would be much more difficult. If someone managed to hijack the domain name (either through compromising DNS servers or changing your hosts file because you were foolish enough to install that "free" screensaver), and you were forced to log in through SSL, your browser would yell at you because the site key would not match what the browser was expecting.

      If you don't require SSL login, then even an experienced user could be fooled if they allowed someone else to use their computer, get it infected, change the hosts file and try to log in from an unsecured page (or think worm that propagates across your corporate network). You can't be sure your info is going to the bank's SSL server or some unsecured site in Russia (unless you checked the HTML & JavaScript source...do you?).

  2. Kudos goes to my bank then by Rogerborg · Score: 5, Interesting

    Since if I enter my username (composed from my real name) and an incorrect password three times, it locks me out.

    I say "my" username, but if I enter any username - easily deducible by composing any two first and last names - and an incorrect password three times... that account gets locked out.

    I'm sure that nobody with malice aforethought, a dictionary of names, and a frisky Perl script will ever feel the urge to increase every customer's security by having them locked out.

    --
    If you were blocking sigs, you wouldn't have to read this.
    1. Re:Kudos goes to my bank then by Anonymous Coward · Score: 1, Interesting

      I know of a solution to this problem, which my bank uses. To type in your password, it uses an interactive, graphics-based, typepad. IOW, there is no way to enter a password via a script. It's slow, and kind of a PIA, but it solves a number of problems.

    2. Re:Kudos goes to my bank then by Jesus_666 · Score: 2, Interesting

      That's a TAN generator. I'm talking about a smart card, i.e. a card that essentially contains a bit of memory and a crypto module. Your banking transaction is encrypted and signed by the card, which only works if you provide the correct PIN. That way you get secure transactions and true two-factor security (what you have and what you know).

      Also, someone hijacking your PC won't be able to do much because modern smartcard readers have their own keypads, meaning that your PC is never actually involved with the PIN; it merely provides the transaction data to the reader and waits until it receives either an encrypted stream to send to the bank or an error code. Unless the attacker can break the encryption (usually 3DES, DSA or RSA) he can't do much.

      --
      USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
  3. Profit... by Anonymous Coward · Score: 5, Interesting

    Banks are protected from their mistakes by the US Federal Reserve.

    Profits always get privatized, bankers' mistakes often get nationalized. The private citizen always gets stuck with bailing the banks out but gets little or no benefit from profits since these are shipped off to tax havens like Liechtenstein. Which makes it all the more gratifying when something like this happens.

  4. Re:Bank logins by SatanicPuppy · Score: 4, Interesting

    That makes me absolutely apeshit; do NOT force me to choose one of your crappy questions! Let me write my own question, and my own answer.

    Whenever I get to write my own question, the question is always a mnemonic for a password...Secure, and easy to remember, since the question implies the answer uniquely, and you don't get any "Did I abbreviate my hometown name in the 'What was the name of your high school?' question" problems.

    The thing I do if they force the question, is use a stock response for all questions of that type, which is, itself, password like. E.g. my first pet was: Wc@e%rddt^y, whereas my first car was: L!kj%nb^

    --
    ad logicam: Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  5. My credit card site is more secure than my bank's by courteaudotbiz · Score: 3, Interesting

    I have my personal bank account at Scotiabank in Canada, and I have a MasterCard credit card with another company.

    On my bank's website, all I need to have is my banking card number and a password, and that's about it for the security features. If I were an average user, I could easily be fooled by a forged website reproducing my bank website and asking me for personal information. Fortunately, THERE'S A WARNING ON THE FRONT PAGE, right beside the month's special promotion and the [Contact Us] link, telling me that the bank never sends an email with an enclosed link to their online banking website...

    On the other hand, on my credit card company website, they first asked me for a security picture and a security passphrase, and they told me at first that, whatever the page I'm on on their website, once I'm logged in, I should see both the picture and the security passphrase. Also, when I log in, I have to use a username and a password, so someone who knows my credit card number could not know what username I have on the website, and they ask me for my home phone number or my city of residence or my mother's maiden name... And the only thing I could do on this website is to view my credit card statement, WITHOUT my credit card number or any information that could lead to identity theft...

    So I think my bank is WAY behind the market on the security technologies side, since someone could transfer all my money to another bank account and they only ask for two very simple pieces of information in order to be able to do that...

  6. Re:Bank logins by MBGMorden · Score: 2, Interesting

    Their credit card accounts don't seem to (or didn't - I've had my account online for about 8 years or so now). Not sure about their checking. They DO have an annoying login though. If you've never logged in on this computer before, you have to answer 2-3 extra questions before logging in, and then after logging in they present you with a "sitekey" which you're supposed to verify is correct (and reenter your password). Thing is, in God only knows how long of accessing that site, the sitekey has NEVER been incorrect. And if it was, what would I have to do? There's no "show me another sitekey" option, or "this is not my sitekey". It's just here: type in your password if this is right.

    For my main accounts I use Wachovia, which is also annoying with the usernames. What idiot decided to make it a requirement that you have numerical digits in your username for goodness sakes!?!? I'm good at picking out passwords. My passwords are damned hard to remember BECAUSE they're good. Don't stack on remembering which username I use on each site too . . .

    --
    "People who think they know everything are very annoying to those of us who do." - Mark Twain
  7. Re:Security questions by houghi · Score: 4, Interesting

    I once had to cash a check at the post office. I got about 25-30 retries before they were satisfied that the signature was actually the same as the one they had to verify against. They even held it up against the glass, so I could copy it.

    Once my school said that I falsified my dad's signature and they needed confirmation, so I took it home and came back with the same signature on it. Whether they were two real ones or two fake ones they had no way of knowing.

    People unfortunately have most of the time no real perception about security. They see it as a hindrance.

    --
    Don't fight for your country, if your country does not fight for you.
  8. Re:Bank logins by Z00L00K · Score: 3, Interesting
    The bank I use, Swedbank, uses a security token with a challenge/response for several stages:
    • At log in to authenticate.
    • Whenever a new payable account is registered.
    • The total sum to pay of all bills registered at that session.

    This means that it's hard for any intruder to actually do something even if they are able to crack the encrypted channel between me and my bank.

    The use of username/password or a non-challenge/response technology is definitely insufficient since they are open to man-in-the-middle attacks and other attacks.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  9. even if... by SecretSquirrel321 · Score: 2, Interesting
    Several times now my father-in-law has asked me to help him fix his computer because "it's running slow". You would not believe what a mess of malware he gets hit with by browsing the web and running whatever attachments all his friends send him.

    Even if the banking site is secure, your average user is taking a huge risk doing banking on any PC hooked up to the internet. They just don't understand what is running on their PC. They have no good way to identify that there is malware running, or identify what the malware is doing.

    Even if the site is perfect, it cannot protect you from the malware that infects many PCs.

  10. Re:Bank logins by CastrTroy · Score: 4, Interesting

    I use random password-like strings for the answers to those questions also. It's too easy for just about anybody who knows me to guess the correct answers to those questions. You don't even have to know me, you can just check out my facebook profile. My first high school is obvious, because there is only 1 in my hometown.

    --
    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  11. Re:The Solution... by somersault · Score: 4, Interesting

    Your viewpoint isn't so much a generation thing as a naivety thing.

    Who cares if the transaction between yourself and your bank is "100% secure" and the encryption can't be broken without 1 million years of brute force attacking - if someone has installed a keylogger on your computer and now has your username, password and whatever other stuff the bank requires you to have to log in?

    Then there's the fact that these systems likely aren't 100% secure - the algorithms may work perfectly, but if the design of the system (which was created by one or more flawed humans) is faulty, then you have problems. You shouldn't be so worried about your teller making a mistake counting out your money so much as you should be worried that the teller has just slipped out $150 when you asked for $100, and pocketed the $50.

    --
    which is totally what she said
  12. How to prevent DOS'ing an account by KWTm · Score: 4, Interesting

    if I enter my username (composed from my real name) and an incorrect password three times, it locks me out.

    I say "my" username, but if I enter any username - easily deducible by composing any two first and last names - and an incorrect password three times... that account gets locked out.

    I don't know of any way to deal with this problem. NOT having an account lockout means someone can brute-force a password. Having an account lockout means someone can DOS the account.

    You're not thinking outside your (rather small) box. The answer is to make the account harder to guess. Let users choose their own account name, and you won't be able to guess that "SamJones" is a valid account. You could try "SammyTheMan", but at least the range of possible logins has just increased by an order of magnitude. Maybe, for those users who really have no creativity and try to insist on using FirstnameLastname, the bank could require that your login be FirstnameLastnameBirthmonthBirthday. "SamJones0413" is two-and-a-half orders of magnitude harder to guess than "SamJones".

    If you did want to solve the problem of account lockout, you could try this: the first time an incorrect password happens, lock the account for 0.1 seconds. For every subsequent attempt, increase the lockout time by 10. After 3 bad guesses, you'd have to wait almost 2 minutes. After four guesses: 16 minutes. Five guesses: 2+3/4 hours. Six guesses: a day and 3 hours. Seven guesses: a week and a half. Eight guesses: 3+1/2 months. So, on the one hand, if the account does get DOS'd, it's merely "relatively" DOS'd to some extent; on the other hand, if Evil Hacker really wanted to DOS the account to a great extent, then it would be inconvenient for Evil Hacker, who might actually wait 2 minutes for the fourth guess but probably won't wait 16 minutes to enter the fifth guess. The Innocent End User, checking her account at the end of the day, might not even know that it had been semi-DOS'd.

    Lots of creative ways you can solve these problems. I came up with this in the time it took me to type this post. I'm sure others have more ideas.

    --
    404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
    [GPG key in journal]
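The escalating lockout sketched in this post, as an added example (not from the post or from any bank's system): a per-account lockout whose duration grows by a fixed factor on each consecutive failure, with the post's 0.1 s first lockout and factor of 10 as defaults plus an optional ceiling so a deliberately locked account recovers in bounded time. The credential store and the injected clock are constructed test values; unknown account names are tracked the same way as real ones so the lockout itself does not reveal which names exist.

```python
import hmac
from dataclasses import dataclass

# Constructed toy credential store: account name -> secret (bytes).
# A real system stores salted password hashes; the lockout policy is the point here.
CONSTRUCTED_CREDENTIALS = {
    b"samjones": b"correct horse battery staple",
    b"samjones0413": b"tr0ub4dor&3",
}


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts
    locked_until: float = 0.0  # absolute time (seconds) before which login is refused


class EscalatingLockout:
    """Per-account lockout whose duration grows by `factor` on every consecutive failure.

    first_lock=0.1 and factor=10 follow the post's proposal; max_lock caps the growth
    so an account that someone locks on purpose becomes usable again within a bounded time.
    """

    def __init__(self, credentials, first_lock=0.1, factor=10.0, max_lock=None):
        self._creds = credentials
        self.first_lock = first_lock
        self.factor = factor
        self.max_lock = max_lock
        self._state = {}

    def lock_duration(self, failures):
        """Seconds the account stays locked after its n-th consecutive failure."""
        if failures <= 0:
            return 0.0
        seconds = self.first_lock * self.factor ** (failures - 1)
        return seconds if self.max_lock is None else min(seconds, self.max_lock)

    def total_wait(self, failures):
        """Cumulative seconds of lockout a guesser sits through to make `failures` bad guesses."""
        return sum(self.lock_duration(n) for n in range(1, failures + 1))

    def authenticate(self, account, password, now):
        """Return 'ok', 'rejected' or 'locked'. `now` is injected so behaviour is testable."""
        state = self._state.setdefault(account, AccountState())
        if now < state.locked_until:
            return "locked"  # refuse without examining the password while locked
        # Unknown names get a dummy secret and still go through compare_digest and the
        # lockout bookkeeping, so neither response nor timing says whether the name exists.
        secret = self._creds.get(account, b"\x00" * 32)
        ok = hmac.compare_digest(secret, password) and account in self._creds
        if ok:
            state.failures = 0
            state.locked_until = 0.0
            return "ok"
        state.failures += 1
        state.locked_until = now + self.lock_duration(state.failures)
        return "rejected"


if __name__ == "__main__":
    policy = EscalatingLockout(CONSTRUCTED_CREDENTIALS, max_lock=86400)
    for n in range(1, 9):
        print(f"failure {n}: locked for {policy.lock_duration(n):>10.1f} s")
```

A per-account lockout on its own still lets a single source hammer many accounts, so in practice it sits beside per-source rate limiting rather than replacing it.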
  13. The real problem.. by certain+death · Score: 2, Interesting

    Is that this study is 2 years old. If you are going to present a security review it has to be relevant, and can only be relevant if it is fairly recent. I have first-hand knowledge of how many iterations a website can go through (let alone a bank's website) in that amount of time.

    --
    "My immediate reaction is 'WTF? What kind of moron doesn't make things 64-bit safe to begin with?'" - Linus
  14. Re:Surprise - really... by Lobster+Quadrille · Score: 5, Interesting

    A while back I emailed my bank about several critical holes on their website. Their response: because the actual banking takes place through a third-party, the access logs that are publicly available on the site, the ability to manipulate the content of the website through javascript, the ability to alter login forms, and the ability to hijack the CMS' admin sessions are non-issues.

    I have a new bank now.

    --
    "The cup is in turn designed for holding hot or cold liquids, and has an open rim and closed base." --US Patent #5425497
  15. Re:that reminds me of... by fuzznutz · Score: 2, Interesting

    I had some collection agency calling me for two months. For the first four weeks, I would get a call with nobody on the other end. The computer dropped the call.

    Then I got the recorded message admitting who they were and asking for someone who had the same last name as me. If I held the phone for the "live person," the call would drop. I tried calling multiple times only to have my call dropped or get a recording that nobody was there. My daughter took two live person calls and told them they had the wrong house, but the calls kept coming.

    Finally, I called and went through all the direct extension combinations until I reached a human. I immediately went up the food chain to the supervisor level. I had to threaten them with the Ohio Attorney General's office. The calls finally stopped.

    I got three or four harassing calls a day for two months from somebody picking out numbers at random from a phonebook based on last name. If it isn't illegal, it sure as hell ought to be.

  16. Not surprised by SanityInAnarchy · Score: 2, Interesting

    Given how many banks employ Wish It Was Two-Factor authentication, I'm not surprised at all.

    The concept of two-factor authentication is stupidly simple: Something you have, and something you know.

    Somehow, banks (and credit card companies) seem to be confusing this with "two things you know" -- which actually isn't one bit more secure than "one thing you know".

    The reality is, all the technology to do this right exists. It is trivial to do. But banks don't want to pay for it. (Which, in itself, is a WTF -- I'll gladly pay some extra for an RSA key auth scheme for my bank, so if the concern is that most users wouldn't notice or care, that gives you an excuse to get more money out of the ones who do. But instead, you just leave everyone somewhat less secure and more irritated than with PayPal.)

    --
    Don't thank God, thank a doctor!
  17. Re:The Big Problem by somersault · Score: 2, Interesting

    Why is this just about banks then? Plenty of other websites have access to credit and debit card details (and debit cards don't have the same level of protection as debit cards), and generally have weaker login requirements than most banks, though you'd probably suggest that they should have stricter security as well. If my bank didn't have the moronic irrelevant security questions then I'd probably still be using the system today, but instead I've just decided not to bother with it as it has caused me a fair bit of hassle to set it up, and in the end I received very little benefit from it when I tried to log into it a few months later and had forgotten the answers to the irrelevant (to me) security questions. If I have to write down the answers to the questions then that weakens the security significantly.

    What forms of 2-factor authentication would you propose for a public computer btw? Some kind of USB dongle or something? What if the cafe didn't allow those? The risk might be reduced with a 2-factor system, but I still think it's better to avoid banking on a public terminal. Not to mention that I'd rather have a car that has a simple key/lock system that can be picked or copied, than one that requires my fingerprint (people have had their hands cut off just so that thieves can steal their car), or in this case perhaps the woman could have got mugged after leaving the cafe so that the thieves could get the USB dongle or whatever.

    --
    which is totally what she said
  18. Re:The Big Problem by dgatwood · Score: 4, Interesting

    What forms of 2-factor authentication would you propose for a public computer btw? Some kind of USB dongle or something? What if the cafe didn't allow those? The risk might be reduced with a 2-factor system, but I still think it's better to avoid banking on a public terminal.

    Factor 1: pin number. This is something you know. Usually 4 digits, but may be arbitrary. Probability of guessing: 1/10^k where k is the number of digits. If digit count is variable, this makes it even more fun since 0004 and 4 are then different values.

    Factor 2: CryptoCard token or similar. You push a button and it gives you the next number in a pseudorandom sequence that was pre-seeded. The computer on the other end knows the next few numbers in the sequence (the exact number probably varies depending on configuration) and if the number you enter isn't one of those, it rejects the login attempt. No number can be used twice. Probability of a successful guess: about 1 / 50,000 - 1/200,000, depending on the bank's level of paranoia about skipping numbers without a resync. :-)

    Total probability: 1 / 500,000,000 - 1/2,000,000,000 depending on paranoia level for number skipping and assuming a 4 digit PIN....

    Even better, I think the resync process is also basically protected against identity theft unless you have the pin number, since you can't substitute a different token and get two numbers in a sequence that would be valid for the original token, IIRC, and the resync doesn't buy you anything other than a few more tries to guess the PIN number.

    --
    Check out my sci-fi/humor trilogy at PatriotsBooks.