Re: Banking on Stupidity


From: Philippe Bruhat (BooK)
Subject: Re: Banking on Stupidity
Date: 16:48 on 21 Dec 2006
On Thursday 21 December 2006 at 11:14, Patrick Carr wrote:
> On Dec 21, 2006, at 12:47 AM, Robert Spier wrote:
>
> >
> >My bank is instituting one of those newfangled secondary-verification
> >pages (where you re-verify things like your age, favorite color, or
> >the picture you picked.)  I'm pretty sure it doesn't do anything
> >useful except make it harder for me to scrape my bank account
> >details.  That's hateful by itself... but better....
>
>
> My one bank just instituted a new second step of security whereby I
> answer three security questions of their choosing THAT ONLY I KNOW
> THE ANSWER TO.

Second step of security is good. The password to access your account can
be snooped, guessed or otherwise phished. For example: multi-channel
banking requires numbers only in your password so you can input your
password over the phone, and your login is often your bank account
number. So it's easy to guess the length and form of the login. If
people can choose their numerical password (6 or 8 in length, most of
the time), then you can bet on easy passwords (dates: a 30-year span
gives about 11000 possible passwords) and brute-force a login. Given
the number of clients of the largest banks (millions), you're bound
to find the login/password pair needed to break in. Without snooping
or phishing, and even if the user never ever connects (maybe the bank
creates online accesses by default, even if the clients don't require it).

That's an attack based on statistics.

A second level of security, for accepting transfers to unknown accounts,
creating new accounts, etc., is then a very good way to protect you from
those attacks. Brute force won't work if you have only three guesses.

Basically, the first level of protection will give access to read-only
information. You may not like the fact that people know how much you
earn, but at least they won't be able to move the money around.

Still a slight problem: if you can move the money from one of your
accounts to another from which it's difficult to take the money back
(e.g. long-term savings plans), then someone can really bother you,
by making your money unavailable, without stealing it!

> I'm sorry, but hundreds of people know which elementary school I went
> to and what my mother's maiden name is. And most of them are deadbeat
> second cousins who are probably going to be the ones filching my
> hard-earned pennies in the first place.

Well, if the questions are dumb... they deserve the hate.

My bank sent me a small paper card, with a table of 2-digit pincodes.
Whenever I want to do something "risky" (e.g., transferring money to a
new bank account), they ask for the pincode at column x row y in the
table. When the table has been used up, I just have to order a new one.

Naturally, phishers have created fake sites that ask you for several
numbers in your card. The user is still the weakest link.

Even when all banks provide tokens such as SecurID cards, phishers
will create fake sites and try to use the small window during which
the one-time password is still valid to enter your account (think how
captchas are defeated by robots using humans to decipher the images).

-- 
 Philippe "BooK" Bruhat

 In the contest between simplicity and silence, silence hasn't got a prayer.
                                    (Moral from Groo The Wanderer #15 (Epic))
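The "attack based on statistics" described in the message above, worked out in numbers. This is an added example, not code from the original post or from any bank: it enumerates the date-shaped PIN space the post mentions (a 30-year span of birth dates, about 11000 values) and computes how many accounts an attacker who sprays a handful of guesses across every login can expect to open, with and without the three-guess lockout. The customer count, the share of customers who pick a birth date as a PIN, and the function names are assumptions made for the illustration.

```python
"""Statistical (password-spraying) attack on numeric-only bank PINs.

Added example, not code from the original post. The keyspace (dates over a
30-year span, ~11000 PINs) is the post's figure; the number of customers,
the share who use a birth date and the 3-guess lockout are assumed
parameters chosen for illustration.
"""
import random
from datetime import date, timedelta


def birthday_pins(start_year: int, end_year: int) -> list:
    """Every DDMMYY string for a birthday in [start_year, end_year]."""
    pins = []
    d = date(start_year, 1, 1)
    end = date(end_year, 12, 31)
    while d <= end:
        pins.append(d.strftime("%d%m%y"))
        d += timedelta(days=1)
    return pins


def expected_compromises(accounts: int, date_fraction: float,
                         guesses_per_account: int, keyspace_size: int) -> float:
    """Expected number of logins opened when the attacker tries
    guesses_per_account distinct date-PINs against every account.
    Assumes date-PIN users pick uniformly from the keyspace, so each
    guess against such a user succeeds with probability 1/keyspace_size."""
    k = min(guesses_per_account, keyspace_size)
    return accounts * date_fraction * k / keyspace_size


def simulate_spray(accounts: int, date_fraction: float,
                   guesses_per_account: int, keyspace: list,
                   seed: int = 1) -> dict:
    """Build a constructed customer base and run the spray against it.

    The first int(accounts * date_fraction) customers use a birth-date PIN;
    the rest use a random 6-digit PIN that is not a date, so the count of
    hits isolates the effect of the date-shaped keyspace.  The attacker uses
    the same guess list against every login (spraying), so no account ever
    sees more than guesses_per_account attempts and a per-account lockout
    of that size is never tripped.
    """
    rng = random.Random(seed)
    keyspace_set = set(keyspace)
    n_date = int(accounts * date_fraction)
    guess_list = keyspace[:guesses_per_account]
    guess_set = set(guess_list)
    hits = 0
    for i in range(accounts):
        if i < n_date:
            pin = rng.choice(keyspace)
        else:
            pin = "%06d" % rng.randrange(1_000_000)
            while pin in keyspace_set:          # constructed: non-date users
                pin = "%06d" % rng.randrange(1_000_000)
        if pin in guess_set:
            hits += 1
    return {"date_users": n_date, "compromised": hits,
            "guesses_spent": accounts * len(guess_list)}


if __name__ == "__main__":
    keyspace = birthday_pins(1950, 1979)          # 30-year span
    print("date-shaped PIN space:", len(keyspace))
    # Assumed: 1,000,000 customers, 30% of them using a birth date.
    for k in (1, 3, len(keyspace)):
        print("guesses/account=%5d expected logins opened=%10.1f"
              % (k, expected_compromises(1_000_000, 0.30, k, len(keyspace))))
    print(simulate_spray(100_000, 0.30, 3, keyspace))
```

The numbers make the post's point concrete: a per-account lockout after three guesses does not stop an attacker who spends three guesses on each of a million logins, because the expected yield is dozens of opened accounts rather than zero; what protects the money is the second factor demanded before a transfer, which turns those openings into read-only views.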

Generated at 20:02 on 28 Dec 2006 by mariachi 0.52