
Court Rules Passwords+Secret Questions=Secure eBanking

Posted by samzenpus
from the nobody-knows-your-mother's-maiden-name dept.
An anonymous reader writes "A closely-watched court battle over how far commercial banks need to go to protect their customers from cyber theft is nearing an end. Experts said the decision recommended by a magistrate last week — if adopted by a US district court in Maine — will make it more difficult for other victim businesses to challenge the effectiveness of security measures employed by their banks. This case would be the first to add legal precedent to banking industry guidelines about what constitutes 'reasonable' security. The tentative decision is that a series of passwords + some device fingerprinting is enough to meet the definition of 'something you know' + 'something you have.' The case has generated enormous discussion over whether the industry's 'recommended' practices are anywhere near relevant to today's attacks, in which crooks usually have complete control over the victim's PC."
  • One-time pads (Score:4, Insightful)

    by Anonymous Coward on Wednesday June 08, 2011 @08:49PM (#36382414)

    We've been using one-time pads in Finland for a long time, and they do the job.

    What's the issue?

    • Re:One-time pads (Score:4, Insightful)

      by Anonymous Coward on Wednesday June 08, 2011 @08:52PM (#36382430)

      Well. Here in the US we don't feel like spending money on security.

    • We've been using one-time pads in Finland for a long time, and they do the job.

      What's the issue?

      We're just trying to balance our checkbooks, not take over the world.

    • Re: (Score:3, Funny)

      by Anonymous Coward
      I don't want to buy an iPad, use it one time, then throw it away.
    • by wvmarle (1070040)

      It seems Europe in general is way ahead of the US when it comes to security in on-line banking.

      My on-line banking (with a Dutch bank) goes back some 18 years now. The first system I used required dial-in to a dedicated telephone number using a 2400 baud modem (I didn't have Internet options yet - not even dial-up - and 2400 baud was not the fastest available but at the time quite normal), logging in with user name and password to a telnet like system, and to authenticate each transaction I had to enter a n

      • by _xeno_ (155264)

        Other banks started using a separate calculator to create the one-off numbers. This was a physically separate device, not on the computer itself.

        You can buy those little random number generator tokens for several MMOs, such as World of Warcraft.

        I've got one for Final Fantasy XIV since it came with the collector's edition. (Yes, I regret that purchase.)

        My bank (well, credit union) doesn't offer it as an option, instead requiring you to answer three "security" questions.

        I really wonder when the US will catch up.

        So, there's your answer. We care more about our online security for video games than we do about the security of our banks.

        We have the technology to do better. (Well, maybe not

        • by wvmarle (1070040)

          I really wonder when the US will catch up.

          So, there's your answer. We care more about our online security for video games than we do about the security of our banks.

          I think you misstate that a bit. It's probably the games COMPANIES that care more about keeping their accounts secure than banks do - most of their customers don't really understand/know about/care much about online security. This may or may not have to do with liability (I suspect it does), where the game company stands to lose more than a bank in case of compromised accounts. Financially or in terms of goodwill or whatever.

          Their customers don't know much about on-line security. They shouldn't need to: le

    • We've been using one-time pads in Finland for a long time, and they do the job.

      What's the issue?

      I would love for you to explain to me how that would do you any good when your own system is compromised and an attacker can display anything they want on your screen. When you just entered your OTP you didn't just transfer $100k to the attacker did you? Ooops....

      • by Zarhan (415465)

        Osuuspankki (http://www.op.fi/) has introduced an "extra verification" for payments. It's not used on all payments, but if the bank detects something odd (for example, you wiring money to someone you've never done before, or large amounts), it sends an SMS to your cell phone with the information about the payment you just made and asks you to type in the code you receive in the text message.

        So basically, if you have a rooted box, and you access your bank and think you are paying €30 for electricity bill and

        • by Zarhan (415465)

          ...and of course Slashdot doesn't support euro symbol when typed. I think you get the point anyway. Should have used HTML escape I guess for €

    • ....and even THEY are insecure enough that banks switched to two-way authentication (via computer + cellphone) here by now.

  • by timeOday (582209) on Wednesday June 08, 2011 @08:53PM (#36382440)
    I think this standard is OK, *if* the banks are liable for compromises (as they are with credit/debit cards). Obviously this isn't totally secure, but you have to consider everybody's wasted time when weighing alternatives.
    • by FatAlb3rt (533682) on Wednesday June 08, 2011 @09:14PM (#36382590) Homepage
      Unless the questions are like my bank's:
      Who is your favorite Disney character?
      What is your favorite color?

      You stand a good chance to get the right answer for any given account if you go with Mickey / Minnie or red / blue. How is that really security?
      • by definate (876684) on Wednesday June 08, 2011 @10:07PM (#36382960)

        I always answer those questions with a different password. This results in many people going, "LOL So your mother's maiden name is jks)*8h9*H*(BY?"

        This is when those are used for verbal authentication over the phone. Then on top of this, I just need some reasonable password management.

        All good!

        • Re: (Score:2, Interesting)

          by Anonymous Coward

          I was doing that with my bank (the 'mothers maiden name' answer I had, while technically correct, wasn't the obvious one), until one day when I had to call in and was informed that my answer was wrong. My mom has an account at the same bank, and somehow they had been able to 'fix' it; I have not been able to change it back. Nor did I ever get an answer as to why the change was made.

          • by definate (876684)

            WOW! That's not good. So, they ENFORCED bad security on you. By revealing something which could be found out.

            That's insane.

      • by Idbar (1034346)
        That actually depends on how YOU answer those questions and if you want them to be easy.

        The questions should serve as a mnemonic, such that if they ask for your favorite color you may as well go with tomatoandpepperred, or for a favorite Disney character go with mysonlovesthemousewithbigears.

        The problem is that people want something quick and easy to remember, which normally turns into Red or Mickey.
      • I've never seen those types of questions, do you have a reference for those? I always see things like "Childhood best friend", "oldest sibling's middle name", "3rd grade teacher", etc.
  • This has a name (Score:5, Insightful)

    by IICV (652597) on Wednesday June 08, 2011 @08:53PM (#36382448)

    There's a name for this sort of security - "Wish it was two factor" [thedailywtf.com] security.

    And now a judge is ruling that it's enough, along with a "device fingerprint" that can be trivially faked? That is complete bullshit.

  • good (Score:4, Interesting)

    by waddgodd (34934) on Wednesday June 08, 2011 @08:59PM (#36382486) Homepage Journal

    From a consumer perspective, the lower the bar is for "effective security measures" the better, because if an attacker breaks ineffective security measures, you're basically on the "caveat emptor" hook, meaning you failed to do due diligence, therefore any losses are yours. If the security's effective, the bank's on the hook for any losses due to theft. Think of it this way, your bank has a wooden safe, and a robber gets in, you try to sue the bank for your losses, the bank says "well, duh, we had a wooden safe, what'd you expect?", and gets off the hook, while if the bank has a steel vault, you sue, and the bank's required by fiduciary duty to cover your loss, even though it's not negligent. Kinda twisted, huh? But then again, look at the rhetoric flying around Washington about the banks, banking law is truly down the rabbit-hole.

  • by snuf23 (182335) on Wednesday June 08, 2011 @09:20PM (#36382636)

    I find it odd that Blizzard offers more security for a World of Warcraft account than your average bank.

  • Calm down (Score:5, Insightful)

    by Charliemopps (1157495) on Wednesday June 08, 2011 @09:31PM (#36382716)
    Seriously, everyone calm down. If your bank's security sucks, switch. It's really easy. I switched banks on Monday... it took me all of about an hour. Imagine if the judge had come down with a verdict like: True security is a 30+ character alpha-numeric password that is at least half capitals or special characters. The same password can never be reused. The user name must be a randomized 10 digit numeric sequence. Both user name and password cannot be valid for longer than 30 days, at which point both must be mailed separately to the user on different dates. Users cannot reset passwords without being in person and presenting 2 forms of ID at a branch office. Lastly, login periods cannot last for more than 5 min, upon which the user must log in again.

    What banks really need to do is give you options to lock down your online account. I want online banking, but I only want to transfer money between my accounts with that bank and 1 other account. Why can I not pre-approve those accounts and disable everything else unless I go down to the bank? Seems like a simple concept. Even if I were to get hacked, they could only move money around in my own account!
    • Re:Calm down (Score:4, Insightful)

      by memyselfandeye (1849868) on Wednesday June 08, 2011 @09:54PM (#36382872)

      Seriously, everyone calm down. If your bank's security sucks, switch. It's really easy. I switched banks on Monday... it took me all of about an hour.

      Know of any US banks that offer SecureID or something similar? I'd sure like to know, as in order for my LLC to accept credit cards I have to have a US bank, so it's not like I can shop around even if I wanted to.

      What banks really need to do is give you options to lock down your online account. I want online banking, but I only want to transfer money between my accounts with that bank and 1 other account. Why can I not pre-approve those accounts and disable everything else unless I go down to the bank? Seems like a simple concept. Even if I were to get hacked, they could only move money around in my own account!

      I agree, I mean, it's not like banks want you to easily move money out of an account anyway.

    • Re:Calm down (Score:5, Insightful)

      by Rockoon (1252108) on Wednesday June 08, 2011 @10:10PM (#36382988)

      If your bank's security sucks, switch

      Switch to another insecure bank? The problem is that this shitty security is industry standard.

      And if you don't mind me asking... What was the name of your first childhood pet?

      • My bank's security is:
        Username is a 12 digit random number, provided by the bank.
        Password is 12 characters at least 2 numbers and 1 special character.
        3 unsuccessful attempts locks the account.
        Unlocking the account requires a call to customer service who then hangs up and calls me back.
        At that point they ask me what my pass code is.
        I had to provide the pass code, in person, in writing at the bank when I opened the account.
        If I log in from a new IP address, the bank auto-dials my house... I then have to punch
        • They call you back ... and you then hand a random caller at the right time your details? There must be a missing step...
          • by jroysdon (201893)

            They, as in the person you were just speaking to. Can you not recognize a voice you spoke to less than 30 seconds prior? It's not like some random caller calls you back, it's the person you just spoke with.

      • by _xeno_ (155264)

        And if you don't mind me asking... What was the name of your first childhood pet?

        Ah-ha, I didn't actually use the name of my first childhood pet!

        Because her name was "Meg" and that was too short, since apparently you must answer with at least five characters. So instead I use the name of my second childhood pet.

        Except his name was "Max" and that's also too short.

        And I'll never tell you about my third childhood pet, a black cat named Licorice! ...oops. I wonder if I can change the answers to my security questions? I guess I'll need to go get a fourth childhood pet now, and make sure to na

  • by Kohath (38547) on Wednesday June 08, 2011 @09:53PM (#36382866)

    The company suing the bank had seen the bank's security measures. They had the opportunity to judge whether the bank's security measures were secure enough for them. The bank should win unless the precautions were unreasonably weak.

    You would think everyone involved would be insured against these kinds of losses.

    • What's more, the bank account was compromised because of the account holder's lousy security that ended up with them getting keyloggers on their computers. Why should the bank be liable for that?

  • I worked in a business where we built point-of-sale terminals.

    The banks are already crazy-serious about certifying devices that talk to their systems.

    When you think that the future is everyone and their phone conducting banking operations and that most of those devices have multiple known exploits, you expect things will only get worse.

  • If you have a business account where the bank won't cover losses from fraud; if your bank doesn't implement effective security measures; if you have some reason to stay with that bank anyway; if you feel compelled to sign up for online banking:

    Use a dedicated computer. They're cheap. You can afford to have one computer that's off limits for web surfing, online videos, dancing cursors and so on. For extra credit put it on a separate LAN segment, and of course you should have disabled Autorun anyway. Set it up so it can only connect to your bank's web site and to Windows Update.

    • by PPH (736903)

      Set it up so it can only connect to your bank's web site and to apt-get.

      FIFY

    • by cathector (972646)

      +1 dedicated computer.
      That's exactly what I'm setting up for my mom for her personal online banking - a netbook running Linux with strong injunctions from me to use it and only it for banking, in combo with separate email accounts for & only for banking. I admit I haven't done the same for myself, but I plan to soon. Ordinarily there's no way any Linux distro could survive in the hands of my mom, but if it's only used for connecting to a couple of sites, perhaps it has a chance.

  • "The case has generated enormous discussion over whether the industry's 'recommended' practices are anywhere near relevant to today's attacks, in which crooks usually have complete control over the victim's PC"

    And whose fault is that? At what point does a bank's responsibility for a user's poor choice of system end?

    • by fnj (64210)

      Wrong rhetorical question. I think what you meant to ask was "when are the fat corporate pricks who market incompetently designed operating systems which no professional of reasonable competence would want his name associated with - when do we hold them accountable?"

  • by Wolfling1 (1808594) on Wednesday June 08, 2011 @10:43PM (#36383244) Journal
    I've worked at a bank where $30,000 was sent overseas by accident in a testlab incident. A testlab!

    Banks are monumentally incompetent at securing their environments, so each individual needs to become accountable for the security of anything that takes place outside the bricks and mortar of their bank. My strategy is to distribute my funds across a few different banks.

    No password sharing minimises the risks, and distribution minimises the impact.
  • But it is not the fault of the banks. Governments around the world, including in the US, are very committed to spying on all of their citizens' networked interactions whenever they wish. Establishing much more perfect security including near unbreakable encryption is the last thing that governments wish to see. So if the banks had much more perfect security software then it would quite likely be illegal to use in most countries. If it has government back doors then it is that much less secure.

  • A decision by a U.S. District Court is not even binding within the same jurisdiction of that court. Yes, other District Court judges might give the decision some weight; but they are not required to do so.

    Only when the U.S. Circuit Court of Appeals upholds a decision from a District Court in that circuit does the decision become binding on all the District Courts in that circuit. Even then, the decision is not binding in other circuits. To be binding throughout the U.S. requires a decision from the U.S.

  • What are banks for? (Score:5, Interesting)

    by taucross (1330311) on Wednesday June 08, 2011 @11:15PM (#36383448)
    If banks can't protect our money, and aren't liable when it goes missing, then what are banks for?
  • If you don't think a bank offers enough security, don't use online banking.

    • If it doesn't take much more than your name and bank account number to open an online banking account, just "not using" it isn't going to increase your security.

  • I want my bank and other financial institutions to give me two different username/password combinations. One for [partial] read only access, and another for actual transactions. This would allow me to use services such as mint.com or quicken to aggregate my account information, but not actually give them the power to make any changes to my account.
  • Allow me to elaborate on the timeline of bank phishing, why this is horribly insecure and how even one time pads failed. I've spent my time in the early/mid 2000s working on this problem for some bigger banks in Europe, and if anyone feels like challenging this court's decision, I'll gladly come as expert witness, just to make this judge look like the clueless person he obviously is.

    The first and foremost reason why this is insecure is that all these "security" (I'll use the term loosely here) schemes fail

  • Might as well call it a "fake judge". Magistrates are the courtroom equivalent of a "maintenance programmer", brought in to handle the menial stuff that real judges don't want to deal with. We're letting one of these guys decide a huge issue like this? Not good, not good at all.

  • First off, if your machine is controlled by your adversary you're probably fucked one way or another regardless of what your bank does, if you give your attacker enough time. Also I run windoze 7... feel free to troll me.

    With that out of the way I highly recommend using keepass or something similar, not only do you get the obvious benefit of stronger and unique passwords but if a form wants answers to secret security questions, just pick a question, any of them it doesn't matter, and use a long random hex key

  • by Kim0 (106623) on Thursday June 09, 2011 @02:02AM (#36384330)

    What you see on your screen may be fake, and what the bank sees you type may be fake too.
    The only thing that may not be faked is your identification to the bank, when using a one-time pad.

    The obvious solution, which is too deep for bankers and judges, is to secure all the necessary information.

    In practice this means having something looking like a calculator which shows each transaction,
    having cryptographically secure two-way communication to the bank via the net, and being tamperproof.
    A sort of two-way code calculator.
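The "two-way code calculator" above and the SMS check in Zarhan's comment earlier rest on the same idea: the confirmation code has to be bound to the payee and amount, not just prove that the user holds a device. The Python below is an added example, not code from the page or from any bank; it models a compromised PC that rewrites the payee and compares an unbound one-time code with a transaction-bound one. The device key, account identifiers and amounts are constructed sample values.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Tuple

CODE_DIGITS = 6


@dataclass(frozen=True)
class Transfer:
    payee: str         # payee account identifier as the bank stores it
    amount_cents: int  # integer cents: no float formatting ambiguity in the MAC input


def _truncate(digest: bytes) -> str:
    """Reduce a MAC to a short decimal code a person can type (HOTP-style truncation)."""
    value = int.from_bytes(digest[:4], "big") % 10 ** CODE_DIGITS
    return f"{value:0{CODE_DIGITS}d}"


def one_time_code(device_key: bytes, counter: int) -> str:
    """Counter-based OTP: proves possession of the device, says nothing about the payment."""
    return _truncate(hmac.new(device_key, counter.to_bytes(8, "big"), hashlib.sha256).digest())


def transaction_code(device_key: bytes, t: Transfer) -> str:
    """Code bound to the payment: MAC over a canonical encoding of payee and amount."""
    canonical = f"{t.payee}|{t.amount_cents}".encode()
    return _truncate(hmac.new(device_key, canonical, hashlib.sha256).digest())


def malware_rewrites_payee(t: Transfer, attacker_account: str) -> Transfer:
    """Constructed model of a compromised PC: the amount the user sees stays, the payee changes."""
    return Transfer(attacker_account, t.amount_cents)


def bank_accepts_otp(device_key: bytes, counter: int, code: str) -> bool:
    """Bank-side check when the second factor is an unbound OTP."""
    return hmac.compare_digest(one_time_code(device_key, counter), code)


def bank_accepts_bound(device_key: bytes, received: Transfer, code: str) -> bool:
    """Bank-side check when the code must match the payment the bank actually received."""
    return hmac.compare_digest(transaction_code(device_key, received), code)


def run_scenario(bound: bool, compromised: bool = True) -> Tuple[bool, str]:
    """Return (accepted_by_bank, payee_that_would_be_paid) for one submitted payment."""
    device_key = b"constructed-per-user-device-key"  # constructed; shared by device and bank
    intended = Transfer("ENERGY-CO-ACCT", 3000)     # the EUR 30 electricity bill the user sees
    on_the_wire = malware_rewrites_payee(intended, "ATTACKER-ACCT-0001") if compromised else intended
    if bound:
        # The separate device is fed the payee and amount the user intends (keyed in, or shown
        # on its own display), so the code covers that payment, not whatever the PC sent.
        code = transaction_code(device_key, intended)
        return bank_accepts_bound(device_key, on_the_wire, code), on_the_wire.payee
    counter = 41  # next unused OTP counter, constructed
    code = one_time_code(device_key, counter)
    return bank_accepts_otp(device_key, counter, code), on_the_wire.payee
```

With the unbound OTP the altered transfer is accepted; with the bound code the bank's own computation over the received payee no longer matches and the payment is refused.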

  • by houghi (78078) on Thursday June 09, 2011 @02:13AM (#36384366)

    The bad thing about a precedent is that it will fix at a certain time. Imagine they find something that is secure as we know it, while still being usable. That would be effective today.

    Tomorrow some smart person finds a way around that security, making it insecure.

    Now the banks will say the day after tomorrow in a lawsuit: We did what was required, while the customer will say that security was not enough.

  • by drolli (522659) on Thursday June 09, 2011 @04:13AM (#36384952) Journal

    which involves old/new olives. Funnily the judge does not try to verify by himself but calls somebody who is a trader of olives and knows about the topic of old/new olives.

  • Here in Sweden (Score:4, Interesting)

    by jools33 (252092) on Thursday June 09, 2011 @05:05AM (#36385264)

    Here in Sweden - my bank uses a keypad - where the user first must key in a PIN code to activate the device. Then to login - you must key in your national security number (userid) - from this the bank generates a code - I key this code into my unlocked keypad - and get a return code. This is I guess similar to the RSA key generation (the device is not supplied by RSA incidentally) - except that the whole activity is locked down by a 4 key PIN in my handheld device - which I guess is the key to the code generation. My bank thinks this security is impregnable (the last time I questioned it they laughed at me) - but after the recent RSA hack I really wonder if this is the case. If the generation algorithm becomes common knowledge (i.e. the security provider is hacked) - then all that is needed is to identify the 4 digit PIN code.
