One-Time Pads To Protect Electronic Bank Access 345
dummkopf writes "CNN reports how Scandinavian banks issue one-time passwords to protect customers' accounts when these use the same password for other, i.e., more insecure email accounts. Having a bank account in the U.S. (with a trusted and well known Bank OF nAtional reach) I always wondered why the security was soooo poor: while it has changed slightly now (better usernames/passwords) it used to be the case that your username was your SSN and your password a number code (!). I am sure most of you will agree with me that this is scary... I live now in Switzerland where one-time passwords for online banking are a must and where my current bank is one of the 'crappy' ones with a little card with one-time passwords like mentioned in the CNN Story. The nicer ones even give you credit-card-size RSA password generator which is combined with a calculator you can keep in your pocket. Hence my question: are others also worried about poor security of online banking in the U.S.? Are there banks which are better than the ones mentioned above?"
Ultimate security (Score:2, Funny)
Re:Ultimate security (Score:5, Insightful)
Funny as it sounds, just wait till someone get a hold of your identity, you'll be poor and deeply in debt. Scammers are very good and obtaining credit, it helps that they don't fear the repercussions of being unable to pay.
Being poor is no reason to not protect your identity. You'll just get more funny looks.
Re:Ultimate security (Score:5, Insightful)
Answer: You don't. You tell the idiots who accepted somebody else as you that they're shit out of luck getting any money out of you and they'd better start looking for the guy who took them to the cleaners.
Which they should have done in the first place.
Of course, it's a hassle TELLING all these people that...
Nothing New. (Score:5, Informative)
Login & Password.
And then for EACH transaction an TAN (TransActionNumber) which was a one time password that they mailed to you in a batch of I think 25.
So in order to complete a transaction you not only needed the username and Password but also a TAN.
More secure than they do it here, where you just log in and then it's a free for all.
Re:Nothing New. (Score:3, Insightful)
Sorry, been playing too much Thief 3 lately.
But my password is as secure as I make it, so is my login (which I chose and is just as obscure as my password). Both exist only in my head.
The problem inherent with one-time passwords and TAN schemes is that people print them out and stick them on th
Re:Nothing New. (Score:3, Interesting)
What is the utility of doing that since they are ONE TIME. Why would you ever want to post it up after it was used once? Presumably they are "scratch off" so merely putting the booklet up won't make it obvious what the passwords actually are. And then they STILL need your real password first.
Re:Nothing New. (Score:5, Informative)
It's been a while since my nice [ubs.com] bank has switched from the TAN system to the calculator/login device + chip card, but if I remember it right, it's not only the TAN that authenticates you, it's your user name (or more precisely, your account number - after all, we're in Switzerland, the home of number accounts) and a password of your own choice, plus the current TAN, used only once. This seems to me to be a pretty good system, as you prove your identity by:
With the login device I am using now, you need to:
Knowledge of any one of these is useless, you need to know all of them, so I think the system is pretty secure. Frankly, I was slightly mystified to read that US banks rely on only one token of authentification
Re:Nothing New. (Score:3, Interesting)
Re:Nothing New. (Score:3, Interesting)
Re:Nothing New. (Score:2)
Hmmm, here in the US I need a digital password that I supply and a physical card with a piece of authorization mailed from the bank for each transaction. Many places require authorization with a physical signature if you don't use the card, and use one of their pre-supplied (mailed to me by the bank) slips of paper with their routing information on it.
Re:Nothing New. (Score:3, Insightful)
Thief would need my account-no. (ok, that's _pretty_ easy), my card and my card-pin (different to my internet banking pin). And, I can use some fancy home-banking apps (even available for linux).
Re:Nothing New. (Score:2)
Your account number is public (many business put their account number on their website so it is easier for you to pay them), and you keep your password (something you know) and your TAN list (so
Re:Nothing New. (Score:2)
Nowadays you can choose your own username and password (a vast improvement as you're less likely to write it down) and have the option of either getting TANs printed and mailed (you have to show the postman ID) beforehand, OR sent by text message (again, your GSM number is confirmed via a code sent via registered and to-be-IDed-for mail).
The neat thing about the TANs
Change is a comin'... (Score:3, Insightful)
What security (Score:2)
In my bank the online banking site allows me to check the balance and that's about it. Doesn't leave too much to the intruder.
I can also contact the bank via e-mail and ask to change address or anything else, but that would require a phone call confirmation as well.
Re:What security (Score:3, Informative)
Keep in mind folks, that in the US, electronic funds
Re:What security (Score:3, Insightful)
I've always wondered what keeps someone from simply taking a check you've written (to them possibly) and then using t
Re:What security (Score:2)
Are you sure there's no signature or any additional requirement? My bank required me to show up in person and sign two forms, present the ID and all, to do the wire transfer.
Like the poster before me noted, what'
Re:What security (Score:3, Interesting)
Like the poster before me noted, what's to prevent someone from simply looking at your check and copying the data?
Nothing.
Re:What security (Score:3, Interesting)
My regular bank is a branchless bank in Canada, they're website offers quite a bit of functionality including transferring money to other accounts.
But what really concerns me is *physical* security. I have a small bank account with CIBC (another Canadian bank). I needed about a thousand bucks off my account, so rather than using the atm, i went inside, handed the teller my flimsy
Our Bank (Score:2, Insightful)
Re:Our Bank (Score:2)
And thank God Sean Connery turned down the role of Gandalf in Lord of the Rings, as well as turning down the role of Morpheus in The Matrix. (True: He was offered both parts! Scary!)
Not a one-time pad (Score:5, Informative)
Re:Not a one-time pad (Score:5, Informative)
But it's difficult to remember dozens of strong passwords -- so many sites now require them.
Whatever. You simply need a pattern combined with "phrases" that only you know. For instance, your phrase could be "Jack and Jill went up the hill", so your password would be, "JJW!TH". Then you add a number to it that you can remember, for instance, the last four of your phone number reversed. So JJW!TH9834. Now throw in something unique from each site you visit. Take Google, perhaps Jack and Jill don't go up the hill, they go to Google: JJW!TGGL9834. Or on Hotmail, perhaps Hotmail went up the hill: HMW!TH9834. Mix and match for various web sites.
Easy to remember, extremely difficult to break. Secure enough for most anything us common folk would do - including online banking - and not such a hassle as carrying around scratch-off cards or RSA keys everywhere you go.
Re:Not a one-time pad (Score:2)
I agree with the second statement, but not the first. I think it *could* be easy, for certain types of people, but not John & Jane Doe. Coming up with a phrase-based password is something I think everyone can aspire to. But add in site-specific randomness and you'll quickly hit "post-it note passwords" - random, secure passwords pasted right on the monitor.
However, I do agree passwords are much more convenient than some kind of physical or electronic
Re:Not a one-time pad (Score:4, Funny)
*Sighs*
*Proceeds to change all my passwords starting with the bank account*
Re:Not a one-time pad (Score:4, Interesting)
For my parents/grandparents (Score:5, Funny)
Still not as good as your technique, but easy enough for them to remember and not as bad as what they were using.
Mom: (entering password) click, click
Me: "That's an awfully short password mom, what're you using?"
Mom: "My birthdate: 1217"
Me: "AAAUUUGGGHHH!"
Mom: "What's wrong with that? I don't give it out."
(Note: Birthdate changed to protect the innocent.)
Re:Not a one-time pad (Score:3, Insightful)
The goal of initiatives like this is to make decent security the only easy way. It is worth increasing the hassle a bit, even for users like you, if it drastically increases th
Re:Not a one-time pad (Score:3, Interesting)
NOPE
The best idea is a password of whatever persuation and a x509 certificate used for SSL which is ussed by the bank in the sign on process. As a result you are always asked two passwords one of which cannot be set to "remember" - your SSL cert store and your bank username/password. This combines luser authentication with machine authentication. As a result you have to steal the machine used by Joe Average in order to use his/her bank account. This
In the Netherlands too.. (Score:2, Informative)
Much better in Saudi Arabia (Score:4, Interesting)
Re:Much better in Saudi Arabia (Score:5, Funny)
Re:Much better in Saudi Arabia (Score:2, Insightful)
I am reminded of an article several months ago on spoofing fingerprint readers. The gelatin technique [schneier.com] is likely the one most Slashdotters remember, but for some, it was sufficient to blow on the detector. c't [heise.de] has lots more fun details, but these have both been on Slashdot before.
Re:Much better in Saudi Arabia (Score:5, Informative)
Biometrics are highly inaccurate/insecure. We break them all the time. I myself would never use anything important that was secured with only a biometric. Even a 4 digit limited error PIN would be more secure.
Re:Much better in Saudi Arabia (Score:3, Informative)
Something you have, something you know, something you are. Two out of three is considered good security.
Biometrics is something that you *are*. There are implementation issues, sure, but people are far too hard on it as a method of authentication.
Re:Much better in Saudi Arabia (Score:2)
So all a mugger who steals your card has to do, to get access to all the money in your account, is: cut your finger off and take the finger to the ATM?
And you like this system?
Re: (Score:3, Informative)
Re:Much better in Saudi Arabia (Score:3)
I used to think that (Score:3, Interesting)
While the idea may be great, I've yet to be convinced of either the streng
Re:Much better in Saudi Arabia (Score:3, Informative)
Matter of economics (Score:2)
As much as I'd love to see this implemented at every bank
And why would you legislate it? (Score:4, Insightful)
The fact that nobody is paying for more security in the free market is a pretty good indication that people don't really want it in the first place.
Re:And why would you legislate it? (Score:3, Insightful)
A sound argument if the market is aware of more secure methods and the limitations to the current methods. However, even most technical people would simply suggest to choose a strong, unique password for sensitive sites.
Re:Matter of economics (Score:2)
Misleading headline (Score:3, Informative)
It's about time... (Score:3, Insightful)
One caveat I had about this article was this....
"Outfitting 1 million customers with such devices could cost $20 million, while Internet fraud for those customers amounts to "tens of thousands at most," said Tony Chew, director of technology risk supervision at the Monetary Authority of Singapore. Singapore banks thus limit dynamic passwords to fund transfers, he said."
This is a pretty bold statement coming from the director of technology risk at eBay. eBay has pretty much become the breeding ground for scams and frauds. With millions of items up for auction at any one time this doesn't make any sense. I believe I read an article several months back that eBay estimated that at any one time about 3% of their auctions are fradulent. A small number in comparison to the number of auctions that are ongoing. Doing a totally unscientific experiment, I averaged about 3,000,000 ongoing auctions at eBay, and took the 3% of fraud auctions = 90,000 auctions. I would imagine atleast an average of $100 per auction completion. That puts it at $9,000,000 at any one time and that's only from eBay. This also doesn't acocunt for auctions that were performed outside of eBay as the P-P-P-powerbook [slashdot.org] one was so performed. Also, imagine the thousands of other financial banks and credit card companies doing business online. And let's not even get started on Paypal.
*Notice.. this was a totally unscientific experient performed by myself.
I think that when putting these numbers all together would make a strong case for such two-factor authentication. I don't mind a second step if it's going to save me money if someone really wants into my banks, eBay acocunts, etc...
Re:It's about time... (Score:2)
Mod me down :)
It's cliche, but... (Score:5, Insightful)
You want to give these folks RSA dongles? They don't even see the security implications of putting their entire credit line on their keychain [speedpass.com] with not even a PIN for validation.
The two problems are simple: People here won't understand it, and they won't care.
Why this works in Europe is beyond me, but I'm sure there are plenty of cliche anti-American rants to help explain it.
Ok, I'll bite... (Score:2, Insightful)
Re:Ok, I'll bite... (Score:3, Interesting)
I guess you're right... it's not that much tougher to slide a stolen credit card (swipe a swiped card?) through the slot, than it is to wave a Speedpass over a sensor. Makes me think again about that wallet full of cards... thank goodness they're already maxxed out.
Re:Ok, I'll bite... (Score:3, Insightful)
Providing trusted communication becomes a whole lot more difficult. Smart cards make it sim
Re:It's cliche, but... (Score:2)
Re:It's cliche, but... (Score:2)
The local supermarket is packed with MIT students, faculty and staff -- and they have as much trouble with those ATMs as everyone else. (Supposedly Stallman shops there, but I've never had the privilege of watching him use one. He'd probably be complaining that the system pr
Re:It's cliche, but... (Score:3, Informative)
swiss vs us ebanking
UBS Swiss Ebanking [www.ubs.ch]
UBS US Ebanking [ubs.com]
how ebanking works for me [www.ubs.ch] sorry but everyone who doesn't understand this should not be allowed to have ebanking
i don't know why you americans let yourself be fisted by corporations like this!!!
maybe you are all masochists
Re:It's cliche, but... (Score:2)
I like the HSBC system in the UK (Score:3, Interesting)
To log in you need to enter:
- A 12 chacacter alphanumeric code as your username (given to you on a card when you sign up)
- Your date of birth
- Three digits from your security number, and it's different digits on each subsequent visit. For example on one visit you'll be asked for the 1st, 2nd, & 3rd digit. The next visit you might be asked for the 4th, 6th & last.
I have a lot of respect for the HSBC. Their customer service is also second to none - with my US bank I frequently find myself getting passed around between different customer service reps and having to tell my story from the beginning each time. Not so with the HSBC, they know my name before I've even spoken, and they never lose track of me no matter how many people I get passed along to.Maybe I should be more concerned, but... (Score:4, Insightful)
There really isn't a lot of damage that someone could do with my online banking account.
I can't transfer funds to an account that is not mine.
The information that is available online about me and my account is less than what is available on a check. I guess I should be more concerned about that, but I have no control of my checks once I have used them to pay for something.
My Debit card information is not available online.
About the best someone can do with my account is see my balance.
Re:Maybe I should be more concerned, but... (Score:3)
Re:Maybe I should be more concerned, but... (Score:2)
Online banking is a "feature" that I could subscribe to, but it is one that I have opted out of.
My bank charges US $5 per month for this service.
Most of my bills can be paid online via VISA / MC. I choose that route.
One time password not one time Pad. (Score:5, Informative)
a One-time pad is an encryption algorithm.
The two have basically nothing to do with each other.
A one time pad:
Generate a random pattern of bits of the same length as the plaintext. XOR the two. The resulting ciphertext and the random field are now both requried to re-generate the plaintext (to call one the ciphertext and one the key is wrong too. they are both statistically equivalent).
Both are also completely useless by themselves, and truly totally, provably, unbreakable.
This is the only form of unbreakable encryption.
The moment you use a pad more than once, though, it ceases to be a one-time pad, and is breakable.
Re:One time password not one time Pad. (Score:2)
If the transaction is actually encrypted with the one time password before it's tranmitted, then it might even provide an additional barrier against breaching SSL.
Re:One time password not one time Pad. (Score:5, Informative)
Adding your login to the database of one-time passwords and displaying the first login password:"499" is the counter, "dh0391" is the seed. Combined with the password, you can generate additional logins from any computer, on- or offline. Generating additional login passwords:And logging in:The beauty of this is that you can turn it on and safely login as root using a telnet session as replay attacks won't work since the password has already been used. Of course, "safely" here only applies to password reuse as a telnet session doesn't prevent other problems, such as man-in-the-middle attacks. Because this uses a standard algorithm, you can even generate new login passwords as needed from a PDA -- it doesn't have to be generated directly on the host system. So if you're SSHing to your server to fix a problem and you're in some internet cafe, you don't need to worry about keystroke loggers picking up the password. Type it in via plaintext as it'll never get reused.
Re:One time password not one time Pad. (Score:2)
Re: (Score:3, Interesting)
Recent trend in Portugal... sort of (Score:5, Informative)
There's no standard, and they seem to be having some dificulty balancing user-friendliness with security.
The current "hip" thing is to require a login/password pair, followed by things like:
- Enter the the sixth and second numbers of your ID card/passport (random positions)
- Enter your numeric PIN using the randomly placed JavaScript keypad
- Use the code-matrix card (provided by the bank) and enter the value in square 4C
- Confirm every money-moving operation with digits in random positions from a fixed (long) code given to you by the bank. Said code is regenerated every month.
I don't thinks there's any bank here using plain login/password auth. There were attempts to use personal x509 certs, but most users had trouble installing them or using them.
simple economics (Score:3, Insightful)
Besides, what can you do from most US online bank systems? Check balances, transfer funds from one type of account to anther (savings to checking), or maybe even transfer to another member of the same bank? These are all very traceable and means that really stupid criminals will get caught.
It's probably much easier to just steal credit card numbers.
I'm more concerned about internet shopping... (Score:5, Interesting)
...why are we still using a system that relies on you trusting every single person you give your credit card details to? It would be perfectly possible to generate a one-time authorisation code for each transaction...
Re:I'm more concerned about internet shopping... (Score:3, Interesting)
Re:I'm more concerned about internet shopping... (Score:3, Interesting)
Re:I'm more concerned about internet shopping... (Score:2)
Experience with one time passwords (Score:2)
Usage is easy: punch in a selfdefined 4 digit PIN-code and the calculator-thingie returns an 8 digit password code. What's more: when doing transactions one will be presented with a 6 digit code that one has to punch into the ActivCard, which then returns a 6 digit confirmation-code that one has to key in in order for the transaction to take place.
It sounds like a lot, but it rea
one time pads vs. one time passwords (Score:3, Informative)
A "one-time password" means a password that is used once and discarded. This password is typically used only for authentication purposes. By contrast, a "one-time pad" is used for encryption purposes.
One-time pads are almost never useful for typical internet situations because they are very easy to misuse and very insecure when misused. They also don't solve any problem worth solving -- conventional encryption is already strong enough that the added security of a one-time pad has no value in typical internet situations.
One-time passwords, on the other hand, do potentially have some value, because the currently available password authentication systems are quite weak compared to the strength of the corresponding encryption systems.
Poland (Score:2)
There's a virtual (online only) bank here in Poland that has used one-time pads for the last couple of years.
My current bank uses a secure token [vasco.com] to protect online access.
Stronger security isn't always better security (Score:5, Insightful)
From my perspective, if someone breaks into my account, it's a hassle, but not a huge deal: My account is insured, and I get my money back. I'd rather deal with the inconvenince of this happening once or twice in my lifetime than having to deal with carrying and using a password generator for my entire life.
From the bank's perspective, it is probably cheaper to lose some money to accounts being compramised than to implement better security across the board. That translates to lower costs (or better interest) for me the customer, which is also nice. I'm fairly confident this is true, because were it better (cheaper, more convenient) to have stronger security, my commercial bank (always wanting to make a buck) would be doing that instead.
Your house would be more secure if you had bullet-resistent windows, steel-reinforced cross-bar doors, one-time pad electronic access, and 24/7 security guards, but most people the find much "weaker" deadbolt/key combination to be the BETTER solution.
BofA is Trusted?!?!?!? (Score:2)
I don't trust banks that fire their programmers to hire people working offshore for $2.50/hr- there's just WAY too much potential for abuse there. After all, why would your bank card data be secure, when any one of their offshore programmers can get away with many hundreds of years worth of salary by selling your identity on the black market?
Sweden (Score:2)
Retinal Scans (Score:2)
Constructed passwords. (Score:4, Interesting)
For example, I dredge up the number 42 (the answer to Life, the Universe and Everything) and some nonsense word. Let's say it's "snert". Pump it through the construction process and I come up with "first47snertt". Not exactly intuitive, but I'm just adding the number of letters in "first" (5) to my number and the last letter ("t") to the end of the nonsense word.
The result is a pretty strong password. No cracking program is going to have the word in it's dictionary and knowing my password to First National isn't going to tell you that my password to Discover is "discover50snertr". Since "snert" is nonsense anyway, there's no way to tell where the letters come from; you could be sticking the third letter in "Discover" onto the beginning and your nonsense word could be "nertr". There are no rules to how to construct the password, but you want to have an obscure way for the base password to modify the gibberish in the rest so knowing one password will not give you the rest. It saves me the trouble of remembering a lot of strong passwords. Of course, if someone got ahold of several of my passwords and spent enough time on them, they could probably figure out the routine, but that's not as dangerous as using the same password.
And yes, that's just an example. It's not the process I use to construct my own passwords. Trust me, you don't want to know.
Bank of America (Score:3, Interesting)
I use this bank, and I always put in my wrong userid and passwd so that I can enter them on a secure page. If someone is interested in thousands of bank accounts go ahead and register www.bankfoamerica.com or something similar, and mass mail people to make sure their account is correct or whatever. People will follow the link. You can simply grab their info and redirect them to the proper server with little hastle from anyone.
I've called and told them about this, and they told me that "We are a bank, we take security very seriously, thank you very much". This was when I called them to find out the real balance of my credit card. I had 2 balances with $1,200 difference between them. They told me it was a cache problem in my browser, even thought I used 3 different browsers, under 2 different usernames on my system. They didn't seem to understand that a) https data is not cached between browsers, nor b) https data is not cached between different users. Oh yeah, this is also after they started talking to me about my last purchases on my cc without confirming _any_ form of identification besides my cc number.
I feel as though I have an OK workaround by putting in the wrong info the 1st time, but if anyone else uses Bank Of America, I would suggest a call to them.
Re:Bank of America (Score:4, Informative)
Your login/password is sent to an "https" address. It is being sent encrypted. Look at the source and see for yourself.
You can't really go by what you see in the URL because that is the address you're looking at, not the address that the form data is posted to.
Most browsers will warn you when you try to send something that's not secure. Most likely you've disabled that warning, as almost everyone does. If you turn it back on, you will notice that the browser won't warn you when you try to login because it is encrypted.
Not one time pads! (Score:2)
Pick your own! (Score:2)
Now I just have to worry about someone with a SSN equal to my ran
American bank security solution (Score:3, Funny)
Same in the Netherlands (Score:3, Informative)
Additionally, if you want to transfer any money, you have to input a number from a list they send you through the mail. This list is printed while it's in the envelope (like some US banks do for overdraft statements and such) so no people other than the recipient ever see it. When you get close to using the last number, they send you a new list automatically.
Since they moved the whole system to the Internet, things are pretty much the same. You can log in and check your balance wherever you are, but you can only transfer money if you have your transfer-code-list with you. To me, this feels like the perfect system; in-your-way security restrictions only on the stuff that really matters.
Real security difference? (Score:2)
But is the one-time pad (plus fixed password) used by ZKB really any less secure than the UBS calculator? The one-time pad sheet is easier to carry around than the calculator.
By the way, the bank you call 'crappy' (Z
What I REALLY hate (Score:2)
And Windows 2003 complained that @bob&bob$ *! was too simple a password because it didn't contain a number.
I am surprised nobody has mentioned (Score:3, Interesting)
One time pad != one time password (Score:4, Informative)
I hate to be a pain in the ass about semantics, but the article headline is a bit misleading. It states One-Time Pads To Protect Electronic Bank Access. The article is about one-time passwords. I'm no crypto expert, but I've done my fair share of reading. A one-time pad is the closest thing available to perfect, unbreakable encryption. The idea is that two pads are generated of completely randomly generated characters, one is used to encrypt the characters (via modulo divide/add/xor, whatever) and immediately destroyed. The other is used to decrypt the message. As long as the pads contain truly random numbers, and they are never reused or recovered, the encryption will never be broken (because the cyphertext is a completely random string of characters).
A one-time password, while usually a pretty good key, is just not the same -- especially if we're talking a 64-bit key with a known encryption scheme. It can be very good, but never even close to the former.
Anyway, like I said earlier I'm not a cryptographer, but a enthusiast (at one time)...but I found that the header in the article was misleading.
Swedish banks (Score:3, Informative)
If you use the swedish bank "Sparbanken" (one of the largest) you got your own RSA half-creditcard sized code generator. You enter your social security id (birthdate with 4 unique digits attached) to the bank to give the basic identification and the bank gives back a 9 digit code you enter into your RSA code generator (after entering a 4 digit access PIN code) and then get another 9 digit code that you enter into the browser to the bank.
It might sound like a lot of work, but it really goes in less than 30 seconds in most cases. Plus, you do the same procedure (get code enter code in rsa device, enter in browser to bank) everytime you want to pay a bill. Although you can stack up 20-30 payments or more and sign them just once, so it's not a procedure that really bothers anyone.
And of course all the communication is over https/ssl and all.
Just to give some more details on how it works
There is better security out there. (Score:5, Informative)
Yep, I'm a programmer for one of them.
First of all, your login to our on-line banking system is a randomly generated unique 8 digit number. It's on your ATM card and it's your user ID number for the bank. You also have to remember your 6 digit PIN. But what if you forget your PIN? Well we can't give it to you. Why, because we use one half of a public private key encryption to save only the encrypted version of your PIN. And just to be safe we throw away the private key so even WE can't see what your PIN is. If we ever get hacked (and people try but they've never gotten through. And yes, we've caught them and put them in jail) in any case, if we ever do get hacked they can only see the encrypted version of your PIN and the private key to decrypt them is nowhere to be found.
So you forget your PIN. How do you get a new one? You call us and verify who you are via at least 2 or 3 different ways (I won't tell you how). Then we mail you (yes, snail mail) a new temp PIN to the address your checking account goes to. You can log in ONCE with that temp pin and you are required to change your password after the first login. By the way, if you log in 3 times incorrectly then we lock your account and notify people in the bank that this may be a hack attempt. Good thing we also log the IP address each of those login attempts were coming from.
By the way, when you first signed up you gave us a secret question like "When dad bought that farm in Kentucky he also bought some cattle. What was the name of the first cow that he bought?" You wrote the question yourself which makes it even harder for a hacker to guess what that question is. And when you applied for on-line access you gave us the answer "Matilda". That answer is also encrypted with a one way public-but-no-private-key on our servers. So when you log in with your temp password we're going to ask you the question that only you know the answer to.
I havn't even gotten to physical security. Believe me, don't even try to physically get to our servers, or even to the printers that print your statements. That is, if you could even find the buildings (There are no signs on teh building that say who we are) Add to that triple redundent servers and databases that are located in physically different locations over 200 miles apart so even a terrorist attack on one city won't destroy your bank records. AND those records are backed up and stored in yet another physical location.
And I could talk about all the auditing that the SEC does on us to make sure that our systems are secure, our data is redundently backed up, failover systems work and so on.
So yes, most banks have far more security than you can imagine. You may feel safe again.
Cellphones and banking (Score:5, Informative)
Not only does my bank use one time passwords, the card they're on is a scratch-off card. This gives me 2 additional levels of protection. Not only does it prevent someone from peeking at my card, but it let's me verify that I made each transaction. I don't need to keep track of the last number I used, it keeps track for me. And I don't need the card unless I'm actually moving money around - all I need is my login and password.
The web interface on my bank is incredible - I can check on all transactions since I opened the account.I can set up sub-accts on the fly, issue debit cards to each of them, and my debit card works great online - so I can keep track of those internet purchases. Between-bank money transfers take a max of 1 day, usually same-day if I make it before 17.30, transfers within my bank are instantaneous - really handy for lending my brother some money *fast*.
And the icing on the cake, the thing that made me go to this bank - instant text-message updates on my current account. I get a transfer - I get an SMS, I buy something - I get an SMS. It's incredibly fast (I usually get the SMS before they hand me the reciept to sign) and incredibly useful. I know how much money I have, how much money I spent that day. It really helps to stem the spending sprees that plastic seems to lend itself to.
And all this, from my local, Polish bank.
Not an "one-time pad"... (Score:3, Interesting)
Somebody (the createo od the title) is obviously shaky on crypto.
Its up to the banks... (Score:3, Insightful)
If I speculate about the causes of the differences (from country to country) of bank security, I think about the following:
It's just in the US. (Score:5, Informative)
All the banks I use in Poland provide one-time passwords for anything important. There are no checks in use, but you can use electronic money transfers to pay for just about anything (this is being introduced as "BillPay" in the US and advertised as big news).
I guess the US was first to develop a mature banking industry with credit cards and checks. This has worked so well (back in the 70's) that banks were not under pressure to innovate.
Effectiveness (Score:3, Interesting)
Say someone has created such a site - what prevents them from harvesting one time passwords or even challenge/response data this way and using them for fraud immediately? Say the user tries to perform a transfer on the fake interface, provides their transaction number or challenge/response token - the fraudster just uses these details straight away on the real site. The keys they've stolen are fully valid as far as I can see - even the timed challenge/response, if they use it quickly enough. The user would eventually notice that their transaction never happened, but by then they've been robbed. Am I missing something?
Sloppy reporting. (Score:4, Informative)
A one-time-pad is in no way the same as a one-time-password. The only thing common between the two is that they're both used only once.
A one-time-pad is a random string as long as the message you want to send, shared between sender and recipient. The sender encrypts the message by xoring with the one-time-pad and the recipient decrypts by doing xoring the ciphertext with his copy of the one-time-pad. The pads must then never be used again, and must be securely destructed to prevent people who have a copy of the ciphertext from getting hold of them. Unconditionally secure, but often impractical due to the key-handling issues.
A one-time-password, like those Banks here in Europe typically either issue to you on a sheet of 50, or in the form of a calculator-like device that generate them from the current time, a secret pin and a cryptographic hash serves a quite different purpose;
The idea is that if you force people to have long, complicated passwords, then they either write them down, use the same password on multiple sites, or both.
By using an additional one-time password, the bank makes sure that there's *two* things identifying the user logging in. One, the user knows the secret pin. (which is typically simple 4-digit or so.) and two, the user is in posession of the sheet-of-codes/calculator-thingie.
Increases security quite a bit, because it's no longer a threat if someone for example hacks the users computer and installs a keylogger or similar device. Sure that attacker will then learn the pin, but the attacker will then *also* need to break into the house of the victim or otherwise acquire the list of one-time-passwords. So at the very least you've eliminated the large group of attackers which have no physical proximity to the victim.
Re:One time credit card #s - (Score:3, Informative)
AMEX dropped this service last month.
Re:One time credit card #s - (Score:2)
I don't understand... (Score:3, Funny)