Lloyds TSB Pushing New Online Security Protocol
An anonymous reader writes "Looks like the two-factor bandwagon is beginning to roll in UK banking. The BBC is reporting that Lloyds TSB is issuing hard-tokens to 30,000 customers in an attempt to curtail phishing." From the article: "Until now, Lloyds TSB has used a two-stage system for identifying its customers. First, users must enter a username and password. Then, on a second screen, they are asked to use drop-down menus to choose three letters from a self-chosen memorable piece of information. The aim of using menus rather than the keyboard has been to defeat so-called 'keyloggers', tiny bits of software which can be used by hackers who have breached a PC's security to read every key pressed and thus sniff out passwords. But newer keyloggers now also take screenshots, which can reveal the entire memorable word after the bank's website has been used just a few times."
Good for them. (Score:2)
Though I wonder what happens if the internal clock on those hardware key generators gets slow? If the key is generated every 30 seconds, you'd think time would be an issue.
Re:Good for them. (Score:3, Insightful)
Re:Good for them. (Score:2)
I work for a bank and we have black-out periods about once a month to perform regular maintenance. This usually only occurs early Sunday mornings when ATM and online banking is at its lowest utilization.
Re:Good for them. (Score:2)
Yes, every night at midnight. Sometimes it finishes by 3.45am, but it's usually always the stated 4am.
Re:Good for them. (Score:2)
...Done. I know it used to be like that, but I believe they haven't had this restriction for some time.
Re:Good for them. (Score:2)
Re:Good for them. (Score:2)
Re:Good for them. (Score:5, Informative)
Furthermore, once the password is accepted the server will then know exactly how far off the clock in the keyfob is and change its 'expected' timeslot accordingly. This only goes wrong if the customer doesn't log in for extremely long times, which shouldn't happen much anyway.
Re:Good for them. (Score:3, Informative)
Re:Good for them. (Score:2)
Re:Good for them. (Score:3, Informative)
Ha ha ha ha ha. I used to work for them until a couple of months ago, and you will never find a more useless bunch of bureaucratic fools. They are anything but on the ball. They are, however, running scared. LTSB has suffered abnormally high losses due to fraud last year, and they're flailing around clutching at straws to try and find a solution. I told them that the "memorable phrase" thing wouldn't work for long, and wouldn't provide much extra security, but t
Re:Good for them. (Score:3, Interesting)
I think that the value of the "memorable information" stage is that it protects against the problem of someone occasionally logging on at an insecure computer.
Say if I log on to my account once from an Internet cafe, where a rogue employee has installed key-loggers/screenshot-takers on the terminals. Say my memorable information is 10 letters long, there
Re:Good for them. (Score:2)
I think the best solution is single-use passwords. The password can be obtained from a secure source (phone, in person, etc.) and discarded after it has been used. A little inconvenient, but way better than dongles and doodads.
Ultimately, because a Windows PC can be compromised in so many ways, you cannot trust your users
Re:Just don't send email. (Score:3, Insightful)
> external email to communicate with customers.
Why do you think that would help? Banks already tell their customers that they will NEVER send them emails requesting account information.
No. I said NO email. (Score:2, Insightful)
The phishing messages do NOT ask for account info.
The phishing messages say that there has been a problem with your account and that you need to login to fix the problem (click here).
But that isn't the real bank's site. It's a phishing site setup to look just like the real bank's site and it will collect their login info when they try to login.
Banks use email for all kin
I have four bank accounts... (Score:5, Interesting)
and I'm looking at the size of that thing, and going, DAMN, I hope they don't all send me such huge fobs...
Re:I have four bank accounts... (Score:2, Interesting)
Something tells me that someone already has a patent on this idea.
Re:I have four bank accounts... (Score:2, Interesting)
http://www.entrust.com/identityguard/index.htm [entrust.com]
1 credit card sized sheet is a lot easier to carry and a lot cheaper to produce than some hardware.
Re:I have four bank accounts... (Score:2)
I don't want to have to carry something around with me all the time. I suppose I could leave it at home, but then I wouldn't be able to log in from work, which sucks.
Re:I have four bank accounts... (Score:2)
Re:I have four bank accounts... (Score:2)
Re:I have four bank accounts... (Score:2)
What does living in America and having 20 credit cards have to do with each other?
As far as I know, there really isn't any need to carry more than a few, either VISA or MC in case a place takes one and not the other. Other than that, you've got a wallet full of redundancy.
I imagine if you're trying to apply for a loan, each card and its credit limit are going to coun
Re:I have four bank accounts... (Score:2)
Re:I have four bank accounts... (Score:2)
Re:Fob size (Score:3, Informative)
Here in the Netherlands my bank uses a machine that you put your bank card into (it is a chip/PIN card), you then tap in your PIN and an 8-digit number displayed during the login sequence. The machine gives you a response that you enter back on the page.
You get challenged a second time when you commit all the transactions you have made during the session: you see the transactions and do another code/response cycle to commit them.
Yeah
Re:I have four bank accounts... (Score:2)
Clever people... (Score:5, Insightful)
Re:Clever people... (Score:2, Interesting)
Re:Clever people... (Score:2)
Substitute competition for clients as well and it sounds just like working at a convenience store.
Re:Clever people... (Score:3, Interesting)
There is a very interesting article on this in Freakonomics analyzing the earnings of a Chicago drug gang. The interesting points:
1. The street level dealer would make more working at McDona
Re:Clever people... (Score:3, Insightful)
1) You're absolutely correct. Sorry about the -1, Troll you caught for your trouble.
2) That actually was my point. Even from a purely selfish point of view, running a phishing operation is only a win over getting a real job in the short run.
Re:Human Nature (Score:2)
A technical solution is always better than a political one.
You can't legislate away crime. We've been trying for 5,000 years since the Code of Hammurabi. You simply cannot even prevent crime with capital punishment, locking them up, or giving them money to not commit crime. (Take Enron CEOs for example *coughs*)
These steps may reduce the overall crime level, but they can't stop people from simply
Re:Clever people... (Score:2)
Take the current 'skills shortage' in america. It is not the technical skills that are in short supply, it is the social office skills that say you get to work on time, work for whatever you are given, and do what you are told. It is often easier to impor
Two-Factor... (Score:4, Interesting)
Re:Two-Factor... (Score:3, Funny)
Re:Two-Factor... (Score:2)
I took an item back to a shop a year or so back and was crediting my credit card with the amount (as I used the card to buy the item) and I got the third degree from the credit card company. The transaction stalled and a couple of minutes later the phone by the checkout rang. Funniest thing! Asked me all the questions, password, pin number, favourite colour, shoe size, are you now, or have you ever been, a com
Re:Two-Factor... (Score:2)
How long before we have 5 things you know, 10 things you have and 6 things you are just so you can open your living room door? Will it really be any more secure? If someone wants your info bad enough, they'll get it one way or another. If they can't get it directly or indirectly from you, they'll simply find a backdoor, exploit, vulnerability, something in the system that isn't as secure as the person. Social engineerin
Re:Two-Factor... (Score:2)
Token aka Keychain (Score:5, Funny)
Sounds good to me (Score:4, Insightful)
Dear Customer (Score:5, Insightful)
Regards,
Bank President
Re:Dear Customer (Score:2)
Synching (Score:3, Insightful)
Re:Synching (Score:5, Interesting)
What it does do, is keep track of how my token's clock seems to be drifting, based on where it calculates my token should be vs what I'm punching in.
My first entry after a week off has a moderate amount of slack - I can use a code that has rotated off within about 3 seconds of it vanishing. After a couple code entries, I have no slack at all - the servers have my token's drift pegged down to the tenth of a second.
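The drift-learning behaviour the poster describes (wide window after a long idle, narrow once the server has pegged the token's offset) as an added example, not code from the original thread or from any bank's system; the 30-second step, window sizes, idle threshold and demo secret are all assumptions:

```python
import hashlib
import hmac
import struct

STEP = 30          # seconds per code slot (assumed)
DIGITS = 6

# Constructed demo secret; a real token carries a per-device secret.
DEMO_SECRET = b"constructed-demo-secret-0123"


def code_for_slot(secret: bytes, slot: int, digits: int = DIGITS) -> str:
    """HOTP-style dynamic truncation of HMAC-SHA1 over the 8-byte slot counter."""
    mac = hmac.new(secret, struct.pack(">Q", slot), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


class DriftTrackingVerifier:
    """Server-side verifier that remembers each token's observed clock offset.

    A wide search window applies until three codes have been accepted or after
    a week without logins; otherwise only +/-1 slot around the learned offset.
    """

    def __init__(self, secret: bytes, wide_window: int = 3, narrow_window: int = 1):
        self.secret = secret
        self.offset_slots = 0        # learned (token slot - server slot)
        self.last_accept = None      # server time of the last accepted code
        self.accepted = 0            # codes accepted so far
        self.used_slots = set()      # replay protection: a slot is accepted once
        self.wide_window = wide_window
        self.narrow_window = narrow_window

    def _window(self, now: float) -> int:
        idle = float("inf") if self.last_accept is None else now - self.last_accept
        if idle > 7 * 24 * 3600 or self.accepted < 3:
            return self.wide_window
        return self.narrow_window

    def verify(self, code: str, now: float) -> bool:
        expected_slot = int(now // STEP) + self.offset_slots
        window = self._window(now)
        for delta in range(-window, window + 1):
            slot = expected_slot + delta
            if slot in self.used_slots:
                continue
            if hmac.compare_digest(code_for_slot(self.secret, slot), code):
                # Re-centre on the slot the token actually produced.
                self.offset_slots += delta
                self.used_slots.add(slot)
                self.last_accept = now
                self.accepted += 1
                return True
        return False
```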
Wrong (Score:2)
Re:Dear Customer (Score:2, Insightful)
When it comes to abstract logical ideas like passwords and whatnot, it's easy to be led astray; people are much better with physical objects.
What's new with this? (Score:3, Informative)
Re:What's new with this? (Score:2, Informative)
The only thing that bothers me is that I can't have two (one at work, one at home), but that's just a minor bother.
I know (Score:2)
Re:What's new with this? (Score:2, Informative)
cheers,
Aad
I want mine implanted (Score:2, Funny)
Re:I want mine implanted (Score:2, Funny)
Bank guy: "Why is this guy's fob going on-off on-off so much?"
Re:I want mine implanted (Score:3, Funny)
citibank is worse (Score:2, Interesting)
https://www.citibank.co.in/infojsp/login/guestlog
A number of scams in Canada at ATM machines (Score:3, Funny)
Re:A number of scams in Canada at ATM machines (Score:2)
a camera being used to steal someones PIN
Same thing's been reported in the UK - I now run my hand over the "ceiling" of the machine, and do a quick visual check. Interesting you mention the "non-branded" ATMs - as far as I know the scam in the UK is to hit "proper" ATMs, install a camera and card-reader, etc. The non-branded machines tend to charge (~GBP1.50 for a GBP10 transaction), so people tend to avoid them unless they're desperate (at the bookies, living on a scheme miles from a bank, etc). I su
Re:A number of scams in Canada at ATM machines (Score:2)
Okay, I'm curious what "living on a scheme" is. Google isn't being too useful. I reckon it's either:
- some sort of assisted living building
- a building where the residents share common areas
- a typo
- getting by via an illegal scheme (fraud)
- some other obscure meaning
Re:A number of scams in Canada at ATM machines (Score:2)
1 - When you enter your PIN ANYWHERE you need to cover the keypad with your hand so that only you can barely see what you are doing. This thwarts these morons.
2 - At an ATM, always grab the card scan port and pull before inserting your card. If it's not an applique designed to scan and steal your card info it will not come off. If it does come off, you get a free cool piece of hardware to hack away at. (Btw, I have pe
An easy fix (Score:2, Funny)
Well duhh... why not use the obvious solution to prevent reading password information from the screen, like it's been done for ages: use * in place of readable characters. I for one, welcome our new multiple-choice password selection!
Please click your password:
(* replaced with x to please Slashdot junk filter)
Eat t
Phishing is still a problem (Score:5, Interesting)
1. The user gets an e-mail asking him to log on to the bank site.
2. The user enters the code from the keyfob into the phishing site
3. Phishing site logs into the real banking site using just harvested code
4. Phishing site performs a transaction on the real site and ask the user for a code again to confirm the transaction.
So the users have false sense of security, bank still loses money (on top of the devices cost) and who is going to pay for it in the end? You think the bank is going to eat the cost?
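The relay described in this post, and the second code/response cycle over the pending transactions that the Dutch poster above describes, as an added simulation that is not code from the original thread or from any bank: a login-style response depends only on the challenge and relays cleanly, while a response the customer computes over the amount and destination they keyed into their own reader fails for the altered transaction. The card secret, account strings and 8-digit format are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed per-card secret for the demo; on a real chip card it never leaves the chip.
CARD_SECRET = b"constructed-card-secret-9876"


def _digits(mac: bytes, n: int = 8) -> str:
    """Reduce a MAC to an n-digit code the customer can type."""
    return str(int.from_bytes(mac[:4], "big") % 10 ** n).zfill(n)


def new_challenge() -> str:
    """The 8-digit number the bank displays on the page (a random nonce)."""
    return str(secrets.randbelow(10 ** 8)).zfill(8)


def reader_response_legacy(secret: bytes, challenge: str) -> str:
    """Login-style response: depends only on the challenge, so it can be relayed."""
    return _digits(hmac.new(secret, challenge.encode(), hashlib.sha256).digest())


def reader_response_signed(secret: bytes, challenge: str, amount_pence: int, dest: str) -> str:
    """Transaction-signing response: the customer keys the amount and destination
    into the reader, so the MAC commits to what they actually intend to send."""
    msg = f"{challenge}|{amount_pence}|{dest}".encode()
    return _digits(hmac.new(secret, msg, hashlib.sha256).digest())


def bank_verify_legacy(secret: bytes, challenge: str, response: str) -> bool:
    return hmac.compare_digest(reader_response_legacy(secret, challenge), response)


def bank_verify_signed(secret: bytes, challenge: str, amount_pence: int,
                       dest: str, response: str) -> bool:
    expected = reader_response_signed(secret, challenge, amount_pence, dest)
    return hmac.compare_digest(expected, response)


def relay_scenario(use_signing: bool) -> bool:
    """Simulate the relay from the thread; return True if the bank would execute
    the phisher's altered transaction with the code the victim supplied."""
    intended = (5_000, "ACC-VICTIM-FRIEND")   # what the customer typed into the spoof site
    altered = (450_000, "ACC-MULE")           # what the spoof site submits to the real bank
    challenge = new_challenge()               # bank issues it for the altered transaction
    if use_signing:
        # The customer confirms their own amount/destination on the reader;
        # the spoof site relays the resulting code to the bank.
        response = reader_response_signed(CARD_SECRET, challenge, *intended)
        return bank_verify_signed(CARD_SECRET, challenge, *altered, response)
    response = reader_response_legacy(CARD_SECRET, challenge)
    return bank_verify_legacy(CARD_SECRET, challenge, response)
```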
The fools do NOT understand 2 factor security. (Score:2)
You need a different channel, such as calling a phone number they have on file that the phisher would not be able to get from that communication.
Re:Phishing is still a problem (Score:3, Informative)
Re:Phishing is still a problem (Score:2)
Re:Phishing is still a problem (Score:2)
Maybe they set it up with two modes of operation one where it does the real phishing (
Re:Phishing is still a problem (Score:2, Informative)
The danger with phishing is people not realizing their information has been stolen, and that information is used at a later date.
Re:Phishing is still a problem (Score:2)
I think you pretty much hit the nail on the head there. Phishing could be stopped overnight if people checked the identity of the site they were entering their details into. The problem is even banks don't take security seriously. One of the banks I dealt with had a name mismatch on their web site certificate which was flagged up by the browser. I informed them of the problem and got basically a machine response. It was like that for at least 12 months - this was on the main web banking site of a fairly lar
Identity 2.0 (Score:2, Informative)
http://www.identity20.com/media/OSCON2005/ [identity20.com]
Those tiny, pesky bits. (Score:3, Funny)
That's why I always use large, generously sized bits in all the code I write.
In my experience, larger bits (mine are at least 2-3 times the size of regular bits) are easier to see and less prone to problems like memory leaks and haxx00rrzing than their smaller counterparts.
On the other hand, they're more likely to fill up buffers and cause overflows than smaller bits.
Preventing screenshot loggers (Score:3, Interesting)
That's only slightly tongue-in-cheek. (Yes, I know that between all the holes in the OS and all the holes in user's heads that screen-loggers will get installed with admin privileges.)
As much as I hate DRM ("let's assume 100% of computer users are illegal content distributors" and inconvenience everyone), it seems that it could be useful as part of locking down a machine from copying selected types of data to unauthorized external locations.
The weakest link will always be the end user (Score:5, Insightful)
During my tenure, we were issued hardware tokens that had our individual cert on it, and we could use the cert for any number of things (such as email authentication, email signing, logging into online banking, encrypting and storing documents using an electronic vault, etc). But it was also inconvenient as we had to be using a machine that could read and utilize the USB token.
If you had physical access to someone's hardware token, it wasn't difficult to use it to pretend you were someone else. End users select very weak passwords, usually have the passwords to their tokens written down on post-it notes stuck to their screen or on their desk, and people in general are just too trusting.
As other posters have mentioned, you could ask an end user to USPS their hardware token to you with their password and all other relevant information, and many end users would probably do it without question.
Why haven't digital certificates become more mainstream? It's still too inconvenient in many cases, and it doesn't fix the weakest link - the end user.
People today demand convenience, and having to carry around a physical hardware token to do things on-line just is not convenient, especially when you find yourself in front of a computer that doesn't have USB, doesn't know how to read the USB token, or doesn't have the appropriate software to utilize the hardware token in the first place.
How about a different approach? (Score:2)
To me, those are both different aspects of the same issue, and that issue is: how do you correctly authenticate a person's identity from an anonymous terminal?
I don't believe you can. No matter how many security keys they have, they'll all be travelling over the same connection and all of them will be vulnerable to a man-in-the-middle attack. Anythin
Timed response. (Score:2)
Simple, the phisher/retailer won't have your phone number. So you enter a transaction, then receive a call within the next minute to confirm it.
It wouldn't get the phisher anything to make random confirming phone calls. The calls have to be within a reasonable
SMS (Score:5, Interesting)
If a bad guy would somehow crack my password he could only check my account (bad for my privacy, but not the end of the world). To empty my account he would have to get my password, my mobile and its pin-code.
Re:SMS (Score:2)
Getting PINs and passwords has already been figured out.
I moved from Ireland to Sweden; (Score:4, Interesting)
Not too bad, but as the article says, easy to get over a period of time, if you have keyboard loggers.
In Sweden, a system that is apparently years old, you get a secure key-fob from www.vasco.com, and that's it. You enter your account number, then activate your key-fob, enter your PIN into that, then 2 4-digit random numbers from the login screen, then it will give you a single 6-digit number to enter into the login screen, and that's it. Plus the website (SEB bank) is perfectly happy with IE OR Firefox, Safari, Camino.
Scandinavia is the Mac of the social world, they do everything years ahead of the rest of the pack.
Still vulnerable to man-in-the-middle attacks. (Score:3, Insightful)
This method doesn't provide any more security, just more toys to lose.
Now, if they tied those key-fobs to the cell network and you had to confirm the transaction that you entered via the Internet with a cell connection from the key-fob, that would be sufficient 2 factor security.
But that costs even more than the key-fobs they have now and the key-fobs make the use
SSL doesn't tell you enough. (Score:2)
SSL is achieved via certificates issued by a "trusted authority". But that does not mean that the site you are securely connected to has anything to do with the organization that you believe you are connected to.
my.eBaySecurity.com
Tell me how it does that. (Score:2)
That site (my.ebaysecurity.com) takes all your keystrokes and uses them to logon to ebay.com as you.
That is what a man-in-the-middle attack is. And don't bother telling me that every user should check every certificate from every site and make sure that the site name is a legitimate site for that organization. Just look at citibank to see the problems with that.
And if you
Re:Tell me how it does that. (Score:2)
You seem to be arguing both sides of the issue... in the grand-parent you said that single communication channel meant no security because of man-in-the-middle.
Now it seems like you are saying that using a second channel (verifying the site name
Sounds interesting (Score:2)
I have two Lloyds TSB bank accounts, and access both on-line via Linux & Firefox. Lloyds has always impressed me with their commitment to keeping the service available to all... unlike other banks who routinely restrict it to IE-only.
Anyway, interesting security measure. I'd like to try it out, but I doubt I'll be one of the 30,000... not being a major customer and all.
good old paper (Score:2)
For every transaction (wire you send) you enter the next LOOOONG string from your paper.
Phish this
RSA generators are cool, they have been using them in the casino biz (and other risky biz) for ages. They are reliable if the software is working well on the other end. That and a password is GOOD security.
EDUCATION (Score:3, Informative)
I'm sure this nifty trick would do wonders and prevent people from falling into phishing scams.
How long before the first "man in the middle" scam (Score:2)
* You enter your details, which are automatically passed through to the real site to automatically login the scammers.
* Spoof site works as a proxy between you and the bank up until the point when you logout
* At that point it empties your account.
While this scenario is pretty complex to set up, none of it is beyond the wit of most decent web-coders, and we have seen the scammers get progressively more sophisticated over
There's already a deployed solution for this (Score:2)
I'm talking about ATM cards.
How about this: a small USB device with a magstripe reader, numeric keypad and a big notice saying "always enter your PIN on this keypad, never on your computer's keyboard".
This device will not verify the PIN number itself - it will just encrypt the
Magstripes are bad. (Score:3, Informative)
This is what smartcards are for. With a cryptographic smartcard, you can never directly read the key off it. It does the cryptographic ro
Re:There's already a deployed solution for this (Score:2)
The REAL problem (Score:4, Insightful)
How Zombie Phishers will beat tokens (Score:2)
1) Trojan on user's system will redirect to the browser to the phishing site
2) The trojan will also load a bogus certificate into the browser so no mismatched certificate warnings
3) The back-end of the phishing site will talk to a zombie farm
4) User will enter two-factor authentication to the phishing si
Ugh. Not another one. (Score:2)
I recently needed a large 6-figure check for a house closing. I walked into my bank armed only with my savings account number and expired driver's license. Their computers were down so they couldn't validate m
What my bank does (Score:2)
If you have it registered, when you do a transaction, you get a SMS from them with a number that you need to enter into the form before the transaction goes through.
If I ever end up with a mobile phone (and if I am still with the national), I will be enabling this feature myself.
printed one-time passwords (Score:3, Interesting)
Two-factor Coming to 1 Million Paypal Accounts (Score:4, Informative)
This is significant, since you have a lot more phishing attacks targeting Paypal and eBay than the major banks these days.
the solution is simple.... (Score:3, Interesting)
not that most of them will listen or bother to go through the "laborious boot process"... but those that do, will have a much more secure experience.
unless they use a proprietary dial up application, knoppix or another custom designed distribution could handle the network aspect nicely.
Isn't it the other way around ? (Score:3, Interesting)
To protect against phishing, doesn't it work the other way around? What is required is a way for the user to be sure of the website's identity, not the opposite. No?
LiveCD? (Score:3, Interesting)
Could some kind body explain why?
It can't simply be that the banks are dumb can it?
WiFi. Printers. Email. Time. (Score:3, Interesting)
Plus, printers, access to email, and the general inconvenience of rebooting (twice! once to Knoppix, once back to whatever) put me off the wh
Re:Time drift (Score:2)
Re:Time drift (Score:2)
The timing tolerance comes from inexactness in the manufacturing process. Most timing comes from crystal oscillators - essentially crystals grown in a vacuum chamber until the "correct" oscillation frequency is matched. For this, the more you pay the closer the tolerances are.
As temperatures change, the crystal's resonant frequency changes as well (as well as the current through the electronics). Modern systems
Re:this is getting ridiculous (Score:2)
Re:Why not smart cards? (Score:2)
I'm guessing they're not doing this because they don't want to end up having to support tens of thousands of windows users trying to get their USB devices working.