Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security The Almighty Buck

Lloyds TSB Pushing New Online Security Protocol 228

An anonymous reader writes "Looks like the two-factor bandwagon is beginning to roll in UK banking. The BBC is reporting that Lloyds TSB is issuing hard-tokens to 30,000 customers in an attempt to curtail phishing." From the article: "Until now, Lloyds TSB has used a two-stage system for identifying its customers. First, users must enter a username and password. Then, on a second screen, they are asked to use drop-down menus to choose three letters from a self-chosen memorable piece of information. The aim of using menus rather than the keyboard has been to defeat so-called 'keyloggers', tiny bits of software which can be used by hackers who have breached a PC's security to read every key pressed and thus sniff out passwords. But newer keyloggers now also take screenshots, which can reveal the entire memorable word after the bank's website has been used just a few times."
This discussion has been archived. No new comments can be posted.

Lloyds TSB Pushing New Online Security Protocol

Comments Filter:
  • Their IT department seems to be on the ball.

    Though I wonder what happens if the internal clock on those hardware key generators gets slow? If the key is generated every 30 seconds, you'd think time would be an issue.
    • Re:Good for them. (Score:3, Insightful)

      by chiller2 ( 35804 )
      Next up, perhaps they can fix it so their online banking isn't offline between 12am and 4am. Not everyone is tucked up in bed at that time!
      • Are you saying it's off-line EVERY NIGHT from 12-4?
        I work for a bank and we have black-out periods about once a month to perform regular maintenance. This usually only occurs early Sunday mornings when ATM and online banking is at it's lowest utilization.
        • Are you saying it's off-line EVERY NIGHT from 12-4?

          Yes, every night at midnight. Sometimes it finishes by 3.45am, but it's usually always the stated 4am.
      • Next up, perhaps they can fix it so their online banking isn't offline between 12am and 4am. Not everyone is tucked up in bed at that time!

        ...Done. I know it used to be like that, but I believe they haven't had this restriction for some time.

    • Re:Good for them. (Score:5, Informative)

      by GekkePrutser ( 548776 ) on Friday October 14, 2005 @11:00AM (#13791124)
      If these devices work like the RSA SecurID does, clock lagging is not a problem. Every time the customer logs in, the server accepts not just the current password, but also the next and previous x (10, for example) passwords. So if the clock is a bit off, it will still accept the password.

      Furthermore, once the password is accepted the server will then know exactly how far off the clock in the keyfob is and change its 'expected' timeslot accordingly. This only goes wrong if the customer doesn't log in for extremely long times, which shouldn't happen much anyway.
      • Re:Good for them. (Score:3, Informative)

        by Suppafly ( 179830 )
        Having worked somewhere that uses securid, I can tell it doesn't work that slickly. Granted it's not that horrible to have to call the helpdesk and have them resync the token using ace server, but it is annoying.
        • The RSA keys used for online banking work very well for me. I use mine all the time, and I've never had a problem. While it doesn't defeat every possible attack, it makes me a harder target than the next guy, and I'll take that!
    • Re:Good for them. (Score:3, Informative)

      by Tet ( 2721 )
      Their IT department seems to be on the ball.

      Ha ha ha ha ha. I used to work for them until a couple of months ago, and you will never find a more useless bunch of beaurocratic fools. They are anything but on the ball. They are, however, running scared. LTSB has suffered abnormally high losses due to fraud last year, and they're flailing around clutching at straws to try and find a solution. I told them that the "memorable phrase" thing wouldn't work for long, and wouldn't provide much extra security, but t

      • Re:Good for them. (Score:3, Interesting)

        by JJC ( 96049 )

        I told them that the "memorable phrase" thing wouldn't work for long, and wouldn't provide much extra security, but they went ahead with it anyway.

        I think that the value of the "memorable information" stage is that it protects against the problem of someone from occasionally logging on at an insecure computer.

        Say if I log on to my account once from an Internet cafe, where a rogue employee has installed key-loggers/screenshot-takers on the terminals. Say my memorable information is 10 letters long, there

    • Personally, I can't see any software/hardware solution actually solving the problem, because ultimately there are interface levels that can be sniffed. Ultimately there is a UI somewhere.

      I think the best solution is single-use passwords. The password can be obtained from a secure source (phone, in person, etc.) and discarded after it has been used. A little inconvenient, but way better than dongles and doodads.

      Ultimately, becaue a windows PC can be compromised in so many ways, you cannot trust your users
  • by way2trivial ( 601132 ) on Friday October 14, 2005 @10:40AM (#13790950) Homepage Journal
    and two credit card accounts, all with different corporations

    and I'm looking at the size of that thing, and going, DAMN, I hope they don't all send me such huge fobs...
    • Yeah, it would be nice if we only have to carry around one of the tokens and could use it for all sites (or all sites that we designate).

      Something tells me that someone already has a patent on this idea. :)
    • Agreed. I'm a LloydsTSB user, and I like the fact that it's just a password, username, and then 3 drop down boxes to select randomised characters from a second password (memorable info).
      I don't want to have to carry something around with me all the time. I suppose I could leave it at home, but then I wouldn't be able to log in from work, which sucks.
    • Be glad that you are not living in America. I have about 20 credit cards and several bank accounts. I'll need a backpack for all the keyfobs...
      • Be glad that you are not living in America. I have about 20 credit cards and several bank accounts. I'll need a backpack for all the keyfobs...

        What does living in America and having 20 credit cards have to do with each other?

        As far as I know, there really isn't any need to carry more than a few, either VISA or MC incase a place takes one and not the other. Other than that, you've got a wallet full of redundancy.

        I imagine if you're trying to apply for a loan, each card and its credit limit are going to coun
        • Perhaps it's our consumerist culture, where people actually see a credit card as some sort of status symbol, and collect them? I can see why displays of wealth are status symbols, but displays of debt? The mind boggles.
    • Have your issuing bank contact the Key-Fob-DRM dept at Apple. Just install a FairPlayFob in your iPod instead. Yes, this is a dreamy idea, but that would make it so much better if alll your fobs were running in software on the your nano. Just spin the track wheel to pick out the correct one.
  • Clever people... (Score:5, Insightful)

    by Otter ( 3800 ) on Friday October 14, 2005 @10:40AM (#13790952) Journal
    As always, it's a shame that people with the cleverness and skill to devise new phishing tricks don't opt for the lower income and increased job security and satisfaction of being useful, instead of being destructive pricks whose only long-term result is making everyone else's life more difficult.
    • The funny (sort of) thing about crime is that criminal jobs suck. Take being a drug dealer. Your clients won't pay you. You get calls at all hours of the day and night. Your competition wants to shoot you and the police will give you 5 to 10. If you put this much effort into running a convience store you would be rich.
      • Your clients won't pay you. You get calls at all hours of the day and night. Your competition wants to shoot you and the police will give you 5 to 10.

        Substitute competition for clients as well and it sounds just like working at a convienience store :)
      • The funny (sort of) thing about crime is that criminal jobs suck. Take being a drug dealer. Your clients won't pay you. You get calls at all hours of the day and night. Your competition wants to shoot you and the police will give you 5 to 10. If you put this much effort into running a convience store you would be rich.

        There is a very interesting article on this In Freakenomics analyzing the earnings of a Chicago drug gang. The interesting points:

        1. The street level dealer would make more working at McDona
      • by Otter ( 3800 )
        The funny (sort of) thing about crime is that criminal jobs suck.

        1) You're absolutely correct. Sorry about the -1, Troll you caught for your trouble.

        2) That actually was my point. Even from a purely selfish point of view, running a phishing operation is only a win over getting a real job in the short run.

    • instead of being destructive pricks whose only long-term result is making everyone else's life more difficult.

      A technical solutions is always better than a political one.

      You can't legislate away crime. We've been trying for 5,000 years since the Code of Hammurabi. You simply cannot even prevent crime with capital punishment, locking them up, or giving them money to not commit crime. (Take Enron CEO's for example *coughs*)

      These steps may reduce the overall crime level, but they can't stop people from simply
    • Of course several things have to happen first. There has to be a job available. The person applying for the job has to have the social skills to work in an office setting, and must be productive nearly every day, not just when he or she feels like it.

      Take the current 'skills shortage' in america. It is not the technical skills that are in short supply, it is the social office skills that say you get to work on time, work for whatever you are given, and do what you are told. It is often easier to impor

  • Two-Factor... (Score:4, Interesting)

    by WhoDey ( 629879 ) on Friday October 14, 2005 @10:41AM (#13790956) Homepage
    ...is definately the way to go for high-security environments. Something you have and something you know. It's hard for someone to steal both, at least without you knowing it. However, I wonder if this is practical for consumer markets like this. That's all we need is for both of my banks to send me a key card, my cell phone company to send me one (so I can pay online), my credit card companies to send me one, etc. In the end, lazy people will just find tricks around them, the same way lazy people write down passwords when complexity rules are enforced.
    • You have a problem with people hacking into your cell phone account and paying your bill for you?
      • You have a problem with people hacking into your cell phone account and paying your bill for you?

        I took an item back to a shop a year or so back and was crediting my credit card with the amount (as I used the card to buy the item) and I got the third degree from the credit card company. The transaction stalled and a couple of minutes later the phone by the checkout rang. Funniest thing! Asked me all the questions, password, pin number, favourite colour, shoe size, are you now, or have you ever been, a com

    • As time goes by, security will improve. But will it actually make a noticable difference?

      How long before we have 5 things you know, 10 things you have and 6 things you are just so you can open your living room door? Will it really be any more secure? If someone wants your info bad enough, they'll get it one way or another. If they can't get it directly or indirectly from you, they'll simply find a backdoor, exploit, vunerability, something in the system that isn't as secure as the person. Social engineerin
      • I have yet to meet a front door lock which cannot be circumvented. Crowbar usually works quite well, failing that a battering ram, and if nothing else works just go through the windows instead.
  • by brokenarmsgordon ( 903407 ) on Friday October 14, 2005 @10:41AM (#13790959)
    Makes sense to me. The key to defeating a keylogger is a keychain.
  • Sounds good to me (Score:4, Insightful)

    by stunt_penguin ( 906223 ) on Friday October 14, 2005 @10:43AM (#13790975)
    Any step that is taken to isolate a feature of online security from your PC is going to make it more secure. It'll probably inconvenience people in a lot of situations though- say you're abroad and you've had your bags & wallet stolen, including your hard key. You won't be able to access your online account to get money transferred locally etc. Still, sounds good to me :o)
  • Dear Customer (Score:5, Insightful)

    by Average_Joe_Sixpack ( 534373 ) on Friday October 14, 2005 @10:44AM (#13790988)
    Your RSA issued token access has officially been revoked due to security concerns. Please mail the token to the address below along with your account number.

    Regards,
    Bank President

    • This is much, much easier to track down and prosecute than password fishing. Number one, in order to have credbility, the address will have to be in the country. No one is going to send their keyfob to Gambia or Russia. Second, the cops will just keep an eye on the address, and bust in once they have enough evidence, and find a guy with a pile of key fobs in front of him.
    • Synching (Score:3, Insightful)

      RSA access tokens occassionally need to be 'resynched'. Many systems, like the RSA SecurID do this automatically when you login by accepting the last and previous 10 passwords or whatever. But, if a customer hasn't logged in for a long time, the token can become wayyyy out of sync. So, typically they have to have it resynched in some way. This could involve logging into some known-secure web page and entering in some user information and the current number on the token, or by calling support and telling
      • Re:Synching (Score:5, Interesting)

        by RollingThunder ( 88952 ) on Friday October 14, 2005 @11:49AM (#13791526)
        I use a SecurID at work, and it definitely does not allow me to use the previous 10 codes.

        What it does do, is keep track of how my token's clock seems to be drifting, based on where it calculates my token should be vs what I'm punching in.

        My first entry after a week off has a moderate amount of slack - I can use a code that has rotated off within about 3 seconds of it vanishing. After a couple code entries, I have no slack at all - the servers have my token's drift pegged down to the tenth of a second.
    • by endus ( 698588 )
      Dear Customer, Your RSA issued token access has officially been revoked due to security concerns. Please mail the token to the address below along with your account number and secret password. Regards, Bank President Admittedly, still possible, but less likely. The best way around it would be to just make it policy not to send your password ever (obviously) but also to never mail your token anywhere. There is no reason that the bank ever needs the token back once they activate it, so you just tell your
    • Re:Dear Customer (Score:2, Insightful)

      by mindstrm ( 20013 )
      Yes, true, but this requires the person to give up their own ability to access the bank online... something people will likely be a bit more serious about.

      When it comes to abstract logical ideas like password and whatnot, it's easy to be led astray.. people are much better with physical objects.

  • by Z00L00K ( 682162 ) on Friday October 14, 2005 @10:46AM (#13791005) Homepage Journal
    Swedish banks has been using a code-gadget much like a calculator for years now!
    • by rylin ( 688457 )
      http://www.vasco.com/products/product.html?product =48 [vasco.com] is what SEB gave me roughly 5 years ago IIRC.
      The only thing that bothers me is that I can't have two (one at work, one at home), but that's just a minor bother.
    • HSBC has a good system. On the first page they ask for your online banking ID. On the second page they ask for your date of birth and then three numbers out of your 8-digit security number that you were able to choose when you signed up. The exact position of the three digits varies at random every time you log in. They've had this for about five years. Same goes for their online digital TV banking service too.
    • Mmm, Dutch banks don't seem to have that problem. I have a small calculator for which I need my debit card and a pin code to generate a time dependent 8 digit number which has only single use validity. I can't figure why people trust username password stuff for their banking....

      cheers,
      Aad
  • There is too much junk on my key ring already. I want mine implanted in the palm of my hand - with, of course, an on/off switch. While I'm dreaming: it should also a dna sensor so that it regularly checks for my red blood cells with oxygen, thus ensuring that if my hand is cut off, the implant won't work for more than a few minutes.
    • by Anonymous Coward
      I want mine implanted in the palm of my hand - with, of course, an on/off switch.

      Bank guy: "Why is this guy's fob going on-off on-off so much?"
    • It should also start blinking when you approach 30 years of age so the sandman know when it is time to kill you.
  • citibank is worse (Score:2, Interesting)

    by chap_hyd ( 717718 )
    i need to click in my password ..what a crazy stuff
    https://www.citibank.co.in/infojsp/login/guestlogi n.jsp [citibank.co.in] lucky that still left the old type in interface
  • by jkind ( 922585 ) on Friday October 14, 2005 @10:55AM (#13791086) Homepage
    With a camera being used to steal someones PIN #. I get the creeps every time I use one of those weird privately owned ATM machines in convenience stores in the middle of nowhere. Some of them even have spelling mistakes on their screens. What's next? "Thank you for withdrawing, your account is TEH PWNAGE"
    • a camera being used to steal someones PIN

      Same thing's been reported in the UK - I now run my hand over the "ceiling" of the machine, and do a quick visual check. Interesting you mention the "non-branded" ATMs - as far as I know the scam in the UK is to hit "proper" ATMs, install a camera and card-reader, etc. The non-branded machines tend to charge (~GBP1.50 for a GBP10 transaction), so people tend to avoid them unless they're desperate (at the bookies, living on a scheme miles from a bank, etc). I su

      • living on a scheme miles from a bank

        Okay, I'm curious what "living on a scheme" is. Google isn't being too useful. I reckon it's either:

        - some sort of assisted living building
        - a building where the residents share common areas
        - a typo
        - getting by via an illegal scheme (fraud)
        - some other obscure meaning

    • those are easily defeated with some common sense security that you should be using anyways.

      1 - when you enter your pin ANYWHERE you need to cover the keypad and your hand so that only you can barely see what you are doing. this thwarts these morons.

      2 - at an atm always grab the card scan port and pull before inserting your card. if its not a applique designed to scan and steal your card info it will not come off. if it does come off, you get a free cool piece of hardware to hack away at. (Btw, I have pe
  • From the summary: "But newer keyloggers now also take screenshots"

    Well duhh... why not use the obvious solution to prevent reading password information from the screen, like it's been done for ages: use * in place of readable characters. I for one, welcome our new multiple-choice password selection!

    Please click your password:

    • xxxxxxxxxxxxxx
    • xxxxxxxxxxxxxxxxx
    • xxxxxxxxxxxxxxx
    • xxxxxxxxxxxxxxxx
    • xxxxxxxxxxxxxxxxx
    • xxxxxxxxxxxx
    • xxxxxxxxxxxxxxx

    (* replaced with x to please Slashdot junk filter)
    Eat t

  • by ingo23 ( 848315 ) on Friday October 14, 2005 @11:01AM (#13791135)
    After reading the article, I figured out that even the rolling password will not help much with the phishing problem. Imagine the following scenario:

    1. The user gets an e-mail asking him to log on to the bank site.
    2. The user enters the code from the keyfob into the phishing site
    3. Phishing site logs into the real banking site using just harvested code
    4. Phishing site performs a transaction on the real site and ask the user for a code again to confirm the transaction.

    So the users have false sense of security, bank still loses money (on top of the devices cost) and who is going to pay for it in the end? You think the bank is going to eat the cost?

    • When BOTH factors are sent over the SAME CHANNEL you do NOT increase the security of the system.

      You need a different channel, such as calling a phone number they have on file that the phisher would not be able to get from that communication.

    • If the fob's anything like the RSA Secure-Key cards then the code will change every 30 seconds. That dramatically limits the window of opportunity for a thief. Under the current system they can phish for thousands of username/password combinations and use them at their leisure.
    • But that's not really phishing.. that's a man in the middle attack, and is already prevented in theory by SSL certificates.

      The danger with phishing is people not realizing their information has been stolen, and that information is used at a later date.
  • Identity 2.0 (Score:2, Informative)

    This is pretty cool, but as someone else noted, a lot of accounts means a lot of fobs. The CEO of Sxip did an entertaining presentation on these types of issues. One piece that would be relevant is the idea of separating the credentialing from the site.

    http://www.identity20.com/media/OSCON2005/ [identity20.com]
  • by GillBates0 ( 664202 ) on Friday October 14, 2005 @11:06AM (#13791180) Homepage Journal
    ...has been to defeat so-called 'keyloggers', tiny bits of software which can be used by hackers...

    That's why I always use large, generously sized bits in all the code I write.

    In my experience, larger bits (mine are atleast 2-3 times the size of regular bits) are easier to see and less prone to problems like memory leaks and haxx00rrzing than their smaller counterparts.

    On the other hand, they're more likely to fill up buffers and cause overflows than smaller bits.

  • by G4from128k ( 686170 ) on Friday October 14, 2005 @11:07AM (#13791186)
    Just turn on the broadcast flag so the visual data can't be copied.

    That's only slightly tongue-in-cheek. (Yes, I know that between all the holes in the OS and all the holes in user's heads that screen-loggers will get installed with admin privileges.)

    As much as I hate DRM ("lets assume 100% of computer users are illegal content distributors" and inconvenience everyone), it seems that it could be useful as part of locking down a machine from copying selected types of data to unauthorized external locations.

  • by rufey ( 683902 ) on Friday October 14, 2005 @11:16AM (#13791252)
    I used to work for a certificate authority (disclaimer: it wasn't Verisign), and the weakest link in any security is always the end user.

    During my tenure, we were issued hardware tokens that had our individual cert on it, and we could use the cert for any number of things (such as email authentication, email signing, logging into online banking, encrypting and storing documents using an electronic vault, etc). But it was also inconvenient as we had to be using a machine that could read and utilize the USB token.

    If you had physical access to someone's hardware token, it wasn't difficult to use it to pretend you were someone else. End users select very week passwords, usually have the passwords to their tokens written down on post-it notes stuck to their screen or on their desk, and people in general are just too trusting.

    As other posters have mentioned, you could ask a end user to USPS their hardware token to you with their password and all other relevent information, and many end users would probably do it without question.

    Why hasn't digital certificates become more mainstream? Its still too inconvenient in many cases, and, it doesn't fix the weakest link - the end user.

    People today demand convenience, and having to carry around a physical hardware token to do things on-line just is not convenient, especially when you find yourself in front of a computer that doesn't have USB, doesn't know how to read the USB token, or doesn't have the appropiate software to utilize the hardware token in the first place.

    • What are we really talking about here? Is it someone making online purchases with your credit card? Or is it someone tranfering your money out of your bank account?

      To me, those are both different aspects of the same issue and that issue. How do you correctly authenticate a person's identify from an anonymous terminal?

      I don't believe you can. No matter how many security keys they have, they'll all be travelling over the same connection and all of them will be vulnerable to a man-in-the-middle attack. Anythin
  • SMS (Score:5, Interesting)

    by photonic ( 584757 ) on Friday October 14, 2005 @11:20AM (#13791283)
    My bank [postbank.nl], used to rely on both a password and a 'TAN'-code, which is a number that is usable only once. They would send you a list of say 20 numbers by certified mail and every time you make a transaction you would use one number. The new system uses SMS to send the code. To make a transaction you log in to your account, fill in all the details of the money transfer and press the send button. You then receive a SMS some 15 seconds later, copy the number in your browser and you're done. The good thing is that you can access your account from anywhere, since you are carrying your mobile anyhow.

    If a bad guy would somehow crack my password he could only check my account (bad for my privacy, but not the end of the world). To empty my account he would have to get my password, my mobile and its pin-code.

    • So a bad guy mugs you for your account card and mobile, hoping to sell both on the black market.

      Getting PINs and passwords has already been figured out.
  • by Biotech9 ( 704202 ) on Friday October 14, 2005 @11:20AM (#13791285) Homepage
    In Ireland, you had a PIN number, a password, and several security questions like "Where were you born?" "what are the last 3 numbers of your contact phone number?"

    Not too bad, but as the article says, easy to get over a period of time, if you have keyboard loggers.

    In Sweden, A system that is apparently years old, you get a secure key-fob from www.vasco.com, and that's it. you enter your account number, then activate your key-fob, enter your PIN into that, then 2 4-digit random numbers from the login screen, then it will give you a single 6-digit number to enter into the login screen, and that's it. Plus the website (SEB bank) is perfectly happy with IE OR firefox, safari, camino.

    Scandinavia is the Mac of the social world, they do everything years ahead of the rest of the pack.
    • As long as the info is travelling over one channel (your Internet connection to that bank), you're still vulnerable to a man-in-the-middle attack.

      This method doesn't provide any more security, just more toys to lose.

      Now, if they tied those key-fobs to the cell network and you had to confirm the transaction that you entered via the Internet with a cell connection from the key-fob, that would be sufficient 2 factor security.

      But that costs even more than the key-fobs they have now and the key-fobs make the use
  • I have two Lloyds TSB bank accounts, and access both on-line via Linux & Firefox. Lloyds has always impressed me with their commitment to keeping the service available to all... unlike other banks who routinely restrict it to IE-only.

    Anyway, interesting security measure. I'd like to try it out, but I doubt I'll be one of the 30,000... not being a major customer and all.

  • For wire transmissions my bank is using a printed (& sealed) sheet of numbers for years.

    For every transaction (wire you send) you enter the next LOOOONG string from your paper.

    Phish this :)

    RSA generators are cool, they are using it in the casino biz (and other risky biz) for ages. They are reliable if the software is working well on the other and. That and a password is GOOD security.
  • EDUCATION (Score:3, Informative)

    by Spy der Mann ( 805235 ) <spydermann DOT slashdot AT gmail DOT com> on Friday October 14, 2005 @11:47AM (#13791506) Homepage Journal
    Whenever you get a bank account, you should get a pamphlet saying "How to recognize SCAM emails".

    I'm sure this nifty trick would do wonders and prevent people from falling into phishing scams.
  • * Spam e-mail redirects you to the spoof site. Presents identical page to the real site.
    * You enter your details, which are automatically passed through to the real site to automatically login the scammers.
    * Spoof site works as a proxy between you and the bank up until the point when you logout
    * At that point it empties your account.

    While this scenario is pretty complex to set up none of it is beyond the wit of most decent web-coders, and we have seen the scammers get progressivley more sophisticated over
  • There is already system featuring two factor authentication (something you have + something you know) fully deployed and already distributed to millions of bank customers. They keep the token in their wallet and remember the password.

    I'm talking about ATM cards.

    How about this: a small USB device with a magstripe reader, numeric keypad and a big notice saying "always enter your PIN on this keypad, never on your computer's keyboard".

    This device will not verify the PIN number itself - it will just encrypt the
    • Magstripes are bad. (Score:3, Informative)

      by labratuk ( 204918 )
      This won't be cryptographically safe until the data held on the card is not directly readable. So magstripe cards are insufficient for this. All it needs is for the user to have spyware installed which snoops the data from the magstripe card next time it's scanned. Then the attacker has the right code to encrypt with the bank's public key himself and do what he likes with.

      This is what smartcards are for. With a cryptographic smartcard, you can never directly read the key off it. It does the cryptographic ro
    • The problem is that it doesn't work with every browser on every platform, even in cybercafes. SET already failed for similar reasons.
  • The REAL problem (Score:4, Insightful)

    by Datamonstar ( 845886 ) on Friday October 14, 2005 @12:06PM (#13791687)
    Why hasn't anyone questioned the root of the problem to begin with: people have spyware? The approach taken here is akin to handing out bullet-proof vests in a high crime area because there's a chance you *might not* die. I know that it's better than nothing, and IT security across the net is not entirely the banks' and financial institutions' fault, but if I were facing the ammount of pressure that they face from malware, then I'd at least try to put up a fight against the root cause. Kudos to the cleverness on their part to protect themselves and their clients, but I think the real problem of IT security is being largely ignored in favor of clever work-arounds.
  • I forsee tokens being only a short term solution. This is an arms race, and I predict that should 2-factor authentication with tokens become widespread, that the criminals will respond in the following way:

    1) Trojan on user's system will redirect to the browser to the phishing site
    2) The trojan will also load a bogus certificate into the browser so no mismatched certificate warnings
    3) The back-end of the phishing site will talk to a zombie farm
    4) User will enter two-factor authentication to the phishing si
  • I hate all these new security schemes. ING Direct just changed the way you have to log into their web site and it is a pain. What I really don't get are why there must be infinite levels of security to log into my bank's web site but the most minimal security involved in me walking into the bank.

    I recently needed a large 6-figure check for a house closing. I walked into my bank armed only with my savings account number and expired driver's license. Their computers were down so they couldn't validate m
  • My bank (national australia bank) has an optional service where you register your mobile phone number with them.
    If you have it registered, when you do a transaction, you get a SMS from them with a number that you need to enter into the form before the transaction goes through.

    If I ever end up with a mobile phone (and if I am still with the national), I will be enabling this feature myself.
  • by idlake ( 850372 ) on Friday October 14, 2005 @12:32PM (#13791917)
    I don't understand why US and UK banks make two factor authentication so complicated. A printed list of one-time passwords is excellent protection against keyloggers and requires no extra hardware. Banks in continental Europe have been using them for years, and users seem to be able to get along with them just fine.
  • by miller60 ( 554835 ) on Friday October 14, 2005 @01:11PM (#13792276) Homepage
    Two-factor authentication was a big part of the recent eBay-VeriSign deal. The headlines all mentioned eBay buying VeriSign's payment processing unit for $370 Million. But the agreement also calls for eBay to buy up to 1 million two-factor authentication tokens from VeriSign for use on Paypal [netcraft.com]. eBay will start rolling out the two-factor authentication tokens to Paypal and eBay users in 2006, including marketing and security programs designed to "promote customer adoption."

    This is significant, since you have a lot more phishing attacks targeting Paypal and eBay than the major banks these days.

  • by KillShill ( 877105 ) on Friday October 14, 2005 @01:22PM (#13792378)
    hand out Knoppix cds to friends and family members and tell them to pop it in and reboot whenever they want to engage in secure banking.

    not that most of them will listen or bother to go through the "laborious boot process"... but those that do, will have a much more secure experience.

    unless they use a proprietary dial up application, knoppix or another custom designed distribution could handle the network aspect nicely.
  • by file-exists-p ( 681756 ) on Friday October 14, 2005 @01:25PM (#13792395)

    To protect against phising doesnt it work the other way around ? What is required is a way for the user to be sure of the website's identity, not the opposite. No ?

  • LiveCD? (Score:3, Interesting)

    by chris_sawtell ( 10326 ) on Friday October 14, 2005 @05:10PM (#13794335) Journal
    Why don't the banks issue super-lightweight client LiveCDs to access their online banking services? The advantages of a special protected client environment with no permanent storage are so huge, I suspect that for some unknown reason the US banking industry actually wants to be phished.

    Could some kind body explain why?
    It can't simply be that the banks are dumb can it?
    • I though seriously about creating a custom Knoppix CD to do this kind of thing. I even got as far as successfully customizing a Knoppix build. Then I happened to get a laptop with WiFi. I couldn't be bothered to get Knoppix to work with it -- and the last time I checked, there was no way to run this card in Linux w/WPA turned on. So, the little pet project died.

      Plus, printers, access to email, and the general inconvenience of rebooting (twice! once to Knoppix, once back to whatever) put me off the wh

Think of it! With VLSI we can pack 100 ENIACs in 1 sq. cm.!

Working...