Boarding Pass Hacker Targets Bank of America
Concerned Customer writes "The fake boarding pass guy is at it again. His blog shows a demonstration phishing website that is able to bypass the SiteKey authentication system used by Bank of America, Fidelity, and Yahoo. Users will be shown their security image, even though they're not visiting the authentic websites." This hack compounds the study showing that users don't pay attention to the SiteKey pictures anyway.
Crux (Score:5, Insightful)
This is the loophole that we use in our demonstration. Through deceit, we convince the user to enter her security question, and thus get the SiteKey image.
No matter what kind of security system you devise, you cannot take out the human element. The Internet seems like magic to people - it knows them, it knows things about them, people can find them from all over the planet. The average user is not curious enough to learn how this is accomplished, paranoid enough to distrust anything at first glance, or savvy enough to protect themselves. Bank of America is kidding itself if it thinks the SiteKey is any kind of deterrent to a hacker.
Re:Crux (Score:4, Insightful)
Re:Crux (Score:5, Insightful)
Exactly. The deceit here is the same as before, there are just more hoops (for the customer, not the phisher). The problem with authentication here is that the banks want their customers to be able to log in from anywhere in the world. You simply can't properly authenticate a computer out in the wild without some additional device, like secureid.
Re: (Score:2)
Re:Crux (Score:5, Insightful)
The deceit is simply a man in the middle attack, and we all know this is not a new thing.
I'm a BOA customer, and I've been upset with their security for years, but it keeps getting better, which is kind of a problem in itself.
Some history here. BOA's main website: http://www.bankofamerica.com/ [bankofamerica.com] was only recently redirected to a https server. In fact, until recently if you even typed https://www.bankofamerica.com/ [bankofamerica.com] you got an error message. Before doing the basic thing like moving the http server to a https server, they introduced this site key junk.
OK, here are the problems. How am I supposed to trust a website to be the site I am intending to go to when a) it's not on a https site, and it's asking for my username/password, and I cannot verify via the certificate or anything that I did not type http://bankfoamerica.com/ [bankfoamerica.com] by accident? b) how am I supposed to trust a website that is different almost every time I interface with it.
When I go to a supposedly real BOA branch on say Main Street in YourTown, USA, there are a number of things that make me believe it's real. There are other people in there, many of which are wearing BOA nametags, and the BOA logos and stuff are all over the outside and inside of the place. Also, it's expensive and difficult to put up a fake BOA storefront, and the likelihood that a fake one will generate any profit w/o getting caught is about zero (otherwise they would exist!)
Now, how much would it cost me to put up a bankfoamerica.com site? How about 15-20 of them with different typos? How much easier is it being that they can exist anywhere in the world or even outside of the world on a satellite in space even? How hard is it to generate all of these things that look exactly like the real site w/o a secure certificate behind them to boot? Now, being that BOA changes the website all the time, AND it's not on a secure server, how am I supposed to know that I'm even dealing with the same people each time?
My problem is not with BOA identifying me, it's with me identifying them. So, they add site-key and all of this crap, which puts the burden of identifying them on me, which is backwards, especially when they keep changing the rules.
When I worked in a hospital, they talked repeatedly about "universal precautions" with respect to things like AIDS and whatnot. There needs to be a set of universal precautions for doing secure transactions on the internet, and there are none.
Re: (Score:2, Insightful)
>OK, here are the problems. How am I supposed to trust a website to be the site I am intending to go to when a) it's not on a https site, and it's
>asking for my username/password, and I cannot verify via the certificate or anything that I did not type http://bankfoamerica.com/ [bankfoamerica.com]
>by accident? b) how am I supposed to trust a website that is different almost every time I interface with it.
You are not supposed to! You should change banks. I would, (and have). Now I use a credit union
BOA turning off cards (Score:2)
I'll counter your anecdote with one of my own. I've used my BOA Visa check card, Visa credit card, and MasterCard credit card extensively for the past two years. That's included travel to multiple foreign countries (admittedly all European or North America
Re: (Score:2)
Just today my bank (USAA), who have already:
today forced me to answer a 'security' question in addition to the above "Who was your first employer".
None of this really adds to the security of my account, and is quite annoying.
If banks *REALLY* want to take security seriously, why don't they issue client-side SSL certs??? If I can ge
Re: (Score:2)
Actually, it isn't visible to the end user, but these two security precautions actually DO protect you. They don't protect you from phishing scams, but they DO protect you from database divers. You see, under the old system, you are sending your account number over the internet, it is being stored in various locations (your web browser's cache possi
Re: (Score:2)
There is a fundamental thing that people forget - there is nothing in the technology of securid that prevents it from a MitM attack. The reason why it works in th
Re:Crux (Score:4, Informative)
vi C:\windows\system32\drivers\etc\hosts
i 192.168.1.100 www.mybank.com
Re: (Score:3, Funny)
vi: command not found.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
vi c:\windows\system32\drivers\etc\hosts[enter] (why the quotes?)
Go192.168.1.100 www.mybank.com^[:wq[enter]
If you're going to edit someone's host file, you may as well make it look proper.
I Can't .. stop .. myself (Score:4, Funny)
Re:Crux (Score:5, Interesting)
methods should be able to figure out almost immediately how to defeat this system.
At first, I myself was also very critical of BoA's new anti-phishing technique. However, after some more careful consideration, I realized it is very arrogant for somebody to think that BoA's security team did not think of this problem themselves. Unlike security researchers (including moi), who usually try to create bulletproof security systems so they can write interesting papers with indisputable arguments, financial organizations are constrained by the very real issue of cost-efficiency.
Their current two-step authentication does not address the obvious MITM attack discussed here, but it does address the previously seen phishing attacks. BoA's security team must have figured out that it would cost them X amounts of money to defend against classic phishing attacks and by preventing those they would save Y money. They must have also considered solutions like the ones presented in http://people.deas.harvard.edu/~rachna/papers/sec
By using such a solution they could perhaps save Z > Y amounts of money because far fewer users would fall victim to phishing attacks. It is very likely that they did the math. Because they chose to go with the current solution, it is very likely that Y-X > Z-W
The only thing that BoA should perhaps correct is the statement:
"If you recognize your SiteKey, you'll know for sure that you
are at the valid Bank of America site. Confirming your SiteKey is
also how you'll know that it's safe to enter your Passcode and click the Sign In button."
This is over-claiming and could have a harmful impact by making its web users drop their defenses against phishing. I am sure however that their marketing dept told them that they need to advertise this security feature as completely robust, otherwise users would feel that they are going through unnecessary trouble: "if BoA's system is still insecure, why did BoA bother changing it and why do I need to incur the delay to learn it and enter login information twice?"
Disclaimer: I do not work for BoA and I have no vested interest in supporting them. In fact, I hate their guts for their penalty fees policies
Mother of all possible Man in the Middle attacks (Score:2)
If anyone ever figures out a way pull a "Man in the Middle" on the Windows Update Service, then, to quote "Dandy" Don Meredith [wikipedia.org]: Turn out the lights, the party's over.
BoA = smarter than this blogger (Score:4, Insightful)
I agree. In fact, I would go further and say that the author of this blog should actually be quite embarrassed and ashamed of this post. His "amazing discovery" is actually the whole point of sitekey. Yes, you can be a man in the middle and get the sitekey images yourself. Congratulations. You and everyone else already thought of that.
And guess what, your man-in-the-middle now has to make a sitekey request to Bank of America for *every potential victim* and as a result, BoA will easily identify your IP block as running a MITM scheme.
So in other words, this blogger is an idiot. He hasn't defeated sitekey at all. Set up a MITM site, make ten requests, and now you're out of business and the ten accounts that you phished are locked.
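The detection this post relies on, written out as an added example (not Bank of America's code): a relaying phisher has to ask the bank for the SiteKey image of every victim, so from the bank's side one source block suddenly requests images for many distinct accounts in a short window. The log format, the field names, the window, the threshold and the documentation-range IPs are all constructed assumptions; the follow-up reply about proxying through compromised residential machines is exactly why a per-block threshold is one signal among several rather than a complete answer.

```python
"""Spot a relaying phisher by the SiteKey lookups it has to make.

Added example for this thread, not Bank of America's own code. The log
format, field names, 10-minute window and threshold are constructed
assumptions; the addresses come from documentation ranges.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample log: "<timestamp> <client_ip> sitekey_lookup user=<name>".
# 203.0.113.7 fetches images for five different accounts in 15 seconds, which
# is what a relaying phishing server looks like from the bank's side;
# 198.51.100.20 is one customer reloading their own login page.
SAMPLE_LOG = """\
2007-04-10T09:00:01 203.0.113.7 sitekey_lookup user=alice
2007-04-10T09:00:05 203.0.113.7 sitekey_lookup user=bob
2007-04-10T09:00:09 203.0.113.7 sitekey_lookup user=carol
2007-04-10T09:00:12 203.0.113.7 sitekey_lookup user=dave
2007-04-10T09:00:15 203.0.113.7 sitekey_lookup user=erin
2007-04-10T09:01:02 198.51.100.20 sitekey_lookup user=frank
2007-04-10T09:02:30 198.51.100.20 sitekey_lookup user=frank
2007-04-10T11:30:00 203.0.113.7 sitekey_lookup user=alice
"""


def parse_line(line):
    """Split one log line into (timestamp, client address, username)."""
    ts, ip, _event, user_field = line.split()
    return datetime.fromisoformat(ts), ipaddress.ip_address(ip), user_field.split("=", 1)[1]


def source_block(ip, prefix=24):
    """Key events by network block rather than single address, as the post suggests."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def suspicious_sources(log_text, window=timedelta(minutes=10), max_distinct_users=3):
    """Return {block: usernames} for every source block that requested SiteKey
    images for more than max_distinct_users distinct accounts inside any
    sliding window of the given length."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user = parse_line(line)
            events[source_block(ip)].append((ts, user))

    flagged = {}
    for block, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span is at most `window` long.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            users = {u for _, u in evs[start:end + 1]}
            if len(users) > max_distinct_users:
                flagged[block] = users
                break
    return flagged


if __name__ == "__main__":
    for block, users in suspicious_sources(SAMPLE_LOG).items():
        print(f"{block}: SiteKey lookups for {len(users)} accounts: {sorted(users)}")
```

Grouping by /24 catches a phisher rotating through a handful of addresses on one hosting block; the customer who reloads their own page twice never trips it because the count is of distinct accounts, not of requests.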
Re: (Score:2)
And guess what, your man-in-the-middle now has to make a sitekey request to Bank of America for *every potential victim* and as a result, BoA will easily identify your IP block as running a MITM scheme.
So proxy through a zombie PC - lord knows that there are millions of owned boxes lurking around, all on residential IP blocks.
Re: (Score:2)
That's what you'd think, but incompetent security never ceases to amaze. I know of a web site by one of the world's largest financial companies that has an obvious MITM vulnerability. By what's said on the site they already know about it and either can't understand the very simple issue (for someone who understands the basics of cryptography) or they're ignoring it for some incomprehensible reason.
Digital Certificates (Score:2, Interesting)
Re: (Score:2)
About bank security (and not "how to protect from phishing"): Banco do Brasil also has another technology to ensure a user is who they claim to be. When you connect the first time to their internet
Re: (Score:2)
Now the authentication attempts must be done in real time, which raises the bar substantially. Among other things, this will make it more obvious to the bank when a number of bad authentication attempts are happening from one source IP (or one botnet)
It also means that when the bank discovers a phishing page
Picture? (Score:2, Funny)
Picture? what picture?
Yawn (Score:2)
How about trojans that change your order, send the bogus order to the bank while displaying the one you entered instead? Or... wait, that's been around for about 6 months now, too.
Re: (Score:2)
As long as the only channel between bank and user is the computer, there is no security.
Re: (Score:2)
Re: (Score:2)
The chance to be a target for phishers when you are using online banking is also no issue. Just as much as the chance that it's dark at night is no issue. It simply is dark at night and you are a target for phishing if you use online banking.
See the diffe
Good for him! (Score:5, Interesting)
Re: (Score:3, Interesting)
This is one of those occasions where you have to admire someone's pluck... I guess he has an overwhelming desire to be hassled by the US Government. This is important work, but it's definitely going to get the black suit, dark sunglasses crowd in a tizzy.
Re:Good for him! (Score:5, Funny)
*hears a knock on the door, and answers*
Him: "Ahh, Agent Doe! Nice to see you! They sent you out for this one huh? Your standard crew."
AS: "Yep."
Him: "Can I interest you in some coffee, tea or a soda-pop while they are working?"
AS: "Sure, I'll have some coffee"
*He gets the coffee ready as the other agents go to his computer*
Him: "Sit down, sit down! Here's your coffee"
AS: "Thanks. So, everything's going well I take it?"
Him: "Yeah, I'd ask if you heard about my latest trick, but that's probably why you are here."
AS: "Yes, it is."
Him: "So, how's the wife and kids?"
AS: "Not bad. Jane is in basketball now."
Him: "Middle school"
AS: "College"
Him: "Really? I can't believe it's been that long. It seems like just yesterday you were telling me about her being born!"
*more idle chatter, eventually several black suits come down carrying computer equipment.*
AS: "Well, it was nice chatting with you again."
Him: "Likewise. See you next week, same time?"
AS: "Sure, what do you have planned now?"
Him: "C'mon, and spoil the surprise?"
AS: "Alright, see you next week."
Re: (Score:2)
There was always a little harassment. They always wanted to talk to Henry about this or that. They'd come in with their subpoenas and warrants and make me sign. But mostly they were just looking for a handout, a few bucks to keep things quiet, no matter what they found.
I am thrilled with this guy as I was when he did this with the NWA boarding pass security risk [slashdot.org] before. Again, it's great to have someone out there like this pointing out the insecure methods
Bank of America?!? (Score:5, Informative)
Here's an example on how B of A does business:
This guy just wanted to check to see if a check was good! [sfgate.com]
You can bet B of A will go after this hacker guy.
Thank You For Posting That (Score:2)
This pushed me over the edge. The fact that they humiliated an innocent man like that and then refused to even help him clear his name afterwards is reprehensible.
I am finished banking at Bank of America.
Re: (Score:3, Funny)
"Two-factor" authentication lame implementations (Score:3, Insightful)
All of my financial websites (bank, credit cards, etc.) have all gone to "two-factor" authentication.
Most often, the second factor is "security questions", like "what city were you born in?" and "what's your favorite restaurant?" I always answer these with random passwords, which I put in my password safe along with the real password. Unless you do that, these are actually less secure than just having a secondary password, because others can find out that stuff.
I know every business wants to do this cheaply and half-assed; it's the American Business Way. To do it "right" would probably take SecurID's or somesuch other token, which would get ugly for the customer after accumulating a couple of dozen different ones.
I've heard in comments here about banks that send you a list of code numbers, one-time-use, in the postal mail, and you use them up as you log in. That would be a good, cheap way to do two-factor that actually increases security.
Re:"Two-factor" authentication lame implementation (Score:3, Insightful)
Re:"Two-factor" authentication lame implementation (Score:2)
That isn't two-factor authentication. That is something you know and something else you know. Two-factor requires something you know, and something you have (a smart card, one-time password, RSA SecurID fob, etc.). (Not blaming you, simply pointing out how lame most businesses are).
Re:"Two-factor" authentication lame implementation (Score:2)
Multiple passwords more secure? (Score:2)
Mother's maiden name, pet, high school, etc...
That way the phisher, even if he gets your primary password, still has to hope he gets enough of the secondaries to get the one that pops up when he tries to access the system.
Sometimes in the military we have a set of 'challenge phrases' and 'response phrases' that have to match up or alarms happen. That way somebody trying to fool the system can't just
Re: (Score:2)
That's a lie, because I know for a fact that not all banks (including some major national chains) use them. Which is fine by me, I'm happy to take responsibility for my own security by choosing a strong password and verifying the SSL cert before I log in.
Re: (Score:2)
mandated by the federal government to do this
I have a dim memory of seeing that in the geek news somewhere a while back. I assumed that's why the financial corps were implementing these measures.
[/me digs...] Here we go: U.S. Regulators Require Two-Factor Authentication for Banks [schneier.com]
One of the commenters to that post says that the regulators did not blindly require two-factor authentication, though that's how a lot of folks interpreted it (including, I bet, some banks). However, it seems like they can implement "security questions" or somesuch and
Re:"Two-factor" authentication lame implementation (Score:2)
The stupid thing is that they already have given me one of these things. My bank has given me credit cards and debit cards that have 2 factor authentication already in them. It takes 1) the card and 2) a PIN to use said card. (Yes, I know that the magn
The real problem of online banking (Score:4, Insightful)
You can implement a billion "security features", it won't mean jack as long as the only channel between bank and user is the computer. If that channel has been corrupted, the corrupter will be able to alter, delete or forge any kind of information either side should (in his opinion) get about the other end. There is no way to remove this problem unless you open a second, secure channel which is independent of the machine used for bank transfers.
Re: (Score:2)
You can implement a billion "security features", it won't mean jack as long as the only channel between bank and user is the computer. If that channel has been corrupted, the corrupter will be able to alter, delete or forge any kind of information either side should (in his opinion) get about the other end. There is no way to remove this problem unless you open a second, secure channel which is independent of the machine used for bank transfers.
Exactly. I have a phone, can't we use that as the second channel?
Re: (Score:2)
And what about those customers that don't have a cell?
Re: (Score:2)
Re: (Score:2)
Like I said, it's generally a very good idea. The problem is, apparently the damage done by those attackers isn't high enough to warrant the additional expense to develop something like that.
Re: (Score:2)
Re: (Score:2)
People cost money. A lot of money. And since banks have been laying off personnel since the advent of online banking, they can't simply switch back. It's also not simply a matter of grabbing some peopl
Re: (Score:2)
We can, and some banks in Germany offer this already. The scheme is called mTAN (mobile transaction number). Postbank [postbank.com], one of the prime targets of phishing attacks, was the first to offer it. First, the customer has to register a mobile phone to be associated with the bank account. The registration process is somewhat long-winded but needs to be passed only once; obviously it needs to be secure against manipulation and abuse.
Once a phone has bee
Re: (Score:2)
That move on their side was a good one. A very good one. It's not easy to defeat this security scheme. Without thinking it over, the only security hole I see is the user, who doesn't read the whole text message but only uses the key to sign.
But when you sign something you don't read, you deserve what you get...
Still, pretty much every security feature has been broken so far. I somehow don't fear to
Re: (Score:2)
The BoA website is beautiful and quite fast when I use the public terminal in the bank branch. But, at home, it is the ugliest slowest most poorly designed piece of crap I have ever accessed more than once. Like many corporate sites, I strongly suspect that the design was designed by some young geeks who have never accessed
Re: (Score:2)
Stop distributing internal security details damn right now!
Re: (Score:2)
Re: (Score:2)
What is needed is a second path of verification that is independent of a possibly infected machine. It does not mean total security (since you could happen to have two compromised devices), but the chances for that are damn small. Small enough to consider it "good" security.
Another poster in this subthread indicated how the German Postbank does it now, wi
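The second-channel scheme described in this subthread (the Postbank mTAN post, the reply about users who don't read the whole text message, and the point above about a verification path independent of the possibly infected machine), as an added example that is not Postbank's implementation. The HMAC construction, the six-digit TAN, the SMS wording, the phone number and the account names are constructed assumptions. The bank binds the code it sends to the recipient and amount it actually received, so a captured TAN cannot be re-pointed at another transfer or replayed; the SMS text is the customer's only view of what the bank is about to execute, which is why the "doesn't read the whole text message" hole is real.

```python
"""Transaction-bound mobile TAN (mTAN), bank side and customer side.

Added example for this thread, not Postbank's implementation. The HMAC
construction, the six-digit TAN, the SMS wording, the phone number and the
account names are constructed assumptions.
"""
import hashlib
import hmac
import re
import secrets


class Bank:
    def __init__(self):
        self._key = secrets.token_bytes(32)   # server secret; never leaves the bank
        self._pending = {}                     # tx_id -> registered phone number

    def _tan_for(self, tx_id, recipient, amount_cents):
        """TAN bound to this transaction's identity and content."""
        msg = f"{tx_id}|{recipient}|{amount_cents}".encode()
        digest = hmac.new(self._key, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

    def request_transfer(self, phone, recipient, amount_cents):
        """Record the transfer as the bank received it and send the TAN out of band."""
        tx_id = secrets.token_hex(8)
        self._pending[tx_id] = phone
        tan = self._tan_for(tx_id, recipient, amount_cents)
        sms = f"Transfer {amount_cents / 100:.2f} EUR to {recipient}. TAN: {tan}"
        return tx_id, sms   # the SMS goes to `phone`, not to the browser session

    def confirm_transfer(self, tx_id, recipient, amount_cents, tan):
        """Accept only if the TAN matches the exact transaction being confirmed."""
        if tx_id not in self._pending:
            return False
        expected = self._tan_for(tx_id, recipient, amount_cents)
        if not hmac.compare_digest(expected, tan):
            return False
        del self._pending[tx_id]   # single use: the same TAN cannot be replayed
        return True


def tan_from_sms(sms):
    return re.search(r"TAN: (\d{6})", sms).group(1)


def sms_matches_intent(sms, recipient, amount_cents):
    """The customer's check: does the message describe the transfer I meant to make?"""
    return f"{amount_cents / 100:.2f} EUR to {recipient}." in sms


PHONE = "+49-000-CONSTRUCTED"   # placeholder registered number


def honest_transfer():
    bank = Bank()
    tx_id, sms = bank.request_transfer(PHONE, "DE-SHOP", 5000)
    if not sms_matches_intent(sms, "DE-SHOP", 5000):
        return False
    return bank.confirm_transfer(tx_id, "DE-SHOP", 5000, tan_from_sms(sms))


def tampered_request_is_visible_in_sms():
    """Malware on the PC rewrites the recipient before the bank sees it. The SMS
    then names the mule account; an attentive customer refuses to enter the TAN."""
    bank = Bank()
    _tx_id, sms = bank.request_transfer(PHONE, "MULE-ACCT", 5000)
    return sms_matches_intent(sms, "DE-SHOP", 5000)   # False: the customer should stop


def captured_tan_cannot_be_rebound_or_replayed():
    """A TAN relayed through a phishing page only confirms the transfer the bank
    issued it for, and only once."""
    bank = Bank()
    tx_id, sms = bank.request_transfer(PHONE, "DE-SHOP", 5000)
    tan = tan_from_sms(sms)
    rebound = bank.confirm_transfer(tx_id, "MULE-ACCT", 5000, tan)   # False
    first = bank.confirm_transfer(tx_id, "DE-SHOP", 5000, tan)       # True
    replay = bank.confirm_transfer(tx_id, "DE-SHOP", 5000, tan)      # False
    return rebound, first, replay


if __name__ == "__main__":
    print("honest transfer accepted:", honest_transfer())
    print("tampered transfer matches intent:", tampered_request_is_visible_in_sms())
    print("(rebound, first use, replay):", captured_tan_cannot_be_rebound_or_replayed())
```

Note what the bank cannot do for the customer: in the tampered case the TAN is perfectly valid for the mule transfer, because that is the transfer the bank received. The independence of the channel only helps if the customer reads the recipient and amount in the SMS before typing the code.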
Re: (Score:2)
But generally you're right. Our banks are already switching to "shorter" and abbreviated domain names simply because it's asking for trouble when you force your customer to type in the whole friggin' bank name.
It would already help a lot if you'd get a crash course on basic security when you request your online banking data. At least it would put the "here's your bank, please send us all your info" spamphishers out of biz.
Better, but still false security (Score:3, Insightful)
Re: (Score:2)
There's a very simple way to do online banking that avoids all phishing scams
1)Only log in from 1 computer
2)Use go
Re: (Score:2)
Re: (Score:2)
I agree with you, I hate "security questions". At least most sites that use them let you specify the answers when you create the account, so I can treat it like an additional password and put in something random that's not related to the question asked.
Not better. In a sense, it's worse (Score:2)
What makes it worse is that people think there's some additional security and might get careless as long as they think the key is secure. Think airbags and the fallacy that you can take a higher risk 'cause you're safer now.
::sigh:: (Score:2)
Someone is bound to do it eventually...I can assure you all if a company does not buy him up soon, the government will.
Re: (Score:2)
I think the days of the mad hacker becoming a security consultant are long passed. Nowadays, they seem to go the criminal prosecution route, and then no cookie for you.
Cheers
Re: (Score:2)
When are companies gonna get smart and actually HIRE this fucker?
They're not going to hire him, because he's a loose cannon. The next thing an employer will find is a hack of their own site security on his webpage.
He has no scruples, or responsibility. He's the equivalent of an attention whore grey-hat hacker, while hiding behind the "someone needed to expose this" front. Although close, it's not like the Month-of-Bugs. They are not doing it for notoriety, as this guy appears to be doing. His credibility would be much higher if he wasn't using political messages a
Re: (Score:2, Informative)
Re: (Score:2)
His professor (Markus Jakobsson) is going along with this, as part of an anti-phishing group [indiana.edu] at Indiana University. Are you sure you know what you're talking about? If you do, it would probably help to explain it, since from where most of us stand this guy looks as though he's doing everyone a service, and going about it the right way, or at least a perfectly acceptable way which has the benefit of calling attention to some of the more suspect practices in the indu
Re: (Score:2)
But maybe he did this one right. I'll read TFA, but it initially looked like another "look at me!" stunt.
Re: (Score:2)
Good for him! It shows some actual research.
A bit less than it appears (Score:5, Insightful)
The obvious problem with SiteKey is the chicken-and-egg problem of getting the image to the server in the first place. There's some step where you're communicating in a fashion where you trust the server enough to give them your SiteKey, which they later show back to you. It's tied to a single computer, via a cookie, so if you log in from a different computer you need to send a new SiteKey or get them to send yours back to you, on the new computer.
So this attack only works if you can get the user to give up not only the password but also the "security question" (one of the dumbest bits of security I've ever seen; it's like a password only you can look it up.) Easy enough, if the user isn't alert (and they usually aren't.)
SiteKey depends on users to expect the key image, but the absence of the image doesn't usually trigger warning bells because they're not very common. You need some sort of phishing detector which says, "Hey, this site is known to require a SiteKey and isn't sending it to you."
Re: (Score:2)
In fact, everyone I've talked to who needs one of these "guess the picture" schemes to login to their bank wishes they would go away. If, one day, they stopped seeing the sitekey thing, most folks would be relieved, not suspicious.
Re: (Score:2)
Re: (Score:2)
This brings up a rather interesting question: Suppose Bank Of America decided to come up with a better way of securing their web transactions than the SiteKey system. When this new thing popped up on my screen instead of t
Who can remember their authentication images? (Score:5, Interesting)
Within the last six months, three banks and two brokerage houses I use have all gone to the use of these authentication images. In each case, the only way to select the image is to go through slow-loading screen after slow-loading screen of apparently random images.
I can choose my own password, but it is virtually impossible to "choose" my image, so they're not very memorable to me. I certainly can't choose the same image at all five sites, which is what I'd like to do. (That's insecure for a password, but I don't think it's insecure for an authentication image; it's not as if one bank were going to try to pretend to be a different bank).
One of them also wants you to give them a little phrase that goes below the picture. Ah, I thought, I'll use my phrase to describe the picture, that way I'll know if the picture is incorrect. Wrong, I couldn't do it. I had to enter the phrase before I got to choose the picture. Well, I thought, OK, I'll just change it. The picture was of (let's say) soccer ball. So I went to the screen that lets you change your passwords and personal information, entered "soccer ball" as my phrase... and was then taken to a screen where I was required to select a picture, again. And the soccer ball wasn't one of the choices. I clicked through about ten screens of five-by-five pictures trying to find the soccer ball and couldn't find it. Was it just because they were randomly selecting from a huge collection of images? Or do they actually enforce changing the image? I don't know. All I know is that I now am supposed to remember my password AND the phrase "soccer ball" AND a picture of a kangaroo.
If the picture were wrong, would I notice? I might have a vague sense of unease, but I wouldn't be sure. Not unless I wrote them all down.
just picture a kangaroo playing soccer .. (Score:2)
Re: (Score:2)
original, though? (Score:2, Informative)
I like (Score:2)
That doesn't seem all that secure to me...
Bank of America's security needs improvement (Score:2, Informative)
Why not use referrer? (Score:5, Insightful)
Essentially this means that banks would be requiring everyone to physically type (or bookmark) their banks login page and that would be the ONLY way to get there. I suppose it could be modified to accept a referrer of the banks own domain so you could click a "Login Here" button.
I know power users can spoof their referrer using a browser setting and malware could do the same, but at least that would be another layer. What am I missing here?
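The check this post proposes, as an added example that is not any bank's code: compare the Origin (preferred) or Referer header of the login POST against the site's own origins. The domain bank.example and all header values are constructed. The block puts the tempting substring version next to a proper host comparison, and its case table answers the "what am I missing" question with the cases the post already concedes: a client that omits the header, and a client that writes whatever header it likes.

```python
"""Origin/Referer check on a login POST, naive and hardened versions.

Added example for this thread, not any bank's code. The domain bank.example
and every header value below are constructed.
"""
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {("https", "www.bank.example"), ("https", "bank.example")}


def naive_referer_ok(headers):
    """The tempting one-liner: is our name at the start of the Referer?"""
    ref = headers.get("Referer", "")
    return ref.startswith("https://www.bank.example")


def login_request_ok(headers, allowed=ALLOWED_ORIGINS, allow_missing=False):
    """Compare scheme and host of Origin (preferred) or Referer with the allowed
    set. Origin is preferred because browsers send it on cross-site form posts
    even when Referer is stripped by privacy settings."""
    value = headers.get("Origin") or headers.get("Referer")
    if not value:
        return allow_missing
    parts = urlsplit(value)
    if not parts.scheme or not parts.hostname:
        return False
    return (parts.scheme.lower(), parts.hostname.lower()) in allowed


# Constructed request headers for the cases worth checking.
CASES = {
    "same-site link":  {"Referer": "https://www.bank.example/home"},
    "phishing page":   {"Referer": "https://bankfoamerica.example/login"},
    "host lookalike":  {"Referer": "https://www.bank.example.attacker.example/login"},
    "userinfo trick":  {"Referer": "https://www.bank.example@attacker.example/login"},
    "http downgrade":  {"Referer": "http://www.bank.example/login"},
    "origin only":     {"Origin": "https://www.bank.example"},
    "no referer":      {},
    "spoofed referer": {"Referer": "https://www.bank.example/login"},  # a client can send anything
}


def evaluate(cases=CASES):
    """Map each case name to (naive result, hardened result)."""
    return {name: (naive_referer_ok(h), login_request_ok(h)) for name, h in cases.items()}


if __name__ == "__main__":
    for name, (naive, hardened) in evaluate().items():
        print(f"{name:16} naive={naive!s:5} hardened={hardened}")
```

The substring check passes the lookalike host and the userinfo form because both literally begin with the bank's name; comparing the parsed hostname rejects them. The last two rows are the limit of the whole idea: with `allow_missing=False` every customer whose browser strips Referer is locked out, and a forged header is indistinguishable from a real one, so this is a layer against careless phishing kits, not against the relaying proxy discussed elsewhere in the thread.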
MOD parent ill informed! (Score:3, Interesting)
If I were bofa, I would be looking at browser quirks, and using those to authenticate the HTTP_USER_AGENT environment variable. Browser says that they're IE? include a little activeX that only works in IE and examine output, or send some javascript. For each browser, set up a suite of these hacks and serve a few with each page. If the browser doesn't respond with the correct output of the quirk (pipeped
The Weakest Link (Score:5, Interesting)
Wouldn't it be nice if you could give someone (e.g. PayPal, known by some for removing money back out as fast as they put it in) Deposit-Only account numbers. Like the Roach Motel, the money checks in, and it don't check out.
Or Limited Transfer Out numbers. (Allow AOL, and AOL only, to automatically debit monthly payments for amounts not exceeding your monthly bill, and only valid for 6 transactions before you give them a new number.)
Personal Checks, each one of which has a One Time Only account number on it that is worth nothing to a thief who tries to forge a hundred duplicates of the check you just gave him.
The archaic current system could, I believe, be made much more secure by this simple change alone.
Note to IP thieves: This constitutes Prior Art, and you're not allowed to patent it now.
Re: (Score:2)
Huh? (Score:2)
Comment removed (Score:3, Informative)
Stupid online banking security problems (Score:5, Insightful)
Looking at what banks can do to improve security:
- Stop putting the "lock" icon on your login form. Users should look for the lock on the toolbar or part of browser frame. (chase.com, others)
- Stop using non secure login pages (not where the login form is being submitted to) (chase.com, usbank.com, wachovia.com)
- Stop using marketing emails from strange marketing addresses. This just gets people used to bank emails from weird places.
- Make a secure bookmarkable banking page. (my bank does not do this, I get an error screen if going to bookmark)
- Simplify navigation and operation and unify systems. (my bank does not do this, if I log out on one part of the site, I'm not logged out from the "very secure" part)
Bank sites driven by marketers [washingtonpost.com]
Re: (Score:2, Interesting)
The first time I saw it, I figured my box was compromised and didn't type anything. After confirming its presence on a known-clean box, I saw the same thing. I contacted (via meatspace visit to my local branch and) confirmed that my box wasn't compromised and that this is by design, and the excuse
Passmark is also mind-bogglingly stupid... (Score:3, Interesting)
All three ask me to pick a common object and give it a name.
Of course I'm going to call it what it is.
Calling it something obtuse makes the whole thing harder to keep track of.
Each one asks me up to 6 security questions.
These are in case my computer gets "unregistered" or if I try to get to an account from not-my-computer.
They're not all the same. The answers are not one-word slam dunks. If they were, they would be no good.
Because they're not easy and obvious, I have to remember up to 18 obtuse answers.
If I get one wrong, even by one character, I'm kicked off until I call someone.
The banks claim this is a government law that makes them do this.
Please don't say "get one bank".
Re: (Score:2)
Bzzzzzzzt. (Score:2)
Re: (Score:2)
Possible Solution? (Score:2)
http://www.jamesward.org/wordpress/2007/02/05/mut
I'd love to hear the
BofA (Score:2, Funny)
The sad irony is that my teller CLAIMED that they use the same computer security as the FBI and the CIA. My response was, "No WONDER we're losing the war!"
rhY
Here we go again (Score:2)
The solution is simple: Issue each client a tamper-proof USB dongle with a private key, similar to the smart cards you have in your cable boxes. When visiting the bank's website, the Browser/OS/USB dongle itself will ask the user for a PIN. Like ATMs, the dongle can lock out if the PIN is keyed in in
Maybe I'm ignorant or so (Score:2, Informative)
I live in Belgium and several banks here have switched to a card reader device [vasco.com]
You just have to type in the number of your physical bank account card, then the bank's site generates an 8-digit passkey.
pop in your bank card, type in the generated passkey, type in your PIN code and type in on the site the passkey the little device generates.
Voila... I'm banking... on any PC I want...
every time i make an online banktransfer, i have
Re: (Score:2)
You might guess that I'm not a gold bug, and that I'm in favor of free banking. Good guess!
Re: (Score:2)
The modifications might entail stuff like changing links to keep you on the phisher site.
You enter information into the phisher site, the phisher server feeds this information(while capturing it) to the real site. The real site responds, giving the i