
New security measures make banking online even more inconvenient

Research for my recent article on banking online sent me down memory lane, in a way, and I found myself revisiting some of the frustrations I felt in a recent attempt to manage my finances on the web.

Many of you are probably aware of a recent, U.S.-wide implementation of a secret question/answer system, which complements banks' more traditional username/password box. I say this because two out of the three banks I use – Citibank, as well as my local credit union – implemented this system at roughly the same time, and almost exactly the same way: by presenting me with a list of ridiculous secret questions, and making me supply secret answers. Three times each. (Additional research I did at the time revealed that there was, in fact, a large-scale initiative – though its name eludes me right now.)

The point of all this, of course, is to add a second check when the bank detects “unusual” activity. It gets called “two-factor authentication”, although a second secret you know is the same factor as the password you already know, not a second one. From my own experience, “unusual” seems to mean a change in IP address – evidenced mainly by the fact that ever since I reactivated my Mint.com account, I now have to answer these annoying little prompts almost every couple of days.

Secret questions are an oddity, and what they ask runs the gamut of different possibilities. Herein lies the first problem: many of the questions are poorly thought out. At best, they simply don’t apply to the user. At worst, their answers are difficult and nuanced.

For example, here’s one of the choices I was presented: “What is the brand of car you learned to drive in?”  That’s hard to say – my driving lessons were evenly divided between two cars: my Mom’s Aerostar, and my Dad’s black Volvo. Moreover, I learned to drive a stick shift in my first car – a squirrelly little Honda Civic with the world’s most unforgiving manual transmission. See? Already, I have three answers. Further compounding this was petty semantics: should I put “Ford Aerostar” or just “Aerostar”? Which one was I more likely to enter if I forgot about the question completely? What if someone wants to answer “1992 Blue Ford Aerostar”? Should they be expected to remember the answer in both its complexity and the order of its descriptors, in addition to their login name (account number, in my case) and password?

Scrolling through the list of possible secret questions, I realized about half of them were either nuanced, like the example above, or simply too easy for someone to guess. The other half simply didn’t apply to me: “When was your first mortgage?” I’ve never owned a house. “What restaurant was your wedding rehearsal dinner held?” I’m unmarried. “What nickname did you have for your grandmother?” I never knew my grandmother – oh, and thanks for reminding me of that fact.

I ended up picking three questions that I had to pick my brain to answer, and all of the questions were nuanced in such a way that the correct answer could take half a dozen different forms. One day I found myself locked out of my account until the system gave me a different question – a day later.
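The “Ford Aerostar” versus “Aerostar” problem is partly a design choice on the bank's side. The example below is added to this page and is not code from the author or from any bank; it shows what a server can and cannot do about it. Harmless variation (case, spacing, punctuation, Unicode width) is folded away before the answer is hashed, so “Ford Aerostar” and “ford  aerostar.” match, but nothing short of storing the answer in the clear lets “Aerostar” or “1992 Blue Ford Aerostar” match an enrolment of “Ford Aerostar”. The answer is stored only as a salted, slow PBKDF2 hash, which is also why a bank can repeat your question text but cannot read your answer back to you. The iteration count, salt size and lockout threshold are assumptions, not any bank's settings.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Example code added to this page, not the author's or any bank's system.
# Iteration count and salt length are assumptions, not a bank's settings.
PBKDF2_ITERATIONS = 200_000


def canonicalize(answer: str) -> str:
    """Fold harmless variation (case, spacing, punctuation, Unicode width)
    into one form, so "Ford Aerostar" and "ford  aerostar." hash the same.
    It cannot turn "Aerostar" into "Ford Aerostar": what a user types must
    still contain the same words they enrolled."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return re.sub(r"[^0-9a-z]+", "", folded)


def enroll(answer: str) -> dict:
    """Store a per-answer random salt and a slow PBKDF2-SHA256 hash of the
    canonical answer. The bank can show the question text again, but it
    cannot read the answer back out of this record."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", canonicalize(answer).encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify(record: dict, attempt: str) -> bool:
    """Recompute the hash for the attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", canonicalize(attempt).encode(), record["salt"],
        PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


class AnswerChallenge:
    """One enrolled question with a lockout after a few wrong answers.
    Answers carry far less entropy than passwords, so unlimited guessing
    would make the hash pointless."""

    def __init__(self, answer: str, max_attempts: int = 3):
        self.record = enroll(answer)
        self.max_attempts = max_attempts
        self.failures = 0

    @property
    def locked(self) -> bool:
        return self.failures >= self.max_attempts

    def check(self, attempt: str) -> bool:
        if self.locked:
            return False
        if verify(self.record, attempt):
            self.failures = 0
            return True
        self.failures += 1
        return False


if __name__ == "__main__":
    q = AnswerChallenge("Ford Aerostar")
    for guess in ["ford  aerostar.", "Aerostar", "1992 Blue Ford Aerostar"]:
        print(repr(guess), q.check(guess), "locked" if q.locked else "")
```

Run stand-alone it walks through the three guesses from the paragraph above: the first succeeds, the other two fail, and a third wrong guess would lock the question, which is the behaviour the post describes being on the receiving end of.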

My second big problem was connecting these newly-protected accounts to third party services – Mint, namely. As my Mint account stopped working a few weeks prior due to these secret question hysterics, I had to reenter all this information into my Mint account. Once again, I was presented with the same list of questions and had to enter the same exact answers – except this time, if I entered anything wrong then my Mint account would stop working. Even worse: my bank refused to divulge the secret questions I had – somewhat whimsically – chosen. I ended up getting around this by recording my secret questions and answers as I encountered them over the next week, and then finally returning to Mint to fill them in.

While I understand the need for increased security, the product of these concerns is a system that is annoying, cumbersome, and impedes functionality: We’ve solved the username/password problem, but the solution is so much worse that, frankly, I would rather we went back to passwords. The way I understand it, secret questions are primarily designed to thwart phishers and other attackers who only know your login credentials. What’s to stop these people from phishing for your secret question and answer as well? It would be very easy for all those fake “account maintenance” web pages to add a couple of additional questions.

Besides, what if the victim’s attacker is a jilted lover? A divorced spouse? A once-trusted friend?

And, of course, let’s not forget how Paris Hilton’s T-Mobile account was hacked.

Now, I don’t claim to be an expert in security – at least not in the “certified” sense. I do know a thing or two, however, as most anyone who’s heard the stories I tell can attest. You don’t have to believe me when I tell you that a secret question is the wrong answer to our current security woes – but I would advise believing esteemed security expert Bruce Schneier (“Most people use passwords. Some people use passphrases. Bruce Schneier uses an epic passpoem…”), who presents a far more authoritative argument.

In a nutshell, Schneier accuses banks of backing a normal security protocol (a password) with a “much less secure protocol” (secret questions).

“It's a great idea from a customer service perspective – a user is less likely to forget his first pet's name than some random password – but terrible for security. The answer to the secret question is much easier to guess than a good password, and the information is much more public,” he writes.

I agree. Neither of us has a good answer, however. I am a fan of passphrases, but those can be phished just as easily as a password. There are other forms of two-factor authentication: maybe we could standardize on a nifty little keychain that spits out a number once a minute. (Don’t lose your keys!) Or, perhaps, we could present our financial institutions with a thumbprint for use with a home-based fingerprint scanner – but again, this requires standardization, and probably more than a little expense.




HSBC
By mjcutri on 7/24/2008 2:45:21 PM , Rating: 5
That is why I like HSBC's online banking system. You have a normal username and password, and then an additional password that you have to key in on a "virtual" keyboard that moves around on the screen each time you visit. You can't use your normal keyboard for the second password so keyloggers won't be able to record your keystrokes, and the keyboard moves around each time, so mapping your mouse clicks won't work either. It is really a sophisticated yet simple security solution.




RE: HSBC
By Kougar on 7/24/2008 8:12:13 PM , Rating: 2
Mapping the mouse clicks? It is far more common for such malware to take screengrabs and record screenshots of your monitor's output than for them to map your mouse clicks. This would also defeat the virtual keyboard since they can play back the video or string together the screenshots they make of what you are seeing as you input the extra password.


RE: HSBC
By sxr7171 on 7/25/2008 4:38:17 PM , Rating: 2
If it only shows asterisks you should be fine right? That means no letters even for a second but pure asterisks.


RE: HSBC
By Kougar on 7/25/2008 6:39:07 PM , Rating: 2
No, because they watch what the mouse cursor is clicking on visually, they don't need to "map" anything to see that.

Imagine them looking at your monitor from beside you... it is the same thing. It's not uncommon for such malware to fully record the display as if it was a video feed. They can replay the video and see what buttons you clicked on, so asterisks don't stop that. Just like if someone was watching your keyboard over your shoulder. ;) Is it likely to happen? No, but there has been malware out there that has exploited this method for years.

The fact of the matter is nothing is completely foolproof or 100% secure, the best security you can have is to ensure your PC is completely spy/malware free before even thinking of browsing anywhere.


RE: HSBC
By GaryJohnson on 7/26/2008 12:24:17 AM , Rating: 3
Wouldn't the recording and transmitting of so much video have a very noticeable impact on your PC's or internet connection’s performance?

And wouldn't receiving, storing, and watching so many of thousands of hours of video from the (ideally) thousands of computers which the malicious software was deployed to require serious bandwidth, hardware, and time?


RE: HSBC
By Kougar on 7/26/2008 10:46:10 PM , Rating: 2
I don't claim to be an expert, but there are ways to mitigate those potential problems. First, if the user already has an infected system and has broadband, I'm not so sure they would notice a compressed video feed being transmitted, especially if not done 24/7. Those people that would notice the activity would likely already know better.

If I was to design such a program, I would have it configured to only activate and begin to record if specific websites were opened up in the browser. Such as www yourbankhere.com, then it triggers the program to start recording in the background. Close the window, and the program stops recording. From what I've read, this is how some malware already operates, it waits to be triggered by key words or events by the user.


RE: HSBC
By AraH on 7/27/2008 6:18:43 PM , Rating: 3
quote:
And wouldn't receiving, storing, and watching so many of thousands of hours of video from the (ideally) thousands of computers which the malicious software was deployed to require serious bandwidth, hardware, and time?


i'm sure their costs would be covered by the amount of money they seize from your account...


RE: HSBC
By mindless1 on 7/28/2008 1:45:09 PM , Rating: 2
The fact is, such malware is almost unheard of. Name even one such *logger* that takes a continual video of your activities. I suspect such methods are avoided because people would catch on too quickly.


RE: HSBC
By Hawkido on 7/29/2008 1:49:36 PM , Rating: 2
Terminal Services

Correct me if I am wrong but all professional versions of MS OSs have this installed by default. All you need is the trigger to make your computer notify the spyware host computer to fire up and view the user's session. As to bandwidth, you can run Terminal Services over 56k, and on broadband it is unnoticeable.

I am sure there are 10s if not 100s of similar software packages that can be scripted to install and run based off of system events. I have used many such products (not maliciously, of course!) A lot of firewall products also have web recorders on them.

So far, you are right there aren't many that I have heard of, mainly because there is no need. If most online services move to the floating virtual keyboard, then yes, you would find these types of packages everywhere.

For example gas stations were not ubiquitous until the automobile had penetrated the market to a large degree. Need spawns ingenuity.


RE: HSBC
By GaryJohnson on 8/2/2008 8:08:15 AM , Rating: 2
Still they have to 'view' the session, which is impractical when you're talking about trying to obtain the thousands of account numbers these guys are interested in getting.


RE: HSBC
By Nik00117 on 7/26/2008 3:09:14 AM , Rating: 2
I agree, what this system is going to create is

"don't give anyone your username or password"
"don't give anyone your mother's maiden name, your first pet's name, which car you learned to drive in, and keep the restaurant that you had your wedding in a secret, also please don't mention the address of the first house you lived in, your father's occupation is also a secret."

Yup, as I say too much security for Joe Doe is simply a bad thing. I don't password protect my computer. Also if you gain physical access to my PC you can check my e-mails easily. The only time I turn on my laptop security is when I'm on trips. But it has the same info as my PC.

Quite frankly this creates headaches, which simply aren't required. "Secret questions" aren't so secret. For example

I can give you my dad's first pet's name, I can also tell you which car he first learned to drive in. On top of this I can tell you his mother's maiden name. Now I haven't even forgotten the first house that he lived in. I also know which restaurant he got married in. I also know his SSN, DOB, first, last, and middle name. I could easily create 100s of CCs in his name and have a ball shopping.

Therefore he is a security risk since I know all of his information. Granted I am his son.


RE: HSBC
By xRyanCat on 7/25/2008 2:01:48 AM , Rating: 2
Yeah... This is basically Runescape's bank PIN system...

My how technology trickles down...


RE: HSBC
By pugster on 7/25/2008 9:37:36 AM , Rating: 2
Exactly, I agree. Although we are inconvenienced, we don't hear HSBC customers complain about their accounts being hijacked.


RE: HSBC
By kellehair on 7/25/2008 12:36:24 PM , Rating: 2
I find this system so annoying that I avoid accessing my HSBC account unless I absolutely have to. I guess it is secure though...


My solution
By cplusplus on 7/25/2008 7:49:44 AM , Rating: 3
The way I solved this problem is that I look at all the questions, pick one of the relatively easy ones, and then purposefully choose the wrong answer. For example, if the question is "What high school did you go to?" instead of the name of my actual high school (Neuqua) I write the name of the other high school in my district (Wabounsie). It also helps that both of those are really uncommon names. So the information can't be obtained by looking me up, because it's wrong.




RE: My solution
By tastyratz on 7/25/2008 8:49:41 PM , Rating: 2
And just like the article says they are becoming increasingly insecure.
We already know 1 of your questions answers, care to share the rest?

The problem is not the passwords as much as it is the people. The more complex you make it, the more you trade off against insecure system bypassing: doing things like leaving your password on a notepad at work, or even posting questions' answers as examples on an easily Google-indexed site like DailyTech.


RE: My solution
By djc208 on 7/26/2008 9:12:46 AM , Rating: 2
Wish someone at my job would realize that. I've got about 7 different passwords. One for the computer itself and the rest for the various programs I need to use. Each one has slightly different requirements so I end up with many different passwords that are required to be changed at different times. Forget the password and you spend the rest of your day trying to track down the IT guy who can re-set it vice getting work done. So most people have them written down someplace, so much for added security.

Our more secure systems are actually easier to deal with. Since it's an isolated network with secure terminals in secure locations there's just one password for everything.


RE: My solution
By cplusplus on 7/28/2008 4:42:11 PM , Rating: 2
By the way, that's not my question or my answer. I'm not that stupid. I used "for example" for a reason.


The other way around
By PtJaa on 7/25/2008 1:19:12 PM , Rating: 2
My bank uses the cell phone authentication system: whenever I try to log in or to submit an order, they send an encrypted SMS message to my cell phone and I retype it into the computer.
This system is quite widespread here in Europe (at least in the Czech Republic) and I consider it to be rather safe and phishing/malware proof - the only permanent password you use is the one you enter into your cell phone to decrypt the message.




RE: The other way around
By djc208 on 7/26/2008 9:02:46 AM , Rating: 2
Too bad the horrible cell phone companies in the US charge for each of those messages unless you get the right plan. So it would cost me $0.10 every time I wanted to log into my account. Not a big deal, but an annoying expense I don't need.


RE: The other way around
By ElFenix on 7/26/2008 10:33:33 AM , Rating: 2
my bank would call by default and the computer would say the numbers to you, texting is an option.

i think it's a pretty good system.


RE: The other way around
By matt0401 on 7/27/2008 12:09:03 AM , Rating: 2
I think this is horribly insecure. The entire point of using a password is to keep the key to access a mental and not a physical entity. What if someone with bad intentions steals your cell phone?

I think the ultimate answer is to simply keep strong, random passwords and to NEVER give out the passwords (no matter how inconvenient it may be not to at times). If one has difficulty memorizing the new password, they can keep a physical copy temporarily but only while necessary. It would be a good idea to get rid of this physical copy as soon as possible. I tried this after being the victim of password-guessers and haven't had any security issues at all in the past 5 or so years that I've been doing this.

Pertaining to the annoying secret answers banks employ, I'm lucky to not have had many issues with this. My bank lets users create their own secret questions and my credit card company hasn't ever prompted me for secret answers. Someone earlier in this topic mentioned Capital One giving them a hard time. I also use Capital One but I think the simpler Canadian system for paying bills online is the reason I don't have any issues with it. No routing numbers needed... just an account number as the recipient of the bill. People can hack and try hard as they like to find out your account number, but all they would be able to do is pay your bill for you. If anyone wants to do this they're more than welcome to. :P


My experience with this issue
By Raidin on 7/24/2008 3:53:08 PM , Rating: 2
In my experience, I've noticed that these questions tend to be a back-up authentication system for when the site can't confirm it's you based solely on your user name and password.

For example, my bank asked me if the PC I was using is my normal PC for checking my account, and I said yes. This choice prevents me from ever seeing those secret questions.

Now if I am at work, or elsewhere, it asks me if I want to add this PC to my confirmed list, and if I say no, I'm back to answering questions.

I suppose it's a necessity but the manner in which most banks, and most secure sites do this, is really silly as you mentioned in your blog. The simplest way to handle this is to just ask the user to submit his own question and his own answer to it, which one or two sites I've visited actually do. Hope the rest learn!

Now if only we could see a mass-marketed hand scanner or something for user authentication via USB or some sort of close-range secure wireless connection and be done with passwords for the most part.




By shigionoth on 7/24/2008 5:17:14 PM , Rating: 2
I'm pretty sure the questions are there because the site uses a cookie on your computer to verify your identity (if you have logged in previously and checked the box that tells the website it was your computer, it dropped a cookie on your computer.)


RE: My experience with this issue
By Hakuryu on 7/26/2008 2:45:24 PM , Rating: 2
I do online banking and bill paying for my great aunt, and Capital One was a nightmare for us.

When they first implemented these questions, they seemed to lose my aunt's bank information (she pays the credit card bill through her checking account). Now you would think I could just re-enter the bank information... but upon doing that, I got an error that the routing number wasn't a legit number (the same one I paid her bill with numerous times before).

Another time, I accidentally put in the wrong name for a secret question, on the day her bill was due, and got locked out of the system until she received a letter stating how to reset everything - after numerous telephone calls. So I had to pay 'over the phone' since I couldn't get into the system, and they had the gall to charge my aunt a fee for paying over the phone after locking her out.

This secret question issue almost forces you to write down all your questions and answers to avoid problems, mainly because of problems mentioned in the article. Not very secure when a criminal could find an answer sheet more easily than taking an account name and password from my head.


Basic Laws that make life easy
By LyCannon on 7/26/2008 5:04:34 PM , Rating: 5
1) People are stupid.
I know this sounds harsh, but the large majority of the people who use the internet really need to be educated. While there are some tremendously elaborate phishing schemes out there, with some basic (sometimes not so common) sense, these can be identified and avoided.

2) If a person's computer is compromised, no additional security on a website will matter. It's still game over.

3) Poor security schemes give a false sense of security that ultimately makes the problem worse. If users feel more secure (illusory or not), their security awareness is also lowered. Lower awareness increases risk of attack and exploitation.

4) People are stupid. Please see item 1.




By dickeywang on 7/25/2008 11:37:19 AM , Rating: 3
You should try to open an account at Deutsche Bank. Their security system for online banking works in this way: you will get a list of 100 passwords by mail, and whenever you want to do virtually anything through their online banking system (transfer money from your checking into your savings account, pay your utility bill, or even just send an email to the bank), you have to type in the specific password that is on the list. Basically you have to carry the paper with you everywhere, otherwise you won't be able to do anything using their online banking system.




security
By Screwballl on 7/24/2008 2:00:34 PM , Rating: 2
so its a pain in the arse AND laden with security flaws... time to ride the bike to the bank and do it all in person.

http://www.dailytech.com/Study+Finds+Widespread+Fl...




The brand
By mattclary on 7/24/2008 3:25:37 PM , Rating: 2
The "brand" of the Aerostar = Ford

I have several accounts that ask these questions and they aren't really that vague if you pay attention to what they are asking. Not slamming the author, just giving my opinion.




Those darned questions...
By Aikouka on 7/24/2008 3:56:58 PM , Rating: 2
I actually understand your sentiment exactly. Whenever I have to fill out those darned questions, I'm always stuck with finding one that has an exact answer that I cannot write more than one way. But there's an inherent problem with that... those types of questions are the worst security-wise! The questions that usually fit this bill are "Father's Middle Name" "Mother's Maiden Name" "Favorite Movie" (for some that one doesn't count, but mine's been the same for over a decade). Some of the more annoying ones I've found are "What was the name of your high school?" and "What was your first car?" I remember having quite a bit of trouble with both of those as I wasn't sure exactly how I entered them.

So, most of this is information that some dubious person could easily get with some digging and a quick look at yer Myspace page. Although, it'd be nice if I could even log onto my web banking... ever since they changed to a username and password system, I have no idea what I even entered. The problem being that some sites are more restrictive than others, so say... my username here on DailyTech would be sufficient on one site but not another. The same goes for passwords, which I tried to come up with elongated versions to match, but even then sometimes it's picky.




Simple solution
By BBeltrami on 7/24/2008 4:54:08 PM , Rating: 2
I noticed the same thing at my financial institution, which also uses a canned list. The question I ask as I look over the list is, "Why can't I simply enter my OWN question?"




Ford Aerostar
By Sulphademus on 7/25/2008 9:02:06 AM , Rating: 2
I knew someone who had one of them: what a piece of crap!

You have my sympathy.




My solution to secret questions
By corduroygt on 7/25/2008 7:57:34 PM , Rating: 2
The answer to all my secret questions is my password. Still a single alphanumeric string to remember, and problem solved.




By Gorbachev on 7/27/2008 5:04:43 AM , Rating: 2
In Finland, we've had online banking for more than a decade. We completely stopped using cheques for money transfers in the early 1990's.

The first online banking was done through modems and a simple telnet-like terminal connection. Now every single bank has an internet based service, which is also accessible by cellphones. You can pay your bills from anywhere in the world with your phone.

The security measures are simple, yet extremely powerful.
If you want tried and true experience in this matter, go talk to people running the services for Finnish banks.

For instance in the Finnish branch of Nordea Bank, there's a "changing challenge" verification for logins and all payments. The bank sends a unique set of keys to all users; there are ~70 or so of them on the card + ~20 unchanging keys for verifying the payment.

You log in with your personal ID number and provide the next unused code from the card. Then for payment verifications you give another code from the challenge.

To my knowledge, this is yet to be hacked by any other means than elaborate social networking. It's not too inconvenient, it's extremely secure and you only need to remember your personal ID code because the card is useless without it.

There are variations of this challenge paradigm, but all banks have them. You get challenged once for logging in and once for verifying the payment.
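The Deutsche Bank list of 100 passwords and the Nordea card described in this thread are the same mechanism: a printed list of one-time codes, consumed either in order ("the next unused code") or by position ("give me code number N"). The example below is added to this page and is not any bank's code; it models the server side of such a card in both styles, storing only a keyed hash per position so that a dumped database does not by itself yield usable codes, and locking the card after a few consecutive failures because a six-digit code is trivial to brute-force otherwise. Card size, code length, the lockout threshold and the HMAC tagging scheme are assumptions; the ~20 fixed payment keys mentioned for Nordea are not modelled.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Example code added to this page. It models a printed list of one-time codes
# in both styles the comments describe (sequential "next unused code" and
# "give me code number N"); the fixed payment keys mentioned above are not
# modelled. Card size, code length and lockout threshold are assumptions.


@dataclass
class CardRecord:
    """Server-side state for one printed card. Only an HMAC tag per position
    is kept, keyed with a server secret stored outside the database, so a
    dumped table does not directly yield usable codes."""
    card_id: str
    tags: list
    used: list
    failures: int = 0
    max_failures: int = 3

    @property
    def locked(self) -> bool:
        return self.failures >= self.max_failures

    @property
    def exhausted(self) -> bool:
        return all(self.used)


def _tag(server_key: bytes, card_id: str, index: int, code: str) -> bytes:
    msg = f"{card_id}:{index}:{code}".encode()
    return hmac.new(server_key, msg, hashlib.sha256).digest()


def issue_card(size: int, digits: int, server_key: bytes):
    """Generate `size` random numeric codes. Returns the server record and the
    plaintext codes; the plaintext goes to the printer and is then discarded."""
    card_id = secrets.token_hex(8)
    codes = [f"{secrets.randbelow(10 ** digits):0{digits}d}" for _ in range(size)]
    tags = [_tag(server_key, card_id, i, c) for i, c in enumerate(codes)]
    return CardRecord(card_id=card_id, tags=tags, used=[False] * size), codes


def next_login_challenge(rec: CardRecord):
    """Sequential style: the first unused position, or None when the card is spent."""
    for index, spent in enumerate(rec.used):
        if not spent:
            return index
    return None


def random_payment_challenge(rec: CardRecord):
    """Indexed style: a randomly chosen unused position, or None when spent."""
    unused = [i for i, spent in enumerate(rec.used) if not spent]
    return secrets.choice(unused) if unused else None


def redeem(rec: CardRecord, server_key: bytes, index: int, code: str) -> bool:
    """Accept the code at `index` exactly once. A used position, a bad index,
    a wrong code and a locked card all fail the same way; a few consecutive
    failures lock the card, because six digits are trivial to brute-force."""
    if rec.locked or not 0 <= index < len(rec.tags) or rec.used[index]:
        rec.failures += 1
        return False
    if hmac.compare_digest(_tag(server_key, rec.card_id, index, code), rec.tags[index]):
        rec.used[index] = True
        rec.failures = 0
        return True
    rec.failures += 1
    return False


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # would live in an HSM or config, not the DB
    record, printed = issue_card(size=5, digits=6, server_key=key)
    position = next_login_challenge(record)
    print("bank asks for code", position + 1, "->", redeem(record, key, position, printed[position]))
    print("same code again   ->", redeem(record, key, position, printed[position]))
```

What the code makes visible is why the thread finds these cards hard to phish: a captured code is spent the moment it is accepted, a phishing page does not know which position the real bank will ask for next, and the card runs out, at which point the bank has to post a new one, which is the reissue cost the Deutsche Bank comment is complaining about.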




Thats why
By FITCamaro on 7/24/08, Rating: 0
I would like to see
By Tryek25 on 7/24/08, Rating: -1
RE: I would like to see
By Crusty on 7/24/2008 3:58:23 PM , Rating: 2
The point is that it is far easier to obtain the answers to the security questions compared to guessing a complex password. So if an attacker already has your password, the secret questions aren't going to do much to stop them.


RE: I would like to see
By Sulphademus on 7/25/2008 9:04:12 AM , Rating: 2
What is your mother's maiden name?

There's only about 5000 people out there who know that!

And forget it if you get any fame at all.


Remember passwords
By bobdelt on 7/25/08, Rating: -1
RE: Remember passwords
By FreeTard on 7/27/2008 5:36:39 PM , Rating: 1
Exactly.

To sum it all up in one sentence:

If you don't like Online Banking, don't use it.

What really sucks. When I buy a bottle of Advil, they put it in a box, then they put the plastic wrapper around the cap, then they put that foam type seal over the opening, and then they put that cotton inside! What's up with that? It takes me like an extra 30 seconds to open it!

I would have expected this blog on one of those less reputable sites where any ass-wad with a computer can share their stupid thoughts.


RE: Remember passwords
By AssBall on 7/27/2008 11:17:22 PM , Rating: 2
quote:
If you don't like Online Banking, don't use it.


Most worthless mentality ever...

Next time actually read the blog, and when you can't understand the point of it, don't bother posting your drivel. It is you who are the ass-wad with a computer sharing his stupid thoughts.

To sum it all up in one sentence:
If you don't like his blogs do not read them.


Copyright 2012 DailyTech LLC.