backtop

Blog: Internet Online Banking is a Pain in the Ass Now
Tom Corelis (Blog) - July 24, 2008 12:52 PM
Print E-mail del.icio.us 41 comment(s) - last by GaryJohnson.. on Aug 2 at 8:08 AM
New security measures make banking online even more inconvenient

Research for my recent article on banking online sent me down memory lane, in a way, and I found myself revisiting some of the frustrations I felt in a recent attempt to manage my finances on the web.

Many of you are probably aware of a recent, U.S.-wide implementation of a secret question/answer system, which compliments banks' more traditional username/password box. I say this because two out of the three banks I use – Citibank, as well as my local credit union – implemented this system at roughly the same time, and almost exactly the same way: by presenting me with a list of ridiculous secret questions, and making me supply secret answers. Three times each. (Additional research I did at the time revealed that there was, in fact, a large-scale initiative – though its name eludes me right now.)

The point of all this, of course, is to add an additional means of authenticating oneself (“two-factor authentication”) when the bank detects “unusual” activity. From my own experience, “unusual” seems to be a change in IP address – evidenced mainly by the fact that ever since I reactivated my Mint.com account, I now have to answer these annoying little prompts almost every couple of days.

Secret questions are an oddity, and what they ask runs the gamut of different possibilities. Herein lies the first problem: many of the questions are poorly thought out. At best, they simply don’t apply to the user. At worst, their answers are difficult and nuanced.

For example, here’s one of the choices I was presented: “What is the brand of car you learned to drive in?”  That’s hard to say – my driving lessons were evenly divided between two cars: my Mom’s Aerostar, and my Dad’s black Volvo. Moreover, I learned to drive a stick shift in my first car – a squirrelly little Honda Civic with the world’s most unforgiving manual transmission. See? Already, I have three answers. Further compounding this was petty semantics: should I put “Ford Aerostar” or just “Aerostar”? Which one was I more likely to enter if I forgot about the question completely? What if someone wants to answer “1992 Blue Ford Aerostar”? Should they be expected to remember the answer in both its complexity and the order of its descriptors, in addition to their login name (account number, in my case) and password?

Scrolling through the list of possible secret questions, I realized about half of them were either nuanced, like the example above, or simply too easy for someone to guess. The other half simply didn’t apply to me: “When was your first mortgage?” I’ve never owned a house. “What restaurant was your wedding rehearsal dinner held?” I’m unmarried. “What nickname did you have for your grandmother?” I never knew my grandmother – oh, and thanks for reminding me of that fact.

I ended up picking three questions that I had to pick my brain to answer, and all of the questions were nuanced in such way that the correct answer could take half a dozen different forms. One day I found myself locked out of my account until the system gave me a different question – a day later.

My second big problem was connecting these newly-protected accounts to third party services – Mint, namely. As my Mint account stopped working a few weeks prior due to these secret question hysterics, I had to reenter all this information into my Mint account. Once again, I was presented with the same list of questions and had to enter the same exact answers – except this time, if I entered anything wrong then my Mint account would stop working. Even worse: my bank refused to divulge the secret questions I had – somewhat whimsically – chosen. I ended up getting around this by recording my secret questions and answers as I encountered them over the next week, and then finally returning to Mint to fill them in.

While I understand the need for increased security, the product of these concerns is a system that is annoying, cumbersome, and impeding to functionality: We’ve solved the username/password problem, but the solution is so much worse that, frankly, I would rather we went back to passwords. The way I understand it, secret questions are primarily designed to thwart phishers and other attackers who only know your login credentials. What’s to stop these people from phishing for your secret question and answer as well? It would be very easy for all those fake “account maintenance” web pages add a couple of additional questions.

Besides, what if the victim’s attacker is a jilted lover? A divorced spouse? A once-trusted friend?

And, of course, let’s not forget how Paris Hilton’s T-Mobile was hacked.

Now, I don’t claim to be an expert in security – at least not in the “certified” sense. I do know a thing or two, however, as most anyone who’s heard the stories I tell can attest. You don’t have to believe me when I tell you that a secret question is the wrong answer to our current security woes – but I would advise believing esteemed security expert Bruce Schneier (“Most people use passwords. Some people use passphrases. Bruce Schneier uses an epic passpoem…”), who presents a far more authoritative argument.

In a nutshell, Schneier accuses banks of backing a normal security protocol (a password) with a “much less secure protocol” (secret questions).

“It's a great idea from a customer service perspective – a user is less likely to forget his first pet's name than some random password – but terrible for security. The answer to the secret question is much easier to guess than a good password, and the information is much more public,” he writes.

I agree. Neither of us have a good answer, however. I am a fan of passphrases, but those can be phished just as easily as a password. There are other forms of two-factor authentication: maybe we could standardize on a nifty little keychain that spits out a number once a minute. (Don’t lose your keys!) Or, perhaps, we could present our financial institutions with a thumbprint for use with a home-based fingerprint scanner – but again, this requires standardization, and probably more than a little expense.

Comments     Threshold


This article is over a month old, voting and posting comments is disabled
HSBC
By mjcutri on 7/24/2008 2:45:21 PM , Rating: 5
That is why I like HSBC's online banking system. You have a normal username and password, and then an addtional password that you have to key in on a "virtual" keyboard that moves around on the screen each time you visit. You can't use your normal keyboard for the second password so keyloggers won't be able to record your keystrokes, and the keyboard moves around each time, so mapping your mouse clicks won't work either. It is really a sophisticated yet simple security solution.




RE: HSBC
By Kougar on 7/24/2008 8:12:13 PM , Rating: 2
Mapping the mouse clicks? It is far more common for such malware to take screengrabs and record screenshots of your monitor's output than for them to map your mouse clicks. This would also defeat the virtual keyboard since they can play back the video or string together the screenshots they make of what you are seeing as you input the extra password.


RE: HSBC
By sxr7171 on 7/25/2008 4:38:17 PM , Rating: 2
If it only shows asterisks you should be fine right? That means no letters even for a second but pure asterisks.


RE: HSBC
By Kougar on 7/25/2008 6:39:07 PM , Rating: 2
No, because they watch what the mouse cursor is clicking on visually, they don't need to "map" anything to see that.

Imagine them looking at your monitor from beside you... it is the same thing. It's not uncommon for such malware to fully record the display as if it was a video feed. They can replay the video and see what buttons you clicked on, so asterisks don't stop that. Just like if someone was watching your keyboard over your shoulder. ;) Is it likely to happen, no, but there is malware out there that does exploit this method for years.

The fact of the matter is nothing is completely foolproof or 100% secure, the best security you can have is to ensure your PC is completely spy/malware free before even thinking of browsing anywhere.


RE: HSBC
By GaryJohnson on 7/26/2008 12:24:17 AM , Rating: 3
Wouldn't the recording and transmitting of so much video have a very noticeable impact on your PC's or internet connection’s performance?

And wouldn't receiving, storing, and watching so many of thousands of hours of video from the (ideally) thousands of computers which the malicious software was deployed to require serious bandwidth, hardware, and time?


RE: HSBC
By Kougar on 7/26/2008 10:46:10 PM , Rating: 2
I don't claim to be an expert, but there are ways to mitigate those potential problems. First, if the user already has an infected system and has broadband, I'm not so sure they would notice a compressed video feed being transmitted, especially if not done 24/7. Those people that would notice the activity would likely already know better.

If I was to design such a program, I would have it configured to only activate and begin to record if specific websites were opened up in the browser. Such as www yourbankhere.com, then it triggers the program to start recording in the background. Close the window, and the program stops recording. From what I've read, this is how some malware already operates, it waits to be triggered by key words or events by the user.


RE: HSBC
By AraH on 7/27/2008 6:18:43 PM , Rating: 3
quote:
And wouldn't receiving, storing, and watching so many of thousands of hours of video from the (ideally) thousands of computers which the malicious software was deployed to require serious bandwidth, hardware, and time?


i'm sure their costs would be covered by the amount of money they seize from your account...


RE: HSBC
By mindless1 on 7/28/2008 1:45:09 PM , Rating: 2
The fact is, such malware is almost unheard of. Name even one such *logger* that takes a continual video of your activities. I suspect such methods are avoided because people would catch on too quickly.


RE: HSBC
By Hawkido on 7/29/2008 1:49:36 PM , Rating: 2
Terminal Services

Correct me if I am wrong but all professional versions of MS OSs have this installed by default. All you need is the Trigger to make your computer notify the spyware host computer to fire up and view the users session. As to bandwidth, you can run Terminal Services over 56k, and on broadband it is unnoticable.

I am sure there are 10s if not 100s of similar software that can be scripted to install and run based off of system events. I have used many such products (not maliciously, of course!) Alot of firewall products also have web recorders on them.

So far, you are right there aren't many that I have heard of, mainly because there is no need. If most online services move the the floating virtual keyboard, then yes, you would find these type packages everywhere.

For example gas stations were not ubiquitous until the automobile had penetrated the market to a large degree. Need spawns ingenuity.


RE: HSBC
By GaryJohnson on 8/2/2008 8:08:15 AM , Rating: 2
Still they have to 'view' the session, which is impractical when you're talking about trying to obtain the thousands of account numbers these guys are interested in getting.


RE: HSBC
By Nik00117 on 7/26/2008 3:09:14 AM , Rating: 2
I agree, what this system is going to create is

"don't give anyone your username or password"
"don't give anyone your mothers madien name, your first pets name, which car you learned to drive in, and keep the restuartant that you had your wedding in a sercet, also please don't mention the address of the first house you lived in, your fathers occupation is also a sercet."

Yup, as I say too much secuirty for Joe Doe is simply a bad thing. I don't password protect my computer, Also if you gain physical access to my PC you can check my e-mails easily. The only time I turn on my laptop secuirty is when I'm on a trips. But it has the same info as my PC.

Quite frankly this creates headaches, which simply aren't required. "Sercet questions" aren't so sercet. For example

I can give you my dads first pets name, I can also tell you which car he first learned to drive in. On top of this I can tell you his mothers madien name. Now I haven't even forgotten the first house that he lived in. I also know which restuarant he got married in. I also know his SSN, DOB, First, Last, and middle name. I could easily create 100s of CCs in his name and have a ball shopping.

Therefore he is a secuirty risk since I know all of his information, Granted I am his son


RE: HSBC
By xRyanCat on 7/25/2008 2:01:48 AM , Rating: 2
Yeah... This is basically Runescapes bank PIN system...

My how technology tickles down...


RE: HSBC
By pugster on 7/25/2008 9:37:36 AM , Rating: 2
Exactly, I agree. Although we are inconvienced, we don't hear HSBC customers complain about their accounts being hijacked.


RE: HSBC
By kellehair on 7/25/2008 12:36:24 PM , Rating: 2
I find this system so annoying that I avoid accessing my HSBC account unless I absolutely have to. I guess it is secure though...


My solution
By cplusplus on 7/25/2008 7:49:44 AM , Rating: 3
The way I solved this problem is that I look at all the question, pick one of the relatively easy ones, and then purposefully choose the wrong answer. For example, if the question is "What high school did you go to?" instead of the name of my actual high school (Neuqua) I write the name of the other high school in my district (Wabounsie). It also helps that both of those are really uncommon names. So the information can't be obtained by looking me up, because it's wrong.




RE: My solution
By tastyratz on 7/25/2008 8:49:41 PM , Rating: 2
And just like the article says they are becoming increasingly insecure.
We already know 1 of your questions answers, care to share the rest?

The problem is not the passwords as much as it is the people. The more complex you make it the more you trade off insecure system bypassing. Doing things like leaving your password on a notepad at work, or even posting questions answers as examples on an easily google indexed site like dailytech.


RE: My solution
By djc208 on 7/26/2008 9:12:46 AM , Rating: 2
Wish someone at my job would realize that. I've got about 7 different passwords. One for the computer itself and the rest for the various programs I need to use. Each one has slightly different requirements so I end up with many different passwords that are required to be changed at different times. Forget the password and you spend the rest of your day trying to track down the IT guy who can re-set it vice getting work done. So most people have them written down someplace, so much for added security.

Our more secure systems are actually easier to deal with. Since it's an isolated network with secure terminals in secure locations there's just one password for everything.


RE: My solution
By cplusplus on 7/28/2008 4:42:11 PM , Rating: 2
By the way, that's not my question or my answer. I'm not that stupid. I used for example for a reason.