From: Robert Spier
Date: 05:47 on 21 Dec 2006
Subject: Banking on Stupidity

My bank is instituting one of those newfangled secondary-verification pages (where you re-verify things like your age, favorite color, or the picture you picked.) I'm pretty sure it doesn't do anything useful except make it harder for me to scrape my bank account details. That's hateful by itself... but better.... when trying to register for the new system (required for logging in) I get the following beautiful error:

    Usernames are required for login, however, username registration is currently unavailable. We apologize for the inconvenience and ask that you try again later.

ARGH!

Of course, this is also the same bank that has their test system at http://www.mybank.com/ and production at https://www.mybank.com/

hateful people -- and hateful software.

-R
From: David King
Date: 06:33 on 21 Dec 2006
Subject: Re: Banking on Stupidity

> when trying to register for the new system (required for logging in) I
> get the following beautiful error:
> Usernames are required for login, however, username registration is
> currently unavailable. We apologize for the inconvenience and ask
> that you try again later.

At least it didn't see only the first error or only the second error and bail out (for instance, by simply replying that a username is required, or only that the registration system is unavailable). Sounds like this was planned downtime, but if it was, they would have done well to list that schedule on the error page.

> Of course, this is also the same bank that has their test system at
> http://www.mybank.com/ and production at https://www.mybank.com/

...wow. Does http:.../ at least redirect to https:.../ ?

> hateful people -- and hateful software.
From: Robert Spier
Date: 07:30 on 21 Dec 2006
Subject: Re: Banking on Stupidity

At Wed, 20 Dec 2006 22:33:26 -0800, David King wrote:
>
> > when trying to register for the new system (required for logging in) I
> > get the following beautiful error:
> > Usernames are required for login, however, username registration is
> > currently unavailable. We apologize for the inconvenience and ask
> > that you try again later.
>
> At least it didn't see only the first error or only the second error
> and bail out (for instance, by simply replying that a username is
> required, or only that the registration system is unavailable).
> Sounds like this was planned downtime, but if it was, they would have
> done well to list that schedule on the error page.

They're usually pretty good at announcing planned downtime. This doesn't appear to be one. Of course, I can't log in to check my account at all right now, and because this is a credit union, they don't have 24/7 phone people. Sigh.

> > Of course, this is also the same bank that has their test system at
> > http://www.mybank.com/ and production at https://www.mybank.com/
>
> ...wow. Does http:.../ at least redirect to https:.../ ?

Oooh, it does now. It used to be that http:// showed a username and password box (identical to the one on https) -- except your username and password didn't work. But now http:// has a link to https:// instead of a field. Progress! That's only been an issue for 5 years.

> > hateful people -- and hateful software.
From: Robert Rothenberg
Date: 09:51 on 21 Dec 2006
Subject: Re: Banking on Stupidity

On 21/12/06 05:47 Robert Spier wrote:
> My bank is instituting one of those newfangled secondary-verification
> pages (where you re-verify things like your age, favorite color, or
> the picture you picked.) I'm pretty sure it doesn't do anything
> useful except make it harder for me to scrape my bank account
> details. That's hateful by itself...

I'd argue that it's useful for defending against key-loggers and other shoulder-surfing trojans. If they ask a random question each time you log in, then knowledge of what you answered for the last question should be of no use.

Then there is having to enter passwords with the graphical keyboard that uses javascript: the security value of that is debatable, but the interface is hateful.
From: Rafael Garcia-Suarez
Date: 09:59 on 21 Dec 2006
Subject: Re: Banking on Stupidity

On 21/12/06, Robert Rothenberg wrote:
> Then there is having to enter passwords with the graphical keyboard that
> uses javascript: the security value of that is debatable, but the interface
> is hateful.

Especially when you have some kind of CPU-hungry flash animation that keeps being displayed by Firefox on top of the javascript interface. But it seems that my bank has fixed that a few weeks ago...
From: Nicholas Clark
Date: 10:16 on 21 Dec 2006
Subject: Re: Banking on Stupidity

On Thu, Dec 21, 2006 at 10:59:03AM +0100, Rafael Garcia-Suarez wrote:
> On 21/12/06, Robert Rothenberg wrote:
> > Then there is having to enter passwords with the graphical keyboard that
> > uses javascript: the security value of that is debatable, but the interface
> > is hateful.
>
> Especially when you have some kind of CPU-hungry flash animation
> that keeps being displayed by Firefox on top of the javascript interface.
> But it seems that my bank has fixed that a few weeks ago...

I don't deal with my bank online. I have no idea what hate they have there, but for the odd times that a cash machine doesn't cut it, I'll use the counter service and avoid them increasing their profits by reducing their service to automated systems.

Meanwhile I'll just hate cash machine software for using an extra screen to ask "would you like a receipt with that" when it had space on the previous menu to split an option into two, one "with" and one "without". And extra screens at the front of the sequence that ask "would you like a free balance enquiry?" And any cash machine showing a windows dialogue box.

Nicholas Clark
From: Abigail
Date: 10:29 on 21 Dec 2006
Subject: Re: Banking on Stupidity

On Thu, Dec 21, 2006 at 10:16:36AM +0000, Nicholas Clark wrote:
> On Thu, Dec 21, 2006 at 10:59:03AM +0100, Rafael Garcia-Suarez wrote:
> > On 21/12/06, Robert Rothenberg wrote:
> > > Then there is having to enter passwords with the graphical keyboard that
> > > uses javascript: the security value of that is debatable, but the interface
> > > is hateful.
> >
> > Especially when you have some kind of CPU-hungry flash animation
> > that keeps being displayed by Firefox on top of the javascript interface.
> > But it seems that my bank has fixed that a few weeks ago...
>
> I don't deal with my bank online. I have no idea what hate they have there,
> but for the odd times that a cash machine doesn't cut it, I'll use the
> counter service and avoid them increasing their profits by reducing their
> service to automated systems.
>
> Meanwhile I'll just hate cash machine software for using an extra screen to
> ask "would you like a receipt with that" when it had space on the previous
> menu to split an option into two, one "with" and one "without"
> And extra screens at the front of the sequence that ask "would you like a
> free balance enquiry?"
> And any cash machine showing a windows dialogue box.

What's also hateful is that different banks have different screens, and different buttons to push for the same question. It's not so difficult for people with normal vision, but it extremely limits the usability for blind people. I have blind friends who can only use a small number of cash machines (that is, a few cash machines, not cash machines from a few banks), because they have received training for those machines, and would be at a total loss at any other. And they need to get new training when the screens change. Not that anyone bothers to inform them...

Abigail
From: Jonathan Stowe
Date: 12:02 on 21 Dec 2006
Subject: Re: Banking on Stupidity

On Thu, 2006-12-21 at 11:29 +0100, Abigail wrote:
> I have blind friends who can only
> use a small number of cash machines (that is, a few cash machines, not
> cash machines from a few banks), because they have received training for
> those machines, and would be at a total loss at any other.

The nearest bank to where I live has two completely different machines next to each other, which can be confusing to me, let alone someone with a visual impairment.
From: Ricardo SIGNES
Date: 14:02 on 21 Dec 2006
Subject: Re: Banking on Stupidity

* Abigail <abigail@xxxxxxx.xx> [2006-12-21T05:29:49]
> It's not so difficult for people with normal vision, but it extremely
> limits the usability for blind people. I have blind friends who can only
> use a small number of cash machines (that is, a few cash machines, not
> cash machines from a few banks), because they have received training for
> those machines, and would be at a total loss at any other.

All the ATMs around here have 1/8" jacks for headphones for instructions. I've always assumed that these were really helpful, but I've never tried to listen. Maybe next time, I will...
From: Jonathan Stowe
Date: 14:29 on 21 Dec 2006
Subject: Re: Banking on Stupidity

On Thu, 2006-12-21 at 09:02 -0500, Ricardo SIGNES wrote:
> All the ATMs around here have 1/8" jacks for headphones for instructions.

I'd always assumed that the jacks were for the convenience of the card-skimmers downloading all the card details they had stolen, and avoided any machines that had them :-O
From: Robert Rothenberg
Date: 16:35 on 21 Dec 2006
Subject: Cash machine hate (was Re: Banking on Stupidity)

On 21/12/06 10:16 Nicholas Clark wrote:
> Meanwhile I'll just hate cash machine software for using an extra screen to
> ask "would you like a receipt with that" when it had space on the previous
> menu to split an option into two, one "with" and one "without"
> And extra screens at the front of the sequence that ask "would you like a
> free balance enquiry?"
> And any cash machine showing a windows dialogue box.

My favourite hate is when you go through several menu steps only to be told it cannot do what you asked (no £10 notes or it cannot print receipts), have it spit out your card and start over again.
From: Chris Devers
Date: 19:58 on 21 Dec 2006
Subject: Re: Cash machine hate (was Re: Banking on Stupidity)

On Dec 21, 2006, at 11:35 AM, Robert Rothenberg wrote:
> My favourite hate is when you go through several menu steps only to be
> told it cannot do what you asked (no £10 notes or it cannot print receipts),
> have it spit out your card and start over again.

My current favorite is the neighborhood gas station that, presumably for good, fraud-avoiding reasons, has recently implemented a policy of requiring that you enter your ZIP code when using the automated credit card payment.

The first time I saw this, a couple of weeks ago, there was no signage indicating that they're doing this now, never mind for what reason[s], so when the question came up my "marketing alert, feed 'em fake data" reflex kicked in, I put in a dummy value for the question ("90210" or something), and it locked into a 5 minute routine of, presumably, querying the credit card company, asking if this is the right ZIP, waiting for the credit card company to mull it over for a bit, wait for the credit card company to pop off for a coffee / beer / piss / whatever, get back a response, tell me that ZIP value is invalid, spend a couple of minutes sitting idly so that I too could pop off for a coffee / beer / piss / whatever, then go back to the first screen so that I could start all over again. Lovely.

Last night it did more or less the same thing again, with some fun variants. For one thing, it was one of the first uncomfortably cold nights we've had, and I was wearing a thin jacket & gloves. I knew to feed it the honest data this time, but because of the cold, and because the UI for these gas station systems seems to be sluggish on a warm day and grudgingly dragged out of hibernation on cold days, every keypress is only acknowledged 5-10 seconds later, but if you know the drill you should be able to just plunge through. Except for when you make a typo when typing the damned ZIP code. So you reach for the big, promising, yellow "CANCEL" button. And it responds, with the same 5 minute do nothing, get your coffee / beer / piss / whatever break routine, and you get to glare at it bitterly, shivering all the while, noticing with frustration the pale grey "Clear" button that presumably is this system's term for "backspace", and you get your chance to spend several minutes contemplating the error of your ways, staring at the clouds of your breath, despondently.

I had previously Hated the new automated checkout systems at the supermarkets: (cons) slow, cumbersome, inflexible, and with a cloying voice instruction system; (pros) everyone hates them even more, so there's never a line. But at least supermarkets are climate-controlled.

-- 
Chris Devers
From: Patrick Carr
Date: 16:14 on 21 Dec 2006
Subject: Re: Banking on Stupidity

On Dec 21, 2006, at 12:47 AM, Robert Spier wrote:
>
> My bank is instituting one of those newfangled secondary-verification
> pages (where you re-verify things like your age, favorite color, or
> the picture you picked.) I'm pretty sure it doesn't do anything
> useful except make it harder for me to scrape my bank account
> details. That's hateful by itself... but better....

My one bank just instituted a new second step of security whereby I answer three security questions of their choosing THAT ONLY I KNOW THE ANSWER TO.

I'm sorry, but hundreds of people know which elementary school I went to and what my mother's maiden name is. And most of them are deadbeat second cousins who are probably going to be the ones filching my hard-earned pennies in the first place.

Pat
i hates "security"
From: Roger Burton West
Date: 16:18 on 21 Dec 2006
Subject: Re: Banking on Stupidity

On Thu, Dec 21, 2006 at 11:14:28AM -0500, Patrick Carr wrote:
> I'm sorry, but hundreds of people know which elementary school I went to and
> what my mother's maiden name is. And most of them are deadbeat second cousins
> who are probably going to be the ones filching my hard-earned pennies in the
> first place.

"MegaGloboBank thinks I went to the EskupatObs3 Elementary School."

R
From: Patrick Carr
Date: 16:25 on 21 Dec 2006
Subject: Re: Banking on Stupidity

On Dec 21, 2006, at 11:18 AM, Roger Burton West wrote:
> On Thu, Dec 21, 2006 at 11:14:28AM -0500, Patrick Carr wrote:
>
> > I'm sorry, but hundreds of people know which elementary school I
> > went to and what my mother's maiden name is. And most of them are deadbeat
> > second cousins who are probably going to be the ones filching my hard-earned
> > pennies in the first place.
>
> "MegaGloboBank thinks I went to the EskupatObs3 Elementary School."

Yes yes, that's all well and good, but _I_ have to remember it too. It reminds me of working at a certain federal agency, where the passwords had to be so complicated and so frequently changed that nearly everyone had theirs on a post-it note on their computer.

Pat
From: Robert Rothenberg
Date: 16:57 on 21 Dec 2006
Subject: Re: Banking on Stupidity

On 21/12/06 16:25 Patrick Carr wrote:
> On Dec 21, 2006, at 11:18 AM, Roger Burton West wrote:
> [..]
> > "MegaGloboBank thinks I went to the EskupatObs3 Elementary School."
>
> Yes yes, that's all well and good, but _I_ have to remember it too. ...

You can use mnemonics or word-association to remember it, e.g. for Third National Bank you could use the school your 3rd wife (or husband) attended, or the name of the third street over from the school, or the name of the deli three doors down from the school, etc.

You could probably safely write down password hints on a sticky note. Keep in mind who these questions are meant to protect your account from: keystroke loggers and shoulder surfers.
From: jrodman
Date: 19:18 on 21 Dec 2006
Subject: Re: Banking on Stupidity

On Thu, Dec 21, 2006 at 04:57:03PM +0000, Robert Rothenberg wrote:
> On 21/12/06 16:25 Patrick Carr wrote:
> > On Dec 21, 2006, at 11:18 AM, Roger Burton West wrote:
> > [..]
> > > "MegaGloboBank thinks I went to the EskupatObs3 Elementary School."
> >
> > Yes yes, that's all well and good, but _I_ have to remember it too. ...
>
> You can use mnemonics or word-association to remember it, e.g. for Third
> National Bank you could use the school your 3rd wife (or husband) attended,
> or the name of the third street over from the school, or the name of the
> deli three doors down from the school, etc.

Fantastic, so now I have a second (and third and fourth?) password that the interface doesn't treat like a password. And if I lose it, MegaGloboBank will insist that if I cannot remember my mother's maiden name, that I cannot possibly be me. Even if I'm there in person or whatever.

-josh
From: Philippe Bruhat (BooK)
Date: 16:48 on 21 Dec 2006
Subject: Re: Banking on Stupidity

On Thursday 21 December 2006 at 11:14, Patrick Carr wrote:
> On Dec 21, 2006, at 12:47 AM, Robert Spier wrote:
>
> >
> > My bank is instituting one of those newfangled secondary-verification
> > pages (where you re-verify things like your age, favorite color, or
> > the picture you picked.) I'm pretty sure it doesn't do anything
> > useful except make it harder for me to scrape my bank account
> > details. That's hateful by itself... but better....
>
>
> My one bank just instituted a new second step of security whereby I
> answer three security questions of their choosing THAT ONLY I KNOW
> THE ANSWER TO.

Second step of security is good. The password to access your account can be snooped, guessed or otherwise phished.

For example: multi-channel banking requires numbers only in your password so you can input your password over the phone, and your login is often your bank account number. So it's easy to guess the length and form of the login. If people can choose their numerical password (6 or 8 in length, most of the time), then you can bet on easy passwords (dates: a 30-year span gives about 11000 possible passwords) and brute force a login. Given the number of clients of the largest banks (millions), you're bound to find the login/password pair needed to break in. Without snooping, phishing or even if the user never ever connects (maybe the bank creates online accesses by default, even if the clients don't require it). That's an attack based on statistics.

A second level of security, for accepting transfers to unknown accounts, creating new accounts, etc is then a very good way to protect you from those attacks. Brute force won't work if you have only three guesses. Basically, the first level of protection will give access to read-only information. You may not like the fact that people know how much you earn, but at least they won't be able to move the money around.

Still a slight problem: if you can move the money from one of your accounts to another from which it's difficult to take the money back (e.g. long-term savings plans), then someone can really bother you, by making your money unavailable, without stealing it!

> I'm sorry, but hundreds of people know which elementary school I went
> to and what my mother's maiden name is. And most of them are deadbeat
> second cousins who are probably going to be the ones filching my hard-
> earned pennies in the first place.

Well, if the questions are dumb... they deserve the hate.

My bank sent me a small paper card, with a table of 2-digit pincodes. Whenever I want to do something "risky" (e.g., transferring money to a new bank account), they ask for the pincode at column x row y in the table. When the table has been used, I just have to order a new one.

Naturally, phishers have created fake sites that ask you for several numbers in your card. The user is still the weakest link.

Even when all banks will provide tokens such as SecurID cards, phishers will create fake sites and try to use the small window during which the one-time password is still valid to enter your account (think how captchas are defeated by robots using humans to decipher the images).

-- 
Philippe "BooK" Bruhat

In the contest between simplicity and silence, silence hasn't got a prayer.
(Moral from Groo The Wanderer #15 (Epic))
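The server side of the paper grid card BooK describes (one 2-digit cell per risky action, each cell consumed once, and the "only three guesses" lockout from earlier in the same post) can be modelled as below. This is an added example, not code from the list or from any bank; the 8x8 card size, the class and function names and the failure counter are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple
import hmac
import secrets

MAX_FAILURES = 3   # the post's "only three guesses" before the second factor locks


def issue_card(rows: int = 8, cols: int = 8, rng=None) -> List[List[str]]:
    """Generate a fresh grid card: each cell is an independent random 2-digit code.
    The 8x8 size is assumed; the post only says cells are addressed by column x row y."""
    rng = rng or secrets.SystemRandom()
    return [[f"{rng.randrange(100):02d}" for _ in range(cols)] for _ in range(rows)]


@dataclass
class GridCardVerifier:
    card: List[List[str]]                      # server-side copy of the printed cells
    rng: object = field(default_factory=secrets.SystemRandom)
    used: Set[Tuple[int, int]] = field(default_factory=set)   # cells already consumed
    failures: int = 0
    locked: bool = False
    pending: Optional[Tuple[int, int]] = None  # (row, col) of the outstanding challenge

    def cells_left(self) -> int:
        return len(self.card) * len(self.card[0]) - len(self.used)

    def challenge(self) -> Tuple[int, int]:
        """Pick one unused cell at random and return (column, row), 1-based, for
        display. Exactly one cell per risky action: a page asking for several
        cells at once is the phishing pattern the post describes, not this server."""
        if self.locked:
            raise PermissionError("second factor locked after repeated failures")
        free = [(r, c) for r in range(len(self.card))
                for c in range(len(self.card[0])) if (r, c) not in self.used]
        if not free:
            raise RuntimeError("card exhausted; issue a new one")
        self.pending = self.rng.choice(free)
        r, c = self.pending
        return c + 1, r + 1

    def verify(self, answer: str) -> bool:
        """Check the answer to the outstanding challenge. A correct answer burns
        the cell, so a code captured once cannot be replayed for a later action."""
        if self.locked or self.pending is None:
            return False
        r, c = self.pending
        self.pending = None
        expected = self.card[r][c].encode()
        if hmac.compare_digest(expected, str(answer).strip().encode()):
            self.used.add((r, c))
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True
        return False


def guess_success_bound(guesses: int = MAX_FAILURES, space: int = 100) -> float:
    """Upper bound on the chance that blind guessing passes before lockout: each
    challenge is a fresh cell, so at most `guesses` tries against `space` codes
    (100 for 2-digit cells). 1 - 0.99**3 is about 3%: the lockout, not the
    cell size, is what carries the security here."""
    return 1 - (1 - 1 / space) ** guesses
```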
From: Phil Pennock
Date: 05:45 on 25 Dec 2006
Subject: Re: Banking on Stupidity

On 2006-12-21 at 17:48 +0100, Philippe Bruhat (BooK) wrote:
> Even when all banks will provide tokens such as SecurID cards, phishers
> will create fake sites and try to use the small window during which
> the one-time password is still valid to enter your account (think how
> captchas are defeated by robots using humans to decipher the images).

My bank in NL uses challenge-response; card goes into a reader, unlocked with PIN, 8-digit challenge and 6-digit response. It's vulnerable to MitM attacks but I use vaguely trusted client machines and check that the SSL cert is signed by the same CA as it was the previous time and I look carefully at the URL in a vague attempt to spot homoglyph attacks. The challenge-response is similar to the Cryptocard RB1 in challenge-response mode, if anyone's used those.

My bank in the USA uses passwords and has already managed to screw me around in other ways such that I want to change banks. Offlist, anyone got any recommendations for a US bank which actually has something bearing a passing resemblance to competent online security?

-Phil
Generated at 10:25 on 16 Apr 2008 by mariachi