Warning about trojans - especially if you are a Yorkshire Bank customer!

Bleurgh

anewhope wrote: »

Funny, mine no longer asks for the password in it's entirity and asks for three random characters..

The main problem I can see in using drop down boxes for anything other than numbers is the combination of capital and lower case letters, numbers and punctuation marks would be a massive amount, which would lead to a lot of confusion.

I'm guessing the changes YB are making require each customers account to be updated. They havent got to mine yet.

The drop down boxes are usually for use only with a password that is in lowercase letters and/or numbers. In the case of LLoyds TSB, this is an additional password. So your main account password can be a combination of complicated letters, numbers and allowed characters - the second password is purely for the mouse based verification.

Its a shame that YB still dont seem to have thought this out properly. If the login form is now asking for a randomization of the main password that is entered purely as text, it doesnt make their login much more secure. They just provide the fraudster with an anagram to solve. Considering the simple words people tend to choose as passwords - this wont prevent accounts being compromised via keyloggers. Its almost as if YB doesnt recognise keyloggers as a problem.

Its possible that they are concerned about asking their customers to remember yet another password, so have decided not to go with the more secure option.

With lloyds tsb they use the following procedure....

1. Enter internet banking account number - text based
2. Enter main password - text based
3. Select 3 randomly generated letters/numbers from your second password - Mouse based from a drop down list.

The selections made by the mouse cant be recorded by a keylogger.

YB use this method

1. Enter internet banking account number - text based
2. Enter main password - text based
3. Enter the answer to one of three "secret" questions - text based

Everything entered by the customer can be recorded.

According to anewhope, step two is being replaced with..

Enter 3 random letters / characters / numbers from main password - text based.

Which is still about 100 times less secure than the LLoyds TSB method. You also have more to remember with the YB method - account number, password and three sets of additional info. Thats 5 individual things to remember. Whereas with LLoyds TSB its just account number and two passwords.

td_007

mr_fishbulb wrote: »

True, but the point I was making earlier is there is only so much this can do. You can make yourself a harder target than the next guy by due diligence on your security, but as long as banks use one-factor authentication, we will all be at a higher risk.

Sure with 2FA you are putting up one more layer of security but there comes a time when one has to balance security with convenience.

Personally, I have never had a virus/spyware/trojan infection and in that respect adding more layers security just causes me inconvenience. If I am away without the card reader then it is as good as having passbook account (it is a bit of exaggeration but I am sure you get the point. ) Understandably banks have to cater for the majority and 2FA is an option.