
hacked in even with rapport (alliance-leicester)


Comments

  • jamesd
    jamesd Posts: 26,103 Forumite
    Part of the Furniture 10,000 Posts Name Dropper
    edited 13 April 2010 at 8:42PM
    joe134, it is possible for that sequence of events to happen. Once the account information is known it would be possible to perform additional consistency checks on the stored computer information, using that in conjunction with any cookie. This can be done in addition to any initial checking that would bypass the need to initially enter the personal information. For example, their system could supply a magic number to be stored in the cookie on your computer and could compare the one stored on your computer to the one in their records. They would want your account details first to look up the correct magic number. So this sequence might be:

    1. Get account ID from cookie (and perhaps verify saved IP hash and browser type match).
    2. Present the picture and key phrase and ask for PIN.
    3. Preliminary checks passed, get magic number for this account and compare it to magic number in cookie, if fails test perform additional checks by asking for personal info.

    There are various ways to prove that it's your computer (CPU serial number and hard drive serial number for example) but web sites normally don't have access to those. Instead they can suspect that it may not be your computer if there's a big change in the IP address you're connecting from or the browser ID string. Connecting from an IP address in Nigeria might be a clue to possible trouble, say. Neither can prove it's you but either can imply that it might not be you and prompt more questions. It's possible to track this on their servers and/or to write it into cookies stored on your computer. That local storage can be useful if the cookie file is stolen because the information in it might not be consistent with the system attempting to use it. Say the cookie remembers that the browser was a particular version of IE; they could prompt for more information if the browser is now Safari.
  • masonic
    masonic Posts: 27,642 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    edited 13 April 2010 at 10:32PM
    jamesd wrote:
    ...So this sequence might be:

    1. Get account ID from cookie (and perhaps verify saved IP hash and browser type match).
    2. Present the picture and key phrase and ask for PIN.
    3. Preliminary checks passed, get magic number for this account and compare it to magic number in cookie, if fails test perform additional checks by asking for personal info.
    When I log in, the sequence is (1), then (3), then (2). I only ever get asked for personal info *before* the PIN, never after. I agree that the 'computer recognition' is flawed, but the claim being made is that joe134's personal info question was the only thing that stopped his account being accessed, which isn't consistent with the normal order of events.

    Edit: Also, now, apparently, no cookie is required for (3) (all cookies should be cleared before logging in according to A&L), so exactly how (3) is being done with any accuracy is anyone's guess. I imagine if you were on a large university campus where you'd share an IP address with hundreds of other people, they'd all be able to bypass (3) if they used the right OS and browser.
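The two posts above describe a cookie-based "computer recognition" scheme (account ID and magic number in a cookie, plus IP/browser consistency checks) and the caveat that, without a cookie, a shared IP address and common browser give nothing to distinguish customers. The following toy model is an added example written for this thread, not A&L's or Rapport's code; the class and function names, the server key and the sample IPs and user-agent strings are all constructed for illustration, and the decision rules are one plausible reading of jamesd's steps 1 and 3.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed server-side key used to hash browser/IP traits; in a real
# deployment this would be a managed secret, not a literal in the code.
SERVER_KEY = b"constructed-server-side-key"


def trait_hash(ip: str, user_agent: str) -> str:
    """Keyed hash of the connection traits, so neither the cookie nor the
    server record holds the raw IP address or browser ID string."""
    msg = f"{ip}|{user_agent}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


class RecognitionServer:
    """Per account: the 'magic number' and the trait hash recorded at enrolment."""

    def __init__(self) -> None:
        self.records: Dict[str, Dict[str, str]] = {}

    def enrol(self, account_id: str, ip: str, user_agent: str,
              magic: Optional[str] = None) -> Dict[str, str]:
        """Enrol a computer and return the cookie the browser would store."""
        magic = magic or secrets.token_hex(16)   # random per-account token
        traits = trait_hash(ip, user_agent)
        self.records[account_id] = {"magic": magic, "traits": traits}
        return {"account_id": account_id, "magic": magic, "traits": traits}

    def recognise(self, cookie: Optional[Dict[str, str]], ip: str, user_agent: str) -> str:
        """Steps 1 and 3 of jamesd's sequence: decide how much a login must prove.

        'recognised' -> go straight to picture, key phrase and PIN
        'step_up'    -> ask the personal-info questions first
        'unknown'    -> no usable cookie, ask for the customer ID
        """
        if not cookie or "account_id" not in cookie:
            return "unknown"
        rec = self.records.get(cookie["account_id"])
        if rec is None:
            return "unknown"
        # Step 3: the magic number in the cookie must match the server copy.
        if not hmac.compare_digest(rec["magic"], cookie.get("magic", "")):
            return "step_up"
        # Step 1 consistency check: IP/browser traits must still match what was
        # enrolled, which is what makes a copied cookie suspicious elsewhere.
        if not hmac.compare_digest(rec["traits"], trait_hash(ip, user_agent)):
            return "step_up"
        return "recognised"

    def match_without_cookie(self, ip: str, user_agent: str) -> List[str]:
        """masonic's caveat: with no cookie, only the trait hash remains, and
        every account enrolled from the same IP and browser build collides."""
        fp = trait_hash(ip, user_agent)
        return sorted(acct for acct, rec in self.records.items()
                      if hmac.compare_digest(rec["traits"], fp))


def demo() -> Dict[str, object]:
    """Constructed scenario: one customer's own PC, a copied cookie used from
    another browser, a stale cookie, no cookie, and a shared campus address."""
    srv = RecognitionServer()
    ua = "Mozilla/5.0 (Windows; MSIE 8.0)"            # constructed browser ID string
    campus_ip = "203.0.113.7"                         # constructed shared NAT address
    cookie = srv.enrol("cust-1001", campus_ip, ua, magic="a1b2c3d4")
    srv.enrol("cust-2002", campus_ip, ua)             # two more customers behind the same address
    srv.enrol("cust-3003", campus_ip, ua)
    copied = dict(cookie)                             # same cookie presented from a different machine
    return {
        "own_pc": srv.recognise(cookie, campus_ip, ua),
        "copied_cookie_other_browser": srv.recognise(copied, "198.51.100.9", "Mozilla/5.0 Safari/533.16"),
        "stale_cookie": srv.recognise({**cookie, "magic": "00000000"}, campus_ip, ua),
        "no_cookie": srv.recognise(None, campus_ip, ua),
        "cookieless_candidates": srv.match_without_cookie(campus_ip, ua),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The last entry of `demo()` is the point masonic makes: with the cookie cleared, the trait hash alone matches all three customers on the shared address, so a server that relied on it would either have to fall back to asking for the customer ID or accept that it cannot tell them apart. The magic number only helps while the cookie is present, and a copied cookie is caught by the trait mismatch rather than by the token itself.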
  • jamesd
    jamesd Posts: 26,103 Forumite
    Part of the Furniture 10,000 Posts Name Dropper
    Removing cookies might be suggested to remove anything in a stored cookie that could confuse this hypothetical step 3. Or as generic guidance to try to make people put in their own customer ID instead of relying on what's stored, which might be from another person in a household with an account.

    Personally, if A&L prohibits me from logging on without installing their software, they will find me changing account instead of complying with their instruction. I'm not impressed with the quality of the information provided by them in this exchange, particularly the lack of a description of what IP address was being used when the supposed unauthorised login attempt happened. Before even suspecting my own system I'd want to have some clue that it actually is a problem on my system.
This discussion has been closed.