Password Tools - Invalidate Banks T's and C's

Stompa

fwor wrote: »

That was my initial reaction to it, but I suspect on reflection they are being deliberately vague. They are choosing to interpret "entrusting your data to a third party" and "entrusting your data to software written by a third party" as the same thing.

In fact they probably have a valid point. Software such as KeePass may be Open Source, but most people use the publicly available binaries instead of downloading the source code and compiling it themselves. I doubt that it would be hard for a programmer with bad intent to work their way into a position on the maintenance team for KeePass, and then get their own infected binary published (with valid MD5 hash, not that anybody checks those anyway) and be away on their toes ~long~ before anyone realised.

That's a good point. I do sometimes wonder how many (if any!) people actually go to the bother of compiling the code themselves. Of course even that would be fairly pointless unless they also had the capability of checking through the source itself for any suspicious looking code.

Eco_Miser

fwor wrote: »

That was my initial reaction to it, but I suspect on reflection they are being deliberately vague. They are choosing to interpret "entrusting your data to a third party" and "entrusting your data to software written by a third party" as the same thing.

Everyone*, of necessity, entrusts their data to software written by a third party, namely their browser. I consider this to be a greater potential security risk than a password manager, especially one which has been explicitly blocked from the internet by my firewall, which should take care of any rogue coding in the pm.


[* Everyone who uses internet banking, and has not written their own browser to do so, that is]

oldfella

masonic wrote: »

Both aggregation services and password managers keep an encrypted vault containing your login information on your computer. Both require you to hand over your details to a piece of software running on your computer, but neither involve sending your details off to some remote location. There shouldn't be a distinction made between aggregators and password managers, because exactly the same risks apply to both.

maybe not exactly - a password manager has no reason to access the Internet and therefore will be stopped by your firewall. An aggregator has to access the Internet to work, and therefore has to have permission to talk to the external world.

masonic

Eco_Miser wrote: »

Everyone*, of necessity, entrusts their data to software written by a third party, namely their browser. I consider this to be a greater potential security risk than a password manager, especially one which has been explicitly blocked from the internet by my firewall, which should take care of any rogue coding in the pm.

Yes, but the banks indemnify you against losses resulting from vulnerabilities in modern browsers. I advocate using better security in spite of the banks recommendations, but in doing so you put yourself at risk of not having that protection if the bank finds out what you are doing

oldfella wrote: »

maybe not exactly - a password manager has no reason to access the Internet and therefore will be stopped by your firewall. An aggregator has to access the Internet to work, and therefore has to have permission to talk to the external world.

It depends on the firewall and the password manager. Those people using the standard windows firewall probably wouldn't see anything blocked (even the default firewalls in the newest versions of windows seem to let a lot of things through that perhaps they shouldn't). Password managers with browser integration could also have access to the internet through the browser API (for example roboform and lastpass, which externally store and synchronise passwords between different computers). More advanced firewalls in 'expert' type configurations might pick that up, but it would be undetected for the vast majority of people.

savetilibleed

masonic wrote: »

Password managers with browser integration could also have access to the internet through the browser API (for example roboform and lastpass, which externally store and synchronise passwords between different computers).

Wow makes KeePass look safe. Unless and until something like KeePass becomes acceptable by banks and much more popular, then gets targeted due to its popularity.

Undisputedtruth

masonic wrote: »

Both aggregation services and password managers keep an encrypted vault containing your login information on your computer. Both require you to hand over your details to a piece of software running on your computer, but neither involve sending your details off to some remote location.

The lovemoney's website says otherwise:

"Where is my lovemoney.com data stored?

All your profile data is securely housed in an internet server hosting space that provides enhanced physical security, fire protection and electronic shielding.
Access details for online bank accounts are not stored alongside your lovemoney.com profile information; rather these are stored on our account aggregation partner Yodlee's infrastructure. This arrangement provides an added level of security as there is a clear separation of the storage of personal details and account details. Yodlee's servers are located in the USA and are covered by the US-EU Safe Harbor Agreement."


At least I can say for sure where my password manager keeps its data file.

masonic wrote: »

There shouldn't be a distinction made between aggregators and password managers, because exactly the same risks apply to both.

I would disagree here. Especially when you could add several security layers with password managers. For example, putting Keepass in a Truecrypt folder and then storing them in an USB drive with biometric access. By having the ability to choose my own security products is far more safer than using aggregators where you are at the mercy to the third parties.

If I were to support your argument then I could say there shouldn't be a distinction made between aggregators, password managers and accessing online accounts without the use of aggregators/password manager devices, because exactly the same risks apply to all.

I see that you have made notable points such as denying the usage of a password manager in the event of financial losses. Perhaps this is good advice as sometimes banks' logic can be questionable at times but I would prefer to be totally honest as part of my probity. Could the bank accept my argument that I have taken reasonable steps to secure my information?

masonic

Undisputedtruth wrote: »

The lovemoney's website says otherwise:

Yes. well that's one example of a 'bad' aggregator, which does store the data on a third party server. The examples discussed earlier in the thread do not host your data externally.

I gave two examples of password managers in my last post that also store the data on a third party server, but other password managers do not.

Therefore, since there are examples of both password manager and aggregator that store data remotely, but also examples of both password manager and aggregator that keep data locally, you have to be careful which product you choose to use. Nevertheless, the same risks apply to both password manager and aggregator and you do not need to expose your data to a third party website when using either aggregator or password manager, providing you choose the right product.

I would disagree here. Especially when you could add several security layers with password managers. For example, putting Keepass in a Truecrypt folder and then storing them in an USB drive with biometric access. By having the ability to choose my own security products is far more safer than using aggregators where you are at the mercy to the third parties.

You are always at the mercy of third parties unless you write your own OS and software yourself. A password manager is not, in and of itself far safer than an aggregator: there are good ones and bad ones, but the same risks apply to them all. It's about choosing a solution that has sufficient security. An aggregator can be as secure as a password manager. Where they fall down is the bank is more likely to be able to find out that you are using an aggregator, unless it is very good at disguising itself when it accesses your accounts.

If I were to support your argument then I could say there shouldn't be a distinction made between aggregators, password managers and accessing online accounts without the use of aggregators/password manager devices, because exactly the same risks apply to all.

I don't believe a distinction should be made between aggregators, password managers and nothing, with the small proviso that you choose a product that is sufficiently secure. However, there is a difference in the risks, most notably that a good PM/A should protect you somewhat from having your details intercepted, at the expense of providing a stored password database that could be specifically targetted. IMHO, a good PM/A is slightly better than nothing.

I see that you have made notable points such as denying the usage of a password manager in the event of financial losses. Perhaps this is good advice as sometimes banks' logic can be questionable at times but I would prefer to be totally honest as part of my probity. Could the bank accept my argument that I have taken reasonable steps to secure my information?

If I were the victim of fraud, I wouldn't risk hundreds or thousands of pounds by coming clean about something I used that could deny me getting refunded on the basis of a technicality.

Undisputedtruth

masonic wrote: »

I gave two examples of password managers in my last post that also store the data on third party server, but other password managers do not.

Therefore, since there are examples of both password manager and aggregator that store data remotely, but also examples of both password manager and aggregator that keep data locally, you have to be careful which product you choose to use. Nevertheless, the same risks apply to both password manager and aggregator and you do not need to expose your data to a third party website when using either aggregator or password manager, providing you choose the right product.

But the thread started with reference to the lovemoney website. A number of posters have made references to Keepass where you have more control in saving the location of your password file.

I use lastpass, it's a great prduct, but I use another product for securing my financial passwords locally rather than relying on a third party password managers where they keep your passwords on a server.

masonic wrote: »

You are always at the mercy of third parties unless you write your own OS and software yourself. A password manager is not, in and of itself far safer than an aggregator: there are good ones and bad ones, but the same risks apply to them all. It's about choosing a solution that has sufficient security. An aggregator can be as secure as a password manager. Where they fall down is the bank is more likely to be able to find out that you are using an aggregator, unless it is very good at disguising itself when it accesses your accounts.

By layering several security products mitigates the risk from third parties' rogue software or vulnerabilities. I certainly wouldn't advise anyone keeping their financial passwords on a third party server.

masonic wrote: »

I don't believe a distinction should be made between aggregators, password managers and nothing, with the small proviso that you choose a product that is sufficiently secure. However, there is a difference in the risks, most notably that a good PM/A should protect you somewhat from having your details intercepted, at the expense of providing a stored password database that could be specifically targetted. IMHO, a good PM/A is slightly better than nothing.

I don't think you have taken into account layered levels of security.

masonic wrote: »

If I were the victim of fraud, I wouldn't risk hundreds or thousands of pounds by coming clean about something I used that could deny me getting refunded on the basis of a technicality.

Perhaps, but the bank may pick up that you're lying and this puts in a much more weaker position should you fight your case in a court of law / Financial Ombudsman.

masonic

Undisputedtruth wrote: »

But the thread started with reference to the lovemoney website. A number of posters have made references to Keepass where you have more control in saving the location of your password file.

I use lastpass, it's a great prduct, but I use another product for securing my financial passwords locally rather than relying on a third party password managers where they keep your passwords on a server.

You may have missed blueberrypie's post below, which refers to the most common aggregators, which have the same approach as Keepass...

blueberrypie wrote: »

The main account aggregators (Egg and FD) are based on Account Unity, and all three work in the same way: your on-line banking details never leave your computer. They are stored in an encrypted form in a file held locally (or on a removable drive if you choose that option) - they are never provided to the aggregator.

Undisputedtruth wrote: »

By layering several security products mitigates the risk from third parties' rogue software or vulnerabilities. I certainly wouldn't advise anyone keeping their financial passwords on a third party server.

I don't think you have taken into account layered levels of security.

You seem to think I believe there is some inherent risk associated with using a password manager or aggregator. I've already stated that I think, if anything, using a good one is probably marginally better than just typing passwords into the keyboard. Layering may reduce your risk from, say, 0.3% to 0.2%, but you still have to 'unwrap' the password manager to use it, at which point it is as vulnerable as if there were no additional layers. When using a password manager, a password is at its most vulnerable when it is being transferred between the password manager and the web browser. At that time, the additional layers of security have already been unlocked.

Perhaps, but the bank may pick up that you're lying and this puts in a much more weaker position should you fight your case in a court of law / Financial Ombudsman.

It depends how confident you are of plausible deniability. For example, I do all of my internet banking from a linux live CD. My passwords are stored in a text file on a file-hosted hidden truecrypt volume, among a large number of similar looking system files on a USB stick. I believe with near certainty that a bank cannot know, or even reasonably suspect I've stored my password anywhere. Even if the USB stick was seized and analysed and the truecrypt file found, I could simply decrypt the outer volume to reveal a couple of innocuous documents. That is an example of having plausible deniability.

oldfella

my view is that Windows systems are too easily broken into - I use a Linux live CD which does all its work in RAM, no changes can be made to it. The firewall does not allow any externally initiated sessions, and will only allow https outbound sessions. Port 80 is only permitted to bank URLs. All other ports are shut.

Before that I ran a simple password manager using TrueCrypt in a Sandboxie.