
Password Tools - Invalidate Banks T's and C's


Comments

  • masonic
    masonic Posts: 27,914 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    oldfella wrote: »
    my view is that Windows systems are too easily broken into - I use a Linux live CD which does all its work in RAM, no changes can be made to it. The firewall does not allow any externally initiated sessions, and will only allow https outbound sessions. Port 80 is only permitted to bank URLs. All other ports are shut.

    Before that I ran a simple password manager using TrueCrypt in a Sandboxie.
    What do you use for your passwords now, software, pen and paper, brain?
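    The egress-only firewall oldfella describes (no externally initiated sessions, HTTPS outbound anywhere, port 80 only to bank hosts, everything else shut) written out as an iptables script. This is an added example, not oldfella's configuration or anything posted in the thread. The bank hostnames are placeholders; outbound DNS is allowed because hostname-based rules cannot be loaded without resolving them (the post does not mention DNS); and the ipt() wrapper prints the rules instead of applying them until DRY_RUN=0 is set, so the policy can be read through before it is run as root. The closing LOG/DROP pair is also what stops any locally installed program, a password manager included, from reaching the network.

```shell
#!/bin/sh
# Egress-only firewall policy (added example, not from the thread).
# Inbound: nothing new. Outbound: HTTPS to anywhere, plain HTTP only to the
# listed bank hosts, DNS so those hosts can be resolved, everything else dropped.

# Placeholder hostnames (constructed); replace with the bank's real hosts.
BANK_HOSTS="${BANK_HOSTS:-onlinebanking.example.com secure.example-bank.co.uk}"
# DRY_RUN=1 prints the rules for review; DRY_RUN=0 applies them (needs root).
DRY_RUN="${DRY_RUN:-1}"

ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_policy() {
    # Clean slate, default-deny in every direction.
    ipt -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP

    # Loopback, plus replies to sessions this machine started itself.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # DNS: assumed here because the bank hostnames below must resolve at load time.
    ipt -A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT

    # HTTPS outbound to anywhere.
    ipt -A OUTPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT

    # Plain HTTP only to the bank hosts; iptables resolves each name when the rule loads.
    for h in $BANK_HOSTS; do
        ipt -A OUTPUT -p tcp -d "$h" --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    done

    # Anything else leaving the machine is logged (rate-limited) and dropped.
    ipt -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "egress-blocked: "
    ipt -A OUTPUT -j DROP
}

apply_policy
```

    Run it once with the default DRY_RUN=1 to read the generated rules, then with DRY_RUN=0 as root to apply them. Because the host rules are resolved when loaded, a bank that changes IP addresses needs the script re-run; a name-based proxy would be the alternative if that proves too brittle.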
  • oldfella
    oldfella Posts: 1,534 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    masonic wrote: »
    What do you use for your passwords now, software, pen and paper, brain?

    Keepass + Truecrypt
  • Undisputedtruth
    Undisputedtruth Posts: 181 Forumite
    Part of the Furniture 100 Posts Name Dropper Combo Breaker
    edited 18 April 2010 at 10:18PM
    masonic wrote: »
    You may have missed blueberrypie's post below, which refers to the most common aggregators, which have the same approach as Keepass...
    I don't agree but I do agree with oldfella:
    oldfella wrote: »
    a password manager has no reason to access the Internet and therefore will be stopped by your firewall. An aggregator has to access the Internet to work, and therefore has to have permission to talk to the external world.
    masonic wrote: »
    You seem to think I believe there is some inherent risk associated with using a password manager or aggregator. I've already stated that I think, if anything, using a good one is probably marginally better than just typing passwords into the keyboard. Layering may reduce your risk from, say, 0.3% to 0.2%, but you still have to 'unwrap' the password manager to use it, at which point it is as vulnerable as if there were no additional layers. When using a password manager, a password is at its most vulnerable when it is being transferred between the password manager and the web browser. At that time, the additional layers of security have already been unlocked.
    As I said before, password managers do have tools to prevent password compromises whilst in operation. I tend to think my account is more at risk from banks' employees than from using a password manager.
    masonic wrote: »
    It depends how confident you are of plausible deniability. For example, I do all of my internet banking from a linux live CD. My passwords are stored in a text file on a file-hosted hidden truecrypt volume, among a large number of similar looking system files on a USB stick. I believe with near certainty that a bank cannot know, or even reasonably suspect I've stored my password anywhere. Even if the USB stick was seized and analysed and the truecrypt file found, I could simply decrypt the outer volume to reveal a couple of innocuous documents. That is an example of having plausible deniability.
    I am well aware of the plausible deniability facility on Truecrypt. But the fact is that I shouldn't have to lie if I've taken above reasonable steps to protect my passwords. If a bank says I can no longer use a password manager then I would definitely vote with my feet. This issue is far too important. I know Kaspersky released a password manager on the market towards the end of last year. I would expect more password managers to be made available to the market in future, and so banks would have to recognise that people need to have a facility to manage their accounts more effectively. It is in the banks' interest to do so, since online banking has the potential to increase their profits by reducing operating costs.
  • oldfella
    oldfella Posts: 1,534 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    if the banks are so concerned about password software they should market their own approved products. Several do a similar thing already with Rapport, a third-party product which operates as an anti-keylogger.

    maybe MSE could be helpful here and start a campaign to get this clarified. It is ludicrous that banks could maintain that using a password manager breaches their T&Cs
  • masonic
    masonic Posts: 27,914 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    edited 19 April 2010 at 5:24AM
    I don't agree but I do agree with oldfella:
    Well, my response to oldfella still holds - you need to be able to effectively block your password manager's ability to access the internet. That will make it marginally safer than an aggregator. However, I don't think banks can change their position on password managers when the majority of people are still using them without such added protection, or using tools like lastpass or roboform. I don't have a great deal of confidence banks will understand the benefit of what was described by oldfella.
    As I said before, password managers do have tools to prevent password compromises whilst in operation. I tend to think my account is more at risk from banks' employees than from using a password manager.
    Again, you seem to think I disagree, I don't.
    I am well aware of the plausible deniability facility on Truecrypt. But the fact is that I shouldn't have to lie if I've taken above reasonable steps to protect my passwords. If a bank says I can no longer use a password manager then I would definitely vote with my feet. This issue is far too important. I know Kaspersky released a password manager on the market towards the end of last year. I would expect more password managers to be made available to the market in future, and so banks would have to recognise that people need to have a facility to manage their accounts more effectively. It is in the banks' interest to do so, since online banking has the potential to increase their profits by reducing operating costs.
    I hope you have clarified your position with your bank. We know now from a post earlier in the thread that at least one bank has formally stated that the use of Keepass violates its T&Cs. I suspect others would follow suit. As oldfella says, if banks got together and endorsed a product, that would completely resolve this hazy situation.
  • spenderdave
    spenderdave Posts: 709 Forumite
    Part of the Furniture 500 Posts Name Dropper
    What is not clear in this thread is whether they object to any password storage system per se, or whether they only object to storing bank passwords in it. I use Opera's Wand password system for my day to day passwords, but I do not and never will use it to store passwords for any bank or similar sites - and in the case of HSBC using its 'first, second and fourth digits' approach these things are useless anyway. Opera's Wand is built into the browser itself so is not 'third party' in this context.

    I cannot see how they can object to using a password manager for other people's sites.
  • blueberrypie
    blueberrypie Posts: 2,402 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker Name Dropper
    There have been a number of good points raised in this thread, some of them more relevant than others. I still feel that using an aggregator based on Account Unity is safe, but would not use Lovemoney's service for the simple fact that it does require my passwords to be stored on someone else's servers. I do use Keepass, and feel it's a good product, but I don't feel that there is a great difference in risk between its use and an aggregator.

    I do think there's one other benefit of using an aggregator, and that is the increased likelihood that accounts will be checked regularly. Using Account Unity, it's easy for me to check the majority of my accounts daily. I know approximately what the balance on each of them should be, and it takes only a minute to glance down through the list. If someone were to access any of those accounts and start moving money around, I would notice it very soon - certainly within 24-48 hours. I would not check all of those accounts on a daily basis if I had to navigate to and log into each bank individually. I have one bank account which does not appear in the aggregator, and if there was unexpected activity in that account, it could easily be missed for a week or more.
  • masonic wrote: »
    Well, my response to oldfella still holds - you need to be able to effectively block your password manager's ability to access the internet. That will make it marginally safer than an aggregator. However, I don't think banks can change their position on password managers when the majority of people are still using them without such added protection, or using tools like lastpass or roboform. I don't have a great deal of confidence banks will understand the benefit of what was described by oldfella.

    It seems I potentially could be penalised for other people's failure to add layers of security to their password manager. This is unfair.
    masonic wrote: »
    Again, you seem to think I disagree, I don't.

    I know you don't disagree. I'm merely stating there is a greater risk from rogue bank employees than from password software.

    The figures you've provided on inherent risks with password managers: are they based on factual data from the banking industry/computer security experts, or is it an arbitrary figure you plucked from the sky to convey your message? I'm not aware of anyone being a victim of financial fraud caused by password managers. That is not to say there are no risks with password managers, no system is ever 100%, but in my case using a password manager in conjunction with other security products has provided the best possible security benefits.
    masonic wrote: »
    I hope you have clarified your position with your bank. We know now from a post earlier in the thread that at least one bank has formally stated that the use of Keepass violates its T&Cs. I suspect others would follow suit. As oldfella says, if banks got together and endorsed a product, that would completely resolve this hazy situation.

    Yes, but Stompa said earlier in the thread that this bank doesn't even know what keepass is. Currently, I suspect there isn't a policy on password managers, as the vast majority of banking staff are pretty clueless about them and their benefits. My T&Cs have all stated that I should take precautions to secure my information, so I feel using a password manager is justified in this instance. I wouldn't clarify with bank staff whether I'm allowed to use a password manager, because I can't rely on their advice on normal financial products at the best of times, much less on password managers!

    I completely agree about banks endorsing password products and providing advice on securing their products. Then they could update their terms and conditions accordingly, just like they have done with online banking, where you are expected to run regular av scans and use a firewall.
  • blueberrypie wrote: »
    There have been a number of good points raised in this thread, some of them more relevant than others. I still feel that using an aggregator based on Account Unity is safe, but would not use Lovemoney's service for the simple fact that it does require my passwords to be stored on someone else's servers. I do use Keepass, and feel it's a good product, but I don't feel that there is a great difference in risk between its use and an aggregator.

    I do think there's one other benefit of using an aggregator, and that is the increased likelihood that accounts will be checked regularly. Using Account Unity, it's easy for me to check the majority of my accounts daily. I know approximately what the balance on each of them should be, and it takes only a minute to glance down through the list. If someone were to access any of those accounts and start moving money around, I would notice it very soon - certainly within 24-48 hours. I would not check all of those accounts on a daily basis if I had to navigate to and log into each bank individually. I have one bank account which does not appear in the aggregator, and if there was unexpected activity in that account, it could easily be missed for a week or more.

    I fully agree with your post. But I wonder whether Barclays' stance on aggregators is not really based on financial risks but on protecting their position with account holders who may change their bank accounts to one provided by the aggregators.
  • Stompa
    Stompa Posts: 8,379 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    Yes, but Stompa said earlier in the thread that this bank doesn't even know what keepass is.
    I said that from their response it sounded as though they didn't.
    Stompa
This discussion has been closed.