Password Tools - Invalidate Banks T's and C's

Undisputedtruth

masonic wrote: »

Perhaps, although most banks I have dealt with kept internet banking credentials completely separate from the security questions asked by bank staff and made a big point of telling people not to divulge them to anyone, even the bank. The login process at each bank seems to be somewhat unique and inflexible, so it's hard to imagine 'shared password syndrome' striking in this situation - though the people who are likely to be targetted by bank employees would have a lot to lose in the original account.

Of course, not knowing your internet banking password means that you can't give it to anyone, which is where I guess a password manager does hold some value.

Don't forget users have multiple accounts with utility companies, telecoms, credit cards, etc, where you could obtain relevant information to bypass the bank's security system.

I really do think that banks take a short sighted view with security and how it will affect them rather than taking a hollistic view with our security.

Don't forget, identity fraud have grown dramatically over the last few years. Another reason for using password managers.

masonic

Undisputedtruth wrote: »

Don't forget users have multiple accounts with utility companies, telecoms, credit cards, etc, where you could obtain relevant information to bypass the bank's security system.

I really do think that banks take a short sighted view with security and how it will affect them rather than taking a hollistic view with our security.

That's true, and it's a good reason to give different companies different answers to security information (e.g. place of birth, mothers maiden name) and far as it is practical to do so. Of course, when you do that it does make life very complicated when you are away from your computer and need to talk to the company in question...

Don't forget, identity fraud have grown dramatically over the last few years. Another reason for using password managers.

Well that's a different kettle of fish. Identity fraud involves obtaining physical documents and/or obtaining personal information either through records held by other organisations or through social engineering attacks (e.g. through something like facebook, or by phoning an individual posing as an authority figure). Obtaining login credentials for somebody's bank account isn't generally going to help anyone open another bank account in that person's name.

Password managers aren't going to be of use in a situation of that type because they can't effectively prevent information such as your address, date of birth etc, or documents such as bank statements and utility bills falling into the wrong hands. Form filling software, like lastpass, could be of some limited use in that situation if you had a keylogger on your computer and were applying for a new bank account, I suppose.

Undisputedtruth

masonic wrote: »

Well that's a different kettle of fish. Identity fraud involves obtaining physical documents and/or obtaining personal information either through records held by other organisations or through social engineering attacks (e.g. through something like facebook, or by phoning an individual posing as an authority figure). Obtaining login credentials for somebody's bank account isn't generally going to help anyone open another bank account in that person's name.

Password managers aren't going to be of use in a situation of that type because they can't effectively prevent information such as your address, date of birth etc, or documents such as bank statements and utility bills falling into the wrong hands. Form filling software, like lastpass, could be of some limited use in that situation if you had a keylogger on your computer and were applying for a new bank account, I suppose.

Fraudster could effectively posed as the individual by using their basic information to gain more information from different accounts and even obtain physical documents. By using a password manager, users can effectively use a variety of different password to make the fraudster job more difficult in obtaining their information.

Although password managers does not prevent posted documents theft, fraudster using ill gotten information could work out the frequency in which documents are sent out and break into their letterboxes.

masonic

Undisputedtruth wrote: »

Fraudster could effectively posed as the individual by using their basic information to gain more information from different accounts and even obtain physical documents. By using a password manager, users can effectively use a variety of different password to make the fraudster job more difficult in obtaining their information.

Although password managers does not prevent posted documents theft, fraudster using ill gotten information could work out the frequency in which documents are sent out and break into their letterboxes.

So to sum it up, you're saying the benefit against identity fraud is indirect, and a result of generally improving the strength of online credentials at general websites that hold personal information about the user? I guess I can see the logic in that, although the problem for many people is that too much of their personal information is totally out in the open and not even behind a login/password on a website.

Undisputedtruth

masonic wrote: »

So to sum it up, you're saying the benefit against identity fraud is indirect, and a result of generally improving the strength of online credentials at general websites that hold personal information about the user? I guess I can see the logic in that, although the problem for many people is that too much of their personal information is totally out in the open and not even behind a login/password on a website.

Absolutely, I was reading an article last week where you only needed someone's name, address and date of birth to start the process in identity fraud. The electoral roll being one source of information.