Stop refunding victims of online fraud, police chief tells banks
Comments
-
Had a break-in recently, a lot of log-in information was taken. I tried to change my User ID with National Savings, but apparently I need to change address to get another User ID. I assume it's an SQL Primary key thing.
-
I've always wondered why large transfers aren't subject to multi layer checks, for example enter code from text AND click on email link to confirm it's you
Ex forum ambassador
Long term forum member
-
Had a break-in recently, a lot of log-in information was taken.
As a consequence, I had to make up wrong answers to the security questions, just in case they try to hack in. Would you believe my grand father now has a new profession?
I'm more astounded that you wrote ALL your security information down :eek:
The trouble with the world is that the stupid are cocksure and the intelligent are full of doubt. Bertrand Russell
-
Interesting that Santander is mentioned on this thread because I have several accounts with different banks and Santander's security is the one that gives me most concern.
I can't see how their method of asking for three characters from a password can work without Santander themselves knowing the whole password. When I did a course on password security (some years ago now) I was taught that the password when entered should be passed through a one-way function (hash) and the result stored, that way there was no way of reproducing the password only checking that it was correct by passing the entered password through the same function.
This leads me to believe that Santander store the actual passwords somewhere which worries me somewhat, but not enough to stop me getting 3% interest!
Sorry for the geek stuff but anybody out there knowing better please comment.
Oh and on the original topic, while blame the victim can never be right, we all have some responsibility however part of exercising that would be an independent audit and comparison of the banks' security and online methodology so that we could all transfer to the most secure bank, league tables anyone.
-
I've always wondered why large transfers aren't subject to multi layer checks, for example enter code from text AND click on email link to confirm it's you
That just means the fraudster will swap your sim and hack your email. A little more work for them but not prohibitive.
Or more likely they'll continue with the email hack sending dodgy bank account details that's been doing the rounds lately.
The trouble with the world is that the stupid are cocksure and the intelligent are full of doubt. Bertrand Russell
-
Re the Santander password, I have several LBG accounts and they ask for 3 digits when logging on to the mobile app, is that not the same thing?
The trouble with the world is that the stupid are cocksure and the intelligent are full of doubt. Bertrand Russell
-
Interesting that Santander is mentioned on this thread because I have several accounts with different banks and Santander's security is the one that gives me most concern.
I can't see how their method of asking for three characters from a password can work without Santander themselves knowing the whole password. When I did a course on password security (some years ago now) I was taught that the password when entered should be passed through a one-way function (hash) and the result stored, that way there was no way of reproducing the password only checking that it was correct by passing the entered password through the same function.
This leads me to believe that Santander store the actual passwords somewhere which worries me somewhat, but not enough to stop me getting 3% interest!
Sorry for the geek stuff but anybody out there knowing better please comment.
Oh and on the original topic, while blame the victim can never be right, we all have some responsibility however part of exercising that would be an independent audit and comparison of the banks' security and online methodology so that we could all transfer to the most secure bank, league tables anyone.
My Bank, the Halifax, asks for a password and 3 letters from my "memorable word/phrase" - does that mean they only have the latter stored somewhere, because I can't actually log into my a/c with only my password.
-
Lady Dee and others - I'm not sure, I was hoping someone with more recent knowledge than mine would reply.
The security always used to be username, password. I would use totally random passwords and store them in LastPass. Then they started asking for personal info, I would just treat them as further random passwords and store them also.
But this latest trend to ask for random characters seems to be less secure in my mind. It solves the 'somebody watching' scenario but makes the use of password managers harder and opens the issue I raised above of storing the actual passwords and/or a means to reproduce them on the bank's system.
-
gunsandbanjos wrote: » I'm more astounded that you wrote ALL your security information down :eek:
They actually ripped out a safe, which is £5,000+ of repair bill, before the valuables. It means they got copies and originals of important documents, so they definitely have my birthdate, National Insurance number, passport details etc. There were also notes on memorable data. Effectively, a hacker can call up and override the password by knowing enough to get through security.
It's only when you go through something like this, that you realise how paper thin the so called security mechanism is. All they have to do is to login once, like my frequent flyer account, to find my birthdate, precise address and post code, and passport details.
All my memorable data are now compromised, so I now have to update them all with something else: if my father was William, he is now Frank. Try to remember all of that without writing it down.
I have been trying to update the security details on Vodafone's website, but it's so useless, it crashes every time I try. But Top-Up still works. :rotfl:
-
I can't see how their method of asking for three characters from a password can work without Santander themselves knowing the whole password. When I did a course on password security (some years ago now) I was taught that the password when entered should be passed through a one-way function (hash) and the result stored
Santander probably store the whole password but it is not strictly necessary. They could instead store hashes of many permutations of three of the characters and discard the actual password.
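
The scheme suggested in the last reply, as an added sketch that is not part of the thread and not any bank's actual implementation: one salted hash is stored per combination of three positions, so a three-character challenge can be checked without keeping the password. The function names, PBKDF2 settings and sample passcode are assumptions; `recover_offline` shows the caveat that each stored hash covers only three characters, so a leaked table gives the whole secret back after very few guesses.

```python
import hashlib
import hmac
import os
from itertools import combinations, product

ITERATIONS = 1_000  # kept low so the demo runs quickly; assumption, not a recommendation


def _digest(salt, positions, chars):
    # Bind the characters to their positions so "abc" at (0,1,2) != "abc" at (1,2,3).
    msg = (",".join(map(str, positions)) + ":" + "".join(chars)).encode()
    return hashlib.pbkdf2_hmac("sha256", msg, salt, ITERATIONS)


def enroll(password):
    """Store one salted hash per 3-position combination; the password itself is not kept."""
    salt = os.urandom(16)
    table = {pos: _digest(salt, pos, [password[i] for i in pos])
             for pos in combinations(range(len(password)), 3)}
    return salt, table


def verify(record, positions, chars):
    """Check the three characters the customer typed for the challenged positions."""
    salt, table = record
    expected = table.get(tuple(positions))
    if expected is None or len(chars) != 3:
        return False
    return hmac.compare_digest(expected, _digest(salt, positions, chars))


def recover_offline(record, alphabet):
    """Risk check: from a leaked table alone, rebuild the secret by guessing triples."""
    salt, table = record
    known = {}
    for pos, target in table.items():
        # Positions already recovered are fixed, so later triples need very few guesses.
        choices = [[known[p]] if p in known else alphabet for p in pos]
        for guess in product(*choices):
            if hmac.compare_digest(_digest(salt, pos, guess), target):
                known.update(zip(pos, guess))
                break
    return "".join(known[i] for i in range(len(known)))


if __name__ == "__main__":
    record = enroll("493817")                     # constructed sample passcode
    print(verify(record, (0, 2, 5), "437"))       # challenge: 1st, 3rd and 6th characters
    print(recover_offline(record, "0123456789"))  # at most 10**3 guesses for the first triple
```
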
This discussion has been closed.