
Martin's Money Tips 18 June 2008 - Banks and anti-virus

  • malc_b
    "A simple added security is to always enter your log-in details via the on-screen keyboard - hence no key strokes can be hacked"

    Unfortunately this is not always true. There are many keyloggers that can also record mouse clicks.

    Yep, but as I said, if you are clicking an image map displayed by the bank then the mouse clicks are no use without the image map, and the bank could vary that. True, there are keyloggers that capture keystrokes and images, but they are not as common and it is a lot of info to send a continuous screen video, even as stills. You're more likely to notice that.
  • malc_b
    jamesd wrote: »
    malc_b, you have three alphanumeric characters. That's 36 * 36 * 36 combinations = 46,656 tries to check them all. You'd expect to get in after half of the tries so that's only 23,328. If you get three tries that's 7,776 accounts you have to try before you can expect to succeed.

    But the point is that 3 letters is less secure than 12. The argument that this helps with keyloggers also doesn't hold water. If you have an 8 char password and give 3 which the hacker knows, then those 3 will be asked for again and then the hacker is in. All the banks rotate the asking of the 3, so how often does the hacker have to press the refresh key? Probability is 3/8 * 2/7 * 1/6 = 6/336. So 56 refreshes and the hacker will be asked for keys he knows.

    Even if we say the hacker doesn't have a screen shot so doesn't know which chars he has then it is only 336 tries.
    jamesd wrote: »
    You'll also need to know enough of the account details to get to the point of needing the password check.

    So, the other details, typically info like mother's maiden name which can be found in other places, are the more secure part rather than the password? Rather the wrong way about. And users are more likely to be suspicious of giving out a password than this data. Say you spammed users with a competition - win a holiday. Online customers only, just enter user name and mother's maiden name but not password, + never give out password lecture. Would users fall for it? The hacker is halfway there now.
    jamesd wrote: »
    There's a fair chance that you'd find that you could no longer even get to the password screen by the time you'd locked out a few accounts, since the banks are unlikely to let someone just keep on trying lots of accounts.

    You wouldn't attack 8k accounts from your own PC but use a zombie PC network.
    jamesd wrote: »
    What the banks do works well enough or they would have switched to something else. The measures that they are taking suggest that keystroke loggers and people telling scammers their login details are seen as the biggest threats to their systems.

    But as I have shown, cutting up passwords doesn't help with keyloggers, as anyone who knows maths would realise, so the banks don't have a clue. Same for network sniffers. The obvious solution is a 2 stage login. The first password is plain text that a sniffer could capture; that puts the browser into SSL so the next password is encrypted and can't be captured. Does any bank do that? None of mine do, and it would be simple to implement and secure against wi-fi hacks. Typically all the banks follow the herd and look for someone else to blame, us customers.
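The arithmetic the two posters are arguing over, worked through as an added example (this is not code from the thread or from any bank). It assumes the scheme they describe: the bank asks for `chars_asked` characters at random positions of a `password_len`-character password, the attacker has already captured `known_positions` of them, and an account locks after `tries_per_account` wrong guesses. The simulation and the 12-character figure at the end go beyond the thread's own numbers.

```python
"""Added example (not from the thread): the arithmetic behind the partial-password argument.

Assumes a bank that asks for `chars_asked` characters chosen at random from a password of
`password_len` characters, and an attacker who has already captured `known_positions` of them.
"""
from fractions import Fraction
from math import comb, perm
import random


def brute_force_tries(alphabet_size: int, chars_asked: int, tries_per_account: int):
    """jamesd's figures: size of the challenge space, expected guesses to hit it, and the
    number of accounts needed when each account allows only `tries_per_account` guesses."""
    space = alphabet_size ** chars_asked
    expected_guesses = space // 2
    accounts_needed = expected_guesses // tries_per_account
    return space, expected_guesses, accounts_needed


def p_challenge_fully_known(password_len: int, chars_asked: int, known_positions: int) -> Fraction:
    """Probability that every position the bank asks for is one the attacker already holds."""
    return Fraction(comb(known_positions, chars_asked), comb(password_len, chars_asked))


def expected_refreshes(password_len: int, chars_asked: int, known_positions: int) -> Fraction:
    """Mean number of login pages to refresh until a fully-known challenge appears (geometric: 1/p)."""
    return 1 / p_challenge_fully_known(password_len, chars_asked, known_positions)


def blind_guess_space(password_len: int, chars_asked: int) -> int:
    """The thread's 336: ordered placements of k captured characters into n positions, P(n, k)."""
    return perm(password_len, chars_asked)


def simulate_refreshes(password_len, chars_asked, known_positions, trials=5000, seed=1) -> float:
    """Monte Carlo check of expected_refreshes(): refresh until every asked position is known."""
    rng = random.Random(seed)
    known = set(range(known_positions))  # attacker holds positions 0 .. known_positions-1
    total = 0
    for _ in range(trials):
        refreshes = 0
        while True:
            refreshes += 1
            asked = rng.sample(range(password_len), chars_asked)
            if set(asked) <= known:
                break
        total += refreshes
    return total / trials


if __name__ == "__main__":
    print(brute_force_tries(36, 3, 3))            # (46656, 23328, 7776)
    print(p_challenge_fully_known(8, 3, 3))       # 1/56
    print(expected_refreshes(8, 3, 3))            # 56
    print(blind_guess_space(8, 3))                # 336
    print(round(simulate_refreshes(8, 3, 3), 1))  # close to 56
    # Generalisation: the same 3-of-n scheme on a 12-character password
    print(expected_refreshes(12, 3, 3))           # 220
```

The 56-refresh figure only assumes the attacker can tell which positions were asked for (a screenshot or the page HTML); the 1/p expectation holds because each refresh is an independent draw.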
  • malc_b, I don't understand about your two stage password thing. Is this supposed to prevent man in the middle attacks from WIFI intruders? Please explain.

    Your point about the passwords is good, I think. While at first I thought the Natwest system was clever in that it didn't require sending the whole pass every time, 3 is a little too short, and accepting the numbers from those who argue against you (I haven't verified them), that is too few tries when, as you say, it can be done from a network of infested PCs.

    jamesd wrote: »
    The measures that they are taking suggest that keystroke loggers and people telling scammers their login details are seen as the biggest threats to their systems.

    The measures they are taking suggest (as with CHIP and PIN in the past), that they are trying to shift liability from themselves onto their customers.

    While I think some users are really, really stupid and, well, perhaps should be more careful, the banks also have some really, really stupid systems and as their systems are designed by professionals for users (who they should assume are really, really stupid) it is the banks who should be doing more.

    Even non-stupid users and most IT pros who aren't security experts don't really have a great chance just using virus software and firewalls against all these threats.

    If keystroke loggers, for example, are seen as the biggest threat, and say phishing sites, why don't the banks do more to create secure systems for their customers (that the banks would back)? They could for instance maintain and distribute live CDs that people could boot up and use to connect to online banking. That should solve the keystroke logger problem (apart from hardware ones) and probably eliminate any man in the middle attacks by having a bank-built browser for watertight certificate inspection. Also, the CDs would have to be distributed by a secure channel (bank branches or secure delivery), so they could be loaded with all the banks' public keys, so you might not need browser verification via CAs anyway; it could be done by sending back an "unencrypted" code (over SSL of course) that had previously been encrypted with the public key of the bank in question that was on the CD (not really thinking about this too clearly at the moment). The phishing problem would also be solved, as only the correct banks' sites would be loaded onto the CD, as well as because of the aforementioned improved certificate handling and/or having the CD as a public key source (the banks in the banking code could get together on this).

    Well I mean that is just one idea the banks could be doing so much more.
  • optiMISER wrote: »
    If keystroke loggers, for example, are seen as the biggest threat, and say phishing sites, why don't the banks do more to create secure systems for their customers (that the banks would back)? They could for instance maintain and distribute live CDs that people could boot up and use to connect to online banking. That should solve the keystroke logger problem (apart from hardware ones) and probably eliminate any man in the middle attacks by having a bank-built browser for watertight certificate inspection. Also, the CDs would have to be distributed by a secure channel (bank branches or secure delivery), so they could be loaded with all the banks' public keys, so you might not need browser verification via CAs anyway; it could be done by sending back an "unencrypted" code (over SSL of course) that had previously been encrypted with the public key of the bank in question that was on the CD (not really thinking about this too clearly at the moment). The phishing problem would also be solved, as only the correct banks' sites would be loaded onto the CD, as well as because of the aforementioned improved certificate handling and/or having the CD as a public key source (the banks in the banking code could get together on this).

    Well I mean that is just one idea the banks could be doing so much more.

    Firstly, there's enough complaints on this forum about people having to use keypads for their online banking, let alone a bespoke operating system just for online banking.

    Secondly, the bank can and should only do so much. Should they really be responsible if you give your details away? I couldn't hold the builder of my house responsible if I give my keys to someone and they take my TV, can I? If you can't secure your computer in a suitable manner, then you shouldn't be using online banking. It's pretty straightforward.

    Random brute forcing of bank accounts is not very common, simply because of the minute chance that the details would be correct. Relying on people not being savvy enough to tell a fake site from the real thing is much more lucrative.
  • malc_b
    A man in the middle attack is where all the data flows through the man in the middle. An example would be where you go to a web site that pretends to be your bank. It takes your data and passes it on to the bank and passes the returned data back to you. There is no defence against that, other than going to the crooked web site in the first place. The crook is in, and when you log off he doesn't. But, in order to do anything useful the crook has to be able to empty the account, so a bank system where say a keypad/token was used to set up new payments would stop the crook. Social engineering might convince users to use the keypad/token, I suppose.

    Another attack is wifi or physical network monitoring. The data on your network is read. That means that the password/user data to log in to the bank is visible to the crook. Once logged in, the data is encrypted. So the sensible setup is to log in twice. 1st as normal; the crook reads that. 2nd when in SSL, encrypted; the crook can't read that so can't get further than the 1st login. Banks already ask for a password and personal data, so there is no difference except the added security of blocking wifi/network eavesdroppers.

    My guess is the most common tricks are the false web site and keyboard loggers. For false web sites, usually from trick emails, people should really use plain text emails and therefore so should the banks. In a plain text email client it stands out plain as day that a link is false. I do this and just find them a joke. It's like a conman turning up at your door with a big neon sign over his head - it's not a threat anymore.

    Most keyboard loggers would be defeated by a click-the-numbers-on-the-image PIN entry system where the images are different every time. True, some loggers can record screen shots, but that's a lot more data than just keystrokes and would be noticeable.

    As for random brute forcing having a minute chance the whole point of this thread was to point out how the banks don't understand chance and by their systems are reducing the probability to the point it is no longer a minute chance, but practical!

    The other data the bank asks for with the password is usually stuff like place of birth, mother's maiden name, 1st school, etc. All that stuff can often be found on social sites. The only truly random personal data is the password, and that is the part the banks are eroding to be worthless.
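The randomised on-screen keypad that malc_b describes, as an added toy model (not code from the thread or from any bank). It assumes the bank draws the ten digits in a fresh random order on every login, that a click-only logger records just the screen position clicked, and that a screenshot-capable logger also captures the layout; the constructed PIN and seeds are illustrative.

```python
"""Added example (not from the thread): why a randomised keypad blunts a click-only logger.

Toy model: position index -> digit, reshuffled per login. A click logger captures positions;
replaying them against a later layout only works if the same digits happen to land there.
"""
import random
from math import factorial

DIGITS = "0123456789"
PIN = "4792"  # constructed sample PIN


def new_layout(rng: random.Random) -> list:
    """Digits in the order the bank draws them on this login; index = screen position."""
    layout = list(DIGITS)
    rng.shuffle(layout)
    return layout


def clicks_for(layout: list, pin: str) -> list:
    """What a click-only logger captures: the positions the customer clicked, in order."""
    return [layout.index(d) for d in pin]


def replay(layout: list, positions: list) -> str:
    """Attacker feeds captured positions to whatever layout is on screen now."""
    return "".join(layout[p] for p in positions)


def replay_success_rate(pin: str, trials: int = 2000, seed: int = 7) -> float:
    """Fraction of later logins where positions captured from one login still yield the PIN."""
    rng = random.Random(seed)
    captured = clicks_for(new_layout(rng), pin)          # logger saw this one login
    hits = sum(replay(new_layout(rng), captured) == pin for _ in range(trials))
    return hits / trials


def theoretical_rate(pin: str) -> float:
    """A fresh random layout must put the same k distinct digits at the same positions:
    (10 - k)! / 10!"""
    k = len(set(pin))
    return factorial(10 - k) / factorial(10)


def fixed_keypad_rate(pin: str) -> float:
    """The same attack against a keypad whose layout never changes: positions alone suffice."""
    layout = list(DIGITS)  # 0..9 always drawn in the same order
    captured = clicks_for(layout, pin)
    return float(replay(layout, captured) == pin)


def screenshot_logger_recovers(pin: str, seed: int = 7) -> bool:
    """A logger that grabs the layout along with the clicks recovers the PIN regardless of shuffling."""
    layout = new_layout(random.Random(seed))
    return replay(layout, clicks_for(layout, pin)) == pin


if __name__ == "__main__":
    print(fixed_keypad_rate(PIN))              # 1.0  (fixed keypad: clicks are as good as keystrokes)
    print(replay_success_rate(PIN))            # close to 0.0
    print(theoretical_rate(PIN))               # 1/5040 for four distinct digits
    print(screenshot_logger_recovers(PIN))     # True (the caveat malc_b mentions)
```

The model shows both halves of the post: positions alone are worthless once the layout changes, and a logger that also captures the screen is unaffected, which is why the defence only raises the attacker's cost rather than removing the threat.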
  • jamesd
    malc_b, the token cards don't protect against that type of man in the middle attack because the middle site can relay the questions and answers.
  • malc_b wrote: »
    No bank I can think of shows much sense. The latest trend seems to be hardware solutions, but not common ones, so each bank sends a different piece of kit. NW has a calculator, HBOS has a keyfob dongle. And they take different approaches. HBOS uses the dongle to get in. NW is going to only ask for the calculator for new payments, I believe.

    HBOS only use them for business banking. Retail customers don't get inflicted with the "hardware".
  • malc_b
    jamesd wrote: »
    malc_b, the token cards don't protect against that type of man in the middle attack because the middle site can relay the questions and answers.

    BUT, if the crook is trying to make a new payment, to crooks-r-us, as man in the middle, then he has to pass back the request for a valid token to you, as you have the token hardware. Hopefully you might be suspicious of a new request. I suppose rather than a direct copy the request for a token could be disguised as something normal, but if the banks make it clear that tokens are ONLY for new payments then it should raise alarm bells.
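The exchange between jamesd and malc_b, played out as an added toy model (not code from the thread, and not how any named bank's token actually works). It assumes a relaying phishing site between customer and bank, a token that shares a secret with the bank and answers with a truncated HMAC, and, for the second scenario, that the customer keys the payee and amount they intend into the token so the response is bound to that payment (the "what you see is what you sign" version of malc_b's point). The shared secret and payee names are constructed.

```python
"""Added example (not from the thread): a relaying phishing site against two kinds of bank token.

Scenario 1 (login-only token): the site relays the bank's challenge and the customer's answer,
owns the session, and pays itself.  Scenario 2 (transaction signing): the token's code covers the
payee and amount the customer keyed in, so the substituted payee fails verification at the bank.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed: the secret the bank shares with the customer's token (a real device would hide it).
TOKEN_SECRET = bytes.fromhex("5f1d2c7e9a6b4c3d8e0f1a2b3c4d5e6f")


def token_code(secret: bytes, message: bytes) -> str:
    """What the token displays for a given input: HMAC-SHA256 truncated to 8 hex characters."""
    return hmac.new(secret, message, hashlib.sha256).hexdigest()[:8]


class Bank:
    """Toy bank: login needs a one-time code; payments optionally need a code over payee|amount."""

    def __init__(self, secret: bytes, sign_payments: bool):
        self.secret = secret
        self.sign_payments = sign_payments
        self.challenge = b""
        self.sessions = set()
        self.payments = []

    def login_challenge(self) -> bytes:
        self.challenge = secrets.token_bytes(8)
        return self.challenge

    def login(self, code: str) -> Optional[str]:
        if not hmac.compare_digest(code, token_code(self.secret, self.challenge)):
            return None
        session = secrets.token_hex(8)
        self.sessions.add(session)
        return session

    def pay(self, session: str, payee: str, amount: int, code: Optional[str] = None) -> bool:
        if session not in self.sessions:
            return False
        if self.sign_payments:
            expected = token_code(self.secret, f"{payee}|{amount}".encode())
            if code is None or not hmac.compare_digest(code, expected):
                return False  # the code was computed over a different payee/amount
        self.payments.append((payee, amount))
        return True


class Customer:
    """Holds the token; keys the payee and amount they *intend* into it when signing a payment."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def answer_login(self, challenge: bytes) -> str:
        return token_code(self.secret, challenge)

    def sign_payment(self, payee: str, amount: int) -> str:
        return token_code(self.secret, f"{payee}|{amount}".encode())


def relay_attack(sign_payments: bool):
    """Phishing site between customer and bank relays the login, then tries to pay itself."""
    bank = Bank(TOKEN_SECRET, sign_payments)
    customer = Customer(TOKEN_SECRET)
    # 1. Customer visits the fake site; it fetches the real challenge and shows it to the customer.
    challenge = bank.login_challenge()
    # 2. Customer answers; the fake site forwards the answer and now owns the session (jamesd's point).
    session = bank.login(customer.answer_login(challenge))
    assert session is not None
    # 3. Customer thinks they are paying the gas board; the fake site substitutes its own payee.
    code = customer.sign_payment("gas-board", 80) if sign_payments else None
    accepted = bank.pay(session, "crooks-r-us", 80, code)
    return accepted, bank.payments


def honest_payment() -> bool:
    """Control case: with transaction signing, the customer's own payment still goes through."""
    bank = Bank(TOKEN_SECRET, sign_payments=True)
    customer = Customer(TOKEN_SECRET)
    session = bank.login(customer.answer_login(bank.login_challenge()))
    return bank.pay(session, "gas-board", 80, customer.sign_payment("gas-board", 80))


if __name__ == "__main__":
    print(relay_attack(sign_payments=False))  # (True, [('crooks-r-us', 80)])
    print(relay_attack(sign_payments=True))   # (False, [])
    print(honest_payment())                   # True
```

The second scenario only holds because the customer types the payee into the token themselves; if the site could choose what the token signs (a bare challenge number it relays from the bank), it would be relayable exactly like the login code, which is the gap malc_b's "disguised as something normal" remark points at.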
  • malc_b wrote: »
    Another attack is wifi or physical network monitoring. The data on your network is read. That means that the password/user data to login into the bank is visible to the crook. Once logged in the data is encrypted. So the sensible setup is to login in twice. 1st as normal, crook reads that. 2nd when in SSL, encrypted, crook can't read that so can't get further than 1st login. Banks already ask for password and personal data so there is no difference except the added security of blocking wifi/network eavesdroppers.

    What do you mean? The financial institutions I am a customer of have SSL encrypted login pages.
    As for random brute forcing having a minute chance the whole point of this thread was to point out how the banks don't understand chance and by their systems are reducing the probability to the point it is no longer a minute chance, but practical!

    Don't most online account systems lock out access on the third or fifth incorrect attempt, which prompts the user to have to contact the organisation to get it unlocked/reset again?
    The other data the bank asks for with the password is usually stuff like place of birth, mother's maiden name, 1st school, etc. All that stuff can be often found on social sites. The only truely randon personal data is the password, and that is the part the banks are eroding to be worthless.

    It's no one's fault but the user's if they strew social networking sites with information that could compromise their security, so why should it be the bank's fault?

    Just accept it, passwords are becoming ineffective because the majority of users don't know how to create a good password, let alone keep different ones for different sites.
  • exel1966
    malc_b wrote: »
    I read that now the banks want us to have up to date anti-virus etc. to be covered in the event of being hacked.

    And the ONLY reason they state that is to try to relieve themselves of any responsibility if something untoward might happen with your account regardless of who's to blame.

    It's called passing the buck !