You call it 'hacking.' I call it 'investigation'

Here's a photo of what I had for lunch! Amazing!!! No it isn't amazing. It's your lunch. You gotta see the new 4k TV I bought today! Thanks for giving me a fascinating, if cursory, inventory of your consumer durables. Took Jonesy out for his walk and he chased a rabbit. Nice to have your pet's name. Could be useful.


  1. chivo243 Silver badge

    "a bit of a loner"

    Just call me Leonard "Lenny" Kosnowski...

  2. Anonymous Coward

    I assumed the first video was going to be Turning Japanese by The Vapours.

  3. Franco

    As I have posted here before, I have actually been accused in an interview (for an IT Security job) of having something to hide due to my very small online footprint.

    If I buy a pizza, it's to eat it. Not take pictures of it. Nor do I have any interest in other people pretending how great their life is compared to mine by the stream of selfies they post in "exotic" locations.

    1. Warm Braw

      having something to hide due to my very small online footprint

      Well, you know what they say: small feet...

  4. Novex

    We're pretty much screwed anyway. Even if I try to take care where my personal information is held and that it isn't easy to get at, as long as someone else needs it and chooses to store it on Arsebook or Groogle, I can't stop a hacker getting it second-hand.

    When it comes to authentication with banks, we are asked to give them information so 'they know who they are talking to', but they seem resolute not to let us as consumers have the same confidence in them. Where's the password or memorable information I can ask for the first, fifth and eighth character from that they have to remember so that I know they aren't some scammer?

    1. Anonymous Coward

      Counter productive

      "... ask for the first, fifth and eighth character from that ..."

      It's easier to remember the entire password than it is the nth character. So how many people end up writing down their password just so they can work out which random characters to enter this time?

      1. Doctor Syntax Silver badge

        Re: Counter productive

        '"... ask for the first, fifth and eighth character from that ..."

        It's easier to remember the entire password than it is the nth character.'

        No need to write it down. The first character is 1, the fifth is 5 and the eighth is 8....

      2. David Nash Silver badge

        Re: Counter productive

        "It's easier to remember the entire password than it is the nth character"

        Not after 20 years with First Direct. I can tell them any "nth" character without thinking.

        1. John Tserkezis

          Re: Counter productive

          "Not after 20 years with First Direct. I can tell them any "nth" character without thinking."

          So you haven't changed your passphrase for 20 years?

          Good to know.

          1. Remy Redert

            Re: Counter productive

            Is there any way for them to verify the Nth character of the password without having the password stored in the clear somewhere? If so, is there any point changing the password regularly when it's being stored in the clear on the bank's side and thus available for hackers anyways?
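A worked answer to the question above, added here as an example and not code from any bank or from the article: one way to check "the first, fifth and eighth character" without keeping the password in the clear is to enrol by storing a salted, slow hash for every k-subset of positions and, at login, hash only the challenged subset. The same block shows why that is cold comfort once the table is stolen: a challenge has only alphabet_size**k possible answers, so an offline attacker recovers the asked-for characters in seconds. The iteration count, record layout and the sample secrets are assumptions made for the demo; the iteration count is kept deliberately low so the brute-force demo runs quickly.

```python
import hashlib
import hmac
import itertools
import os
import secrets

# Number of characters the service asks for per login (the thread's
# "first, fifth and eighth" style of challenge).
POSITIONS_PER_CHALLENGE = 3
# Assumption, and deliberately low so recover_positions() below finishes in
# well under a second; a real deployment would use a far higher work factor.
ITERATIONS = 1_000


def _digest(salt: bytes, positions: tuple, chars: str) -> bytes:
    """Salted PBKDF2 over (which positions were asked, which characters were given)."""
    msg = ",".join(map(str, positions)).encode() + b"|" + chars.encode()
    return hashlib.pbkdf2_hmac("sha256", msg, salt, ITERATIONS)


def enrol(secret: str, k: int = POSITIONS_PER_CHALLENGE) -> dict:
    """Store one digest per k-subset of 1-based positions; the secret itself is not kept."""
    salt = os.urandom(16)
    table = {}
    for positions in itertools.combinations(range(1, len(secret) + 1), k):
        chars = "".join(secret[p - 1] for p in positions)
        table[positions] = _digest(salt, positions, chars)
    return {"salt": salt, "length": len(secret), "table": table}


def challenge(record: dict, k: int = POSITIONS_PER_CHALLENGE) -> tuple:
    """Pick which positions to ask for, e.g. (1, 5, 8), in ascending order."""
    rng = secrets.SystemRandom()
    return tuple(sorted(rng.sample(range(1, record["length"] + 1), k)))


def verify(record: dict, positions, answer: str) -> bool:
    """The answer must list the characters in ascending position order."""
    positions = tuple(sorted(positions))
    expected = record["table"].get(positions)
    if expected is None or len(answer) != len(positions):
        return False
    return hmac.compare_digest(expected, _digest(record["salt"], positions, answer))


def guesses_per_challenge(alphabet_size: int, k: int = POSITIONS_PER_CHALLENGE) -> int:
    """Size of the search space an attacker faces for one challenge."""
    return alphabet_size ** k


def recover_positions(record: dict, positions, alphabet: str):
    """Offline attack on a stolen record: try every len(alphabet)**k answer for one challenge."""
    positions = tuple(sorted(positions))
    for guess in itertools.product(alphabet, repeat=len(positions)):
        candidate = "".join(guess)
        if verify(record, positions, candidate):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample: a five-digit "pass number" of the kind the thread mentions.
    record = enrol("48213")
    asked = challenge(record)
    print("asked for positions", asked)
    print("search space per challenge:", guesses_per_challenge(10))
    print("recovered from stolen table:", recover_positions(record, (1, 3, 5), "0123456789"))
```

Nothing here needs the clear-text secret after enrolment, so the answer to the question is yes. The caveat is the number `guesses_per_challenge` returns: a five-digit pass number asked three digits at a time has 1,000 candidates per challenge, and a nine-character alphanumeric password asked three characters at a time has roughly 240,000, so a stolen table protects the secret far less than a single hash of the whole password would.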

      3. Mudslinger

        Re: Counter productive

        and when your online password is the same as your customer service password and not encrypted (yes Plusnet, I'm looking at you)...

    2. Doctor Syntax Silver badge

      "When it comes to authentication with banks... they seem resolute not to let us as consumers have the same confidence in them."

      I have had several phone conversations initiated, supposedly by HSBC, the then bankers for my then business which never got beyond my telling the caller I didn't believe they were from HSBC because they [cw]ouldn't prove it.

      1. tfewster

        Re: HSBC

        Strange, as a personal customer and a few arguments about them proving who they were first, they found a way:

        "Our records say you were born on the nth day of the month; Could you confirm which month?"

        or

        "You have a standing order set up to $COMPANY. Can you tell me approximately how much it is for?"

        1. G7mzh

          Re: HSBC

          I used to work for a large credit company in their call centre; when we called people we were supposed to just ask for a couple of details to confirm that the person who answered the phone was who we wanted to speak to, but in practice we generally (unofficially) used a similar system - "I see you live in NW1, what's the rest of the postcode?" and so forth. If the person at the other end wasn't who we wanted, we hadn't given anything away.

          If they insisted, we asked them to call the number on their card.

      2. Allan George Dyer

        It isn't working...

        When a bank asks me for my DoB to verify my identity, I've taken to demanding that they send me a birthday present at the appropriate time. Sadly, this hasn't resulted in an increase in the number of presents I receive.

      3. GrapeBunch

        Ha ha. In long ago more innocent days, I got a call from an HSBC rep who suggested a better pigeon hole (still within HSBC of course) for some dosh. After a lot of discussion (she needed to convince me!), I agreed. Then she asked for whatever the security was at the time. "But you called me!" So the call and discussion turned out to be pointless. Hmm, maybe HSBC could corporately sponsor the TV quiz game, Pointless.

      4. CrazyOldCatMan Silver badge

        > didn't believe they were from HSBC because they [cw]ouldn't prove it.

        Yup - I've had those:

        [Telephone noise]

        >Hello, COCM here.

        "This is [your bank] - we would like to discuss stuff with you. But first, we need to determine if it's really you".

        >Can you prove you are from [your bank]? For example, can you tell me the last two digits of my bank account number? Can you tell me what the largest deposit (oo-er!) was in the last month?

        "No - because we can't be sure that you are you. You could be not-you!".

        >Indeed. Same applies.

        "But, but - we're the BANK! We wouldn't lie to you!"

        >Cough, splutter, goodbye.

        [Cue telephone cutoff noises and queries from Mrs COCM about who I was speaking to. She seems to be nicely learning paranoia^W caution from me..]

    3. TheTor

      @Novex

      Santander online banking does, dunno about others. When you register, you pick a phrase, and picture that they show to you each time you login (after entering your personal customerId, before entering your username/password).

      1. cambsukguy

        And, in case you did not know, like me, Santander do the 2nd, 5th, 8th thing too now, but only for new customers it seemed.

        I noticed when my boy logged in. So I asked Santander if I could have the better log in please. They then just enrolled me (by sending a letter with the first part of the sequence).

        So now they have:

        1. Customer ID, you can set this how you wish but they give you a large number to start with. It is visible and not meant to really be secret.

        2. A picture and phrase, not really sure how this works, it always shows the same ones, I don't have to select them except when I chose them. I presume that, when another computer is used, they ask you to choose the correct ones.

        3. Selected characters from a password.

        4. Selected digits from a pass number.

        5. Answers to rather more complex questions than Mother's maiden name (for which I use a made up name BTW, why wouldn't you? just pick a movie star, anything reasonably memorable, they are not going to guess it in the tries available).

        Also, despite not wanting someone to see your bank account contents, taking the money requires a new transfer and this *does* require 2FA so it has additional security.

        Note: some years ago, someone called my bank using telephone banking and managed to enrol themselves into the new telephone banking security system and empty my account because, apparently, Santander had added secure telephone banking but did not require letters or on-line use before allowing it to be used. I had no idea it even existed since using the telephone to bank is as old-fashioned to me as using an abacus to calculate. This may be why Santander have a slightly superior system now. Yes, they did refund me and added £200 on top for my trouble.

        My view is that I prefer 2FA, despite the article, Russian hackers cannot easily steal my phone. If a phone is stolen and then hackers are informed so they can then use the 2FA, the time expired will almost certainly be enough to prevent access, especially when a phone is locked, I could probably remotely wipe it before they accessed it. As for hacking my phone while I have it, even less likely given the phone OS I use.

        Basically, you call the bank first when compromised, email accounts etc. pale in importance. I also know my phone isn't stolen when I log in to something like PayPal so the 2FA feels useful and very hard to defeat. My MS/cloud account is the same, first the password must be guessed and then the 2FA must be defeated, difficult; then you get to see my photographs and some invoices etc., not really worth it.

        I would feel hugely better if the Bank used 2FA on top of all the other stuff, simply because I find it very easy to use.

        It would be even cooler if they used the authenticator app system, already present, no text needed. But, being banks, they would have to have their own.

        1. NotBob

          Some banks use the picture as a way of identifying themselves to you. If you see the wrong picture, you either have the wrong account or it isn't actually your bank.

          1. Anonymous Coward

            Tesco bank do that (I have one of their credit cards). I typed in the wrong username once and I got the wrong picture - I was quite confused at first.

            It did occur to me though, a phishing site would just proxy this image to their site. It doesn't add any security at all.

        2. Captain DaFt

          My ID setup with the bank is simple

          If they need to contact me, they send me a letter.*

          I show up, show my driver's license and bank card.

          Then we discuss things face to face.

          I see no need to change things.

          *Yes, snail mail.

          1. Anonymous Coward

            Re: My ID setup with the bank is simple

            "If they need to contact me, they send me a letter.*

            I show up, show my driver's license and bank card.

            Then we discuss things face to face.

            I see no need to change things.

            *Yes, snail mail."

            My bank is open Monday to Friday 9am-4.30pm.

            My working week is Monday to Friday 9am-5.30pm.

            This is extremely inconvenient. Even sorting out a mortgage necessitated taking a half day off.

            I do believe that in the big cities banks open on a Saturday morning! With the associated parking costs visiting a big city entails, or trying to work out which buses are actually running from and to the sticks on a weekend morning.

      2. Doctor Syntax Silver badge

        "you pick a phrase, and picture that they show to you each time you login"

        The issue here isn't logging in online (and, BTW what you describe online wouldn't prevent a man in the middle attack) it's about banks being able to prove their ID when they call you.

    4. IsJustabloke

      "Where's the password or memorable information I can ask for the first, fifth and eighth character from that they have to remember so that I know they aren't some scammer?"

      I agree... I'm bored with having this conversation..

      Caller: can you tell me the 2nd and 3rd letters of your password?

      me: yes I can.

      Caller: Er...

      me: you called me, how do I know you are who say you are?

      Caller: well, if you pass security I can tell you what's its about.

      me: you called me.

      caller: you can ring this number... 083545473839

      me: *YOU* called me , why should I trust any number you give me?

      caller: but I'm from your bank!

      me: then prove it! You tell me what credentials you've got and I'll tell you if they're correct

      caller: I can't do that because of security

      me: Oh well.. bye then.

      1. cambsukguy

        They really should have a free number advertised on their bank site for you to call them when needed.

        Or just say that there is a secure message waiting for you on the bank account, like my bank does.

        I can't recall the last time my bank called me, it has been at least a decade.

        1. Anonymous Coward

          Or just say that there is a secure message waiting for you on the bank account, like my bank does.

          Dear cambsukguy,

          A New Secure Message Is Waiting For You. Click The Link To View.

          http://secureserver.yourbank.example.com/images/dodgyscript.php?id=123456

          Regards,

          Your Bank

          1. cambsukguy

            Obviously, you have no secure messaging with your bank, or don't use it.

            I was discussing a real, in use, system. It is not too complicated and works like this (you were close, but not close enough).

            From: pleasedonotreply@your.bank.co.uk

            To: your.address@your.email.com

            You have received a secure message.

            ...Followed by truly insane amounts of boilerplate disclaimer/registered addresses etc.

            I suppose actually saying 'Don't click anything in this message' would be pointless because that text might just be removed in a phishing email.

            This is a useful system obviating the need to keep checking on the site to see if they answered one's question.

            1. Squander Two

              > I suppose actually saying 'Don't click anything in this message' would be pointless because that text might just be removed in a phishing email.

              No, it gets users into the habit of seeing that message and so expecting that from their bank, which increases the likelihood of alarm bells ringing when it's not there. Although, personally, I don't think banks have done anything like enough to instill this lesson. There should've been primetime TV ads for the last decade just saying "Hi. This is a message from every single bank in the UK. We will never ever ever send any of our customers an email with a link in it. If you get an email with a link in it, it's not from us, and you should never click it."

              I've had the "But you called me!" argument with First Direct a couple of times -- except it wasn't an argument, as they just said "Sure, no problem. Call us on the usual number and ask to be put through to my department." Since they (unlike some) answer the phone dead quickly, not a problem.

        2. el_oscuro

          "I can't recall the last time my bank called me, it has been at least a decade."

          I get calls all the time - one from "Dept of Justice" with the guy being very threatening, saying I could be prosecuted if I didn't pay the fine. Official looking caller ID and all, scary as shit. I looked up the number and it was a MagicJack number from San Bernardino. Somehow I didn't think it was the real DOJ.

          The government doesn't call you anyway, they send mail. And if it is really nasty, the summons is delivered by the sheriff. But scammers use mail too. I once got something official from the "Department of Commerce" with a return address of 2000 Pennsylvania Ave, Washington DC NW, about 4 blocks from the White House. So I looked it up and it was a shopping center.

      2. macjules

        Yes, it still perplexes me that BT would want to outsource their IT security to Nigeria. I told the nice gentleman when he called to tell me that unfortunately BT had given my computer a virus that I was sure that I had only just spoken to one of his colleagues last week from somewhere in India. He even said the same thing, that there was an error with credit card details I had given him to 'fix' my computer and so he would have to send me a virus help file in order to resolve the problem. For some odd reason his help file was blocked by my anti-virus scanner: I wonder why.

    5. salamamba too

      Security questions

      my bank got this message when I kept refusing to give them information on the phone to identify myself, as I had no evidence who they were. As a result, I get virtually no sales calls, and we came to an arrangement re identification.

      As regards security questions, you don't use your mum's real maiden name do you? I never have.

      1. Franco

        Re: Security questions

        <snip> when I kept refusing to give them information on the phone to identify myself</snip>

        I once applied for a job, and when the recruitment company called me they asked me to verify my postcode to prove my identity. I pointed out to them that the postcode they had for me came from the same CV that had my phone number, so if I wasn't who I claimed to be I would already have falsified the data they had. This put them into stack overflow, repeat question until answered no matter how stupid the question is, at which point I decided that if they were this bad about just speaking to me the job description was bound to be gibberish too and gave up.

      2. yoganmahew

        Re: Security questions

        @salamamba too

        "As regards security questions, you don't use your mum's real maiden name do you? I never have."

        I did, but it got hacked, so I've had to dump her and get another mum. Right pain that was. The dog was really put out too. And it was such a hard letter to write to my favourite teacher to tell him I'd chosen another. I'm still working out how to replace my fingerprints... I think I can get new ones each month, at least until they rot.

        1. el_oscuro

          Re: Security questions

          Those "security questions" aren't. They are really just passwords that are usually stored in the database in clear text. Hackers don't look up your mum's name from public records, as they probably don't know who you actually are. They just get SQLi on some crappy website and dump the database. Then they know what answers you use for those questions and can pwn you on other websites.

          For anything important, I use keepassx to manage my passwords and have a script to generate answers for those questions from /dev/random. I store the answers in keepass along with the questions so I never have to remember anything.

          1. Ken Moorhouse Silver badge

            Re: script to generate answers

            Mr Oscuro, are you sure your mother's maiden name is xty6t3rm#8yt ?
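An added example, not el_oscuro's script and not any site's code, covering both halves of the exchange above: generating a random "mother's maiden name" of the `xty6t3rm#8yt` kind for a password manager, and the treatment a site should give such answers on its side, namely normalise, salt, slow-hash and compare in constant time, instead of the clear-text storage the post complains about. The alphabet, answer length and iteration count are assumptions; the alphabet is letters and digits only so the generated answer survives forms that reject punctuation.

```python
import hashlib
import hmac
import math
import os
import secrets
import string
import unicodedata

# Assumptions for the demo: letters and digits only (survives fussy input
# validators), 16 characters, and a PBKDF2 work factor of 100k iterations.
ALPHABET = string.ascii_letters + string.digits
ANSWER_LENGTH = 16
ITERATIONS = 100_000


def random_answer(length: int = ANSWER_LENGTH) -> str:
    """Client side: what a password manager should hold as the 'maiden name'."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(alphabet_size: int = len(ALPHABET), length: int = ANSWER_LENGTH) -> float:
    """Guessing entropy of a uniformly random answer drawn from the alphabet."""
    return length * math.log2(alphabet_size)


def normalise(answer: str) -> str:
    """Make a human-typed answer case-, whitespace- and Unicode-form-insensitive."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def store_answer(answer: str) -> dict:
    """Server side: hash the normalised answer exactly as a password would be hashed."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalise(answer).encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}


def check_answer(record: dict, answer: str) -> bool:
    """Constant-time comparison against the stored digest; the answer is never stored."""
    digest = hashlib.pbkdf2_hmac("sha256", normalise(answer).encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(record["digest"], digest)


if __name__ == "__main__":
    generated = random_answer()
    print("maiden name for the password manager:", generated)
    print("entropy in bits:", round(entropy_bits(), 1))
    # Constructed sample of a real-looking answer to show the normalisation.
    stored = store_answer("O'Brien")
    print("' o'brien ' accepted:", check_answer(stored, " o'brien "))
    print("'OBrien' accepted:", check_answer(stored, "OBrien"))
```

Case-folding on the server side lowers the effective entropy of a mixed-case generated answer (the 62-symbol alphabet behaves like 36 symbols), which is why the generated answer is 16 characters rather than 8; a stolen table of such digests is no more useful to an attacker than a table of properly hashed passwords, and a real maiden name is the one answer that cannot be rotated after a breach.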

        2. CrazyOldCatMan Silver badge

          Re: Security questions

          > I'm still working out how to replace my fingerprints...

          Become a tree-surgeon or a bricklayer. You'll soon have no fingerprints left..

      3. tony2heads

        Re: Security questions about mother's name

        I couldn't because it is Irish and starts with an " O' "

        Their software could not accept " ' " as it wanted letters only.

        I suspect it would have the same problem in South Africa where some names include " ! " for the click sounds.
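An added example, not taken from any bank's software, contrasting the letters-only rule described above with a validator that accepts apostrophes, hyphens, spaces and the click letters. The proper Unicode click characters (for instance ǃ, U+01C3, as in ǃKung) are letters in their own right and pass a Unicode-aware letter check; an ASCII "!" typed in their place is allowed explicitly. Which extra characters to permit is an assumption. Since a memorable-name answer is a secret that should be hashed anyway, the character restriction buys no security; protecting the storage layer is the job of parameterised queries, not a narrow allow-list.

```python
import re
import unicodedata

# The rule the thread describes: ASCII letters only, so O'Brien and Müller both fail.
LETTERS_ONLY = re.compile(r"[A-Za-z]+")

# Assumption: the non-letter characters a name field should also accept.
# ASCII apostrophe, typographic apostrophe, hyphen, space, and ASCII '!' for
# people who cannot type the Unicode click letters on their keyboard.
EXTRA_ALLOWED = frozenset("'\u2019- !")


def accepts_letters_only(name: str) -> bool:
    """The failing validator."""
    return LETTERS_ONLY.fullmatch(name) is not None


def accepts_name(name: str) -> bool:
    """Unicode-aware validator: letters in any script plus the allow-listed punctuation."""
    name = unicodedata.normalize("NFC", name).strip()
    if not name or not any(ch.isalpha() for ch in name):
        return False
    return all(ch.isalpha() or ch in EXTRA_ALLOWED for ch in name)


def compare(names):
    """Which of the sample names each validator accepts."""
    return {n: (accepts_letters_only(n), accepts_name(n)) for n in names}


if __name__ == "__main__":
    # Constructed sample names covering the cases raised in the thread.
    samples = ["Smith", "O'Brien", "M\u00fcller", "\u01c3Kung", "!Kung", "Smith-Jones", "", "--"]
    for name, (old, new) in compare(samples).items():
        print(f"{name!r:16} letters-only={old!s:5} unicode-aware={new}")
```

`str.isalpha()` returns true for every Unicode letter category, which is what lets ǃ (U+01C3, category Lo) and ü through while still rejecting digits, most punctuation and an empty or punctuation-only string.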

      4. Anonymous Coward

        Re: mum's real maiden name

        "As regards security questions, you don't use your mum's real maiden name do you?"

        I wonder how people with the same current surname as their mother's maiden name get on. Are they allowed to use the same name twice? Or are they viewed by security personnel as "awkward bastards"?

        1. Anonymous Coward

          Re: mum's real maiden name

          "I wonder how people with the same current surname as their mother's maiden name get on. Are they allowed to use the same name twice? Or are they viewed by security personnel as "awkward bastards"?"

          I once knew someone who had recently got a dog and used his mum's maiden name as its name.

          He signed up for online banking:

          - Memorable name:

          $maidendog

          - Pet's name:

          $maidendog

          - Mother's maiden name:

          $maidendog

  5. Gene Cash Silver badge

    Meh, don't use your real info

    So I just don't use my real info in those "What is your spouse's name?" type of questions.

    And yes, once I got asked how I had a "spouse's name" since I wasn't married, according to the rest of their info.

    1. lglethal Silver badge

      Re: Meh, don't use your real info

      My answers to those questions tend to revolve around some variant of "f$ck off!", "get nicked" or "pi$$ off". People probably think I really didn't like getting given a dog as a kid...

  6. Anonymous South African Coward Bronze badge

    Meh to all of this tomfoolery with security tokens, 2FA, and all that shizzly stuff.

    What'll they ask for next? Biometric ID of your anus?

    1. chivo243 Silver badge

      @Anonymous South African Coward

      Colon scan... is the correct terminology ;-}

      1. Ben1892

        I knew I'd been doing it wrong - I thought it said RECTANAL scan, no wonder I've been getting funny looks trying to get onto the secure floor at work

        1. macjules

          +1 for the belly laugh I've been needing all week.

    2. Sorry that handle is already taken. Silver badge

      Biometric ID of your anus?

      Look no further.

  7. Warm Braw

    Please keep your biometric nettles away from my arse

    One of the concepts that seems to be missing from "security" considerations of online systems is that of proportionality. That means, of course, that the security of access should be proportionate to the risk of unauthorised access - but conversely, that high-risk systems probably shouldn't depend entirely on online credentials because high-stakes attackers are inevitable and requiring them to post a letter or turn up in person is one of the most effective ways of thwarting brute-force or large-scale attacks.

    Online access to my credit card account used to be fairly low risk, because all anyone could usefully do if they gained access was to pay my bill for me. Now any unauthorised user can change my registered email address, home address, access my credit score and do a whole bunch of other things that might threaten my financial security.

    The solution to this is not to add biometric complexity so that I can continue to use the one low-risk function I've ever needed (to pay my bills) but to allow me to remove access to the higher-risk functions I don't want.

    1. lglethal Silver badge

      Re: Please keep your biometric nettles away from my arse

      But then the banks would have to actually keep branches open rather than shutting them down and pocketing the profit of outsourcing everything. We can't allow that sort of thinking to happen!

      1. Warm Braw

        Re: Please keep your biometric nettles away from my arse

        the banks would have to actually keep branches open

        Not that this wouldn't be a good idea, but banks do (for the moment) have large networks of ATMs. It wouldn't be impossible to arrange that if you want to do something potentially risky - like change your address or transfer a large amount of money - that you have to visit a nominated machine and present your bank card. Might help Mr. D. keep off those lost kilograms, too.
