| View previous topic :: View next topic |
| Author |
Message |
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 54209
Location: 56N 3W
|
 Posted: Sun Jan 14, 2018 10:37 am Post subject: |
 |
|
Don't your banks use one time passwords or two factor authentication?
I've been using it since 2003. I put my chip and pin card into a card reader.
It checks my PIN and gives me a one time password.
It locks my card if I get the PIN wrong three times too, just like a cash machine :(
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail. |
|
| Back to top |
|
 |
Tony0945
Watchman
Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA
|
| Posted: Sun Jan 14, 2018 2:44 pm Post subject: |
|
|
| szatox wrote: | It's not a sign of honesty, it's a sign of ignorance.
Should have reported that as a security incident. By simply ignoring it you became a contributor. |
Lots of insulting posts here lately. Who would I report it to? Some faceless unknown manager in India? How would I contact them? If the multi-billion dollar bank doesn't care, what influence would I have on them? |
|
| Back to top |
|
|
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21586
|
| Posted: Sun Jan 14, 2018 5:00 pm Post subject: |
|
|
Regarding the issue of e-mailing the password clear text, I look at it through this decision tree:- Is the password sent cleartext? If no, continue. If yes, be unhappy briefly.
- Does the forum support a password reset feature, implemented by sending an e-mail to the account on record? If no, stop and be safe. If yes, continue.
- Do I trust that the e-mail account cannot be modified (messages deleted or blocked from delivery) by untrusted users? If no, continue and be unhappy. If yes, continue and be cautiously optimistic.
- Do I trust that the e-mail account cannot be read by untrusted users? If no, stop and be unhappy with the generally terrible state of e-mail security. If yes, stop and be happy.
From there, I conclude that while it is not desirable that the forum send the original password, that the existence of a password reset mechanism, which can be triggered by anyone who knows my forum account name and e-mail address of record, is a greater threat. An untrusted user who can never read my e-mail cannot retrieve the initial password (which I can change at whim) nor use the password reset mechanism against me. An untrusted user who can read my e-mail is not only able to extract the initial password (which, again, I can change), but can use the "recovery" feature against me at any later point, and there's nothing I can do about that other than try to make them unable to read my e-mail. Using a good e-mail password is necessary, but insufficient, for that purpose. It also requires that the message be kept safe in transit (TLS at every step) and that it come to rest on a system that only transfers the message to me (in particular, that only people I trust not to read the e-mail can be allowed to have root on the machine which stores the message). Effectively, that means I need to run a mail server just to mitigate the password reset problem. Note that none of the password reset problems are at all unique to this forum. Almost every place I've seen that does e-mail based password reset is similarly terrible. A few will insist on a "secret question and answer" as part of it, which is very slightly above nothing.
| NeddySeagoon wrote: | | Don't your banks use one time passwords or two factor authentication? |
Mine uses what I think of as "poor man's two factor" (which, for a big bank, is a pretty poor excuse). If you log in and do not have an appropriate cookie in the browser, they want to e-mail you an unlock code, that you then type into the website to get the cookie. It's better than using only username+password, but not much better, since most e-mail accounts can be read from anywhere on the Internet if you have the credentials. As far as I know, there's no way to list the currently outstanding cookies, so if someone sneaks a peak at my e-mail account, then deletes the unlock code e-mail before I see it, there's no way to know. Nor can I invalidate all outstanding cookies (except possibly by changing my account password, but if I do that, then the old cookies don't matter anyway). If I recall correctly, they have a "You last visited" thing at sign-in, but last I looked, it was broken and always tells me "You last visited $right_now." All that comes back to "You must use an e-mail account that is absolutely secure against everyone who might want to access any of your accounts anywhere." |
|
| Back to top |
|
|
szatox
Advocate
Joined: 27 Aug 2013
Posts: 3129
|
| Posted: Sun Jan 14, 2018 5:35 pm Post subject: |
|
|
| Quote: | | Don't your banks use one time passwords or two factor authentication? |
They surely do when it comes to ordering transfers. You can still access all information known to the bank, without entering OTP.
Account balance, payments history, credit card limits, home address etc. Not necessarily things I want to share with strangers. If it wasn't the case, why shouldn't we make all such records public? We're honest people, so we have nothing to worry about, right?
Stealing a mobile phone to which they text you OTP or a code book (yes, code books are still in use as well) is not exactly a feat of strength or something. Not to mention more direct methods of "persuasion" https://www.xkcd.com/538/
@Hu, good point on reset pasword feature. And yeah, answers to security questions are often easy to guess, because lying there would defeat their purpose, burdening you with yet another impossible to remember password. |
|
| Back to top |
|
|
Tony0945
Watchman
Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA
|
| Posted: Sun Jan 14, 2018 6:39 pm Post subject: |
|
|
Citibank never used anything other than the log-in password to transfer money which I can also do by telephone. I prefer to use my credit card (NOT debit) that a liability limit for unauthorized use, while a thief could drain your account with a debit card. Fidelity Investments used a two step procedure when I first established transfer to my bank account but not for subsequent transfers. I believe that I have to use the two steps again if I change the institution or the account number which makes sense. I don't recall how US Social security set up auto payments. I think I filled out a form in person at the local office. I know that's what I always did for paycheck autodeposit, including changes.
Chase apparently uses the IP address because I have no trouble logging on from any computer on my LAN including the laptop, but would not let me log in from the laptop while traveling. "You have not used this computer to log in before." You would think they would use MAC address which can be changed but is pretty hard to guess. |
|
| Back to top |
|
|
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21586
|
| Posted: Sun Jan 14, 2018 7:07 pm Post subject: |
|
|
| Tony0945 wrote: | | Chase apparently uses the IP address because I have no trouble logging on from any computer on my LAN including the laptop, but would not let me log in from the laptop while traveling. "You have not used this computer to log in before." You would think they would use MAC address which can be changed but is pretty hard to guess. |
The public IP address is necessarily visible to them, so it is easy for them to record in their server-side cookie table. The MAC address is visible to native code, but as far as I know, Javascript doesn't let you read that, so there's no easy way for them to get the MAC address. |
|
| Back to top |
|
|
Tony0945
Watchman
Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA
|
| Posted: Sun Jan 14, 2018 9:49 pm Post subject: |
|
|
| Good point, Hu. At least they try to pick up hackers. |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
Gentoo Forums Feedback
