What are your experiences with banks' security requirements?

Mike Walsh
Posts: 6351
Joined: Sat 28 Jun 2014, 12:42
Location: King's Lynn, UK.

What are your experiences with banks' security requirements?

#1 Post by Mike Walsh »

Afternoon, all.

Just curious as to different people's experiences with their banks' online security requirements. Normally, as with most things, I, personally, insist on using as up-to-date a browser as possible.....and you often hear of banks refusing to let you do anything online unless you have an up-to-date one.

I was curious about this. I decided to put this to the test; I run Chrome 26 in Lucid (the newest version that will run there, due to the age of the glibc). This is now around 32 major revisions out of date.....yet my bank allowed me to log on, and perform a transfer between accounts.

I was quite taken aback by this, I must admit. I don't know whether to be alarmed that this was possible.....or grateful for the warning that their security practices are this slack..!

Or might it have anything to do with it being the Linux version of Chrome 26? I'm quite certain if it had been the Windows version, warning bells would have been going off all over the place.....

Thoughts?


Mike. :wink:

dancytron
Posts: 1519
Joined: Wed 18 Jul 2012, 19:20

#2 Post by dancytron »

My bank has no problem with Windows XP, Chrome version 49.

watchdog
Posts: 2021
Joined: Fri 28 Sep 2012, 18:04
Location: Italy

#3 Post by watchdog »

I use several online banks in Italy and I have no problems logging in to them from every puppy and palemoon (even puppy 4.31). I do not use any security as the CD live session: I just log in from every install. I read that legally security in online banking is a responsibility of banks when the account holder is not negligent (example: phishing). I think the banks profile their account holders and their browser's preferences. I always use the same palemoon's profile with cookies in /mnt/home. All my banks use onetime passwords for dispositive operations. I do not use debit and credit cards on the internet anymore.

bigpup
Posts: 13886
Joined: Sun 11 Oct 2009, 18:15
Location: S.C. USA

#4 Post by bigpup »

Seems to me that someplace on the bank's web site there should be information on what is required for account access :shock:

It should also give info on what precautions they use for the security of your account info.

To me, it really seems to get down to knowing an access code.
If you know the code, you can get into an account.

I always wonder what kind of protection is being provided by the company providing you access to the Internet.
They get everything you do in their system servers.
Just what info are they keeping??????????
The things they do not tell you, are usually the clue to solving the problem.
When I was a kid I wanted to be older.... This is not what I expected :shock:
YaPI(any iso installer)

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#5 Post by Flash »

bigpup wrote:...Just what info are they keeping??????????
All of it, every last bit they get their hands on. And they're keeping it forever. It costs them virtually nothing to gather and to keep, and might be worth something someday. So why not?

perdido
Posts: 1528
Joined: Mon 09 Dec 2013, 16:29
Location: ¿Altair IV , Just north of Eeyore Junction.?

#6 Post by perdido »

Flash wrote:
bigpup wrote:...Just what info are they keeping??????????
All of it, every last bit they get their hands on. And they're keeping it forever. It costs them virtually nothing to gather and to keep, and might be worth something someday. So why not?
Someday is today!
The Senate Just Legalized The Sale Of Your Browsing History


prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

#7 Post by prehistoric »

Here's an example of what happens when the on-line banking group tightens requirements.

I was having trouble with my local bank's on-line banking, which never thought about people running Linux. I went to the brick-and-mortar branch bank closest to me, and got the same advice I had read on-line. When I went to demonstrate the problem -- using their own customer-service machine -- it would not let me log in because they were running an ancient version of IE.

No big deal, right? All they had to do was update IE or download Chrome.

Hah! The bank's own security people would not let them install any software on those customer-service machines. They could not even install updates of software already present. Old versions of IE are so insecure I assume everything entered on those machines was already in the hands of criminals.

The last time I checked with them I showed them how simple a hardware token providing one-time passwords could be. I have two different kinds: Yubikey and Verisign. This was a revelation to the people interacting with customers. Banks use similar things internally, but the whole business is wrapped in secrecy on the assumption that this equals security.

All the machines I had seen before had been replaced with new compact desktop processors running Windows 10, which happens to be instrumented down to the level of collecting individual keystrokes. There have been exploits costing banks over one billion dollars on older Windows systems. I'm waiting for news of new exploits using the built-in W10 telemetry, which I'm told is now in the process of being hard-coded into essential system routines so it can't be disabled by removing separate modules. This is a disaster waiting to happen.

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#8 Post by belham2 »

Flash wrote:
bigpup wrote:...Just what info are they keeping??????????
All of it, every last bit they get their hands on. And they're keeping it forever. It costs them virtually nothing to gather and to keep, and might be worth something someday. So why not?
+1

I know firsthand (from hearing people in the industry talk) that what Flash wrote is true. And the scary part is how every week they encounter another small or mid-sized fin'l institution calling & asking to help protect their online presence, and, guess what, the data center section that deals in what they've gathered---- especially what they've gathered, and are backing up.

When they go in there, sign things to keep everything hush-hush, and then get to working, two things happen to people:

1) they get gut-sick, literally, at what they see in terms of the security protecting the fin'l institution, and what is furthermore protecting the databases of what these institutions collected & are collecting (and don't even begin to talk about the lack of "physical" on-premises security---many places are still using out-sourced data centers, and they don't even have a clue about that data center's security policy). And;

2) the amount and kind of info these fin'l institutions are logging raises the hairs on the neck supposedly...well, let's just say--for U.S. purposes--- the big data center out in the West (you should know what I am referring to) is the unwanted best friend, the un-invited guest they will not un-invite (and, for the most part, cannot)


If people (and this applies all over the world) could do just one simple thing, they'd be miles ahead---it's your responsibility what OS you log in from & what browser you use to your online fin'l sites. Most fin'l institutions, smalls up to the giants, are mostly log-in OS agnostic. Some will pitch a fit and scatter your screen making warning recommendations, but that is about it. But for heaven's sakes, among the many things you can do to protect yourself online, it is best when you go to any fin'l site you belong and/or are a customer to---completely clear everything in your browser's cache, and I mean everything!, all saved passwords and credentials from anything used across the web. That browser should be so 'pristine' it isn't even funny. Your OS should be pristine. And don't make the dumb-headed mistake of having a ton of add-ons in your browser. Run it pristine, and have a dedicated OS for this.

Who are the biggest fighters and pooh-pooh of this approach? Start with Apple and Microsoft. They know they are part of the problem, a big part, so they step the blame away and shift it onto something or somebody else.......

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#9 Post by 8Geee »

MHO is that the words "bank" and "identity security" should not exist in the same sentence, because generally they don't. It's just an advertising feel-good without disparaging remark expression. Imagine one bank A claiming its security is better than bank B. Ain't gonna happen!

regards
8Geee
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."

Moose On The Loose
Posts: 965
Joined: Thu 24 Feb 2011, 14:54

Re: What are your experiences with banks' security requirements?

#10 Post by Moose On The Loose »

Mike Walsh wrote:Afternoon, all.

Just curious as to different people's experiences with their banks' online security requirements.
With my bank, you need to input your user name and then hit a submit button and then on the new page make sure the picture you set appears and then put in your password. If this is the first time they have seen you from the browser, they may ask for one of your confirming answers instead of going to the password page.

I have thought about this for a bit and have concluded that it is a very good method for several reasons.

Someone spoofing the DNS updates or the like to get my request redirected to their server would not know the picture to put onto that second page. Since it would be a different browser and/or from a different IP range, they would get the question page back if they asked the real site.

The usual fake site is just the first page expecting that to be where the password is entered. This means that the fakers would have to do some extra work to make a fake version of my bank.

As I expected, this is all going on via HTTPS and the forms have hidden big complicated values in them so their computer can check to make sure it is really a page from them in the last few minutes that generated the POST.

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#11 Post by 8Geee »

Several banks I know of (all of them are "too big to fail" size) use click-tracking by a third party. My personal experience with one indicates that ad-blockers / redirect-killers will pop-up a warning at least, and usually refuse connection to that 3rd party. My older FF27 browser does this, and that bank throws a hissy-fit. I usually go back to login, and repeat, and no such problem. The newer FF45.8 uses different apps, and all appears well, but the connection times-out. As before login again works no problem.

I agree fully with Belham2... the security is no better than the end-user permits / does not permit. I also agree that off-line storage and browser caches should be preset to zero and/or refused. What is not there cannot be taken.

Regards
8Geee
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."

Mike Walsh
Posts: 6351
Joined: Sat 28 Jun 2014, 12:42
Location: King's Lynn, UK.

#12 Post by Mike Walsh »

@Moose On The Loose:-

My bank has a very similar procedure, AFAICT.

On the initial log-on page you enter your Customer ID (which is a 10-digit number). This then takes you to a second page, where you confirm whether a picture (chosen from a selection provided by the bank) is in fact the picture you selected. You then enter 3 characters (picked completely at random) from your 12-character password, and also 3 digits (again, picked at random) from your 8-digit Security Number.

It's quite a comprehensive system, since you need to confirm, at no less than four different stages, your identity as initially selected when setting up online banking.

The only reason I attempted what I did with the elderly version of Chrome, was to see whether or not there were any safeguards in place against using a seriously out-of-date browser, since I've read, on many occasions, of situations where banks will throw a hissy-fit if the user is not running a browser of less than a certain age.

Needless to say, I don't normally do this! I usually only perform on-line banking with a bang up-to-date version of Chrome. I also use the 'Click'n'Clean extension, which, among other things, will allow you to shut the browser down securely, clearing the cache completely in the process.


[screenshot: the Click'n'Clean extension in Chrome]


This is also available for FireFox/PaleMoon, if anyone's interested.....although the Mozilla-based version has a totally different GUI.


Mike. :wink:
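A server-side model of the two-step login described in posts #10 and #12, added here as an example and not the code of any bank or forum member: the picture is revealed only after the Customer ID, the form asks for 3 random positions of the 12-character password and 3 of the 8-digit Security Number, and the "big complicated hidden value" is an HMAC-signed, time-limited token so a POST is accepted only if this server issued that exact challenge in the last few minutes. SERVER_KEY and the customer record are constructed for the example; a real deployment would also bind the token to the session and rate-limit attempts.

```python
import base64, hashlib, hmac, json, secrets, time

SERVER_KEY = b"constructed-server-secret"   # per-deployment secret (assumption)
CHALLENGE_TTL = 300                         # a POST is accepted for 5 minutes

# Constructed sample record. A partial-credential scheme forces the bank to
# keep these secrets recoverable; they are plaintext here for illustration.
CUSTOMERS = {
    "0123456789": {"picture": "lighthouse",
                   "password": "correcthorse",      # 12 characters
                   "security_number": "24681357"},  # 8 digits
}

def _sign(body: str) -> str:
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()

def issue_challenge(customer_id, now=None):
    """Second page: the customer's picture plus which positions to type."""
    rec = CUSTOMERS.get(customer_id)
    if rec is None:
        return None
    rng = secrets.SystemRandom()
    pw_pos = sorted(rng.sample(range(12), 3))   # 3 of 12 password characters
    sn_pos = sorted(rng.sample(range(8), 3))    # 3 of 8 security-number digits
    payload = {"cid": customer_id, "pw": pw_pos, "sn": sn_pos,
               "ts": int(now if now is not None else time.time())}
    body = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
    return {"picture": rec["picture"], "pw_positions": pw_pos,
            "sn_positions": sn_pos, "token": body + "." + _sign(body)}

def verify_login(customer_id, token, pw_chars, sn_digits, now=None):
    """Accept the POST only if this server issued the challenge recently."""
    now = int(now if now is not None else time.time())
    body, _, tag = token.partition(".")
    if not tag or not hmac.compare_digest(tag, _sign(body)):
        return False                          # forged or tampered hidden value
    payload = json.loads(base64.urlsafe_b64decode(body))
    if payload["cid"] != customer_id or not 0 <= now - payload["ts"] <= CHALLENGE_TTL:
        return False                          # wrong customer or stale challenge
    rec = CUSTOMERS[customer_id]
    want = "".join(rec["password"][i] for i in payload["pw"]) + \
           "".join(rec["security_number"][i] for i in payload["sn"])
    return hmac.compare_digest(want.encode(), (pw_chars + sn_digits).encode())
```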

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

#13 Post by prehistoric »

@Mike Walsh

Your screenshot raises another question. You have many tabs open, which makes an attack via tabnabbing possible. If you are going to do on-line banking, I recommend you launch a separate instance of your browser to prevent such attacks.

Naturally, we agree that it is best to use the latest browser available with current updates. I also prefer to operate from a system booted from a DVD. This necessarily has a cleared browser cache.

I would like to use a hardware dongle providing a one-time password (OTP), but finding a bank which allows this is difficult. Even PayPal, which offered this option in the past, now tries to force customers to use two-factor authentication (2FA) depending on SMS text messages, which have known insecurities.

Approaches depending on security of mobile phone apps strike me as inherently vulnerable. A separate hardware device (which is difficult to hack without physically wrecking it) holding the secret seed from which OTPs are generated seems superior.

Anyone know a bank currently using this system?
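An added illustration (not from any poster, bank or token vendor) of the "secret seed held in a separate device" scheme prehistoric describes in posts #7 and #13: the token-side one-time-password computation from RFC 4226 (HOTP) and a bank-side verifier with a small look-ahead window so a code generated but never submitted does not lock the customer out. The seed is the RFC 4226 test-vector secret and ServerToken is a constructed model, not any bank's back end.

```python
import hashlib, hmac, struct

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value as the token computes it from its stored seed (RFC 4226)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class ServerToken:
    """Bank-side record for one customer's token: the same seed and the
    counter of the next code the server expects (constructed model)."""
    def __init__(self, seed: bytes, look_ahead: int = 5):
        self.seed, self.counter, self.look_ahead = seed, 0, look_ahead

    def verify(self, submitted: str) -> bool:
        # Codes generated but never sent (a stray button press) move the
        # token ahead; the server tolerates a small gap, then resynchronises.
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.seed, c), submitted):
                self.counter = c + 1     # this and earlier codes are now unusable
                return True
        return False                     # unknown code, or a replayed one

# RFC 4226 test-vector seed; a real token's seed never leaves the device.
RFC4226_SEED = b"12345678901234567890"
```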

watchdog
Posts: 2021
Joined: Fri 28 Sep 2012, 18:04
Location: Italy

#14 Post by watchdog »

Is it true that online banks are legally responsible for security of their account holders unless they behave in a quite negligent manner (example: phishing)?

I refer to this Italian article:

http://www.laleggepertutti.it/150690_co ... ffe-online

(you can use Google to translate it). Without this legal responsibility of the banks I would be going to close all my accounts in online banks.

Mike Walsh
Posts: 6351
Joined: Sat 28 Jun 2014, 12:42
Location: King's Lynn, UK.

#15 Post by Mike Walsh »

prehistoric wrote:@Mike Walsh

Your screenshot raises another question. You have many tabs open, which makes an attack via tabnabbing possible. If you are going to do on-line banking, I recommend you launch a separate instance of your browser to prevent such attacks.
Thanks for the heads-up. Not one that I was aware of; I shall pay a bit more attention to that in future, now that I know of it.

Cheers!


Mike. :wink:

Marv
Posts: 1264
Joined: Wed 04 May 2005, 13:47
Location: SW Wisconsin

#16 Post by Marv »

@Mike Walsh

Thanks for the Click&Clean extension tip, I wasn't aware of it. Works a treat on the slimjet 13.0.8.0 chromium deriv. I'm running.
Pups currently in kennel :D Older LxPupSc and X-slacko-4.4 for my users; LxPupSc, LxPupSc64 and upupEF for me. All good pups indeed, and all running savefiles for look'n'feel only. Browsers, etc. solely from SFS.

Mike Walsh
Posts: 6351
Joined: Sat 28 Jun 2014, 12:42
Location: King's Lynn, UK.

#17 Post by Mike Walsh »

No probs, Marv.

If you, like me, are finding it useful, all well & good..! It's handy being able to simultaneously clear the cache and shut down with a single-click.

It does help to disable the 'page-count' thing in the options (it quits after reaching 100 anyway!).....and also the notifications, too ('cos otherwise you keep getting an 'incognito' start with Click'n'Clean's advertising bumf at the same time as you start the browser itself.)

Which is annoying..!


Mike. :wink:
