[thelist] Interesting Security procedure
Ken Schaefer
Ken at adOpenStatic.com
Thu Apr 19 00:08:44 CDT 2007
Hmm,
So the security image/phrase authenticates the bank to you.
You then authenticate with your username/password and/or challenge question.
But neither stops, say, a "man in the middle" attack.
Surely PKI, or token/fob based authentication, are far superior ways of doing
this (a pity about the consumer-unfriendliness of those technologies). I
think CardSpace/Infocard may be a way to get around this though.
Cheers
Ken
-----Original Message-----
From: thelist-bounces at lists.evolt.org
[mailto:thelist-bounces at lists.evolt.org] On Behalf Of Stephen Rider
Sent: Thursday, 19 April 2007 10:03 AM
To: thelist at lists.evolt.org
Subject: [thelist] Interesting Security procedure
I logged onto my bank website today, and where the normal Username/
Password fields were, there was Username, and a link labeled "Where's my
Password?" Clicking that link took me to the following message:
START
Where's my password?
Beginning April 2007, we're releasing a Security Profile feature that
will affect the way you log in to your XXXXXXXX Online Banking(r) and
XXXXXXXX accounts. Your Security Profile will not only help us
recognize you, but also help you recognize us. With it, you'll know
that you're logging into the legitimate Harris online banking site
rather than a phony, look-alike site.
When you enter your User ID at XXXXXXXX.com and click LOG IN, we will
either:
a) Ask you to type in your Password to access Online Banking
OR
b) Ask you to type in your Password and then create a Security Profile
to access Online Banking.
Creating a Security Profile is a simple, three-step process:
1. Choose a Security Image
2. Create a Security Phrase you would associate with that image
3. Select and Answer three Challenge Questions
Each time you log into XXXXXXXX Online Banking after setting up your
Profile, we will attempt to recognize the computer and method you are
using to log in. If we do, we will show you your Security Phrase and
Security Image; this is how you are able to recognize us. Once you
have verified that it is your Security Profile, you can then enter
your Password -- and rest assured that you are logging into the
authentic XXXXXXXX.com online banking site.
If we do not recognize the computer you are using or how you are
accessing your account, we may ask you one of your challenge
questions. Only once you've answered it correctly will we show you
your Security Phrase and Security Image. You can then enter your
Online Banking password and continue logging in.
Because this is a "phased release", only a certain number of randomly
selected clients each day will be asked to set up their Security
Profile. It is expected that all clients will have been able to set
up their Profiles by late May/early June. This method allows for
optimum system availability and a better online experience.
END
I thought it was an interesting procedure.
Five minutes later I logged onto my credit card website, and that one
had a new security measure too. It detected that I was logging on
from a computer they didn't recognize as mine, so they made me
authorize the computer through a code being emailed to my address.
There was a different option to get authorization from a phone call.
I opted for the phone call, and my phone instantly rang, with a
(recorded) voice telling me an authorization code.
Just thought I would share. The technology could be anything -- I
found the methodologies interesting.
Stephen Rider
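The Security Profile login flow quoted above, modelled as an added example (not the bank's code and not from either poster): a recognised computer is one that presents an HMAC-signed cookie issued after a previous good login; an unrecognised one must answer a challenge question before the Security Image/Phrase is revealed, and only then is the password checked. User data, keys and salt are constructed sample values.

```python
import hashlib, hmac, secrets

SERVER_KEY = b"constructed-server-secret"   # signs device-recognition cookies
SALT = b"constructed-salt"                  # a real system uses a per-user salt

def pw_hash(pw: str) -> bytes:
    # Slow salted hash for the password (PBKDF2 is standard-library).
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, 100_000)

def ans_hash(ans: str) -> bytes:
    # Challenge answers are normalised (case, whitespace) before hashing.
    return pw_hash(" ".join(ans.lower().split()))

# Constructed sample account.
USERS = {"stephen": {
    "pw": pw_hash("correct horse"),
    "image": "lighthouse.png", "phrase": "Foggy harbour",
    "question": "First pet's name?", "answer": ans_hash("Rex"),
}}

def issue_device_token(user: str) -> str:
    """Cookie value set after a good login so the server can recognise the computer."""
    nonce = secrets.token_hex(8)
    tag = hmac.new(SERVER_KEY, f"{user}:{nonce}".encode(), "sha256").hexdigest()
    return f"{user}:{nonce}:{tag}"

def device_recognized(user: str, token) -> bool:
    parts = (token or "").split(":")
    if len(parts) != 3 or parts[0] != user:
        return False
    tag = hmac.new(SERVER_KEY, f"{user}:{parts[1]}".encode(), "sha256").hexdigest()
    return hmac.compare_digest(tag, parts[2])

def after_user_id(user: str, token=None) -> dict:
    """Step 1: a recognised device sees the Security Image/Phrase; others get a challenge."""
    rec = USERS[user]
    if device_recognized(user, token):
        return {"show": "profile", "image": rec["image"], "phrase": rec["phrase"]}
    return {"show": "challenge", "question": rec["question"]}

def after_challenge(user: str, answer: str) -> dict:
    """Step 2 (unrecognised device): the profile is revealed only after a correct answer."""
    rec = USERS[user]
    if hmac.compare_digest(rec["answer"], ans_hash(answer)):
        return {"show": "profile", "image": rec["image"], "phrase": rec["phrase"]}
    return {"show": "denied"}

def after_password(user: str, password: str) -> dict:
    """Step 3: verify the password; on success, remember this computer for next time.
    As Ken notes in the thread, a proxy relaying the page can forward the image too,
    so the profile step authenticates the site to the user but does not stop a MITM."""
    if hmac.compare_digest(USERS[user]["pw"], pw_hash(password)):
        return {"ok": True, "set_cookie": issue_device_token(user)}
    return {"ok": False}
```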