[thelist] Interesting Security procedure

Ken Schaefer Ken at adOpenStatic.com
Thu Apr 19 00:08:44 CDT 2007


Hmm,

So the security image/phrase authenticates the bank to you.
You then authenticate with your username/password and/or challenge question.

But neither stops, say, a "man in the middle" attack.

Surely PKI, or token/fob based authentication, are far superior ways of doing
this (a pity about the consumer-unfriendliness of those technologies). I
think CardSpace/Infocard may be a way to get around this though.

Cheers
Ken

-----Original Message-----
From: thelist-bounces at lists.evolt.org
[mailto:thelist-bounces at lists.evolt.org] On Behalf Of Stephen Rider
Sent: Thursday, 19 April 2007 10:03 AM
To: thelist at lists.evolt.org
Subject: [thelist] Interesting Security procedure

I logged onto my bank website today, and where the normal Username/Password
fields were, there was Username, and a link labeled "Where's my
Password?" Clicking that link took me to the following message:

START
  Where's my password?

Beginning April 2007, we're releasing a Security Profile feature that  
will affect the way you log in to your XXXXXXXX Online Banking(r) and  
XXXXXXXX accounts. Your Security Profile will not only help us  
recognize you, but also help you recognize us. With it, you'll know  
that you're logging into the legitimate Harris online banking site  
rather than a phony, look-alike site.

When you enter your User ID at XXXXXXXX.com and click LOG IN, we will  
either:

a) Ask you to type in your Password to access Online Banking

OR

b) Ask you to type in your Password and then create a Security Profile
to access Online Banking.

Creating a Security Profile is a simple, three-step process:
	1. Choose a Security Image
	2. Create a Security Phrase you would associate with that image
	3. Select and Answer three Challenge Questions

Each time you log into XXXXXXXX Online Banking after setting up your  
Profile, we will attempt to recognize the computer and method you are  
using to log in. If we do, we will show you your Security Phrase and  
Security Image; this is how you are able to recognize us. Once you  
have verified that it is your Security Profile, you can then enter  
your Password -- and rest assured that you are logging into the  
authentic XXXXXXXX.com online banking site.

If we do not recognize the computer you are using or how you are  
accessing your account, we may ask you one of your challenge  
questions. Only once you've answered it correctly will we show you  
your Security Phrase and Security Image. You can then enter your  
Online Banking password and continue logging in.

Because this is a "phased release", only a certain number of randomly  
selected clients each day will be asked to set up their Security  
Profile. It is expected that all clients will have been able to set  
up their Profiles by late May/early June. This method allows for  
optimum system availability and a better online experience.

END


I thought it was an interesting procedure.

Five minutes later I logged onto my credit card website, and that one
had a new security measure too. It detected that I was logging on
from a computer they didn't recognize as mine, so they made me
authorize the computer through a code being emailed to my address.
There was a different option to get authorization from a phone call.
I opted for the phone call, and my phone instantly rang, with a
(recorded) voice telling me an authorization code.

Just thought I would share.  The technology could be anything -- I  
found the methodologies interesting.

Stephen Rider
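The login sequence quoted above (the Security Image/Phrase shown only to a recognized computer, a Challenge Question first for an unrecognized one, and the password taken only after the profile has been shown), modelled in Python as an added example; this is not code from the thread or from any bank, and the question strings, hashing choices and device-token scheme are assumptions.

```python
import hashlib
import hmac
import secrets

def _hash(secret, salt):
    # Same slow hash for the password and for challenge answers.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def _norm(answer):
    return " ".join(answer.lower().split())  # answers compare case/space-insensitively

class SecurityProfileLogin:
    # Recognized device: show image/phrase, then take the password.
    # Unrecognized device: challenge question first, then image/phrase, then password.
    def __init__(self):
        self.users, self.pending = {}, {}  # pending: user_id -> login step reached

    def enroll(self, user_id, password, image, phrase, qa):
        salt = secrets.token_bytes(16)
        self.users[user_id] = {"salt": salt, "pw": _hash(password, salt),
                               "image": image, "phrase": phrase, "devices": set(),
                               "qa": {q: _hash(_norm(a), salt) for q, a in qa.items()}}

    def start(self, user_id, device_token=None):
        u = self.users[user_id]
        if device_token in u["devices"]:  # device remembered from an earlier full login
            self.pending[user_id] = "profile_shown"
            return ("show_profile", u["image"], u["phrase"])
        question = secrets.choice(list(u["qa"]))
        self.pending[user_id] = ("challenge", question)
        return ("challenge", question)

    def answer_challenge(self, user_id, answer):
        u, state = self.users[user_id], self.pending.get(user_id)
        if not (isinstance(state, tuple) and state[0] == "challenge"):
            return ("denied",)
        if not hmac.compare_digest(u["qa"][state[1]], _hash(_norm(answer), u["salt"])):
            self.pending.pop(user_id, None)  # wrong answer: start over, show nothing
            return ("denied",)
        self.pending[user_id] = "profile_shown"
        return ("show_profile", u["image"], u["phrase"])

    def enter_password(self, user_id, password):
        u = self.users[user_id]
        if self.pending.pop(user_id, None) != "profile_shown":
            return ("denied",)  # password is only accepted after the profile was shown
        if not hmac.compare_digest(u["pw"], _hash(password, u["salt"])):
            return ("denied",)
        token = secrets.token_urlsafe(32)
        u["devices"].add(token)
        return ("ok", token)  # the client stores the token to be recognized next time
```

Note that the site reveals the image and phrase to whichever client presents a remembered token or a correct challenge answer, not to a person, which is the gap Ken points at: a relay between the user and the bank is shown the same profile.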