Misleading Banking Security

Some banks have complexified their online security measures, to me this seems more like a way of making the consumers think it's secure rather than actually being secure. Here is the logon process of one of the banks I am talking about (there are many that use the same type of system so no need for names).

In short the client goes to their bank's login page and is prompted for a million pieces of information, the client feels safe.

  • Account number
  • Memorable data: You may enter any of the "memorable data" you have previously provided (a date, a place or a name)
    • You can chose any one or always use the same, a potential attacker will have 3 times more chances to figure out this information.
    • No "funny" characters, date is only numbers, place and name should only contain letters
  • 6 digit pin number
    • Yes, only digits !!
    • You have to enter only 3 of the 6 digits and in a random order. To do this:
      • You have to use 3 drop down menus, anyone looking can see the digits while they are being entered
      • Some people tend to pronounce their pin number out loud while counting the position of each digit
      • If you know only the first 4 digits you can still enter, every time you reload the page the site asks for a random 3 of the 6 digits

This is probably intended as a way to bypass any possibly installed keylogger, it is just as easy for a trojan (if not easier) to intercept data sent over http/https. You can use a Firefox plugin called "HTTPFox" to see for yourself. If you have a keylogger, you might also have an http logger.

All this is besides the fact that the more complicated the system the more chances people will write down information about their account on a sticky note glued to their computer screen... ..

Highlighted is the entered information shown by HTTPFox

There are other things that bug me as well when buying things online, more on that later... In the meantime, we should require from our banks the possibility to simply chose the password we want for our accounts, I mean one that can have more than 8 characters and that is not restricted to only numbers or something stupid like that.


Nux - http://www.nux.ro

Yeah, it's all about the appearence. I think this is a general problem, not only with banks. True security requires harder work and a way to educate people.


What a crappy idea.
My bank also does that kind of security: you can transfer money to someone only after you have entered his/her account details and waited for 7 days. AND also, to buy something online and for every transaction you make with your card you now have to use a little machine, by the size of a calculator, to generate a supplementary challenge response code... But in reality the algorithm of the cards is bad and attackers can generate banking card numbers on the fly, why wouldn't they be able to generate a response code, too, without even having this machine?
All that stuff only makes online banking more difficult. But I guess this shows how much money must get lost this way, as the banks have to cover the costs for that kind of thing.
However, _your_ bank seems to be inciting people to commit fraud.. ;)
Leave a comment
You may use the following HTML tags: <p> <a> <strong> <b> <em> <i> <cite> <blockquote> <code> <pre>

Your comments WILL NOT be submitted to any third party (not even for anti spam verification).