Misleading Banking Security

Some banks have made their online security measures more complex; to me this seems more like a way of making customers think the site is secure rather than actually making it secure. Here is the logon process of one of the banks I am talking about (many use the same type of system, so no need for names).

In short, the client goes to their bank's login page and is prompted for a million pieces of information, and the client feels safe.

  • Account number
  • Memorable data: You may enter any of the "memorable data" you have previously provided (a date, a place or a name)
    • You can choose any one of them or always use the same one; a potential attacker has 3 times as many chances to figure out this information.
    • No "funny" characters: the date is only numbers, and the place and name may only contain letters
  • 6 digit pin number
    • Yes, only digits!
    • You have to enter only 3 of the 6 digits, in a random order. To do this:
      • You have to use 3 drop-down menus, so anyone looking can see the digits while they are being entered
      • Some people tend to say their PIN out loud while counting the position of each digit
      • If you know only the first 4 digits you can still log in: every time you reload the page, the site asks for a different random 3 of the 6 digits
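To put a number on the "know only 4 of 6 digits" point above, here is a small calculation (an added example, not from the original post) showing what fraction of the random 3-of-6 challenges a given set of known positions can answer, and how small the per-challenge guess space is compared with the full PIN. The 6-digit/3-position parameters are the page's; the function names and the 0-based positions are my own.

```python
from itertools import combinations

def challenge_coverage(total_digits, asked, known_positions):
    """Fraction of possible "enter the digits at these positions" challenges
    that can be answered using only the PIN positions in known_positions.
    Positions are 0-based; the page's scheme is total_digits=6, asked=3.
    Because a fresh challenge is issued on every reload, this is also the
    chance that any single reload presents an answerable challenge."""
    known = set(known_positions)
    challenges = list(combinations(range(total_digits), asked))
    answerable = sum(1 for c in challenges if set(c) <= known)
    return answerable / len(challenges)

def guesses_per_challenge(asked, alphabet_size=10):
    """Size of the space someone with no knowledge of the PIN must search
    to answer one challenge: only the asked digits matter, not the whole PIN."""
    return alphabet_size ** asked

def coverage_table(total_digits, asked):
    """Coverage for every number k of known positions, 0..total_digits,
    to see how quickly a partial-PIN scheme degrades as digits leak."""
    return {k: challenge_coverage(total_digits, asked, range(k))
            for k in range(total_digits + 1)}

if __name__ == "__main__":
    # The page's case: 6-digit PIN, 3 positions asked, first 4 digits known.
    print(f"coverage with 4 of 6 known: {challenge_coverage(6, 3, range(4)):.2f}")
    print(f"guess space per challenge:  {guesses_per_challenge(3)} "
          f"(full 6-digit PIN: {guesses_per_challenge(6)})")
    for k, cov in coverage_table(6, 3).items():
        print(f"{k} known -> {cov:.0%} of challenges answerable")
```

With 4 of 6 digits known, one reload in five presents a challenge that can be answered, and a challenge protects only 3 digits' worth (1,000 combinations) rather than the PIN's 1,000,000; a bank that fixes the challenge to the session until a correct answer, and counts each wrong answer against a lockout, removes the free-reload advantage.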

This is probably intended as a way to bypass any keylogger that might be installed, but it is just as easy for a trojan (if not easier) to intercept data sent over HTTP/HTTPS. You can use a Firefox plugin called "HTTPFox" to see for yourself. If you have a keylogger, you might also have an HTTP logger.

All this is besides the fact that the more complicated the system, the more likely people are to write down information about their account on a sticky note glued to their computer screen.

[Figure: the entered information, highlighted, as shown by HTTPFox]

There are other things that bug me as well when buying things online; more on that later. In the meantime, we should demand that our banks let us simply choose the password we want for our accounts, I mean one that can have more than 8 characters and is not restricted to only numbers or something stupid like that.