More fallout from phishing... two-level authentication required by end of 2006


Anubis

No Lifer
Aug 31, 2001
78,712
427
126
tbqhwy.com
Originally posted by: halik
Originally posted by: lnguyen
Originally posted by: Anubis
the bank should just give everyone a fob when they get an account, have it generate a random number every 15 seconds. My sister has one of them so she can log into work from anywhere

friend's dad works for the Treasury.. or some sub-department of it, same thing. I wouldn't mind this... on top of the username password.. wouldn't want to lose it and have someone access my account with it...


RSA makes those... they call them SecurID

yeah, my sister's is an RSA, my bro-in-law has one also
 

Megadeth

Senior member
Jun 14, 2004
499
0
0
I check my bank account online all the time! How sad... I wonder if this will eventually affect online bill payments for a lot of places as well....
 

Rubycon

Madame President
Aug 10, 2005
17,768
485
126
Originally posted by: marvdmartian

Okay, what about the .00001% of us that are still in the "dark ages", and don't have a cell phone?? I have no need or desire to have one, and save $50+ a month by not having one. I used to have one, figured out one day what a waste of money it was, and had it turned off.......and I've never been happier! :D

Sorry, but I have to agree with the sentiment here that if you just spent the time, effort & money that will be spent on something stupid like this on just making people smarter and more internet/street savvy, we'd be better off. :roll:

Most people that don't have a cellphone don't use a computer. It's just an example. SecurIDs are given to those needing access to secure areas from outside networks, etc. The banks will just charge $50 for NSF checks, etc.

 

rh71

No Lifer
Aug 28, 2001
52,844
1,049
126
Originally posted by: halik
Originally posted by: lnguyen
Originally posted by: Anubis
the bank should just give everyone a fob when they get an account, have it generate a random number every 15 seconds. My sister has one of them so she can log into work from anywhere

friend's dad works for the Treasury.. or some sub-department of it, same thing. I wouldn't mind this... on top of the username password.. wouldn't want to lose it and have someone access my account with it...


RSA makes those... they call them SecurID
and obviously they cost $$$$. Seen free checking accounts being advertised? If they do these keyfobs, you won't see free anywhere anymore.
 

GeneValgene

Diamond Member
Sep 18, 2002
3,884
0
76
I think we should just use what ING uses

you have a login, and a rotating security question, and a PIN

however, to enter the PIN, you use your mouse to click on an image map that changes every time you log onto the site
 

Zenmervolt

Elite member
Oct 22, 2000
24,514
44
91
Originally posted by: MrBond
I think this is a good idea. I wouldn't mind paying for a fingerprint scanner so I could do online banking. I'm sure it'd work with more than one bank.
I had to use a fingerprint scanner for Bloomberg access when I was working in Finance. The thing worked about 50% of the time. I'll take an RSA SecurID token any day over that blasted fingerprint scanner.

ZV
 

cerebusPu

Diamond Member
May 27, 2000
4,008
0
0
Originally posted by: GeneValgene
I think we should just use what ING uses

you have a login, and a rotating security question, and a PIN

however, to enter the PIN, you use your mouse to click on an image map that changes every time you log onto the site

that would totally work. No hardware needed at all.

adding hardware means these banks will have to come up with a standard or else you'd be stuck with 6 different fingerprint scanners/keyfobs just to access all your accounts.

 

dmcowen674

No Lifer
Oct 13, 1999
54,889
47
91
www.alienbabeltech.com
We will be required to have implants for ID and tracking.

Florida Company has already been given the go-ahead to mass produce the devices by the Federal Government.

They will have enough produced to fit the entire population by Sept 2007.
 

OutHouse

Lifer
Jun 5, 2000
36,410
616
126
I think it's a great idea. Sure it costs money, but who cares, the bank will just charge us more so it all works out in the end.
 

Jzero

Lifer
Oct 10, 1999
18,834
1
0
Originally posted by: Zenmervolt
I had to use a fingerprint scanner for Bloomberg access when I was working in Finance. The thing worked about 50% of the time.

I was working there when they started implementing them. They simply bought a whole lot of substandard-quality scanners. Newer, better ones are much more reliable.
 

randomlinh

Lifer
Oct 9, 1999
20,846
2
0
linh.wordpress.com
Originally posted by: ironcrotch
I dunno about this, but BofA has had two-level account access for a while now. Works pretty well, it's just a sitekey that contains an image with a passcode.

What? I've never had 2-level login for my BoA account....
 

ironcrotch

Diamond Member
May 11, 2004
7,749
0
0
Originally posted by: lnguyen
Originally posted by: ironcrotch
I dunno about this, but BofA has had two-level account access for a while now. Works pretty well, it's just a sitekey that contains an image with a passcode.

What? I've never had 2-level login for my BoA account....

Yeah. When I originally opened my account I had to choose a picture, which was a sitekey, and that has to match up with what they provide and what my computer has on file or something. And so when I log in I enter a passcode for it.
 

spacejamz

Lifer
Mar 31, 2003
10,960
1,657
126
Originally posted by: ArmchairAthlete
How about don't be a retard and learn how to spot phishing emails.

ughh.. what a pain if this is real.

IMO, it is just a matter of time before the average person won't be able to distinguish a phishing email from the real deal...

pretty soon these phishing emails won't look anything like those nigerian scammer emails that you can spot a mile away...
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
This does not look very good at all.

Two-factor authentication is very secure, but it is also a royal pain in the neck, from both the user's and the company's perspective.

Listen up smart people - this is opportunity knocking for you to create a public authentication mechanism similar to PKI. Rich you will be.

Also RSA makes SoftID which is a software token.

But what bothers me is two factor auth (especially tokens) costs money. Who ultimately is going to pay for this?

Us.
 
D

Deleted member 4644

I think this is a GREAT idea. I have seen SecurID used at government contractors, and it didn't seem that painful to me.
 

Linux23

Lifer
Apr 9, 2000
11,374
741
126
Originally posted by: dmcowen674
We will be required to have implants for ID and tracking.

Florida Company has already been given the go-ahead to mass produce the devices by the Federal Government.

They will have enough produced to fit the entire population by Sept 2007.

cool. me first. :D
 

Mark R

Diamond Member
Oct 9, 1999
8,513
16
81
It's important to be clear what 2 factor authentication is and what it isn't.

2 factor authentication confirms your identity by checking something that you know (your password) *AND* something that you have (e.g. a smart card, security token, scratch pad).

The BofA sitekey is not a 2 factor authentication system. It is a crude version of a security certificate. It allows *you* to trust the site (so you can easily spot a phishing scam, because it provides the wrong sitekey image). (The SSL certificate used to encrypt a web request does the same thing, but is less user friendly - and most people will just ignore warnings anyway. However, I am more than happy verifying the authenticity of my online banking site by checking the cert).

My bank provided me with an RSA SecurID calculator. It's a credit-card-sized calculator. You type your PIN number into the machine. It then calculates a passcode, which you then provide to the web site. This avoids the need ever to type your PIN number directly, and prevents your PIN from being captured by phishing.

You can just as easily use a scratch pad, although there have been successful phishing attacks against scratch pads. A phishing site asks for your login, password and scratch card code. It simply replies 'Login incorrect'. You try the next scratch code. 'Login incorrect'. Each time, they get a fresh unused scratch card code.

No 2 factor scheme will stop a 'man in the middle' attack - basically, a phisher redirects all accesses to the main bank web site. However, they can spy on transactions, and mix their own commands with legitimate ones. These attacks, because they are opportunist only, are much less serious than attacks that compromise authentication.

Whether you agree with the legal requirement for 2 factor authentication or not - it is the only effective way to stop phishing scams.

At present, banks could potentially avoid liability for online banking fraud if you reveal your login credentials - while this is the case, the banks have little motivation to provide expensive secure authentication. Changing this law to make them liable for all online banking fraud would likely have a similar effect - unable to pass losses onto the customer directly, they would likely implement a more secure system in order to limit these losses.
 

kami333

Diamond Member
Dec 12, 2001
5,110
2
76
My Japanese bank account already has something like that, a physical card that has a row of numbers that I have to verify against the numbers that they show me on screen.

My Danish bank has a two-level system: the first time you log in it downloads a key, and from then on, if you want to use any features other than just checking the balance, you have to either use the same computer or deauthenticate it first.
 

mugs

Lifer
Apr 29, 2003
48,920
46
91
Originally posted by: C6FT7
Tumbling passwords sent out to a cellphone every five minutes. When you need to log on, grab phone and enter code from phone. Lose phone or phone goes dead = no access.

How would it be sent? Text message? I do NOT want that.

I don't really like this... because people are stupid enough to fall for phishing scams, they're putting a huge burden on the banks and the general public. How about some personal responsibility instead?

I assume this will apply to credit card accounts as well? Jeesh, I'm going to have to keep a huge stash of scratch-off cards/SecurIDs/whatever with me all the time.

I like ING Direct's authentication method - account number, PIN, and a piece of personal information that changes each time you visit the page - i.e. first 3 digits of social security, etc.
 

mugs

Lifer
Apr 29, 2003
48,920
46
91
Originally posted by: Mark R
At present, banks could potentially avoid liability for online banking fraud if you reveal your login credentials - while this is the case, the banks have little motivation to provide expensive secure authentication. Changing this law to make them liable for all online banking fraud would likely have a similar effect - unable to pass losses onto the customer directly, they would likely implement a more secure system in order to limit these losses.

You say "pass losses onto the consumers" as if they're actually doing that. They're not passing any losses on, they're the consumers' own losses to begin with.
 

tami

Lifer
Nov 14, 2004
11,588
3
81
when i did content management for a big online company, i was required to use a SecurID. it was a nifty device which had a six-digit number that changed every 60 seconds. you basically had to enter that number when you logged in before it changed. if you were off by one second, you'd be denied access and would have to try again with the new number that was generated.

i thought that was a great idea (and this was in 1997 or so). it's too bad that it takes years of identity theft for people to recognize the importance of such devices.
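Mark R's post above describes a PIN-plus-token passcode (the PIN goes into the device, never into the web site), and tami's post describes a six-digit code that rotates every 60 seconds. The block below is an added example written for this thread; it is not code from any poster and it is not RSA's SecurID algorithm, which is proprietary. It uses a generic HMAC-based time-step construction in the spirit of RFC 6238 (TOTP), with the PIN folded into the HMAC input as an assumption of this example. The bank-side verifier tolerates one window of clock drift on either side (a design choice here; tami's token was stricter) and never accepts a window at or before the last one it accepted, so a passcode that a phishing page captures is only good within its own window and not a second time. The seed, PIN and timestamps are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constructed sample parameters: a 60-second window and six digits, as in tami's description.
STEP_SECONDS = 60
DIGITS = 6


def time_step(unix_time, step_seconds=STEP_SECONDS):
    """Map a Unix timestamp to the counter of the window it falls in."""
    return int(unix_time) // step_seconds


def passcode(seed, pin, step_counter, digits=DIGITS):
    """Token side: derive the passcode the device shows for one window.

    The PIN typed into the device is folded into the HMAC input, so the passcode
    depends on something you know (PIN) and something you have (the seed inside
    the token), and the PIN itself never leaves the device. This construction is
    an assumption of the example, not RSA's algorithm.
    """
    message = struct.pack(">Q", step_counter) + pin.encode("utf-8")
    mac = hmac.new(seed, message, hashlib.sha1).digest()
    # Dynamic truncation as in RFC 4226: take 4 bytes at an offset given by the last nibble.
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


class TokenVerifier:
    """Bank side: holds the same seed and PIN and checks a submitted passcode."""

    def __init__(self, seed, pin, skew_steps=1):
        self.seed = seed
        self.pin = pin
        self.skew_steps = skew_steps        # windows of clock drift tolerated either side
        self.last_accepted_step = None      # replay guard: every window is usable once

    def verify(self, candidate, unix_time):
        now = time_step(unix_time)
        for delta in range(-self.skew_steps, self.skew_steps + 1):
            step = now + delta
            # A window at or before the last accepted one is never accepted again,
            # so a captured passcode cannot be replayed after the legitimate login.
            if self.last_accepted_step is not None and step <= self.last_accepted_step:
                continue
            expected = passcode(self.seed, self.pin, step)
            if hmac.compare_digest(expected, candidate):
                self.last_accepted_step = step
                return True
        return False


def demo():
    """Walk one verifier through a stale code, a real login, a replay, a wrong PIN and drift."""
    seed = b"constructed-token-seed-not-a-real-one"   # constructed sample seed
    pin = "1234"                                       # constructed sample PIN
    t0 = 1_000_000                                     # constructed sample timestamp
    bank = TokenVerifier(seed, pin)
    step0 = time_step(t0)
    code = passcode(seed, pin, step0)                  # what the device displays at t0

    results = {}
    # A code captured three windows ago is outside the +/-1 window tolerance.
    results["stale"] = bank.verify(passcode(seed, pin, step0 - 3), t0)
    # First use of the current code, inside its window.
    results["legitimate"] = bank.verify(code, t0 + 5)
    # The same code presented again a few seconds later: the window is spent.
    results["replay"] = bank.verify(code, t0 + 20)
    # Right seed, wrong PIN: the passcode is different and is rejected.
    results["wrong_pin"] = bank.verify(passcode(seed, "0000", step0 + 2), t0 + 2 * STEP_SECONDS)
    # A device running one window ahead of the bank clock is still accepted.
    results["drift_one_window"] = bank.verify(passcode(seed, pin, step0 + 4), t0 + 3 * STEP_SECONDS)
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:>17}: {'accepted' if accepted else 'rejected'}")
```

The replay guard is the piece that addresses the 'man in the middle' caveat in Mark R's post only partially: a phisher who relays a freshly captured passcode to the bank before the customer's own login completes still wins the race, which is why the window is kept short and why transaction signing, rather than login codes alone, is the stronger answer.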
 

mugs

Lifer
Apr 29, 2003
48,920
46
91
Originally posted by: tami
when i did content management for a big online company, i was required to use a SecurID. it was a nifty device which had a six-digit number that changed every 60 seconds. you basically had to enter that number when you logged in before it changed. if you were off by one second, you'd be denied access and would have to try again with the new number that was generated.

i thought that was a great idea (and this was in 1997 or so). it's too bad that it takes years of identity theft for people to recognize the importance of such devices.

I use them at work too, unfortunately they look pretty expensive... ~$50 each for 3 years. That cost would have to be passed on to consumers either directly or indirectly. I have 6-7 accounts that I access online regularly, I don't want to pay $300 because people have been living in a cave and can't recognize a phishing scam.