More fallout from phishing... two-level authentication required by end of 2006

kranky

Elite Member
Oct 9, 1999
By the end of 2006, you won't be able to log on to your bank's site with just a username and password.

Banks are required to implement two-level authentication, meaning that not only will you have to supply a username and password, but you also will have to use a second method to keep phishers from accessing people's accounts.

There are a number of different methods that will satisfy the requirement.
- Card readers which generate a password when a card is swiped
- Tokens, which can plug into a USB port
- Password generators that create one-time use passwords
- Fingerprint or retinal scanner
- Scratch-off cards that have a series of one-time use passwords

The bank gets to choose the method that will be used.

I feel bad for people who have accounts at multiple banks.
 

Kipper

Diamond Member
Feb 18, 2000
Source?

I wonder who's going to pay for this...something tells me consumers will pick up the tab.
 

Specop 007

Diamond Member
Jan 31, 2005
Most of that sounds like a hardware solution, which I imagine will cause a bit of a fuss from the general public. I know I personally do NOT want to pay for additional hardware just to access my account online.
Also, what about other financial services online, such as ING or Scottrade or an IRA account?
 

Mardeth

Platinum Member
Jul 24, 2002

"Scratch-off cards that have a series of one-time use passwords." Been using something like that for years already. No problems...
 

Rubycon

Madame President
Aug 10, 2005
Tumbling passwords sent out to a cellphone every five minutes. When you need to log on, grab phone and enter code from phone. Lose phone or phone goes dead = no access.
 

MrBond

Diamond Member
Feb 5, 2000
Originally posted by: Mardeth

"Scratch-off cards that have a series of one-time use passwords." Been using something like that for years already. No problems...
Sounds like something you'd need to activate a nuclear bomb :shocked:

I think this is a good idea. I wouldn't mind paying for a fingerprint scanner so I could do online banking. I'm sure it'd work with more than one bank.

That'd also sort of eliminate the need for the password - unless the phishers start cutting off fingers or something (apparently it IS the Russian mafia behind a lot of it...)

 

Kelemvor

Lifer
May 23, 2002
Like the banks are going to shell out to give every one of their customers a VPN type token or a USB key or something. So much for FREE online banking if they have to do that crap.
 

yllus

Elite Member & Lifer
Aug 20, 2000
Doh. Guess I won't be checking my account balance from work anymore.
 

arcas

Platinum Member
Apr 10, 2001
- Card readers which generate a password when a card is swiped
- Tokens, which can plug into a USB port
- Password generators that create one-time use passwords


If these are standalone, then it's not too bad. Lots of corporate VPNs use standalone keyfobs which generate new PINs every 30 seconds or so. Standalone is good because it doesn't lock you into using a particular computer or a particular operating system.

The plug-into-a-USB port or card readers (which are presumably plugged into the computer) are bad because drivers for said device may not exist on the computer you're using. For example, as I recall, the old defunct Amex blue smartcard offered an optional card reader and app that generated new one-time CC numbers. This setup only worked for Windows (and maybe Mac) so BSD/Linux/BeOS/etc users were stuck using the online number generator on Amex's website.

Standalone is good. Dongles and other hardware-software combinations that rely on a host computer are bad.
 

NeoPTLD

Platinum Member
Nov 23, 2001
I say a little calculator-like device which you put a number into and which spits out another number that you type into the computer works well. I've seen something like this used for a corporate network access password.
 

marvdmartian

Diamond Member
Apr 12, 2002
Originally posted by: C6FT7
Tumbling passwords sent out to a cellphone every five minutes. When you need to log on, grab phone and enter code from phone. Lose phone or phone goes dead = no access.

Okay, what about the .00001% of us that are still in the "dark ages", and don't have a cell phone?? I have no need or desire to have one, and save $50+ a month by not having one. I used to have one, figured out one day what a waste of money it was, and had it turned off.......and I've never been happier! :D

Sorry, but I have to agree with the sentiment here that if you just spent the time, effort & money that will be spent on something stupid like this on just making people smarter and more internet/street savvy, we'd be better off. :roll:
 

KK

Lifer
Jan 2, 2001
This is stupid, who's pushing this idea? Must be the government. Leave it up to the government to fvck something up. We should line up all the politicians and execute them.
 

Anubis

No Lifer
Aug 31, 2001
the bank should just give everyone a FOB when they get an account, have it generate a random number every 15 seconds, my sister has one of them so she can log into work from anywhere
 

skace

Lifer
Jan 23, 2001
Why is this so stupid? I wouldn't mind having a USB dongle. Although I hadn't thought of driver issues yet. But I was sort of hoping it would be a stand alone dongle, plug it in and it recognizes it as some sort of read only drive with special data on it / whatever. That would eliminate the possibility for anyone ever getting into your account (supposedly).

Now I'm not a "stupid user" but there is always a possibility that someone gets my PIN somehow, possibly through a new exploit that hasn't been patched that backdoored my machine and put a keylogger on. So if a cheap dongle can completely prevent that, I don't see what is wrong.
 

rh71

No Lifer
Aug 28, 2001
... and you thought the ING Direct "type the letters corresponding to your PIN" authentication was a PITA... this sounds like it will be much more troublesome.
 

randomlinh

Lifer
Oct 9, 1999
Originally posted by: Anubis
the bank should just give everyone a FOB when they get an account, have it generate a random number every 15 seconds, my sister has one of them so she can log into work from anywhere

friend's dad works for the treasury.. or some sub department of it, same thing. I wouldn't mind this... on top of the username password.. wouldn't want to lose it and have someone access my account with it...
 

halik

Lifer
Oct 10, 2000
Originally posted by: kranky
By the end of 2006, you won't be able to log on to your bank's site with just a username and password.

Banks are required to implement two-level authentication, meaning that not only will you have to supply a username and password, but you also will have to use a second method to keep phishers from accessing people's accounts.

There are a number of different methods that will satisfy the requirement.
- Card readers which generate a password when a card is swiped
- Tokens, which can plug into a USB port
- Password generators that create one-time use passwords
- Fingerprint or retinal scanner
- Scratch-off cards that have a series of one-time use passwords

The bank gets to choose the method that will be used.

I feel bad for people who have accounts at multiple banks.


There needs to be a standardized and centralized interface for all banks. If they agree on one protocol and one centralized spot to log onto all banks, it won't be an issue. That and stop sending email announcements with links of any kind. If people know that banks will never send anything clickable, they won't be an issue.
 

halik

Lifer
Oct 10, 2000
Originally posted by: lnguyen
Originally posted by: Anubis
the bank should just give everyone a FOB when they get an account, have it generate a random number every 15 seconds, my sister has one of them so she can log into work from anywhere

friend's dad works for the treasury.. or some sub department of it, same thing. I wouldn't mind this... on top of the username password.. wouldn't want to lose it and have someone access my account with it...


RSA makes those... they call them SecurID
 

ironcrotch

Diamond Member
May 11, 2004
I dunno about this, but BofA has had two level account access for a while now. Works pretty well, it's just a sitekey that contains an image with a passcode.