Online Banking Security. Isn't that a pretty picture...

Kelemvor

Well who's the genius that thought up this idea.

Anyone have a bank that has adopted this new login system where you get to pick a pretty picture to represent your account to know it's legit? Ooo. How cool.

So I put my ID in on one screen, then on the next screen I get to see my very own, personally chosen picture. Then because I see the pretty picture I am guaranteed that this is a legit site and someone isn't phishing for my info. Well golly gee, I feel so much safer now.

I don't know what the people who designed this were smoking but I wish they'd share.

Don't you think if someone is stupid enough to click a link in an email and put their login info into the wrong website that they probably won't remember their pretty picture anyway? Or they won't realize they are supposed to look for the pretty picture and will log right into the fake site anyway?

So now they just make things more inconvenient for everyone else by making people think they are real secure.

And of course, now my Money software can no longer download my info from the bank because it's not set up with that new pretty picture login system so it won't talk.

*sigh* Oh well. Gotta protect everyone because of the failings of the few, the idiotic, the dumb. ;)

Ah well.
 

Queasy

Bank of America right? That bit drove me up the wall.
 

DBL

It's just meant to be an added layer of security which has become mandatory for banking services. Besides, from what I have seen, a lot of these sites could use a little extra security (beyond UN and PW). While there are more secure methods than showing you a picture, it requires 0 extra time on your part. So, why exactly are you complaining?

 

thirtythree

Originally posted by: DBL
It's just meant to be an added layer of security which has become mandatory for banking services. Besides, from what I have seen, a lot of these sites could use a little extra security (beyond UN and PW). While there are more secure methods than showing you a picture, it requires 0 extra time on your part. So, why exactly are you complaining?

It requires a little extra time. Have to load an extra page.
 

mugs

It's not really much of an inconvenience. After the first time I login with a particular computer, I can indicate that it is "safe" and I no longer have to go through that step with that computer.
 

Imported

The company I pay my student loan online through gave me a security question that I never even requested or knew how to answer. They wanted to know my first niece's name, and I have no nieces. :confused:

Had to call them up and they had to cancel my account and have me re-register.. but I got a pretty picture now too!
 

j00fek

it's called multi-factor authentication

we are currently implementing it into 55 credit unions here
 

Kelemvor

Originally posted by: DBL
It's just meant to be an added layer of security which has become mandatory for banking services. Besides, from what I have seen, a lot of these sites could use a little extra security (beyond UN and PW). While there are more secure methods than showing you a picture, it requires 0 extra time on your part. So, why exactly are you complaining?

Because it broke my MS Money as I pointed out. Used to be able to login and download my stuff right into money. Now I have to login to the bank's site and do an Export of the file and then import it into Money. It's extra time and extra work. Besides the point that it's retarded and doesn't really offer me any security at all. Any phishing site could show you a picture and some of the time it will be the right one.

And it really doesn't help me at all. It only assures that when I'm on the right site to start with, that I'm really on the right site. It doesn't do anything to help people who click a link from their email because they probably won't notice that their pretty picture isn't there anyway.
 

Mark R

I dunno. It seems like a sensible idea - one of the problems with authentication of any kind, is how you tell who you're talking to. When you 'phone the bank, they ask you for your security details, but how do you know you are really talking to the bank?

The problem with this system is that it breaks things, and that there already is a system in place which does this. The security certificate for the website will be verified by your browser, and you will be warned if it is invalid, or suspect. The problem is that the message is often cryptic and may not be understood - but if you ignore the warning, you will still get a connection that is 'visibly secure' - in other words, the padlock icon will appear and everything looks good.

It's all well and good moaning about the ignorance of people caught up in phishing scams. Not everyone is as net-wise as you. But what about pharming scams? They happen occasionally, there's nothing you can do to avoid them. You type https://www.myonlinebank.com and you go straight to the hacker's site. How many people would understand the implication of the 'unverified certificate' as being the only sign of the scam? Would you? Would your grandma? As people do become more and more aware of phishing, the scammers are working harder to try and execute pharming attacks. There have already been a significant number of pharming attacks on banking sites - usually with a trojan on the user's PC which intercepts web traffic and redirects it, but there have been some recorded cases of vulnerabilities in ISPs' systems leaving their customers vulnerable.

The point is that this is a genuine security measure. Visa does exactly the same thing (except with a 'passphrase' rather than a picture) for online CC payments. I think, that as scams become more aggressive and frequent, that we will end up seeing more of these.

Either that, or set web browser defaults to reject secure connections where the certificate can't be validated - rather than prompt the user. The problem then is, who deals with the technical support.

Someone really needs to make an effort to get smartcard authentication out to the general public - A 2 factor system with mutual authentication. The PIN is no use without the card, and the card will only talk to its authorized provider.

 

DBL

Originally posted by: Kelemvor
Originally posted by: DBL
It's just meant to be an added layer of security which has become mandatory for banking services. Besides, from what I have seen, a lot of these sites could use a little extra security (beyond UN and PW). While there are more secure methods than showing you a picture, it requires 0 extra time on your part. So, why exactly are you complaining?

Because it broke my MS Money as I pointed out. Used to be able to login and download my stuff right into money. Now I have to login to the bank's site and do an Export of the file and then import it into Money. It's extra time and extra work. Besides the point that it's retarded and doesn't really offer me any security at all. Any phishing site could show you a picture and some of the time it will be the right one.

And it really doesn't help me at all. It only assures that when I'm on the right site to start with, that I'm really on the right site. It doesn't do anything to help people who click a link from their email because they probably won't notice that their pretty picture isn't there anyway.

It's been known for a while that banks were required to implement additional security and the banks I deal with all notified me in advance. Personally, I'd be asking MS since they likely had ample lead time to ensure that this did not happen.



 

Kelemvor

Originally posted by: DBL
Originally posted by: Kelemvor
Originally posted by: DBL
It's just meant to be an added layer of security which has become mandatory for banking services. Besides, from what I have seen, a lot of these sites could use a little extra security (beyond UN and PW). While there are more secure methods than showing you a picture, it requires 0 extra time on your part. So, why exactly are you complaining?

Because it broke my MS Money as I pointed out. Used to be able to login and download my stuff right into money. Now I have to login to the bank's site and do an Export of the file and then import it into Money. It's extra time and extra work. Besides the point that it's retarded and doesn't really offer me any security at all. Any phishing site could show you a picture and some of the time it will be the right one.

And it really doesn't help me at all. It only assures that when I'm on the right site to start with, that I'm really on the right site. It doesn't do anything to help people who click a link from their email because they probably won't notice that their pretty picture isn't there anyway.

It's been known for a while that banks were required to implement additional security and the banks I deal with all notified me in advance. Personally, I'd be asking MS since they likely had ample lead time to ensure that this did not happen.

I already have MS working on it. Problem is the bank knew they were going to do it but apparently never passed that info on to MS so they could update their software. Hopefully they get it figured out eventually.
 

FreshPrince

Originally posted by: Kelemvor
Well who's the genius that thought up this idea.

Anyone have a bank that has adopted this new login system where you get to pick a pretty picture to represent your account to know it's legit? Ooo. How cool.

So I put my ID in on one screen, then on the next screen I get to see my very own, personally chosen picture. Then because I see the pretty picture I am guaranteed that this is a legit site and someone isn't phishing for my info. Well golly gee, I feel so much safer now.

I don't know what the people who designed this were smoking but I wish they'd share.

Don't you think if someone is stupid enough to click a link in an email and put their login info into the wrong website that they probably won't remember their pretty picture anyway? Or they won't realize they are supposed to look for the pretty picture and will log right into the fake site anyway?

So now they just make things more inconvenient for everyone else by making people think they are real secure.

And of course, now my Money software can no longer download my info from the bank because it's not set up with that new pretty picture login system so it won't talk.

*sigh* Oh well. Gotta protect everyone because of the failings of the few, the idiotic, the dumb. ;)

Ah well.

um...that's a good thing....

if you were phished, you would know because they would not be able to supply the correct image, therefore a telling sign that you've been phished and you should not input any more information, including passwords. that's you authenticating the site, and it's something better than 2 factor authentication me thinks.

 

DBL

Originally posted by: Kelemvor
I already have MS working on it. Problem is the bank knew they were going to do it but apparently never passed that info on to MS so they could update their software. Hopefully they get it figured out eventually.

..or so says MS
 

smack Down

Originally posted by: FreshPrince
Originally posted by: Kelemvor
Well who's the genius that thought up this idea.

Anyone have a bank that has adopted this new login system where you get to pick a pretty picture to represent your account to know it's legit? Ooo. How cool.

So I put my ID in on one screen, then on the next screen I get to see my very own, personally chosen picture. Then because I see the pretty picture I am guaranteed that this is a legit site and someone isn't phishing for my info. Well golly gee, I feel so much safer now.

I don't know what the people who designed this were smoking but I wish they'd share.

Don't you think if someone is stupid enough to click a link in an email and put their login info into the wrong website that they probably won't remember their pretty picture anyway? Or they won't realize they are supposed to look for the pretty picture and will log right into the fake site anyway?

So now they just make things more inconvenient for everyone else by making people think they are real secure.

And of course, now my Money software can no longer download my info from the bank because it's not set up with that new pretty picture login system so it won't talk.

*sigh* Oh well. Gotta protect everyone because of the failings of the few, the idiotic, the dumb. ;)

Ah well.

um...that's a good thing....

if you were phished, you would know because they would not be able to supply the correct image, therefore a telling sign that you've been phished and you should not input any more information, including passwords. that's you authenticating the site, and it's something better than 2 factor authentication me thinks.

What is to prevent the phishing site from asking the bank website what is the pretty picture for the supplied user name?
 

Dunbar

Originally posted by: Kelemvor
Because it broke my MS Money as I pointed out. Used to be able to login and download my stuff right into money. Now I have to login to the bank's site and do an Export of the file and then import it into Money.

Switch to Quicken, I'm still able to download transactions from BoA :) I didn't even know what that stupid picture was for. How many people are going to make their passcode the name of the little picture they just selected? Not exactly an improvement in security if you ask me...

I just logged into the BoA site from a new computer I built and it said that it didn't recognize the computer (a Vista box) and asked me a bunch of security questions to which I apparently answered wrong so they locked my account...

 

Dunbar

Originally posted by: smack Down
What is to prevent the phishing site from asking the bank website what is the pretty picture for the supplied user name?

Nothing but it would be a lot harder than just sending out a bunch of SPAM hoping a few people are dumb enough to log into their bogus site.

 

spidey07

I always check the picture. This is a GOOD thing and pretty difficult if not impossible to scam/phish, etc.

Better than your bank issuing you tokens or a smartcard.
 

iamaelephant

I don't get how this works - you put your username and password in first, then you see the picture? So if it is a phishing scam, you only realise after you have given them your username and password? Errr... isn't the point of a phishing scam to get these details? So this just alerts you after the fact that some unsavoury individual has your details?
 

Skotty

When I first tried using online banking at Bank of America, I tried to enter a 10 digit passcode. The website wouldn't let me because it was too long. lol. I had to shorten it to about 7. I think they have fixed that now though.
 

Kelemvor

Originally posted by: iamaelephant
I don't get how this works - you put your username and password in first, then you see the picture? So if it is a phishing scam, you only realise after you have given them your username and password? Errr... isn't the point of a phishing scam to get these details? So this just alerts you after the fact that some unsavoury individual has your details?

No. You give them your username on one screen. Then you click Submit.
Then on the next screen they show you a pretty picture.
If you recognize the pretty picture as being the same pretty picture you chose when you signed up for the server, then you are assured you are at the right site.
Then you enter your password and get in to the system.

However, I have accounts at a couple banks and I have no idea what picture I chose at which bank. So if I was stupid enough to click a link in an email or something, as long as they showed me any picture, I'd probably assume it was the right picture and go through anyway. I guess the system is just too sophisticated for me...
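
Added example, not part of the original posts and not any bank's actual code: a server-side model of the two-screen login described above, combined with the "safe computer" step that mugs and Dunbar mention, showing that a bare username sent from an unrecognised machine gets a challenge question rather than the picture. The account data, cookie format and function names are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # hypothetical per-deployment secret
# Constructed sample account; field names are assumptions for this example.
USERS = {"alice": {"image": "sailboat.png", "challenge_answer": "rex"}}


def _mac(username: str, device_id: str) -> str:
    msg = f"{username}|{device_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_device_token(username: str) -> str:
    """Cookie value set when the user marks a computer as 'safe'."""
    device_id = secrets.token_hex(8)
    return f"{device_id}.{_mac(username, device_id)}"


def device_is_recognised(username: str, cookie) -> bool:
    if not cookie or "." not in cookie:
        return False
    device_id, mac = cookie.split(".", 1)
    return hmac.compare_digest(mac.encode(), _mac(username, device_id).encode())


def submit_username(username: str, cookie=None) -> dict:
    """Screen 1: username only. Decides what screen 2 may show."""
    user = USERS.get(username)
    if user and device_is_recognised(username, cookie):
        return {"show": "image", "image": user["image"]}
    # Unknown device or unknown username: identical response, no image.
    return {"show": "challenge"}


def answer_challenge(username: str, answer: str) -> dict:
    """Unrecognised device: the image is released only after the question."""
    user = USERS.get(username)
    expected = user["challenge_answer"] if user else ""
    given = answer.strip().lower()
    if not user or not hmac.compare_digest(given.encode(), expected.encode()):
        return {"show": "denied"}
    return {"show": "image", "image": user["image"],
            "set_cookie": issue_device_token(username)}
```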
 

spidey07

Originally posted by: Kelemvor
I guess the system is just too sophisticated for me...

Sounds like it. But this added security is a very good thing. The banks are making it very clear with good, easy to understand questions and answers.

Also if a phisher got your userID and password, there isn't anything they can do with it. They'd need to know the answers to your other security questions.
 

thirtythree

Originally posted by: iamaelephant
I don't get how this works - you put your username and password in first, then you see the picture? So if it is a phishing scam, you only realise after you have given them your username and password? Errr... isn't the point of a phishing scam to get these details? So this just alerts you after the fact that some unsavoury individual has your details?

No. You just enter your username, then go to a page with your picture. You type your password in on this page.
 

Kelemvor

Originally posted by: spidey07
Originally posted by: Kelemvor
I guess the system is just too sophisticated for me...

Sounds like it. But this added security is a very good thing. The banks are making it very clear with good, easy to understand questions and answers.

Also if a phisher got your userID and password, there isn't anything they can do with it. They'd need to know the answers to your other security questions.

Oh I agree that that's a good feature with adding the extra questions. I just think the whole "pretty picture" thing is dumb.