
One Man's Blog

Specialization is for Insects.


Online Banking Still Not Secure!


November 13, 2006 By John P.

The Internet is not a safe place. I’m not talking about your kids, I’m talking about YOU!

Recently my financial institutions have begun implementing “security enhancements” in order to feign compliance with guidelines set by the FFIEC. In a nutshell, the recommendation is as follows:

Using nothing more than a login ID and password to access banking and financial transaction services via the Web is insecure. Instead, financial institutions should turn to multi-factor authentication schemes to ensure client safety.

In order to understand what this means, here is a quick security lesson.

The authentication factors for humans are generally classified by three methods:

  • Something the user is (e.g., fingerprint or retinal pattern, DNA sequence, voice pattern, signature recognition, or other biometric identifier)
  • Something the user has (e.g., ID card, security token, software token or cell phone)
  • Something the user knows (e.g., a password, a pass phrase or a PIN)

Sometimes a combination of methods is used, e.g., a bank card and a PIN, in which case the term ‘two-factor authentication’ is used.

Both Bank of America and Citibank have announced that their idea of complying with the multi-authentication recommendation is to essentially do two things:

  • Require users to define secret Questions and Answers in their system for challenge purposes.
  • Implement a system of “machine tagging” which looks for irregularity in terms of where the banking system is being accessed from.

Since passwords and login IDs are things that a user knows, adding question and answer challenges does not meet the criteria of multi-factor authentication, since those are also things a user knows. In essence this isn’t really two-factor, more like 2 one-factors. Since the factors have identical characteristics, if one is compromised, the other will surely follow.

(Sidebar: Even multi-factor authentication can be beaten, so 2 one-factors is a joke!)

Look at it this way. Do you or someone you know EVER make a note of your login information to any site on the Internet? I mean on a piece of paper, in your MS Outlook notes, on a card in your wallet? Or have you ever allowed an automatic form filler like Internet Explorer to remember a password?

Every one of these can be easily compromised, and how hard do you think it is then to answer your secret Question / Answer? Many people will write it on the same note so as not to forget it! Otherwise, it’s easy to find out your mother’s maiden name, etc. using investigative sources on the Web.

The bottom line is, multiple shared secrets are not any more secure. In fact they simply inconvenience the user and leave a false sense of security.
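The argument above can be written down as a small policy check. This is an added example, not part of the original post: the authenticator names and the scheme list are labels chosen here, and the leak model encodes the post's own premise that when one authenticator of a category is compromised, the others in that category follow.

```python
from enum import Enum

class Factor(Enum):
    INHERENCE = "something the user is"
    POSSESSION = "something the user has"
    KNOWLEDGE = "something the user knows"

# Authenticator -> category, following the post's three-way classification.
# The authenticator names are illustrative labels for this example.
CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "secret_question": Factor.KNOWLEDGE,
    "bank_card": Factor.POSSESSION,
    "security_token": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
}

def distinct_factors(scheme):
    """Set of factor categories a login scheme actually draws on."""
    unknown = [a for a in scheme if a not in CATEGORY]
    if unknown:
        # Fail closed: an unclassified authenticator must not count as a factor.
        raise ValueError(f"unclassified authenticator(s): {unknown}")
    return {CATEGORY[a] for a in scheme}

def is_multi_factor(scheme):
    """Multi-factor means two or more *categories*, not two or more prompts."""
    return len(distinct_factors(scheme)) >= 2

def survives(scheme, leaked):
    """True if some category in the scheme is outside what the attacker obtained."""
    return bool(distinct_factors(scheme) - set(leaked))

# Constructed schemes: the banks' challenge questions, and the card + PIN case.
SCHEMES = {
    "password_only": ["password"],
    "password_plus_questions": ["password", "secret_question"],
    "card_plus_pin": ["bank_card", "pin"],
}

def audit(schemes=SCHEMES, leaked=(Factor.KNOWLEDGE,)):
    """Per scheme: category count, multi-factor verdict, outcome of the leak."""
    return {name: {"factors": len(distinct_factors(s)),
                   "multi_factor": is_multi_factor(s),
                   "survives_leak": survives(s, leaked)}
            for name, s in schemes.items()}

if __name__ == "__main__":
    for name, result in audit().items():
        print(f"{name:26} {result}")
```

With the default leak of everything the user knows (the note in the wallet), password plus secret questions falls exactly as a bare password does, while card plus PIN still requires the card.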

These are not merely my thoughts; they are shared and have been heavily debated on the Web for years:

  • SecurityFocus.com discussion
  • Nabble Web App Security Forum
  • Slashdot.org discussion
  • BankersOnline.com discussion

Here is a presentation which outlines how the use of cheap fingerprint scanners could be a secure and cost effective answer to this entire issue; and here is a bank which chose to go the “smart card” route and do this right.

At the end of the day, it’s going to be costly to add true multi-authentication to online financial transactions. But the elimination of $billions in fraudulent transactions will more than make up for it. Do not be fooled into believing that the banks are doing everything they can to ensure your protection. In fact, they are doing less than the minimum expected.

Finally, make sure that you’ve read my previous information regarding Protecting Your Digital Secrets.
