My bank wants to implement this.

I am not keen on mobile phones (cell phones here), they irritate me,
and now all the bank's clients may soon be forced to do what is described
below. Currently we have to sign an indemnity form if we don't want to go
the SMS route.
Also recently there have been some intricate cases of SIM card swaps
where the SMS with the reference number to enter on the banking site
was sent to the criminals phone. I don't see any earth shaking innovation
or security benefit here. What do you think ?

(PS. This bank requires a profile no., folowed by a pin no., followed by a
password to access the site)

 

Seems to me that this is a variant on what my bank did to me.
I don't have to use a cell phone, but my bank gave me a bankcard reader, that looks like a pocket calculator in order to calculate my password of 8 digits and then I can login. Each money transfert has to be confirmed with another password of 8 digits, that is not the same anymore as the login password.

The bankcard reader is not connected to anything, but it can read my bankcard and verify my pin code and calculate my password, that is based on a challenge number given by the bank.
The advantage is that keyloggers are useless, because the password changes constantly and can be used only one time.

Since my bank did this, I don't login so much anymore, only when absolutely necessary. The login procedure isn't very practical for the client.

 

@Ocky: It´s a so called "twofactor-authentification" method where you use partly your mobile and also webb-login (password + certificate) to verify your identity.

Pros: High usability, fairly secure, using two networks (Internet + mobilephone) for authentification.

Cons: The mobile network isn´t encrypted, if you loose your mobile you have to get a new unique password through a traditional letter to your homeadress.

The method ErikAlbert uses is even more secure (reading your bankcard + password generated through controll questions) but as he remarked also less userfriendly and if you want to login using another computer you have to bring the bankcard reader/generator with you.

However this later method would be the most common used authentification method in the future since it covers up secure transactions using bankcard for e-commerce as well.

/C.

 

That is correct. I'm lucky it always happens at home. The only advantage is that it is VERY SAFE. Also member "Paranoid2000" confirmed this.

 

Sure, I understand what Cerxex is saying and that Erik's banking site is
ultra secure, but I live here (see under location.)
There have been some very intricate swaps of SIM cards going on, I don't know the details anymore,
but mainly in small businesses ( maybe employees had access to the
mobile phone). Any thoughts on this ? I suppose Erik's banking method
will also protect him from XSS (cross site scripting) ? or not ?

 

But even if some low-life criminals manage to swap your mobile SIM card, they still have to get a copy of the web-based certificate as well as the login password. Sooner or later the user have to figure out why they don´t receive any mobile phonecalls anymore...

Getting the certificate and the login password isn´t impossible either if the criminals have the knowledge, access and are targeting a special user. But it´s the combination of using two networks as an authentification method that makes it fairly secure.

AFAIK using the bankcard reading/generating method would protect against cross-site scripting attacks since it generates unique passwords for each visiting session.

/C.

 

That was my impression too. Each time I open my bank website, I get another challenge number, which I enter in my bankcard reader to calculate my new login password. An online-thief needs my bankcard reader, my bankcard, my bankcard number and bankcard pin code (only in my head) to get that login password.
That is impossible, unless he visits my home as a burglar and torture me to get my pin code.

I heard of XSS, but I don't know how this works in practice. I need an explanation with a practical example.

 

It's all right here on Wilders. https://www.wilderssecurity.com/showthread.php?t=201350
Enjoy ! and don't get too depressed - you are safe !

 

How does that work if you travel overseas? I know that the little key chain tokens do work everywhere but I don't like to carry my mobile with me when travelling overseas (different networks, high costs, no need) - does that mean that netbanking is not possible?

 

Normally your bank should also offer pre-defined passwords instead of using mobiles as an alternative. If not, consider changing bank to one who offer this alternative. This method have the same level of security as using mobiles, i.e. fairly secure.

/C.

 

As someone who does not have a SMS plan (Because of the fact that I don't text), I would refuse this on the basis that it is going to cost me significantly (.15c/txt I think is my current rate). Is the bank going to reimburse me for these charges?

I have to admit, I like what ErikAlbert's bank has done, although I think it would be simpler/cheaper to just use something like a Cryptographic Token. that generates a # (Similar to SecurID tokens.)

I read a article in a magazine a few months ago that said now that eInk is "proven" (ie: Kindle/Sony eBook) that some credit card companies are going to integrate a small bit of it on credit cards and that every time you use it, you squeeze the card and it will generate a new 6 digit number that is used for verification that you have the card in hand. While the number will remain visible at all times, there is a time limit that the number is good for. Power isn't a concern since the only power usage is when the number is actually changed, no power is consumed simply displaying it. This will not only be useful during online transactions, but will be used for normal "swipe" transactions as well, demonstrating that the card being read is the original. (and not just a cloned copy that was run through a mag reader while the card was read for legitimate purposes.)

This I think is the way of the future of Credit Cards, moving away from the 3(/4) digit # on the back of the card for verification.

 

I have similar set-up: text to mobile for authentication code.
BUT
I have an other layer of "security" : the code gets sent to the GF's phone
I have to have her overseeing MY transactions

 

For someone to swap your SIM card, they would need (physical) access to your mobile so it shouldn't be a concern unless it is stolen.

As for security, GSM traffic is encrypted (using a variant of the A5 stream cipher) but this probably could be broken by a determined attacker. It should be safe from casual inspection though, especially in the case of time-limited information (like a code set to expire in 10 minutes or so).

SMS messages however, like email, have to pass through gateways maintained by the mobile network operators. It quite possible that their contents are stored in the clear here and therefore visible to anyone with access to these gateways (and operators, under data retention legislation, will have to keep record of at least the time, sender and recipient for each SMS).

However since this mechanism is separate from web traffic (unless you are using the same mobile for SMS and web access) it should make it far harder for someone else to perform actions on your behalf, even if your PC was compromised so it does provide a security benefit (though having their system phone and give you a number by voice would be better, and usable on landlines as well as mobiles).

There are certainly convenience (the need to have your mobile on hand) and cost (if you have a tariff that charges for receiving SMS) issues, so if these apply to you by all means take this up with your bank. In practice, they are likely to phone to confirm large transactions anyway so this is probably a cost-saving measure from their perspective.

 

Many thanks Paranoid2000 for your detailed (and reassuring to a degree) info.
I can't stand mobile phones, but will need to come to the party
once implemented by my bank. Here another extract from their
website:

"The SIM swap takes place after the fraudsters have received the client's logon details as a result of the client acting on, for example, Phishing e-mails.
Once the fraudsters have the client's cellphone number and other personal information, the fraudster can pose as the client, requesting a new SIM card from a cellular service provider.
The cellular service provider transfers the client's SIM card identity to the new SIM card, cancelling the client's SIM card in the process.

The result is no signal on the old SIM card, which means the client cannot receive or make phone calls or send SMS messages.

The SMS authorisation reference number, which is normally sent to the client, reaches the fraudster instead of the legitimate owner, and the fraudster is able to make once-off payments and create beneficiaries fraudulently."

 

Well you're the customer so if you don't like their proposal, object! As long as you keep your PC clean and don't access their site from anywhere else, there's precious little benefit to you in this. From the bank's perspective though, most peope can't keep their PCs clean so extra measures for the majority make good sense.

If you do have to sign an indemnity, just make sure that it doesn't exclude security breaches on the bank's side.

Thanks for that explanation - it is somewhat different from what I was thinking but this technique would be tricky to pull off. The network provider (if they have any sense) should only post the new SIM card to the subscriber's address and should immediately cancel the old one. So a criminal would have to intercept the victim's post and the victim should be aware something is amiss since their mobile would be disabled - and would have a couple of days at least to find out what was happening.

In short, unless you're away from your main address for a while, it seems pretty unlikely for such a scheme to work without extreme negligence on the part of the network provider.