My bank wants to implement this.

Discussion in 'privacy general' started by Ocky, Apr 2, 2008.

Thread Status:
Not open for further replies.
  1. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    I am not keen on mobile phones (cell phones here), they irritate me,
    and now all the bank's clients may soon be forced to do what is described
    below. Currently we have to sign an indemnity form if we don't want to go
    the SMS route.
    Also recently there have been some intricate cases of SIM card swaps
    where the SMS with the reference number to enter on the banking site
    was sent to the criminal's phone. I don't see any earth-shaking innovation
    or security benefit here. What do you think?
    (PS. This bank requires a profile no., followed by a pin no., followed by a
    password to access the site)
     
  2. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Seems to me that this is a variant on what my bank did to me.
    I don't have to use a cell phone, but my bank gave me a bankcard reader, that looks like a pocket calculator, in order to calculate my password of 8 digits and then I can login. Each money transfer has to be confirmed with another password of 8 digits, that is not the same anymore as the login password.

    The bankcard reader is not connected to anything, but it can read my bankcard and verify my pin code and calculate my password, that is based on a challenge number given by the bank.
    The advantage is that keyloggers are useless, because the password changes constantly and can be used only one time.

    Since my bank did this, I don't login so much anymore, only when absolutely necessary. The login procedure isn't very practical for the client.
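The challenge-response login described in the post above, modelled in Python as an added example (this is not code from the thread, from the poster or from any bank): the reader is offline, the PIN gates the card, each challenge produces a code that verifies exactly once, and a login code cannot be passed off as a transfer confirmation. The HMAC-SHA256 construction, the 8-digit truncation and the names BankCard, Bank, truncated_hmac and run_scenario are all assumptions made for the illustration.

```python
# Added illustration of an unconnected card-reader scheme. Constructed model,
# not the code of any real bank or reader: the HMAC-SHA256 response, the
# 8-digit truncation and the Bank/BankCard classes are assumptions.
import hashlib
import hmac
import secrets

DIGITS = 8


def truncated_hmac(key: bytes, message: bytes, digits: int = DIGITS) -> str:
    """HMAC-SHA256 over `message`, cut down to a decimal code of `digits` digits.
    The truncation step mirrors the one used by HOTP (an assumption here)."""
    mac = hmac.new(key, message, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10**digits:0{digits}d}"


class BankCard:
    """Stands in for the chip on the card. The key and PIN never leave it; the
    reader only hands it a challenge and gets an 8-digit response back."""

    def __init__(self, card_number: str, pin: str, key: bytes):
        self.card_number = card_number
        self._pin = pin
        self._key = key

    def response(self, pin: str, challenge: str) -> str:
        # The PIN is checked locally before anything is computed, so a stolen
        # card without the PIN yields no valid code.
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            raise PermissionError("wrong PIN")
        return truncated_hmac(self._key, challenge.encode())


class Bank:
    """Server side: issues a fresh challenge per login or transfer and checks
    the response. A challenge is consumed on first use, so a keylogged code
    cannot be replayed."""

    def __init__(self):
        self._keys: dict[str, bytes] = {}                 # card_number -> key
        self._pending: dict[str, tuple[str, str]] = {}    # challenge -> (card, purpose)

    def enrol(self, card_number: str, key: bytes) -> None:
        self._keys[card_number] = key

    def issue_challenge(self, card_number: str, purpose: str) -> str:
        """Bind a random challenge to one card and one purpose (a login, or one
        specific transfer) so a code can only confirm what it was issued for."""
        challenge = f"{secrets.randbelow(10**DIGITS):0{DIGITS}d}"
        self._pending[challenge] = (card_number, purpose)
        return challenge

    def verify(self, challenge: str, code: str, purpose: str) -> bool:
        entry = self._pending.pop(challenge, None)   # single use: gone after this
        if entry is None:
            return False
        card_number, bound_purpose = entry
        if bound_purpose != purpose:
            return False
        expected = truncated_hmac(self._keys[card_number], challenge.encode())
        return hmac.compare_digest(expected, code)


def run_scenario() -> dict:
    """Walk through a login and a transfer, then the misuse cases the scheme blocks."""
    key = secrets.token_bytes(32)   # constructed: the key written to the card at issue
    card = BankCard("4000-0000-0000-0001", "1234", key)   # constructed card
    bank = Bank()
    bank.enrol(card.card_number, key)
    transfer = "transfer: EUR 500 to account X"
    results = {}

    # Normal login: the site shows a challenge, the reader turns it into a code.
    c1 = bank.issue_challenge(card.card_number, "login")
    code1 = card.response("1234", c1)
    results["login_ok"] = bank.verify(c1, code1, "login")

    # Replaying a keylogged code fails: the challenge was consumed.
    results["replay_rejected"] = not bank.verify(c1, code1, "login")

    # A login code cannot confirm a transfer, even before it is consumed.
    c2 = bank.issue_challenge(card.card_number, "login")
    results["purpose_enforced"] = not bank.verify(c2, card.response("1234", c2), transfer)

    # Transfer confirmation uses its own challenge and code.
    c3 = bank.issue_challenge(card.card_number, transfer)
    results["transfer_ok"] = bank.verify(c3, card.response("1234", c3), transfer)

    # Wrong PIN: the reader refuses to compute anything.
    try:
        card.response("0000", bank.issue_challenge(card.card_number, "login"))
        results["wrong_pin_blocked"] = False
    except PermissionError:
        results["wrong_pin_blocked"] = True

    # Without the card's key, a forged code does not verify.
    c4 = bank.issue_challenge(card.card_number, "login")
    results["forgery_rejected"] = not bank.verify(c4, "00000000", "login")
    return results


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name:20s} {'PASS' if ok else 'FAIL'}")
```

The point the model makes concrete is why a keylogger gains nothing here: the secret that matters sits on the card, the code is a function of a challenge the bank never reuses, and the bank records what each challenge was for, so even an unexpired code cannot be redirected to another action.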
     
  3. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    @Ocky: It's a so-called "two-factor authentication" method where you use partly your mobile and also web login (password + certificate) to verify your identity.

    Pros: High usability, fairly secure, using two networks (Internet + mobile phone) for authentication.

    Cons: The mobile network isn't encrypted; if you lose your mobile you have to get a new unique password through a traditional letter to your home address.

    The method ErikAlbert uses is even more secure (reading your bankcard + password generated through control questions) but, as he remarked, also less user-friendly, and if you want to login using another computer you have to bring the bankcard reader/generator with you.

    However this latter method would be the most commonly used authentication method in the future since it covers secure transactions using bankcard for e-commerce as well.

    /C.
     
    Last edited: Apr 2, 2008
  4. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    That is correct. I'm lucky it always happens at home. The only advantage is that it is VERY SAFE. Also member "Paranoid2000" confirmed this.
     
  5. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    Sure, I understand what Cerxes is saying and that Erik's banking site is
    ultra secure, but I live here (see under location.)
    There have been some very intricate swaps of SIM cards going on, I don't know the details anymore,
    but mainly in small businesses (maybe employees had access to the
    mobile phone). Any thoughts on this? I suppose Erik's banking method
    will also protect him from XSS (cross site scripting)? Or not?

     
  6. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    But even if some low-life criminals manage to swap your mobile SIM card, they still have to get a copy of the web-based certificate as well as the login password. Sooner or later the user has to figure out why they don't receive any mobile phone calls anymore...;)

    Getting the certificate and the login password isn't impossible either if the criminals have the knowledge, access and are targeting a special user. But it's the combination of using two networks as an authentication method that makes it fairly secure.

    AFAIK using the bankcard reading/generating method would protect against cross-site scripting attacks since it generates unique passwords for each visiting session.

    /C.
     
  7. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    That was my impression too. Each time I open my bank website, I get another challenge number, which I enter in my bankcard reader to calculate my new login password. An online-thief needs my bankcard reader, my bankcard, my bankcard number and bankcard pin code (only in my head) to get that login password.
    That is impossible, unless he visits my home as a burglar and tortures me to get my pin code.

    I heard of XSS, but I don't know how this works in practice. I need an explanation with a practical example.
     
    Last edited: Apr 2, 2008
  8. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    It's all right here on Wilders. https://www.wilderssecurity.com/showthread.php?t=201350
    Enjoy! And don't get too depressed - you are safe!
     
  9. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,044
    How does that work if you travel overseas? I know that the little key chain tokens do work everywhere but I don't like to carry my mobile with me when travelling overseas (different networks, high costs, no need) - does that mean that netbanking is not possible?
     
  10. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    Normally your bank should also offer pre-defined passwords instead of using mobiles as an alternative. If not, consider changing bank to one that offers this alternative. This method has the same level of security as using mobiles, i.e. fairly secure.

    /C.
     
  11. NICK ADSL UK

    NICK ADSL UK Administrator

    Joined:
    May 13, 2003
    Posts:
    9,217
    Location:
    UK
  12. KookyMan

    KookyMan Registered Member

    Joined:
    Feb 2, 2008
    Posts:
    367
    Location:
    Michigan, USA
    As someone who does not have a SMS plan (Because of the fact that I don't text), I would refuse this on the basis that it is going to cost me significantly (.15c/txt I think is my current rate). Is the bank going to reimburse me for these charges?

    I have to admit, I like what ErikAlbert's bank has done, although I think it would be simpler/cheaper to just use something like a Cryptographic Token that generates a # (Similar to SecurID tokens.)

    I read an article in a magazine a few months ago that said now that eInk is "proven" (ie: Kindle/Sony eBook) that some credit card companies are going to integrate a small bit of it on credit cards and that every time you use it, you squeeze the card and it will generate a new 6 digit number that is used for verification that you have the card in hand. While the number will remain visible at all times, there is a time limit that the number is good for. Power isn't a concern since the only power usage is when the number is actually changed; no power is consumed simply displaying it. This will not only be useful during online transactions, but will be used for normal "swipe" transactions as well, demonstrating that the card being read is the original (and not just a cloned copy that was run through a mag reader while the card was read for legitimate purposes.)

    This I think is the way of the future of Credit Cards, moving away from the 3(/4) digit # on the back of the card for verification.
     
  13. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    I have similar set-up: text to mobile for authentication code.
    BUT
    I have another layer of "security": the code gets sent to the GF's phone :eek:
    I have to have her overseeing MY transactions :gack:
     
  14. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    For someone to swap your SIM card, they would need (physical) access to your mobile so it shouldn't be a concern unless it is stolen.

    As for security, GSM traffic is encrypted (using a variant of the A5 stream cipher) but this probably could be broken by a determined attacker. It should be safe from casual inspection though, especially in the case of time-limited information (like a code set to expire in 10 minutes or so).

    SMS messages however, like email, have to pass through gateways maintained by the mobile network operators. It is quite possible that their contents are stored in the clear here and therefore visible to anyone with access to these gateways (and operators, under data retention legislation, will have to keep a record of at least the time, sender and recipient for each SMS).

    However since this mechanism is separate from web traffic (unless you are using the same mobile for SMS and web access) it should make it far harder for someone else to perform actions on your behalf, even if your PC was compromised so it does provide a security benefit (though having their system phone and give you a number by voice would be better, and usable on landlines as well as mobiles).

    There are certainly convenience (the need to have your mobile on hand) and cost (if you have a tariff that charges for receiving SMS) issues, so if these apply to you by all means take this up with your bank. In practice, they are likely to phone to confirm large transactions anyway so this is probably a cost-saving measure from their perspective.
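The time-limited, single-use SMS reference number discussed in the post above, as an added server-side model (not code from the thread, from any operator or from any bank): it shows why a code that may have been visible at an SMS gateway is of limited use, because it expires after the stated ten minutes or so, confirms only the one transaction it was issued for, can be used once, and locks out after a few wrong guesses. The 6-digit length, the attempt limit, the keyed-hash storage and the names SmsOtpService, PendingOtp, FakeClock and run_scenario are assumptions made for the illustration.

```python
# Added example of issuing and checking a time-limited SMS reference number.
# Constructed model, not any bank's or operator's code: the 10-minute window,
# the 6-digit code, the attempt limit and the class names are assumptions.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable

OTP_TTL_SECONDS = 600   # "a code set to expire in 10 minutes or so"
MAX_ATTEMPTS = 3        # guessing a 6-digit code must not be cheap


@dataclass
class PendingOtp:
    code_hash: bytes      # only a keyed hash is stored, never the code itself
    transaction: str      # the once-off payment this code authorises
    expires_at: float
    attempts: int = 0


class SmsOtpService:
    """Issues and checks one-time reference numbers. The clock is injected so
    expiry can be exercised without waiting ten minutes."""

    def __init__(self, clock: Callable[[], float], server_secret: bytes):
        self._clock = clock
        self._secret = server_secret
        self._pending: dict[str, PendingOtp] = {}

    def _hash(self, code: str) -> bytes:
        return hmac.new(self._secret, code.encode(), hashlib.sha256).digest()

    def issue(self, customer_id: str, transaction: str) -> str:
        """Create a code for one customer and one transaction and return it;
        the SMS body would also name the transaction so the customer can see
        what they are confirming."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[customer_id] = PendingOtp(
            self._hash(code), transaction, self._clock() + OTP_TTL_SECONDS)
        return code

    def confirm(self, customer_id: str, transaction: str, code: str) -> bool:
        p = self._pending.get(customer_id)
        if p is None:
            return False
        if self._clock() > p.expires_at:
            del self._pending[customer_id]          # stale: discard it
            return False
        p.attempts += 1
        if p.attempts > MAX_ATTEMPTS:
            del self._pending[customer_id]          # too many guesses
            return False
        ok = p.transaction == transaction and hmac.compare_digest(
            self._hash(code), p.code_hash)
        if ok:
            del self._pending[customer_id]          # single use
        return ok


class FakeClock:
    """Constructed clock so the scenario can jump past the expiry window."""

    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def run_scenario() -> dict:
    clock = FakeClock()
    svc = SmsOtpService(clock, secrets.token_bytes(32))   # constructed server key
    txn = "once-off payment ZAR 1500 to account 12345"    # constructed transaction
    results = {}

    # Happy path: the code confirms the transaction it was issued for, once.
    code = svc.issue("cust-1", txn)
    results["confirm_ok"] = svc.confirm("cust-1", txn, code)
    results["reuse_rejected"] = not svc.confirm("cust-1", txn, code)

    # A code observed in transit cannot authorise a different beneficiary.
    code = svc.issue("cust-1", txn)
    results["other_txn_rejected"] = not svc.confirm(
        "cust-1", "once-off payment ZAR 1500 to account 99999", code)

    # The code is worthless once the window has passed.
    code = svc.issue("cust-1", txn)
    clock.advance(OTP_TTL_SECONDS + 1)
    results["expired_rejected"] = not svc.confirm("cust-1", txn, code)

    # After MAX_ATTEMPTS wrong tries, even the right code is refused.
    code = svc.issue("cust-1", txn)
    for _ in range(MAX_ATTEMPTS):
        svc.confirm("cust-1", txn, "000000")
    results["lockout_after_guesses"] = not svc.confirm("cust-1", txn, code)
    return results


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name:22s} {'PASS' if ok else 'FAIL'}")
```

Binding the code to the transaction and storing only a keyed hash limit what a leaked code or a leaked server table is worth; none of this helps when the SIM itself has been moved to another phone, which is the separate problem raised later in the thread.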
     
  15. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    Many thanks Paranoid2000 for your detailed (and reassuring to a degree) info.
    I can't stand mobile phones, but will need to come to the party
    once implemented by my bank. Here is another extract from their
    website:

    "The SIM swap takes place after the fraudsters have received the client's logon details as a result of the client acting on, for example, Phishing e-mails.
    Once the fraudsters have the client's cellphone number and other personal information, the fraudster can pose as the client, requesting a new SIM card from a cellular service provider.
    The cellular service provider transfers the client's SIM card identity to the new SIM card, cancelling the client's SIM card in the process.

    The result is no signal on the old SIM card, which means the client cannot receive or make phone calls or send SMS messages.

    The SMS authorisation reference number, which is normally sent to the client, reaches the fraudster instead of the legitimate owner, and the fraudster is able to make once-off payments and create beneficiaries fraudulently."
     
    Last edited: Apr 26, 2008
  16. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Well you're the customer so if you don't like their proposal, object! As long as you keep your PC clean and don't access their site from anywhere else, there's precious little benefit to you in this. From the bank's perspective though, most people can't keep their PCs clean so extra measures for the majority make good sense.

    If you do have to sign an indemnity, just make sure that it doesn't exclude security breaches on the bank's side.
    Thanks for that explanation - it is somewhat different from what I was thinking but this technique would be tricky to pull off. The network provider (if they have any sense) should only post the new SIM card to the subscriber's address and should immediately cancel the old one. So a criminal would have to intercept the victim's post and the victim should be aware something is amiss since their mobile would be disabled - and would have a couple of days at least to find out what was happening.

    In short, unless you're away from your main address for a while, it seems pretty unlikely for such a scheme to work without extreme negligence on the part of the network provider.
     
    Last edited: Apr 26, 2008