
Court Rules Passwords+Secret Questions=Secure eBanking

samzenpus posted more than 2 years ago | from the nobody-knows-your-mother's-maiden-name dept.


An anonymous reader writes "A closely-watched court battle over how far commercial banks need to go to protect their customers from cyber theft is nearing an end. Experts said the decision recommended by a magistrate last week — if adopted by a US district court in Maine — will make it more difficult for other victim businesses to challenge the effectiveness of security measures employed by their banks. This case would be the first to add legal precedent to banking industry guidelines about what constitutes 'reasonable' security. The tentative decision is that a series of passwords + some device fingerprinting is enough to meet the definition of 'something you know' + 'something you have.' The case has generated enormous discussion over whether the industry's 'recommended' practices are anywhere near relevant to today's attacks, in which crooks usually have complete control over the victim's PC."

284 comments

One-time pads (4, Insightful)

Anonymous Coward | more than 2 years ago | (#36382414)

We've been using one-time pads in Finland for a long time, and they do the job.

What's the issue?

Re:One-time pads (4, Insightful)

Anonymous Coward | more than 2 years ago | (#36382430)

Well, here in the US we don't feel like spending money on security.

Re:One-time pads (4, Funny)

MightyMartian (840721) | more than 2 years ago | (#36382938)

Maybe we can let the TSA take over computer security. You can have a couple of brawny perverts in front of every computer ready to cup your genitals before you go to pay some bills. Add in an X-ray machine to toast your testicles, and you're ready to go!

Re:One-time pads (5, Funny)

Snarky McButtface (1542357) | more than 2 years ago | (#36383240)

I can handle my own genitals when in front of a computer screen.

Re:One-time pads (5, Insightful)

pirho13 (2247512) | more than 2 years ago | (#36383250)

As the previous poster said, we don't like spending money on Security.
Now Security Theater, that's entertainment!

Re:One-time pads (1)

ColdWetDog (752185) | more than 2 years ago | (#36382436)

We've been using one-time pads in Finland for a long time, and they do the job.

What's the issue?

We're just trying to balance our checkbooks, not take over the world.

Re:One-time pads (1)

Yoda's Mum (608299) | more than 2 years ago | (#36382460)

At some point the "victim" businesses need to be responsible for the physical and network security of their systems. It's unreasonable to expect banks to have to assume that every connection may or may not be coming from a machine not under the control of their customer.

Re:One-time pads (5, Insightful)

ekhben (628371) | more than 2 years ago | (#36382538)

I think you have it the wrong way around. It's an exceptionally hard problem to have a highly secured end user network. It's an easy problem to have stronger authentication mechanisms.

One time pads are not new, or difficult. Two-channel authentication is not new, or difficult. These are not particularly expensive solutions to implement, and would cut down on fraud significantly.

So why do the banks resist the idea?

Personally, I use a bank with two-channel auth, and refuse to use electronic banking that relies on anything sent via my browser alone - the browser is insecure software, and can be taken over without the victim being aware of it, even when the victim is following good security practices.

Re:One-time pads (3, Interesting)

QuasiSteve (2042606) | more than 2 years ago | (#36382782)

Personally, I use a bank with two-channel auth, and refuse to use electronic banking that relies on anything sent via my browser alone - the browser is insecure software, and can be taken over without the victim being aware of it, even when the victim is following good security practices.

I'm curious.. what is the other channel?

Here in NL there are two major forms of online banking authorization (separate from the account login, of course); both are a challenge/response type, and both perform the challenge in the browser.

In the first one, the response is either on a paper sheet you have (which you can then move to a computer file or whatever if you want to spend some time typing it in) or is sent to your cellphone along with the amount (so that no transactions can sneak in without being shown in the same text).

In the other one, the response is something generated on an external device - looks like a little calculator - after entering the challenge.

In both cases, the response is also entered into the browser.

Despite these more-or-less two-factor authorizations, I'd consider this to be a single channel.

I'm not sure what other channel could exist either... a custom application that communicates over an SSL'd connection or secure FTP or whatever could just as well be targeted by malware authors, perhaps even more so considering its focused purpose.

A true separate channel would probably be a modification of the aforementioned challenge-via-text method to also send the response via text. Or calling the bank and checking with an employee that the order as you see it on your screen is indeed the order pending and then proceed to provide the response to the presented challenge. The former could be automated, the latter.. not so much?

So I'm curious what the 2nd channel in your banking situation is.

Re:One-time pads (3, Interesting)

AK Marc (707885) | more than 2 years ago | (#36383004)

I have my bank send me a text with a code I put in the browser for online transactions above a certain level. Sure, it all goes through the browser at some point, but a one-time use code texted to my phone that won't work for another transaction even if someone was at my computer watching everything I put in will not allow them to then compromise my account at all. I could bank with that on a public computer and nobody could get anything out of my account.

Re:One-time pads (1)

ColdWetDog (752185) | more than 2 years ago | (#36383080)

A bank with this degree of sophistication in Alaska? I'm impressed. Would you mind disclosing which bank it might be?

Re:One-time pads (1)

AK Marc (707885) | more than 2 years ago | (#36383528)

I'm no longer in Alaska. I moved out of the US 2 years ago. I'll move back after the economy collapses and 10 Euros will buy me a small city in the US (I predict somewhere around 2025, but you never know for sure).

Though the family is still in Alaska, and I used to use Wells Fargo, which offers SecureID (or should that be InSecureID now?), and Wells Fargo is about the only national bank with a real presence there. Bank of America has (last I checked) a single ATM in the entire state, so you could theoretically bank with them if you didn't mind going to the food court of the 5th Avenue Mall every time you wanted to do something at a BoA ATM, and they have SecureID as well.

Re:One-time pads (1)

Anonymous Coward | more than 2 years ago | (#36383092)

Someone could be watching... like this guy [youtube.com] :)

Re:One-time pads (1)

asdfghjklqwertyuiop (649296) | more than 2 years ago | (#36383162)

Hypothetical attack on that scheme: wait for you to type in a code, cause the browser to hang for a few seconds before transmission to the bank, perform malicious transaction with the intercepted code during those few seconds.

Re:One-time pads (0)

Anonymous Coward | more than 2 years ago | (#36383374)

Improvement: if the transaction must be submitted to the bank website, and then the SMS code is generated, sent to the customer, and entered into the browser on the transaction confirmation page, then I think it's not possible to intercept a valid code and apply it to a different transaction. At the time you enter the code, both you and the bank know exactly which transaction it applies to.

Hypothetical attack on this would be submitting a malicious transaction in place of the original transaction, then replacing the display of the confirmation page with the details of the original transaction so that the customer "confirms" the malicious transaction with a code that matches it. But I think this sort of thing is always going to be a problem if the browser itself is compromised.

Re:One-time pads (1)

AK Marc (707885) | more than 2 years ago | (#36383494)

Impossible. The bank links that transaction to the code. That code isn't valid for any other transaction. If the valid code is given, the transaction completes. If not, it times out. Any other transactions require a different code be generated.

Re:One-time pads (1)

asdfghjklqwertyuiop (649296) | more than 2 years ago | (#36383520)

How do you know what transaction the code is authorizing? Does the text message also contain human-readable information with all details about the transaction?

Re:One-time pads (1)

Orffen (1994222) | more than 2 years ago | (#36383546)

You missed out where he says the code is for that specific transaction and not for any other transactions.

Re:One-time pads (1)

jonwil (467024) | more than 2 years ago | (#36383070)

The ideas with the little calculator and the one-time SMS work just fine; even if the bad guys have compromised the browser, the results of the little calculator or the one-time SMS won't be usable.

Good banking security isn't rocket science and it doesn't need to cost banks a fortune either.

Re:One-time pads (2)

dgatwood (11270) | more than 2 years ago | (#36383458)

Sure they will, if you have compromised the browser completely.

  • You start the transaction that requires you to enter a code.
  • Attacker creates a malicious transaction in the background that also requires you to enter a code.
  • Attacker puts up a fake copy of the bank's dialog that tells you it will have to confirm the transaction and asks you to choose a phone number for them to text or whatever.
  • You do whatever you need to do there.
  • Attacker posts the malicious transfer form and performs the query to tell the bank to send out a text message.
  • Attacker displays a fake copy of the verification form where you are supposed to enter the info from the text message.
  • You enter the verification code.
  • Attacker submits the verification code for the malicious transaction.
  • Attacker displays a fake "verification code failed message" repeatedly until you tell the bank to send a new code.
  • Attacker passes on that request for a new code to your bank.
  • Your bank sends a new code.
  • Attacker displays the real verification page for your transaction.

At this point, as far as the user knows, the bank just sent a broken code. Meanwhile, $20,000 has been transferred to a bank in Zurich.

Re:One-time pads (1)

thePowersGang (1726438) | more than 2 years ago | (#36383286)

National Australia Bank implements SMS security, which sends a code to your mobile phone when you attempt to log into internet banking; you then need to enter this code to be able to log in and/or to transfer funds. I'd call that two-channel authentication.

Re:One-time pads (1)

ekhben (628371) | more than 2 years ago | (#36383382)

Text message challenge, web response.

In order to subvert a transaction, the attacker would need to own both communication channels - my browser displays which transaction I'm approving, the text message displays the same thing. If they don't agree, one or the other has been tampered with.

If they do agree, it's too late for the attacker to alter the transaction, and my response via web can only be blocked, not used for a different transaction.

It's two channel because an attacker needs to subvert both channels to subvert the transaction; only capturing one will cause an easily detectable change.
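An added example, not code from any poster or bank, of the transaction-bound code that the Anonymous Coward above (#36383374) and ekhben (#36383382) describe: the bank's text carries the transfer details together with a code computed over those details, the customer compares the text with the screen before typing the code in, and the code confirms nothing but that one transfer. The Bank and Transaction classes, the text format and the account numbers are all constructed for this example.

```python
import hashlib
import hmac
import re
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    dest_account: str
    amount_cents: int


class Bank:
    """Server side (hypothetical). Every pending transfer gets a one-time code
    that is an HMAC over that transfer's own details, so a code confirms only
    the transfer it was issued for, only once, and only before it expires."""

    def __init__(self, code_ttl_seconds=120, clock=time.time):
        self._key = secrets.token_bytes(32)   # server-side secret, never sent out
        self._pending = {}                     # pending_id -> [tx, issued_at, used]
        self._ttl = code_ttl_seconds
        self._clock = clock

    def _code(self, pending_id, tx):
        msg = f"{pending_id}|{tx.dest_account}|{tx.amount_cents}".encode()
        digest = hmac.new(self._key, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 10**6:06d}"

    def submit(self, tx):
        """Browser channel: register a transfer. The bank replies over the
        phone channel with the transfer details AND the code in one text."""
        pending_id = secrets.token_hex(8)
        self._pending[pending_id] = [tx, self._clock(), False]
        sms = (f"Pay {tx.amount_cents / 100:.2f} to {tx.dest_account}? "
               f"Code {self._code(pending_id, tx)}")
        return pending_id, sms

    def confirm(self, pending_id, code):
        """Browser channel: the customer types the code back. Codes for any
        other transfer, already-used codes and expired codes are rejected."""
        entry = self._pending.get(pending_id)
        if entry is None or code is None:
            return False
        tx, issued_at, used = entry
        if used or self._clock() - issued_at > self._ttl:
            return False
        ok = hmac.compare_digest(self._code(pending_id, tx), code)
        if ok:
            entry[2] = True   # one-time: burn the code
        return ok


SMS_RE = re.compile(r"Pay (\d+)\.(\d{2}) to (\S+)\? Code (\d{6})")


def customer_reads_sms(sms, intended):
    """Phone channel: the customer compares what the text says against what
    they meant to send, and only hands back the code if the two agree."""
    m = SMS_RE.fullmatch(sms)
    if not m:
        return None
    shown = Transaction(m.group(3), int(m.group(1)) * 100 + int(m.group(2)))
    return m.group(4) if shown == intended else None


# Constructed sample accounts; not real account numbers.
INTENDED = Transaction("NL00BANK0123456789", 12_50)
ATTACKER = Transaction("CH00MULE9876543210", 2_000_000)


def honest_flow():
    """Screen and text agree: the code is released and the transfer completes."""
    bank = Bank()
    pid, sms = bank.submit(INTENDED)
    return bank.confirm(pid, customer_reads_sms(sms, INTENDED))


def swapped_transaction_flow():
    """Man-in-the-browser swaps the transfer before it reaches the bank. The
    text then names the attacker's account, the customer sees the mismatch,
    and no code is ever typed. Returns True when the transfer stays unconfirmed."""
    bank = Bank()
    pid, sms = bank.submit(ATTACKER)                # browser sent ATTACKER, not INTENDED
    code = customer_reads_sms(sms, INTENDED)        # None: text disagrees with intent
    return code is None and not bank.confirm(pid, code)


def replayed_code_flow():
    """Attacker captures the honest code in the browser and tries it on their
    own pending transfer. Returns (stolen_attempt, honest_ok, reuse_attempt)."""
    bank = Bank()
    honest_pid, sms = bank.submit(INTENDED)
    attacker_pid, _ = bank.submit(ATTACKER)
    code = customer_reads_sms(sms, INTENDED)
    stolen = bank.confirm(attacker_pid, code)       # False: HMAC is over the other transfer
    honest = bank.confirm(honest_pid, code)         # True: the code's own transfer
    reuse = bank.confirm(honest_pid, code)          # False: code already burned
    return stolen, honest, reuse
```

The scheme still depends on the phone being a separate device and on the customer actually reading the text, which is exactly the limit Dodgy G33za's post below raises.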

Re:One-time pads (3, Interesting)

Dodgy G33za (1669772) | more than 2 years ago | (#36382984)

Don't underestimate the power of the money that can be made by subverting online banking.

If the machine on which you do banking is not secure it becomes very hard to secure a transaction unless you have a true second channel. For example confirm a transaction with an SMS or phone call, although with smart phones this can no longer be guaranteed to be a second channel.

The latest generation of man-in-the-browser malware sits between the user and the bank and can alter transactions that the user has legitimately entered and authorised, as well as hide the evidence of the results.

At a recent AusCERT conference in Australia we heard that such malware can also add additional form fields so that the user confirms their phone number, and use that as a vector to infect their smartphone by exploiting smartphone OS vulnerabilities. Once they have both PC and phone infected, it is game over as far as two factor authentication with the phone is concerned.

This problem can be solved in a very simple (technically, not politically) way, and that is to clean up international banking so that the money trail can be followed. Make the bank that failed to identify the one that ends up with the money liable for repayment (and that includes the likes of Western Union), and in the event of a failed bank make the country in which the bank is registered liable.

Failing that make operating system and software manufacturers liable for security flaws in their products. We do it with cars, so why not software?

Re:One-time pads (1)

jonwil (467024) | more than 2 years ago | (#36383154)

So you use an authentication like the little calculators some banks give. Things that can't be compromised by hackers.

Unless the transaction details you see on the screen match the real transaction details, the special hash displayed by the little calculator won't match and the bank will reject the transaction.

Re:One-time pads (0)

Anonymous Coward | more than 2 years ago | (#36383466)

Unless the transaction details you see on the screen match the real transaction details, the special hash displayed by the little calculator won't match and the bank will reject the transaction.

This only holds if the browser is trusted to submit exactly the information you enter, and display exactly the information it receives. If the browser is compromised, this doesn't necessarily hold: a compromised browser could submit a completely different transaction to the one you entered, replace the contents of the confirmation page with the transaction you entered, and you'd quite happily enter your code to confirm the transaction, which the bank would see as a valid confirmation of the malicious transaction.

Re:One-time pads (3, Insightful)

jonwil (467024) | more than 2 years ago | (#36383486)

No it couldn't because the idea is that you enter the transaction details (amount and account number) into the little calculator thing.

Re:One-time pads (1)

asdfghjklqwertyuiop (649296) | more than 2 years ago | (#36383122)

I use a bank with two-channel auth, and refuse to use electronic banking that relies on anything sent via my browser alone - the browser is insecure software, and can be taken over without the victim being aware of it, even when the victim is following good security practices.

So your bank authenticates every single thing you do online via a second channel?

Re:One-time pads (1)

ekhben (628371) | more than 2 years ago | (#36383334)

Transactions to unapproved accounts, where "approved" means either the bank knows the recipient and can hunt them down if they commit fraud, or I've explicitly said the recipient is OK by me (which requires external auth to do :-)

Re:One-time pads (1)

green1 (322787) | more than 2 years ago | (#36383596)

refuse to use electronic banking that relies on anything sent via my browser alone

In most countries that would completely rule out using any form of online banking at all.

Where I live, the only banks that don't charge me insane monthly fees are only available online; they have no tellers to visit. Additionally, no banks in the country offer any more secure banking than asking for a password, and worse yet, one of the banks I have dealt with in the past required the password to be exactly 6 characters long (no more, no less) and completely numeric.

You may be lucky enough to live somewhere with secure banking, but most of the world doesn't have anywhere near that luxury.

Re:One-time pads (1)

geekmux (1040042) | more than 2 years ago | (#36383104)

At some point the "victim" businesses need to be responsible for the physical and network security of their systems. It's unreasonable to expect banks to have to assume that every connection may or may not be coming from a machine not under the control of their customer.

Not that I'm disagreeing with you, but playing devil's advocate for a moment, it is highly unreasonable for you to assume that any institution should be held 100% liable for every connection made to any system directly connected to the Internet.

That's kind of like suing Microsoft for a vuln that they *should* have known beforehand. The term "zero-day" wasn't coined because it sounds cool.

Re:One-time pads (3, Funny)

Anonymous Coward | more than 2 years ago | (#36382630)

I don't want to buy an iPad, use it one time, then throw it away.

Re:One-time pads (2)

wvmarle (1070040) | more than 2 years ago | (#36383112)

It seems Europe in general is way ahead of the US when it comes to security in on-line banking.

My on-line banking (with a Dutch bank) goes back some 18 years now. The first system I used required dial-in to a dedicated telephone number using a 2400 baud modem (I didn't have Internet options yet - not even dial-up - and 2400 baud was not the fastest available but at the time quite normal), logging in with user name and password to a telnet like system, and to authenticate each transaction I had to enter a number from a list that was written on a separately mailed paper. So two-factor already, while the whole environment was a lot safer by then.

A few years later they created an off-line application, where you could enter all your transactions. Saved a lot on telephone costs. That dedicated number was long-distance of course.

Another few years later, and an Internet option appeared. Not long after I got a dial-up connection. Same two-factor security.

Other banks started using a separate calculator to create the one-off numbers. This was a physically separate device, not on the computer itself.

And all of the above was over ten years ago already. The system has remained basically the same (I'm still using that paper list - for living overseas and not having a Dutch mobile number), now using a calculator or having the one-time code sent to your mobile phone. Still: two-factor, physically separate.

Bank fraud, also e-banking fraud, is unfortunately still not unheard of in Europe. A lot is related to credit card fraud, but e-banking accounts also still end up being hacked. No security is perfect, but the relatively rare occurrence of such incidents indicates it's pretty good.

I really wonder when the US will catch up.

Re:One-time pads (1)

WaffleMonster (969671) | more than 2 years ago | (#36383322)

We've been using one-time pads in Finland for a long time, and they do the job.

What's the issue?

I would love for you to explain to me how that would do you any good when your own system is compromised and an attacker can display anything they want on your screen. When you just entered your OTP you didn't just transfer $100k to the attacker did you? Ooops....

Secure = Secure Enough (2)

timeOday (582209) | more than 2 years ago | (#36382440)

I think this standard is OK, *if* the banks are liable for compromises (as they are with credit/debit cards). Obviously this isn't totally secure, but you have to consider everybody's wasted time when weighing alternatives.

Re:Secure = Secure Enough (4, Interesting)

FatAlb3rt (533682) | more than 2 years ago | (#36382590)

Unless the questions are like my bank's:
Who is your favorite Disney character?
What is your favorite color?

You stand a good chance to get the right answer for any given account if you go with Mickey / Minnie or red / blue. How is that really security?

Re:Secure = Secure Enough (0)

Anonymous Coward | more than 2 years ago | (#36382904)

Those questions are positively Goofy.

Sorry, couldn't help myself.

Re:Secure = Secure Enough (4, Interesting)

definate (876684) | more than 2 years ago | (#36382960)

I always answer those questions with a different password. This results in many people going, "LOL So your mother's maiden name is jks)*8h9*H*(BY?"

This is when those are used for verbal authentication over the phone. Then on top of this, I just need some reasonable password management.

All good!

Same. (0)

Anonymous Coward | more than 2 years ago | (#36383128)

I always obfuscate my answers to the lack-of-security questions. And not just for banks.

I mean, I get your average person isn't going to answer 'What's your favorite color?' with, "Leo Nikolayevich Tolstoy", but this is Slashdot. Please, tell me you guys aren't actually answering with data that could be scraped off your Facebook site/blog/linkedin profile/etc.

Re:Same. (1)

definate (876684) | more than 2 years ago | (#36383274)

Exactly. Though, sometimes I do completely random stuff, other times, when I'm forced to write a pile of these, I tend to get a little angry by the last one. So they're often of the form:
%#@02-1as who the fuck wrote this fucking system, he is surely a retard of the highest order

If they'll allow me to use that many characters. This is fine and dandy, if I only see it. But sometimes the support personnel take offence.

Re:Secure = Secure Enough (2, Interesting)

Anonymous Coward | more than 2 years ago | (#36383330)

I was doing that with my bank (the 'mother's maiden name' answer I had, while technically correct, wasn't the obvious one), until one day when I had to call in and was informed that my answer was wrong. My mom has an account at the same bank, and somehow they had been able to 'fix' it; I have not been able to change it back. Nor did I ever get an answer as to why the change was made.

Re:Secure = Secure Enough (2)

definate (876684) | more than 2 years ago | (#36383378)

WOW! That's not good. So, they ENFORCED bad security on you. By revealing something which could be found out.

That's insane.

Re:Secure = Secure Enough (0)

Anonymous Coward | more than 2 years ago | (#36383402)

But you already know why the change was made: someone at the bank is an idiot, an asshole, or both.

Re:Secure = Secure Enough (1)

Idbar (1034346) | more than 2 years ago | (#36383182)

That actually depends on how YOU answer those questions and if you want them to be easy.

The questions should serve as a mnemonic, such that if they ask for your favorite color you may as well go with tomatoandpepperred, or for a favorite Disney character go with mysonlovesthemousewithbigears.

The problem is that people want something quick and easy to remember, which normally turns into Red or Mickey.

Re:Secure = Secure Enough (1)

froggymana (1896008) | more than 2 years ago | (#36383618)

Then create a "passkey" with KeePass or something similar to use for your security questions. They don't really restrict what your response can be.

This has a name (4, Insightful)

IICV (652597) | more than 2 years ago | (#36382448)

There's a name for this sort of security - "Wish it was two factor" [thedailywtf.com] security.

And now a judge is ruling that it's enough, along with a "device fingerprint" that can be trivially faked? That is complete bullshit.

Re:This has a name (3, Funny)

ScrewMaster (602015) | more than 2 years ago | (#36382586)

There's a name for this sort of security - "Wish it was two factor" [thedailywtf.com] security.

And now a judge is ruling that it's enough, along with a "device fingerprint" that can be trivially faked? That is complete bullshit.

Either nobody asked the experts or the judge didn't care. I hope he uses online banking and finds himself with a negative balance some day.

Re:This has a name (3, Informative)

MightyMartian (840721) | more than 2 years ago | (#36382950)

I'm sure he's not depositing the check from the banking industry in an American bank account, so it shouldn't be a worry for him.

Re:This has a name (1)

westlake (615356) | more than 2 years ago | (#36383510)

Either nobody asked the experts or the judge didn't care. I hope he uses online banking and finds himself with a negative balance some day.

Simply a reminder.

It is your job as plaintiff or defendant to make your case through evidence and arguments that everyone in the courtroom can see and hear.

Not to ask the judge and jury to fill in the blanks behind closed doors.

Re:This has a name (3, Interesting)

Mashiki (184564) | more than 2 years ago | (#36382698)

If there's zero case law on something, any case law is good, because it creates both a starting point and a breach point for other lawyers to prove that the system is faulty. It's not bullshit; well, actually it is, but not in the way you think. It's bullshit that it's taken nearly 15 years for the first real case to come to light creating case law.

good (3, Interesting)

waddgodd (34934) | more than 2 years ago | (#36382486)

From a consumer perspective, the lower the bar is for "effective security measures" the better, because if an attacker breaks ineffective security measures, you're basically on the "caveat emptor" hook, meaning you failed to do due diligence, therefore any losses are yours. If the security's effective, the bank's on the hook for any losses due to theft. Think of it this way, your bank has a wooden safe, and a robber gets in, you try to sue the bank for your losses, the bank says "well, duh, we had a wooden safe, what'd you expect?", and gets off the hook, while if the bank has a steel vault, you sue, and the bank's required by fiduciary duty to cover your loss, even though it's not negligent. Kinda twisted, huh? But then again, look at the rhetoric flying around Washington about the banks, banking law is truly down the rabbit-hole.

Re:good (1)

Anonymous Coward | more than 2 years ago | (#36382608)

"From a consumer perspective ... any losses are yours"

Wrong. Consumers aren't liable for losses due to unauthorized charges: businesses are. That's why this is such a big deal. The decision doesn't have anything to do with consumer banking.

Re:good (1)

jtownatpunk.net (245670) | more than 2 years ago | (#36383272)

Some people aren't living paycheck to paycheck with just debit and credit card charges to watch out for. That law/rule doesn't cover me if someone gets into an investment account and clears it out. What if they get into my bank account and wire the contents of my checking and savings accounts? Once it's wired, the thief converts it to cash and it's gone. That shit goes through in minutes to hours. By the time I get my monthly statement, they're in the Bahamas sipping rum-based drinks. Well, I'd get an SMS alert within minutes but I still might not be able to stop it in time.

Boycott (1)

korendir (2212878) | more than 2 years ago | (#36382564)

I believe the ruling is correct; the judge is just saying 1FA is "what constitutes “commercially reasonable” security." Which I disagree with, of course, but who am I to judge (I'm sure the judge knows more about this than an IT professional). Consumers should boycott IT banking from such banking systems and stick to those who have implemented 2FA. Not sure about the US, but where I'm from, nearly all banks have that implemented, and still people worry about the security of internet banking, what with RSA's announcement and all. Doubt anyone would even consider using one that doesn't have it here.

Re:Boycott (-1)

Anonymous Coward | more than 2 years ago | (#36382618)

You have a point, but you're also an arrogant shit, so agreeing with you hurts my stomach.

why not use some sort of authenticator? (5, Interesting)

snuf23 (182335) | more than 2 years ago | (#36382636)

I find it odd that Blizzard offers more security for a World of Warcraft account than your average bank.

Re:why not use some sort of authenticator? (1)

betterunixthanunix (980855) | more than 2 years ago | (#36382664)

Considering the amount of money WoW brings in for Blizzard...

Re:why not use some sort of authenticator? (1)

CastrTroy (595695) | more than 2 years ago | (#36382754)

Trust me, the amount of money Blizzard makes from WoW is peanuts compared to the money the banks are making. I feel like there's a Douglas Adams quote that belongs here.

Re:why not use some sort of authenticator? (1)

Luckyo (1726890) | more than 2 years ago | (#36383168)

Blizzard spends (or used to spend) a very large amount of money on support of the people who had their accounts stolen. It was a pure business decision for them - invest in authenticator technology, save on staff.

Re:why not use some sort of authenticator? (1)

asdfghjklqwertyuiop (649296) | more than 2 years ago | (#36383210)

That still won't completely prevent malicious activity when the attacker has control of the end user's machine.

Re:why not use some sort of authenticator? (3, Informative)

Cyno01 (573917) | more than 2 years ago | (#36383314)

Actually it still does, as you need a separate device that's not connected to the computer in any way.

Re:why not use some sort of authenticator? (1)

asdfghjklqwertyuiop (649296) | more than 2 years ago | (#36383398)

Only to log in, usually. Once logged in the attacker can gain control of the authenticated session and use it for malicious activity.

Re:why not use some sort of authenticator? (0)

Anonymous Coward | more than 2 years ago | (#36383444)

http://arstechnica.com/security/news/2011/06/rsa-finally-comes-clean-securid-is-compromised.ars

Is why.

Calm down (5, Insightful)

Charliemopps (1157495) | more than 2 years ago | (#36382716)

Seriously, everyone calm down. If your bank's security sucks, switch. It's really easy. I switched banks on Monday... it took me all of about an hour. Imagine if the judge had come down with a verdict like: True security is a 30+ character alphanumeric password that is at least half capitals or special characters. The same password can never be reused. The user name must be a randomized 10-digit numeric sequence. Both user name and password cannot be valid for longer than 30 days, at which point both must be mailed separately to the user on different dates. Users cannot reset passwords without being in person and presenting 2 forms of ID at a branch office. Lastly, login periods cannot last for more than 5 min, upon which the user must log in again.

What banks really need to do is give you options to lock down your online account. I want online banking, but I only want to transfer money between my accounts with that bank and 1 other account. Why can I not pre-approve those accounts and disable everything else unless I go down to the bank? Seems like a simple concept. Even if I were to get hacked, they could only move money around in my own account!

Re:Calm down (3, Insightful)

memyselfandeye (1849868) | more than 2 years ago | (#36382872)

Seriously, everyone calm down. If your bank's security sucks, switch. It's really easy. I switched banks on Monday... it took me all of about an hour.

Know of any US banks that offer SecurID or something similar? I'd sure like to know, as in order for my LLC to accept credit cards I have to have a US bank, so it's not like I can shop around even if I wanted to.

What banks really need to do is give you options to lock down your online account. I want online banking, but I only want to transfer money between my accounts with that bank and 1 other account. Why can I not pre-approve those accounts and disable everything else unless I go down to the bank? Seems like a simple concept. Even if I were to get hacked, they could only move money around in my own account!

I agree, I mean, it's not like banks want you to easily move money out of an account anyway.

Re:Calm down (0)

Anonymous Coward | more than 2 years ago | (#36383066)

http://www.bankofamerica.com/privacy/index.cfm?template=learn_about_safepass

Re:Calm down (0)

Anonymous Coward | more than 2 years ago | (#36383296)

Know of any US banks that offer SecurID or something similar? I'd sure like to know, as in order for my LLC to accept credit cards I have to have a US bank, so it's not like I can shop around even if I wanted to.

Not sure SecurID is the best example after what happened to Northrop Grumman and Lockheed Martin...

On a more relevant note, my local small-town bank uses one-time codes sent via cell-phone for all online access, and you can (so far as I can tell) only move money between accounts you set it up for (not really sure, only have one account ATM). It baffles me that a tiny bank like mine can do it, but massive country-wide chains have problems with what is really a very simple (and much, much more secure than passwords) security system.
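
The thread above makes two separate points: a login-time authenticator does not help once malware on the PC holds the authenticated session (as asdfghjklqwertyuiop notes), and small banks manage per-transaction one-time codes plus a fixed set of registered destination accounts. The following is an added illustration of how those two controls fit together; it is example code written for this page, not any bank's or poster's system. The customer ids, account names, device secret and the HMAC-over-transaction-details scheme are all constructed assumptions; the code truncation step borrows the HOTP construction from RFC 4226.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed data for this example (assumptions, not a real bank's configuration):
# destination accounts each customer registered at a branch, and the secret shared
# with that customer's out-of-band device (phone app or hardware token).
PRE_APPROVED = {"cust-001": {"SAVINGS-001", "LANDLORD-42"}}
DEVICE_SECRETS = {"cust-001": b"constructed-device-secret-for-cust-001"}


def transaction_code(device_secret: bytes, dest: str, amount_cents: int,
                     nonce: bytes, digits: int = 8) -> str:
    """Code the customer's device computes over the exact transfer details.

    The MAC covers destination, amount and a per-request nonce, so a code shown
    for one transfer authorizes nothing else and cannot be replayed. Truncation
    to decimal digits follows the HOTP construction (RFC 4226).
    """
    msg = dest.encode() + b"|" + str(amount_cents).encode() + b"|" + nonce
    mac = hmac.new(device_secret, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


class Bank:
    """Toy server side: login sessions, pending transfers, confirmed ledger."""

    def __init__(self):
        self.sessions = {}   # session token -> customer id
        self.pending = {}    # nonce -> (customer, dest, amount_cents)
        self.ledger = []     # confirmed (customer, dest, amount_cents)

    def login(self, customer: str) -> str:
        # Password / login OTP are assumed to have passed; the example is about
        # what a session token is worth once malware on the PC holds it.
        token = secrets.token_hex(16)
        self.sessions[token] = customer
        return token

    def request_transfer(self, session: str, dest: str, amount_cents: int):
        customer = self.sessions[session]
        if dest not in PRE_APPROVED.get(customer, set()):
            return ("rejected", None)        # not on the branch-registered allow-list
        nonce = secrets.token_bytes(8)
        self.pending[nonce] = (customer, dest, amount_cents)
        # The bank now sends (dest, amount, nonce) to the customer's device over a
        # channel the PC is not on; the device displays dest and amount and computes the code.
        return ("pending", nonce)

    def confirm_transfer(self, session: str, nonce: bytes, code: str) -> str:
        customer = self.sessions[session]
        pend = self.pending.pop(nonce, None)  # one attempt per nonce, then it is gone
        if pend is None or pend[0] != customer:
            return "rejected"
        _, dest, amount_cents = pend
        expected = transaction_code(DEVICE_SECRETS[customer], dest, amount_cents, nonce)
        if not hmac.compare_digest(expected, code):
            return "rejected"
        self.ledger.append((customer, dest, amount_cents))
        return "approved"


def demo():
    """Four attempts through one hijacked session; returns their outcomes in order."""
    bank = Bank()
    token = bank.login("cust-001")               # malware on the PC now holds this token
    device_secret = DEVICE_SECRETS["cust-001"]   # lives only on the customer's device

    # 1. Whoever holds the session tries to send money to an unregistered account.
    r_mule, _ = bank.request_transfer(token, "MULE-999", 500_000)

    # 2. The customer legitimately sends 100.00 to the landlord; the device shows
    #    exactly that transfer and produces its code; the bank approves it.
    _, nonce = bank.request_transfer(token, "LANDLORD-42", 10_000)
    good_code = transaction_code(device_secret, "LANDLORD-42", 10_000, nonce)
    r_ok = bank.confirm_transfer(token, nonce, good_code)

    # 3. Replaying the same nonce and code: the nonce was consumed, so it fails.
    r_replay = bank.confirm_transfer(token, nonce, good_code)

    # 4. A new request with a changed amount cannot reuse the customer's code,
    #    because the code was bound to the original amount and nonce.
    _, nonce2 = bank.request_transfer(token, "LANDLORD-42", 990_000)
    r_tamper = bank.confirm_transfer(token, nonce2, good_code)

    return [r_mule, r_ok, r_replay, r_tamper]


if __name__ == "__main__":
    print(demo())   # first three outcomes: ['rejected', 'approved', 'rejected']
```

The design point is that the device, not the PC, is the thing the customer reads the destination and amount from, so a compromised browser session can neither add a new payee nor alter a confirmed amount without the customer seeing the mismatch on the second channel.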

Re:Calm down (0)

Anonymous Coward | more than 2 years ago | (#36383328)

Wells Fargo offers SecurID tokens.

They also allow pin numbers of greater than four digits in length. Which I hear can cause issues in other countries, but works just fine here in the US and confuses the hell out of people who think PINs *MUST* be four digits. (:

Re:Calm down (4, Insightful)

Rockoon (1252108) | more than 2 years ago | (#36382988)

If your bank's security sucks, switch

Switch to another insecure bank? The problem is that this shitty security is industry standard.

And if you don't mind me asking... What was the name of your first childhood pet?

Re:Calm down (1)

Charliemopps (1157495) | more than 2 years ago | (#36383312)

My bank's security is:
Username is a 12-digit random number, provided by the bank.
Password is 12 characters with at least 2 numbers and 1 special character.
3 unsuccessful attempts locks the account.
Unlocking the account requires a call to customer service, who then hang up and call me back.
At that point they ask me what my pass code is.
I had to provide the pass code, in person, in writing at the bank when I opened the account.
If I log in from a new IP address, the bank auto-dials my house... I then have to punch my PIN code into the phone.

It's friggen ridiculous. I wasn't even looking for this much security.
Like I said, if your bank isn't secure enough for you, switch. There are literally thousands of them.

Re:Calm down (1)

guybrush3pwood (1579937) | more than 2 years ago | (#36383006)

What banks really need to do is give you options to lock down your online account. I want online banking, but I only want to transfer money between my accounts with that bank and 1 other account. Why can I not pre-approve those accounts and disable everything else unless I go down to the bank? Seems like a simple concept. Even if I were to get hacked, they could only move money around in my own account!

If I had to go to the bank to unlock my account so I can go back to my house, connect to the home banking system, transfer funds, and then return to the bank to lock the account once again... I'd feel a very pressing urge to stab someone in the face.

Re:Calm down (1)

Dodgy G33za (1669772) | more than 2 years ago | (#36383088)

3 mortgages, 3 credit cards and three accounts covering business, personal and share trading. I doubt it would take an hour.

Mail as a second channel does have merit - it is pretty hard for a Russian mafia dude to intercept. But my letterbox sits out at the front of my property. If banks started mailing out username/passwords on a regular basis I can guess what would happen. And that is assuming they don't get diverted by a crooked mail service employee.

Locking down your account makes sense, especially nominating accounts. I have an RSA token so set my non-RSA approved amount to zero. And then RSA went and got themselves hacked *sigh*.

Ultimately though the banks will not implement any security which drives people to their branches. If they had their way they would do away with branches altogether.

This is about liability, not security (2)

Kohath (38547) | more than 2 years ago | (#36382866)

The company suing the bank had seen the bank's security measures. They had the opportunity to judge whether the bank's security measures were secure enough for them. The bank should win unless the precautions were unreasonably weak.

You would think everyone involved would be insured against these kinds of losses.

Re:This is about liability, not security (1)

Dachannien (617929) | more than 2 years ago | (#36383278)

What's more, the bank account was compromised because of the account holder's lousy security that ended up with them getting keyloggers on their computers. Why should the bank be liable for that?

Measures= joke (1)

Progman3K (515744) | more than 2 years ago | (#36382884)

I worked in a business where we built point-of-sale terminals.

The banks are already crazy-serious about certifying devices that talk to their systems.

When you think that the future is everyone and their phone conducting banking operations and that most of those devices have multiple known exploits, you expect things will only get worse.

It's time for businesses to get more paranoid (2)

Beryllium Sphere(tm) (193358) | more than 2 years ago | (#36382948)

If you have a business account where the bank won't cover losses from fraud; if your bank doesn't implement effective security measures; if you have some reason to stay with that bank anyway; if you feel compelled to sign up for online banking:

Use a dedicated computer. They're cheap. You can afford to have one computer that's off limits for web surfing, online videos, dancing cursors and so on. For extra credit put it on a separate LAN segment, and of course you should have disabled Autorun anyway. Set it up so it can only connect to your bank's web site and to Windows Update.

Re:It's time for businesses to get more paranoid (1)

PPH (736903) | more than 2 years ago | (#36383180)

Set it up so it can only connect to your bank's web site and to apt-get.

FIFY

From my experience, banks don't understand (1)

nawcom (941663) | more than 2 years ago | (#36382956)

I find it upsetting that my online access to my bank account has a password limit of 10 characters which are also limited to letters and numbers. I've called and complained, but of course the silly stupid customer doesn't know anything about anything. Here's the exact limits according to their website:

Password must be between 7 and 10 alpha-numeric characters. Acceptable characters for passwords include combinations of any of the following characters: a-z, A-Z, 0-9, !, @, #, $, %, ^, &, *, (, or )

I hate retarded security.

Re:From my experience, banks don't understand (1)

Paco103 (758133) | more than 2 years ago | (#36383096)

My bank account used to be 6-8 with no special characters. Such a joke. I complained about it, and probably 6 months later it went up to like 24 characters with special characters allowed. It was a small privately owned bank though, and I have no idea if my complaint actually mattered. I know they use Shazaam for the website, which appears to not be uncommon among smaller banks.

Re:From my experience, banks don't understand (0)

Anonymous Coward | more than 2 years ago | (#36383300)

Think about what an UPPER limit on password length means... The limit is probably due to a field size limitation, which means that they're storing the password, and not the *hash* of the password.
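
To show the point the comment above makes in working code, here is an added example, not the poster's or any bank's implementation: a salted PBKDF2 password store whose record is the same size whether the password is 7 characters or 70, so no column width ever forces a short maximum. The iteration count, salt length and the deliberately large length cap (a bound on CPU time per attempt, not a storage limit) are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed parameters for this example (assumptions, not any bank's settings).
ITERATIONS = 200_000       # PBKDF2 work factor; tune to the server's CPU budget
SALT_LEN = 16
MAX_PASSWORD_LEN = 1024    # bounds hashing cost per attempt; nothing to do with storage


def hash_password(password: str) -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256 digest; always SALT_LEN + 32 bytes."""
    if not 1 <= len(password) <= MAX_PASSWORD_LEN:
        raise ValueError("password length out of range")
    salt = os.urandom(SALT_LEN)                     # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt + digest


def verify_password(password: str, record: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    if len(password) > MAX_PASSWORD_LEN:
        return False
    salt, stored = record[:SALT_LEN], record[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def stored_sizes(*passwords: str) -> list:
    """Record size for each password: identical regardless of password length."""
    return [len(hash_password(p)) for p in passwords]


if __name__ == "__main__":
    # Constructed sample passwords of very different lengths.
    print(stored_sizes("abc1234", "correct horse battery staple", "x" * 200))   # [48, 48, 48]
    rec = hash_password("Tr0ub4dor&3!!")
    print(verify_password("Tr0ub4dor&3!!", rec), verify_password("Tr0ub4dor&3!", rec))   # True False
```

A site that hashes this way can accept a 10-character password and a 100-character passphrase with the same schema; a hard cap of 7-10 characters therefore says the stored value grows with the input, which is the tell the comment describes.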

umm ok (0)

Anonymous Coward | more than 2 years ago | (#36383058)

BS.. use a security key like paypal... sent via their hardware or via SMS on cell... works for me

Who is to blame? (1)

PPH (736903) | more than 2 years ago | (#36383146)

The case has generated enormous discussion over whether the industry's "recommended" practices are anywhere near relevant to today's attacks, in which crooks usually have complete control over the victim's PC

And whose fault is that? At what point does a bank's responsibility for a user's poor choice of system end?

Username + pword + question != secure (1)

stenn (1086563) | more than 2 years ago | (#36383152)

It's pretty bad when a computer game, i.e. World of Warcraft, is more secure than my bank. Rotating RSA key fobs are common in Europe and used regularly to secure WoW accounts against hackers trying to get game gold. Passwords and questions are easily obtained using a keylogger.

Banking security? (2)

Wolfling1 (1808594) | more than 2 years ago | (#36383244)

I've worked at a bank where $30,000 was sent overseas by accident in a testlab incident. A testlab!

Banks are monumentally incompetent at securing their environments, so each individual needs to become accountable for the security of anything that takes place outside the bricks and mortar of their bank. My strategy is to distribute my funds across a few different banks.

No password sharing minimises the risks, and distribution minimises the impact.

This will not be solved on purpose (1)

samantha (68231) | more than 2 years ago | (#36383290)

But it is not the fault of the banks. Governments around the world, including in the US, are very committed to spying on all of their citizens' networked interactions whenever they wish. Establishing much more perfect security, including near-unbreakable encryption, is the last thing that governments wish to see. So if the banks had much more perfect security software then it would quite likely be illegal to use in most countries. If it has government back doors then it is that much less secure.

It's only a District Court case (2)

DERoss (1919496) | more than 2 years ago | (#36383362)

A decision by a U.S. District Court is not even binding within the same jurisdiction of that court. Yes, other District Court judges might give the decision some weight; but they are not required to do so.

Only when the U.S. Circuit Court of Appeals upholds a decision from a District Court in that circuit does the decision become binding on all the District Courts in that circuit. Even then, the decision is not binding in other circuits. To be binding throughout the U.S. requires a decision from the U.S. Supreme Court.

Even after the Supreme Court decides, similar cases may arise in which Circuit Court judges conclude the Supreme Court was wrong. Then the process starts all over again until the Supreme Court either upholds its prior decision (most likely result) or overturns its own prior decision (rare but not unknown). For the latter case, look at how long (about a half century) it took the Supreme Court to overturn its prior decision that "separate but equal" segregation was legal for public schools. Attempts to get the Supreme Court to overturn Roe vs Wade (abortion) have been unending for decades.

Conclusion: Living in California, I'm not yet worried about a ruling by a District Court in Maine on this issue.

What are banks for? (4, Interesting)

taucross (1330311) | more than 2 years ago | (#36383448)

If banks can't protect our money, and aren't liable when it goes missing, then what are banks for?

Banks need to adopt RSA token keychains 4 everyone (1)

Anonymous Coward | more than 2 years ago | (#36383538)

Why is my world of warcraft account more secure than my bank account with 6 figures in it?