
repeat after me... (1)

bcong (1125705) | about a year and a half ago | (#41924773)

something you know, something you have, and something you are

Re:repeat after me... (2, Funny)

Anonymous Coward | about a year and a half ago | (#41924849)

technology, motivation, stupid

Ugh, captcha: diploma.

Re:repeat after me... (0)

Anonymous Coward | about a year and a half ago | (#41924889)

When a lot of money is involved, you don't want 'something you are' to be biometric.

Imagine if your thumb / palm / eye was worth ten million dollars to someone. In this sort of situation, it's better to implement 'somewhere you are' (especially if that somewhere is somewhere people can look at you and confirm you are you visually).

Humans are always the weakest link when it comes to security.

Re:repeat after me... (5, Interesting)

PPH (736903) | about a year and a half ago | (#41925245)

Imagine if your thumb / palm / eye was worth ten million dollars to someone. In this sort of situation, it's better to implement 'somewhere you are' (especially if that somewhere is somewhere people can look at you and confirm you are you visually).

Not always just you. Some years ago, the local media interviewed a member of Bill Gates' security team. It seems that Bill travels with minimal security. Meanwhile, his family is heavily protected. When asked why, the guard said, "Bill has to be free to visit the bank to make a withdrawal. We need to make sure his family is safe when he does so."

Re:repeat after me... (0)

Anonymous Coward | about a year and a half ago | (#41924919)

The thing that represents you is not the thing that proves who you are.
An identifier is not a shared secret key.

Re:repeat after me... (1, Informative)

dgatwood (11270) | about a year and a half ago | (#41925713)

something you know, something you have, and something you are

The problem is that superficially, a phone looks like a great second factor. You know your password, and you have your phone. Unfortunately, in practice, it is not a second factor at all because the phone is a party to the communication of the first factor (password/PIN), so compromising the phone compromises a second factor implicitly. Fundamentally, no phone can ever be a second factor for authentication purposes, period, so long as it is possible to enter your password or PIN through that phone.

The ability to clone phones is just the icing on the cake. It's the beach ball floating through the gaping hole that nobody noticed previously that calls attention to the flaw in the minds of people who were otherwise not sufficiently security-minded to see it.

Re:repeat after me... (1)

PrimaryConsult (1546585) | about a year and a half ago | (#41926465)

Fundamentally, no phone can ever be a second factor for authentication purposes, period, so long as it is possible to enter your password or PIN through that phone.

Not at all. If you never enter your bank password or pin through the phone in the first place, there is no way a compromised phone will be able to obtain it. I do all of my online banking from a computer, so a second factor being the phone would work fine (unfortunately only the least important of my three banks uses two factor).

Re:repeat after me... (1)

dgatwood (11270) | about a year and a half ago | (#41927101)

Not at all. If you never enter your bank password or pin through the phone in the first place, there is no way a compromised phone will be able to obtain it. I do all of my online banking from a computer, so a second factor being the phone would work fine (unfortunately only the least important of my three banks uses two factor).

Fair point. But that kind of negates the purpose of all the mobile banking apps at that point, which the banks are eager to promote because they think it makes them look more in touch with their customers' needs. Besides, you're basically assuming security-conscious users with that assertion. :-)

Unfortunately, even if we very optimistically estimate the security knowledge of a bank's customers, I doubt that more than 1% would know enough about computer security to understand that a single device cannot safely be used for both purposes. Therefore, it is the banks' responsibility to ensure that it is not possible for them to set up their account in this way. In practice, this probably means that you either have the ability to do banking on the web (and/or with a mobile app) or you allow text messages as a second factor, but not both.

I mean, sure, they could ostensibly disable the use of text messages as a second factor when you first log in with their mobile banking app or using any mobile device to access their website, but the sheer number of hairy edge cases that would cause means that such a design would get very, very complicated very, very quickly.

Re:repeat after me... (1)

Anonymous Coward | about a year and a half ago | (#41928453)

It's the beach ball floating through the gaping hole that nobody noticed previously that calls attention to the flaw in the minds of people who were otherwise not sufficiently security-minded to see it.

It is no such thing.

I've worked on a number of Multi Factor Authentication projects at 2 different Australian banks (1 major, 1 minor) and had numerous in-depth conversations with other banks, and we were well aware of these sorts of issues. If anything, I'm more surprised that this (number porting) hasn't happened more often previously. The main obstacle is that it requires doing a targeted attack (at least on the phone side; you can do a scatter-gun approach on the PC side, and then try and get phone details for the owners of the PCs you successfully infect) and most attacks we see are still broad, but shallow.

I'm even more surprised that we've never detected a combined key-logger + SMS interceptor trojan for a major smartphone OS. From the time phone-based internet banking became popular, we always knew that we had a risk there. So far it's not a risk that has eventuated.

The banks cover the losses of anyone who has money stolen via internet/phone banking (unless they were complicit in the theft). There is clearly still an impact on the customer who has to claim back the money, and live with a shortfall while the claim is investigated and processed, but the actual money being lost is the banks'.

So the banks have every incentive to reduce these thefts, and hire talented and smart people to help devise solutions, but there are 2 obstacles:

  1. It has to be easy and convenient to use, or the customers won't use it (and will go to another bank if you force them to use it). The article talked about physical device tokens, and every bank has them and uses them, but most customers don't particularly like them, and prefer to use SMS.
  2. It has to be cost-effective. The banks suffer a certain amount in losses. Any proposed solution needs to save more than it costs (including intangible costs/savings such as customer satisfaction).

Every project I've been involved with has been well aware that the solutions being employed were not perfect. They never had to be perfect, they just had to reduce the bank's exposure, and they do that very well.

Phone cloning / SIM stealing / number porting requires a co-ordinated, targeted attack. Those are generally not major concerns for the banks. There are other techniques for detecting them, and the losses are relatively small. The number of attacks that use un-targeted or weakly-targeted trojans still greatly exceeds those sorts of targeted attacks, and so that's where the banks still focus their efforts. SMS multi-factor authentication is still a strong mitigator of those risks (although a smartphone trojan could rip it to shreds).

Re:repeat after me... (1)

marcosdumay (620877) | about a year and a half ago | (#41931031)

It's still difficult to understand.

The paper table of codes that is used by some banks is way safer, more reliable, and somewhat cheaper than the SMS code. Also, it is about as easy to use as the SMS code. Yet, lots of banks prefer SMS.

I blame MBAs for that.

Re:repeat after me... (0)

Anonymous Coward | about a year and a half ago | (#41931315)

Paper OTP tables

(a) aren't tied to a single transaction, so their security is arguably weaker. I realise that's a bit strange in a discussion of an article exposing SMS weaknesses, but this isn't a theoretical question: the banks know what sort of attacks they're seeing, and having a code bound to a specific transaction (and having the details of that transaction communicated out-of-band) is helpful to mitigate the specific risks that are prevalent.

(b) aren't generally accepted by Australian consumers. It seems to be a cultural thing, as they're quite successful in some European markets, but the experience in Australia is that customers find them cumbersome and confusing and won't use them. (I don't really understand why; it's not like slipping a piece of paper into your wallet is hard.)

There's certainly some truth to the idea that bankers know nothing about IT security and are prone to making dumb decisions when they try, but in most banks those people have very little control of the security measures in place for online banking. Their input is generally limited to providing feedback about how easy/cumbersome their customers find particular solutions.

The solutions that the banks use are far from perfect, and like all of us, they're prone to accentuate the positives and ignore the negatives. I've lost my share of arguments trying to convince them to go down different paths, but the CEOs and CIOs are not stupid and they're not (typically) putting these decisions in the hands of MBAs.

Australian banks lose millions of dollars to this sort of fraud/theft. They do their research, and they're well aware of solutions that are in place in other banks/countries. You're more than welcome to think that they're picking the wrong options (and in at least some of the cases, I'd agree with you), but it's not due to ignorance or stupidity. It pretty much all comes down to cost-effectiveness and customer acceptance.

This Just In.... (0)

Anonymous Coward | about a year and a half ago | (#41924807)

From the department of No Shit Sherlock!

For those that were not previously aware, banking via email or smartphone is begging to have your account emptied.

Re:This Just In.... (2)

fuzzyfuzzyfungus (1223518) | about a year and a half ago | (#41924997)

From the department of No Shit Sherlock!

For those that were not previously aware, banking via email or smartphone is begging to have your account emptied.

Architecturally, 'smartphone' is pretty much identical to 'pc', possibly more secure in practice. If a phone is 'smart' in any serious sense, it will support the same HTTP+SSL arrangement that you'd use on a computer. SMS, on the other hand, combines the very finest weaknesses of email with those of a direct connection to your local malevolent telco's billing infrastructure...

Re:This Just In.... (1)

Anonymous Coward | about a year and a half ago | (#41925339)

pretty much, possibly, if...

Unfortunately, unlike a PC based browser where we can verify that our channel to the site is encrypted end-to-end, verify the certificate etc, with a smartphone app we can do none of that. With a smartphone app all we can do is hope that they properly used TLS to encrypt our communication and that the app doesn't leak our information to other apps or third party advertisers. We can only hope that our account details are not stored in a local text or log file. We, perhaps foolishly, assume that major bank corp wouldn't be so stupid as to not properly implement a TLS session before connecting us to our online banking and yet, there's no way to tell without sniffing the traffic.

Not surprised... (2)

u.hertlein (111825) | about a year and a half ago | (#41924831)

I'm not at all surprised that the banks here don't follow that advice.
Westpac seems to think that a six digit password (upper-case characters and digits only) is enough for online banking. :-(

Re:Not surprised... (4, Informative)

norpy (1277318) | about a year and a half ago | (#41926133)

They also seem to think that inputting your password with an on-screen HTML keyboard using your mouse will provide *ANY* extra security.

The one thing that I'm happy about is that unlike Commonwealth Bank, they are not integrating Facebook with their online banking system.
Just let that one sink in a little bit.... integrating Facebook with your online banking

Re:Not surprised... (1)

Anonymous Coward | about a year and a half ago | (#41927317)

I once used a credit union where they used an on-screen keyboard that moved a little bit in a random direction each time you clicked on it. I imagine using the mouse would prevent keyloggers from getting your password, and the random movement would prevent logging of the position of the cursor when clicking from being useful.

Use The Right Tool (0)

Anonymous Coward | about a year and a half ago | (#41924847)

Symantec VIP
https://www.symantec.com/verisign/vip-authentication-service

Google Authenticator
http://www.howtogeek.com/121650/how-to-secure-ssh-with-google-authenticators-two-factor-authentication/

Re:Use The Right Tool (2)

Krojack (575051) | about a year and a half ago | (#41925371)

It should be a federal offence to use "Symantec" and "security" in the same paragraph.

Oh guess that would mean I'm going to jail... WOOO free roof over my head with free food!

Re:Use The Right Tool (0)

Anonymous Coward | about a year and a half ago | (#41925843)

You didn't use those words; you mentioned [wikipedia.org] them.

Not surprising (0)

Anonymous Coward | about a year and a half ago | (#41924877)

coming from banks that only allow 6-8 alphanumeric characters and no specials for passwords

Re:Not surprising (1)

PrimaryConsult (1546585) | about a year and a half ago | (#41926525)

How about mandating exactly 6 characters and requiring a number and special character?
I wish there was some place to report piss poor password schemes for banks (BBB?), no amount of my complaining has done it, not even informing them that they are strictly my "just enough to use the ATM every week" bank, and my real money is elsewhere...

These banks require customers to have cellphones? (1)

John Hasler (414242) | about a year and a half ago | (#41925063)

n/t

Re:These banks require customers to have cellphone (0)

Anonymous Coward | about a year and a half ago | (#41925291)

Where I live, more people have cellphones than homekeys.

As far as banking security is concerned, my bank does use SMSes to verify large transactions. You confirm the transaction normally on the computer, but the final commit is postponed until a simple handshake is completed using a cell phone.

The main point of this SMS scheme is to cover the case where your computer has been hijacked. You are entering the right codes but unknowingly are confirming a different transaction. The SMS contains the transaction seen by the bank. You can then check that the recipient and sum match what you had entered on the computer.

The problem is the customer misinterprets the SMS as a secondary authentication. No, the computer transaction already authenticated you. Because of the misinterpretation, the customer is prone to just blindly wave the transaction through without checking the recipient account number. Well, at least the customer had a chance to intervene...
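The scheme described in this post, and the point made earlier in the thread that a code bound to a specific transaction is worth more than a free-floating one, as an added example in Go that is not from the original thread or any bank's code. The key, account numbers and amounts are constructed for the demo; the code is an HMAC over the transaction the bank actually holds, so a code issued (or phished) for one transfer cannot confirm a different one, and the SMS text echoes the bank's view of the transfer for the customer to check.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Transaction is the transfer as the bank received it from the online-banking
// session. If the customer's PC is compromised this may differ from what the
// customer typed, so the SMS reports these fields, not the customer's own input.
type Transaction struct {
	FromAccount string
	ToAccount   string
	AmountCents int64
	Nonce       string // fresh per submission so a code cannot be replayed later
}

// DemoKey is a constructed server-side key for this example only. A real
// deployment keeps it in an HSM or key store and never sends it to clients.
var DemoKey = []byte("constructed-demo-key-do-not-reuse")

// canonical serialises exactly the fields the customer is asked to check.
// Any change to recipient, amount or nonce yields a different code.
func canonical(t Transaction) []byte {
	return []byte(fmt.Sprintf("%s|%s|%d|%s", t.FromAccount, t.ToAccount, t.AmountCents, t.Nonce))
}

// ConfirmationCode derives a six-digit code from the transaction with a keyed
// MAC, using HOTP-style dynamic truncation of HMAC-SHA256.
func ConfirmationCode(key []byte, t Transaction) string {
	mac := hmac.New(sha256.New, key)
	mac.Write(canonical(t))
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	v := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", v%1000000)
}

// SMSText is the out-of-band message: it states the transaction the bank holds
// so the customer can compare recipient and amount before entering the code.
func SMSText(key []byte, t Transaction) string {
	return fmt.Sprintf("Transfer $%d.%02d to %s? Code %s",
		t.AmountCents/100, t.AmountCents%100, t.ToAccount, ConfirmationCode(key, t))
}

// Verify accepts a code only for the pending transaction it was issued for,
// comparing in constant time.
func Verify(key []byte, pending Transaction, entered string) bool {
	return hmac.Equal([]byte(ConfirmationCode(key, pending)), []byte(entered))
}

func main() {
	intended := Transaction{"12-3456", "98-7654", 25000, "n1"}
	// Constructed scenario: a hijacked browser session swaps recipient and amount.
	tampered := intended
	tampered.ToAccount = "55-5555"
	tampered.AmountCents = 990000
	tampered.Nonce = "n2"

	// The customer reading this SMS sees the wrong recipient and declines.
	fmt.Println("SMS for what the bank actually received:", SMSText(DemoKey, tampered))

	// A code phished for the intended transfer is useless for the tampered one.
	phished := ConfirmationCode(DemoKey, intended)
	fmt.Println("phished code accepted for tampered transfer?", Verify(DemoKey, tampered, phished))
	fmt.Println("correct code accepted for intended transfer?", Verify(DemoKey, intended, phished))
}
```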

Re:These banks require customers to have cellphone (2)

mlts (1038732) | about a year and a half ago | (#41925515)

The best answer to this was IBM's ZTIC. The ZTIC is a simple device, and the KISS principle is important when it comes to security.

You plug it into a USB port, it authenticates and has a direct secure channel to the bank regardless of how compromised the computer it is plugged into might be.

Then, when you do a bank transaction, the ZTIC will pop up a display confirming the transaction, the parties involved, the direction, the time, and the amount. A transfer of a complete bank account to Nigeria is fairly obvious unless someone just blindly hits the "approve" button like the guy on the Drivetime commercial.

The worst malware can do is cut the path between the ZTIC and the bank's computers which means the transaction doesn't get confirmed and thus doesn't happen.

Re:These banks require customers to have cellphone (0)

Anonymous Coward | about a year and a half ago | (#41925865)

My bank went for a similar device. Trouble was, it wasn't supported by Linux. Even a Windows computer would have required a proprietary driver and application. I will trust my money to the bank, but I sure as hell won't trust the bank enough to install their software on my computer. Had to switch banks.

Is ZTIC supported by Fedora out of the box?

Re:These banks require customers to have cellphone (1)

mlts (1038732) | about a year and a half ago | (#41926409)

I wish I knew... I assume that it would be Linux friendly.

What would be ideal is a ZTIC-like device as one offering, but if it requires a driver, perhaps an app for a smartphone that uses OpenPGP packets over MMS might be passable. Since the app would use the phone's IP stack to communicate, it would be fairly secure, barring a compromise of the device.

Plus, since the app is only communicating with the bank, it could have the fingerprints of any public keys built in, so a compromised CA would have zero effect on the communications channel.

Re:These banks require customers to have cellphone (0)

Anonymous Coward | about a year and a half ago | (#41928505)

The problem is the customer misinterprets the SMS as a secondary authentication.

I don't know where you live, but I can say definitively(*) that (most, and probably all of) the Australian Banks do consider it as secondary authentication.
Most of them see the out-of-band transaction confirmation as an added benefit rather than the primary goal.

(*) I helped design these systems for 2 banks, and the projects were always referred to as Two/Multi-Factor-Authentication projects.

Re:These banks require customers to have cellphone (0)

Anonymous Coward | about a year and a half ago | (#41953041)

Two InfoSec pros post as anons... there's a joke in that.

There's no joke in the fact that the two factor is using pre-broken algorithms and is only usually offered to business customers.

Re:These banks require customers to have cellphone (1)

mjwx (966435) | about a year and a half ago | (#41929163)

No, you have the option of using a mobile telephone (no, like the rest of the world we don't call them "cell" phones) or can opt for the other method (either a one time pad or RSA token depending on the bank).

OpenPGP + SMS perhaps? (3, Insightful)

mlts (1038732) | about a year and a half ago | (#41925251)

It would be nice if one could add a standardized encryption/signing layer on top of MMS (or SMS if one stitched together multiple messages.) That way, an app from the bank could look at incoming messages, verify they were genuine (regardless of what the phone number states), decrypt them with the user's key, and pass the authentication info to the user.

Fake SMS attempts would be detected/ignored, and an attacker able to get access to text messages wouldn't have the ability to decode them unless they also had access to the phone and the app's private key (which would be unique and generated on each device.)
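The signing half of this proposal, together with the pinned-fingerprint idea from the earlier ZTIC reply, as an added Go example that is not from the original thread or any bank app. Keys, numbers and message texts are constructed for the demo; the app decides authenticity from an Ed25519 signature checked against a key it pins by fingerprint, so the sender number the telco reports is irrelevant, and a replayed notice is rejected. Encryption of the payload to a per-device key is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Notification is a bank notice as the phone app would receive it over SMS/MMS:
// the sender number the telco reports (attacker-controllable, never trusted)
// plus a payload the bank signed and its signature.
type Notification struct {
	SenderNumber string
	Payload      []byte
	Signature    []byte
}

// Fingerprint is the SHA-256 of the bank's public signing key. The app ships
// with this value built in (pinned), so no CA is involved in trusting the key.
func Fingerprint(pk ed25519.PublicKey) string {
	h := sha256.Sum256(pk)
	return hex.EncodeToString(h[:])
}

// BankApp verifies notices against the pinned key and rejects replays.
type BankApp struct {
	bankKey ed25519.PublicKey
	seen    map[[32]byte]bool // hashes of payloads already accepted
}

// NewBankApp accepts a key only if it matches the fingerprint compiled in.
func NewBankApp(pk ed25519.PublicKey, pinned string) (*BankApp, error) {
	if Fingerprint(pk) != pinned {
		return nil, errors.New("bank key does not match pinned fingerprint")
	}
	return &BankApp{bankKey: pk, seen: map[[32]byte]bool{}}, nil
}

// Accept returns the authenticated text of a notice, or an error. The sender
// number plays no part: a valid signature from an unknown number is genuine,
// and an invalid one from the bank's own number is a forgery.
func (a *BankApp) Accept(n Notification) (string, error) {
	if !ed25519.Verify(a.bankKey, n.Payload, n.Signature) {
		return "", fmt.Errorf("bad signature on notice from %s: ignored", n.SenderNumber)
	}
	id := sha256.Sum256(n.Payload)
	if a.seen[id] {
		return "", errors.New("replayed notice: ignored")
	}
	a.seen[id] = true
	return string(n.Payload), nil
}

// BankSign is the bank-side step: sign the notice text with the private key.
func BankSign(priv ed25519.PrivateKey, from, text string) Notification {
	return Notification{SenderNumber: from, Payload: []byte(text), Signature: ed25519.Sign(priv, []byte(text))}
}

func main() {
	// Constructed keys for the demo; a real app pins the bank's published fingerprint.
	bankPub, bankPriv, _ := ed25519.GenerateKey(nil)
	_, attackerPriv, _ := ed25519.GenerateKey(nil)
	app, err := NewBankApp(bankPub, Fingerprint(bankPub))
	if err != nil {
		panic(err)
	}
	// Spoofed sender number, but signed with a key the app has not pinned: rejected.
	forged := BankSign(attackerPriv, "+61400000000", "Confirm $9900.00 to 55-5555, ref n2")
	fmt.Println(app.Accept(forged))
	// Genuine signature arriving from an unexpected number: accepted once.
	genuine := BankSign(bankPriv, "+61499999999", "Confirm $250.00 to 98-7654, ref n1")
	fmt.Println(app.Accept(genuine))
	// The same notice delivered again is a replay.
	fmt.Println(app.Accept(genuine))
}
```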

Someone transferred her number and she didn't notic (1)

citizenr (871508) | about a year and a half ago | (#41925663)

Someone transferred her number and she didn't notice? And she runs a business?
Not getting any calls wasn't clue enough?

Re:Someone transferred her number and she didn't no (3, Insightful)

SpazmodeusG (1334705) | about a year and a half ago | (#41926281)

Hell, not just that. SMS is one small step of internet banking. You still need the bank's userID and password to log into online banking before you even make use of the SMS transaction confirmations. There are also a lot of requirements for number porting as it is too: accountID and details with the old provider, and there are SMS notices sent when the porting is attempted too.

So this woman was socially engineered out of the following: her real name, address and DOB (fair enough, this is publicly available), her old mobile provider's details and accountID (did someone go through her bin?), her bank's clientID and password (did she fall for a fake bank email?), she didn't notice the SMS announcements that she'd be ported to a new provider next month (wtf?) and finally she didn't notice a lack of calls coming in.

At some point you have to say fuck it, there's no way to protect people like this. Even if it was made more difficult to port numbers she's clearly stupid enough to give away any and all information asked of her.

They just want to stop number porting (5, Insightful)

SpazmodeusG (1334705) | about a year and a half ago | (#41925783)

Secure Computing and iTnews.com.au have led a campaign to convince Australia's telcos to include extra security questions during the mobile phone number porting process to ensure fraudsters can't take control of a victim's phone number to gain access to SMS verification codes.

Let me guess. Secure Computing and iTnews.com.au work closely with Telstra and Optus right?

Here in Australia, thanks to consumer protection legislation, changing mobile providers is a breeze. You ring up the provider you wish to change to and you ask to be ported. They send you an SMS and ask your personal details and old provider's account number and then switch you over. It's both secure and easy (they need your phone number, old provider details and personal details to switch you over). You're now with another provider. You don't need to cancel with your old provider; they do that for you. Your number stays the same. The two biggest Telcos (Telstra and Optus) hate it as there's no lock-in. They have to compete on price and service.

So Telstra and Optus lobby hard to ban number porting. They make up bullshit such as "OMG allowing people to switch phone providers is dangerous!!!!". They get their friends in the media to chant the same thing. "Ban number porting!!!"

The reality is that the banks don't use SMS confirmations for anything more than a 3rd layer of security. They don't ask you to transmit anything over the SMS service; it's simply used by them to send you a message that a transaction is taking place along with a key that you have to type into online banking (after logging in securely) to allow that transaction to proceed. Essentially it's traditional "login over https" style banking with an extra layer of SMS notifications when you do transactions. It doesn't need the SMS security itself to be bomb-proof as that's just the last step.

So all this talk of restricting number porting is ridiculous. Good on the Communications Alliance (who are mostly made up of smaller Telcos that like number porting) for not bowing to the pressure and bullshit spouted here by iTnews.com.au. It really isn't an issue; in fact I think other countries should adopt similar consumer protection laws where switching providers whilst retaining the old mobile number is a breeze.

Re:They just want to stop number porting (1)

PCM2 (4486) | about a year and a half ago | (#41931193)

So all this talk of restricting number porting is ridiculous. Good on the Communications Alliance (who are mostly made up of smaller Telcos that like number porting) for not bowing to the pressure and bullshit spouted here by iTnews.com.au. It really isn't an issue; in fact I think other countries should adopt similar consumer protection laws where switching providers whilst retaining the old mobile number is a breeze.

I don't know if switching mobile providers and keeping the same number is "a breeze" in the US, but I've done it a few times. You can even switch from a landline to a mobile phone and keep your same number, in many cases. There are no fees involved, unless you break a contract.

That said, there definitely is something fishy about this story. Do a Google search for "mobile phone porting fraud" and most of the results you get back are from .au domains. I don't know if that points to a misguided media (or marketing) campaign, like you suggest, or maybe there's a weakness in the number porting procedure in Australia that doesn't exist in other countries?

Social Engineering (1)

kamikaze_late2party (1881438) | about a year and a half ago | (#41926001)

This seems more a case of social engineering than exploiting the lack of SMS security.

The main issue as I see it is that Vodafone ported over the number to a new phone while talking to an unverified person. They may have verified him, but only with some weak details that were publicly available.

/. always reaches for the tech solution first.

Obligatory - http://xkcd.com/538/ [xkcd.com]

I guess it takes longer... (1)

mschaffer (97223) | about a year and a half ago | (#41926415)

I guess it takes longer for some obvious things to sink in down under. SMS insecure? Never heard that before. (ROFL)

Re:I guess it takes longer... (0)

Anonymous Coward | about a year and a half ago | (#41928027)

I guess it takes longer to RTFA and the comments. It's about porting your number to a different provider, and not really about banking which is quite secure 'down here'. How easy is porting your number where you live?

Banks at fault? (WHISTLE BLOW) (0)

Anonymous Coward | about a year and a half ago | (#41952951)

So if I can't keep up with who has my current phone number, it's the vendor at fault? The fact they all have multiple databases that they can't keep continuity between is their fault; swapping phones and not updating my number is my fault. Let's criticise them for REAL failures in Information Security.

Westpac doesn't allow you to use the clipboard on their complaints page, yet claims on Twitter it is to enhance security... you can copy/paste into the loan application and login pages. I'm glad secure complaints are more important than secure logins. Additionally Westpac allows known-to-be-skimmed cards to continue to be used (albeit not via SOME online vendors) and will occasionally acknowledge that refunds/card replacements are their only real security plan.

NAB have scripted their site so PDF delivery will only work/be available if you are using Adobe products; otherwise it will default to plain text files. When challenged they concede that it's "too complicated" to explain to a highly qualified IT professional why this is, or to pass on the workaround which they informed the customer they have in their knowledge base. Apparently security via obscurity is acceptable in the banking sector.

Commonwealth Bank - has only fairly recently realised criminal history / background checks for your contractors are actually a legal requirement (or was it the third party who was missing those checks), and oh my - look at all that "security".
