
Banks to Use 2-factor Authentication by End of 2006

samzenpus posted about 9 years ago | from the proof-positive dept.


Evil Grinn writes "As reported on Yahoo and elsewhere the Federal Financial Institutions Examination Council (FFIEC) has given a deadline of end-of-year 2006 for U.S. banks to implement two factor authentication."


One more damn thing to carry around (4, Insightful)

DrRobert (179090) | about 9 years ago | (#13831905)

I am really sick of all the convenient things in life suddenly becoming too cumbersome to use. I would really, really hate to have a hard token to carry around. It has so many bad features:
1. I have to carry it around
2. I may lose it
3. It will probably break
4. Its code could be duped

Too little security, too much inconvenience

Re:One more damn thing to carry around (1)

DrRobert (179090) | about 9 years ago | (#13831918)

Good gosh, I can't type... sorry..

Re:One more damn thing to carry around (4, Insightful)

ScentCone (795499) | about 9 years ago | (#13831920)

Too little security, too much inconvenience

But I'm betting you wouldn't sign a waiver relieving them of liability if you opt out of using their T-FA...

Re:One more damn thing to carry around (5, Insightful)

LordPhantom (763327) | about 9 years ago | (#13831952)

Isn't that like, say, carrying around an ATM card like we do right now? Sure, a "souped-up" ATM card if it had a rotating PIN, but still an ATM card nonetheless - how is this -more- difficult than what we do now? I usually have my wallet handy somewhere, so is it really that big a deal?

Re:One more damn thing to carry around (1)

DrRobert (179090) | about 9 years ago | (#13831971)

That's what Winn-Dixie said when they implemented their grocery store discount card... and Petsmart, and BiLo, and Waldens, and MediaPlay, and Kroger, and Sams. I have a stack of cards 2 inches thick.

Re:One more damn thing to carry around (1)

LordPhantom (763327) | about 9 years ago | (#13831975)

Wrong - if you use a bank, 99% chances are you -already- have an ATM card. Nothing new at all. Comparing token auths that are built into a card to your local grocer's attempt to monitor what you buy is more than a little ignorant.

Re:One more damn thing to carry around (1)

DrRobert (179090) | about 9 years ago | (#13832022)

Not ignorant. It's not what the card does that is important, it's the implication in the article that everyone would want to conduct electronic business this way. Then you have a stack of tokens or you subject yourself to some centralized data scheme.

Re:One more damn thing to carry around (4, Insightful)

Tumbleweed (3706) | about 9 years ago | (#13832042)

how is this -more- difficult than what we do now

What, you have a magnetic-strip card reader attached to your computer? Sure, no problem - we'll just mandate that all computers that want to access a bank online have to have one, or whatever hardware doohickey they decide to require.

THAT's the real problem with this proposal. Much like extending Daylight Savings Time, politicians have no idea what impact this has on the real world - programmers that have to code this stuff, and in this really BAD case, new hardware that even the end user is required to now purchase.


Re:One more damn thing to carry around (1)

Lorean (756656) | about 9 years ago | (#13832353)

No, you can have a card you carry around with a pseudo-random number generator, and a screen that displays a new number every 5 minutes. You then have a remote computer have the same number generator. Keeping this card safe isn't any more difficult than looking after your keys.

And it won't work. (3, Insightful)

khasim (1285) | about 9 years ago | (#13832015)

Because BOTH methods of identification will be travelling over the SAME channel (your Internet connection), this will still be subject to man-in-the-middle attacks.

But because it will be a cool "encryption" key, people will not know that they aren't "secure".

The only way to improve the security is to use a different channel (example: the bank calls your phone to have you verify the transaction)
The site relays the information to you using your IP address as part of the encryption (this won't work with NAT/PAT/Masquerading, but will be feasible with IPv6).

Re:And it won't work. (1)

daniel de graaf (771021) | about 9 years ago | (#13832129)

Even with IPv6, one can still perform a man-in-the-middle without modifying the IP. The only good way to prevent man-in-the-middle is to use the SSL certificates and get people not to enter their info when the invalid certificate dialog pops up.

Calling you may be a good idea, perhaps only for larger transactions because it might be a nuisance.

SSL can be "correct" and still be fake. (1)

khasim (1285) | about 9 years ago | (#13832173)

I can get an SSL certificate to (change "Bank" to your bank's name). So no pop-up will kick in. But the site will not be what the user thinks it is.

With IPv6, the bank would send you a random 512 digit number, encrypted with your password+IP_address. Since the man-in-the-middle would not have the same IP address as you, or your password, he would not be able to use that connection for his own transactions.

But a trojan key-logger would still be able to collect your keystrokes and defeat it. In order to defeat keyloggers AND man-in-the-middle attacks, you need to use an entirely different channel, pre-configured, to validate the transaction.

Or use the above IPv6 scenario with the key fob to prevent the key-logger from capturing your password.

Re:SSL can be "correct" and still be fake. (1)

Trigun (685027) | about 9 years ago | (#13832206)

We trust that the Certification Authorities would not sign that certificate. That's what you pay them for. Trust. Ideally, you would have to steal the cert from the banks computers, and then the CA would revoke it once someone found out.

But that's ideally. And that's why I don't trust SSL certs.

Re:SSL can be "correct" and still be fake. (1)

daniel de graaf (771021) | about 9 years ago | (#13832248)

Some types of man in the middle do not need to modify either IP, so any authentication based on IP is useless for them.

For the attacks that need to modify the IP, if the hacker is proxying the connection, he can modify the HTML+Javascript+whatever that it runs on, changing it to use his IP instead of yours.

A solution to the problem is to have banks use only their main domain name for transactions and to have the users bookmark the bank's https site. Have the domain on the key fob too.

I agree, the only way to prevent a trojaned computer is to use a side channel authorization, which preferably tells the customer "You are planning to transfer $20,000 to bank account 123456 at the Bank of Nigeria" before asking for their approval.

Re:And it won't work. (1)

DangerTenor (104151) | about 9 years ago | (#13832163)

NO! If a PKI-based solution, or even a shared secret (i.e. SecurID) is used, there is no danger of man-in-the-middle attacks. A simple SSL connection will prevent man-in-the-middle concerns. This comment is FUD at its best.

I'll go back to writing checks (0)

Anonymous Coward | about 9 years ago | (#13832064)

I am tired of things getting worse or more difficult for my "safety" or even worse my "convenience". It's like restaurants that change their menus. It's never an improvement.

Wikipedia - TROLLS! TO BATTLE! (-1, Troll)

Anonymous Coward | about 9 years ago | (#13832065)

Come on d00dz! Trolls, RALLY TO MY CALL! Deface this article on Wikipedia! Prove that Slashdot wins the day!

Re:One more damn thing to carry around (3, Funny)

Anonymous Coward | about 9 years ago | (#13832114)

Man, I remember back in the day we had to physically visit the bank between 9am and 5pm on a Monday thru Friday and carry around a little green savings book if we wanted money from our accounts. Get this... When I got paid by my employer, I had to go to that same bank during those same hours and deposit the check in my account through my teller and I had to have that green book with me. At one point, that bank put an odd looking hole in the wall with a big heavy metal door. I think it was called a "night deposit box". Me and the other guys would never put our checks for deposit in that thing, how safe could that really be and no one around to give a receipt or fill in my little green book. Did I mention the trip to my bank was uphill both ways?

IF this comes to pass (1)

Simonetta (207550) | about 9 years ago | (#13832164)

Just because the banking overseers and some bankers agree that this measure could reduce identity theft, it doesn't follow that this two-level ID system will actually come into wide usage. Sure they passed a regulation mandating it at a time in the future.
But this mandate can be quietly suspended, extended, or amended when it becomes apparent to the people who live in the real world how difficult it would actually be to get working.

But even if it does come to pass, and you do have to put your eyeball up against a laser to get $30 cash from your ATM, you can always take your money out of the idiot bank and put it into another one that doesn't impose such draconian madness. Like a bank that is outside the USA. If you had put most of your money in a Canadian bank last year, your money would be worth 35% more given the rise in the Canadian dollar to the American dollar.

Need cash? Then use a PayPal debit card that is linked to your Canadian bank account. Have your paychecks automatically deposited into your Canadian bank account. Have a local bank account that is for check writing only and doesn't require invasive biometrics to access.

It doesn't hurt to get some money out of the USA. With the USA being the world's biggest debtor nation, the entire world hating the USA, and new alternatives like the Euro available as a benchmark global currency, it's not as if the US dollar is going to be rising in value against the other major currencies. And the rise of inexpensive global communications networks and accessible easy-to-use private-bank international debit cards like the PayPal card makes all the financial transaction work nearly transparent. Fuck the little corner bank and their eyeball machine!

Re:One more damn thing to carry around (1)

niteskunk (886685) | about 9 years ago | (#13832340)

Have you ever seen RSA SecurID tokens? They're tiny, and will fit right on your keychain...that eliminates the problem of you losing it (unless you lose your keys).

Referring to your comment that the code could be duped...SecurID keys change once every 60 seconds. It generates 6 numbers (IIRC). What are the chances of an attacker guessing that particular number in one minute?

I don't know about you, but if I had access to a powerful account on an important system, I'd have a lot more peace of mind with two-factor authentication.

Re:One more damn thing to carry around (1)

CastrTroy (595695) | about 9 years ago | (#13832430)

Most of the problems with internet banking deal with phishing emails that tell people to go to some random site, and type in their credentials. If you got someone to type in their card number + password + SecurID token, this could then be instantly forwarded to the bank's website, and could log in to the website. This would not only break the security, but provide an automated means of checking the accuracy of the information. Once you get a session at the bank website, you can use it for quite a while. It doesn't really provide that much more security, for those that are willing to be ignorant about giving out personal information.

good idea, in my opinion. (4, Informative)

yagu (721525) | about 9 years ago | (#13831906)

I would embrace T-FA. I have never (as far as I know) been victim of identity theft, or fraud and for that I'm grateful. But for modest investment and great added peace of mind, I look forward to this.

Ironically, in the slashdot article reference to T-FA, the wikipedia gives as a downside to T-FA:

..., According to proponents, T-FA could drastically reduce the incidence of online identity theft, and other online fraud, because the victim's password would no longer be enough to give a thief access to their information. On the other hand, opponents argue that, (among other things) should a thief have access to your computer, he can boot-up in such a way as to bypass the physical authentication processes, scan your system for all passwords and enter the data manually, thus - at least in this situation - making T-FA no more secure than the use of a password alone....

I think this actually strengthens still does not ensure the intruder has access to one of the two pieces (something you know, and something you have).

Too, how many (documented) massive identity theft rings are of the "gaining access to personal computers" ilk? None that I can think of.

For a little more work or inconvenience, I think this adds much security.

Re:good idea, in my opinion. (2, Funny)

yotto (590067) | about 9 years ago | (#13831958)

Does this mean slashdotters can tell their bank to read TFA?

Yes (0)

Anonymous Coward | about 9 years ago | (#13832034)


Re:good idea, in my opinion. (0)

Don_Casper (923158) | about 9 years ago | (#13831993)

Too, how many (documented) massive identity theft rings are of the "gaining access to personal computers" ilk? None that I can think of.

Stealing a laptop isn't that hard, and it's not like all identity theft is conducted by rings

Re:good idea, in my opinion. (2, Interesting)

Quizme2000 (323961) | about 9 years ago | (#13832056)

Great, when I got mugged before they just wanted my wallet. Now they'll want my left index finger too.

This is another in a long series of laws/policy that serves the "It sounds like we should do this" crowd. Read through the BS and it's the insurance (FDIC in the US) behind the banks pushing policy. It does nothing to protect the identity/credit of consumers.

Re:good idea, in my opinion. (5, Informative)

hazem (472289) | about 9 years ago | (#13832071)

I have never (as far as I know) been victim of identity theft, or fraud and for that I'm grateful.

If you want to keep it that way, the best thing you can do is commit a little fraud.

File a police report (this is the fraud part) saying something like you were on mass transit, carrying copies of your tax returns. You set them down, and then when you turned around, they were gone. "someone took them"

With this police report, file for a permanent fraud alert on your credit reports (all 3). This will almost immediately stop all credit card offers and will prevent someone from being able to open instant-credit in your name. You can still get credit, but it takes a little more time and takes a little more proof of who you are.

The sad thing is that to get this "opt-out" in the credit-reporting system, you have to commit a crime. Without doing so, you can only get a 3-month "opt-out". Lovely country it is where we have to commit crimes to protect ourselves from crime.

Not a good idea for banks, but still a good idea (1)

temojen (678985) | about 9 years ago | (#13832084)

This will almost certainly lock Linux/BSD users out of online banking, and probably will lock out Mac users too.

Banks could much more portably just start requiring signed client certificates. For windows users they could be stored on a USB keyfob instead of the HDD for slightly better security. Users of other systems could set it up that way if they wanted, but implementation on FreeBSD or whathaveyou would be left to the client.

It is a good idea for host login, though. CF the article in the November 2005 issue in Linux Journal, and this thread on the gentoo forums (and my journal post from yesterday too).

Re:Not a good idea for banks, but still a good ide (1)

Tony Hoyle (11698) | about 9 years ago | (#13832230)

Not at all... SecurID works for example by a challenge/response system typed in on the keyboard. Last I heard linux supported keyboards out of the box :)

Client certificates are just too hard to manage for most people.

Re:good idea, in my opinion. (0)

Anonymous Coward | about 9 years ago | (#13832209)

"Too, how many (documented) massive identity theft rings are of the "gaining access to personal computers" ilk? None that I can think of."

Like the several hundred thousand strong botnets?
Give it a day, maybe two.

Re:good idea, in my opinion. (1)

underworld (135618) | about 9 years ago | (#13832394)

am I the only one who had to read this comment multiple times before realizing T-FA is Two Factor Auth, not The F*'ing Article ... ;-)

Security or Laziness? (1)

PopeOptimusPrime (875888) | about 9 years ago | (#13831911)

No matter how secure internet banking is, I'll always feel most comfortable physically handing my money to a teller and getting a familiar yellow receipt.

Re:Security or Laziness? (4, Funny)

erick99 (743982) | about 9 years ago | (#13831929)

And then driving home in your horse and buggy?

Re:Security or Laziness? (1)

DrRobert (179090) | about 9 years ago | (#13831951)

The only time I have ever had money stolen from my account was when someone looked over my shoulder at the teller window. When I left, they filled out a counter check for $700 with my account number and the teller gave them the money. Fortunately I happened to check the web page 30min later and saw the withdrawal. After two weeks of dealing with... humans... I got my money back.

My bank already does this (4, Funny)

thewils (463314) | about 9 years ago | (#13831914)

At least so they said in that email they sent me...

Which means (0, Flamebait)

coredump-0x00001 (922856) | about 9 years ago | (#13831923)

Cracking your bank password will now take twice the time.

Great, if they keep it compatible (4, Interesting)

Kelson (129150) | about 9 years ago | (#13831924)

Sounds great, as long as they don't take the opportunity to lock out their actual customers.

Good ideas:

  • Hardware that doesn't actually need to be plugged into the computer (such as the token with constantly-changing access codes)
  • Hardware dongle that plugs into the USB port and talks to the computer using standard USB protocols

Bad ideas:

  • Hardware dongle that requires you to install drivers. Even if they commit to producing cross-platform drivers, there's always going to be some obscure platform that they didn't think was worth implementing. (See today's article on the lack of 64-bit Flash for an example of why this is an issue.)
  • Smart cards for the next few years, until readers are as ubiquitous as USB is today. Lots of computers still ship without memory card readers, and I shouldn't be forced to buy one to do something I can already do without it. (In my case I'm just stubborn, but you can bet there will be people for whom the money to buy a card reader is money that they'd rather spend on, say, food for that week.)

Bottom line: These are average people on home PCs, not corporate desktops where they can dictate the hardware/OS config, and anything that takes too much time/effort/skill/cash to install is going to be prohibitive. If banks keep that in mind, this should work. If not, they'll find a sharp drop in use of their online services.

Re:Great, if they keep it compatible (1)

Professor_UNIX (867045) | about 9 years ago | (#13831947)

I think the executives at RSA Security just all simultaneously ejaculated upon hearing this news. They'll no doubt be pushing their SecurID solution very heavily.

Re:Great, if they keep it compatible (1)

Guildencrantz (234779) | about 9 years ago | (#13832012)

Anything that has to be connected to the device is a Bad Idea®. What if I want to connect through my Treo (or other device lacking the necessary input port)? Not to mention the fact that even if a USB device uses standard protocols there has to be some software to verify against the device; I don't care how standardized the protocols are BeOS and Amiga aren't likely to have the implementations on launch.

A dongle with variable authentication key that can simply be entered manually is likely to be the most feasible solution.

Re:Great, if they keep it compatible (1)

krakit (809111) | about 9 years ago | (#13832109)

Let's say I have accounts in three different banks. So does that mean that I'll be carrying three hardware tokens!!! That is a lot of baggage.

Re:Great, if they keep it compatible (1)

buck_wild (447801) | about 9 years ago | (#13832121)

Don't forget an additional 'dongle' for each credit card, because chances are good that they're going to be adopting this soon after. I'm gonna need a wagon.

Compatible to banks and platforms and locations! (1)

toccoa (206164) | about 9 years ago | (#13832201)

1) With two banks and four non-bank financial firms, I DO NOT want 6 dongles.

2) I want to be able to use PC, Mac or Treo

3) I want to be able to travel - the suggestion to look at IP location was moronic!!!! I want to be able to access bill pay and balances when I am travelling for business or pleasure

Re:Great, if they keep it compatible (0)

Anonymous Coward | about 9 years ago | (#13832425)

I would add USB dongle to the list of bad ideas. Why? Because of the client software requirements. Unless a standard device is created which all browsers support in some fashion, people will have to use a client application to poll the device. Which means the banks will have to develop client software and support / maintain it. I would much rather a world where the only client software I need is my browser, and I can hop onto any machine, with any browser to check my balance and initiate a transaction. (and no I don't trust any old kiosk that might have a key logger)

Two's better than one (-1, Redundant)

Anonymous Coward | about 9 years ago | (#13831942)

... Right?

Re:Two's better than one (0)

Anonymous Coward | about 9 years ago | (#13832113)

When did we switch the subject to women?

Second factor Windows-only? (5, Insightful)

Anonymous Coward | about 9 years ago | (#13831959)

And what are the chances that the second factor (USB tokens or fingerprint readers, most likely) will have drivers for minority operating systems? I use Linux as my only operating system. Until now, I had no problems accessing my bank account or my credit cards online. Now, I fear I may have to start visiting the bank branch in person...

The reason for my suspicion is that I used USB dongles for some expensive, proprietary software at my workplace, and on a whim I looked around for Linux drivers for the thing. Turns out that the manufacturer only supports Windows 2000 and XP, and no third-party drivers for other OS's exist.

Re:Second factor Windows-only? (1)

McGiraf (196030) | about 9 years ago | (#13832025)

I used USB dongles for some expensive, proprietary software at my workplace, and on a whim I looked around for Linux drivers for the thing. Turns out that the manufacturer only supports Windows 2000 and XP, and no third-party drivers for other OS's exist.

And the proprietary software supported more OS's than the dongle to use it???
Hum ...

Re:Second factor Windows-only? (1)

TykeClone (668449) | about 9 years ago | (#13832048)

No problem - the FFIEC isn't so sure about open source software either: FFIEC Guidance on open source software

Re:Second factor Windows-only? (3, Insightful)

DangerTenor (104151) | about 9 years ago | (#13832140)

The most popular second-factor token is the SecurID by RSA. It is a device which generates pseudo-random numbers every 60 seconds. This would be the easy solution for any bank interested in a cross-platform solution with no driver support to worry about.

That said, I hate the SecurID. I'm a much bigger fan of PKI-based solutions, because of all the other things you can get along with it (secure email, secure transactions, strong authentication, persistent digital signature and encryption) for almost no additional cost. However, I'd understand if organizations went the SecurID route to save money not having to support something that didn't work well in multiple platforms.
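The rotating-number card Lorean describes, the 60-second six-digit SecurID mentioned in this and niteskunk's comment, and de Graaf's point that a side channel should name the transfer being approved, worked through as one added example (Python; not from any commenter, from RSA, or from any bank): a bank-side verifier that accepts a time code within a one-step clock-drift window, refuses a replayed code, locks the account after a few wrong guesses (which is what keeps a 6-digit code unguessable in one minute), and binds a confirmation code to the amount and destination so a code phished for one transfer cannot approve a different one. The seed, step length, digit count, and limits are constructed assumptions, not any vendor's parameters.

```python
import hashlib
import hmac
import struct

# Constructed demo seed shared by the token and the bank; not a real credential.
DEMO_SEED = b"constructed-demo-seed-not-a-real-token"
STEP_SECONDS = 60   # token rolls to a new code every 60 seconds (assumed)
DIGITS = 6          # six-digit display (assumed)
DRIFT_STEPS = 1     # accept one step either side to absorb clock drift
MAX_FAILURES = 5    # lock after this many wrong codes; guessing a 6-digit code
                    # only stays hopeless if the attacker gets very few tries


def truncate(mac: bytes, digits: int) -> str:
    """HOTP-style dynamic truncation: take 31 bits out of the MAC, keep `digits` decimal digits."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def time_code(seed: bytes, counter: int) -> str:
    """Code the token shows during time step `counter`; the bank computes the same value."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    return truncate(mac, DIGITS)


def transaction_code(seed: bytes, counter: int, amount_cents: int, dest_account: str) -> str:
    """Code bound to the transfer being approved: amount and destination go into the MAC,
    so a code obtained for one transfer is useless for any other."""
    msg = struct.pack(">QQ", counter, amount_cents) + dest_account.encode()
    mac = hmac.new(seed, msg, hashlib.sha256).digest()
    return truncate(mac, DIGITS)


class BankVerifier:
    """Server side: knows the seed, remembers the last time step accepted, counts failures."""

    def __init__(self, seed: bytes) -> None:
        self.seed = seed
        self.last_counter_used = -1
        self.failures = 0

    def _check(self, now: float, matches_step) -> bool:
        if self.failures >= MAX_FAILURES:
            return False  # locked: no further guesses on this account
        current = int(now // STEP_SECONDS)
        for step in range(current - DRIFT_STEPS, current + DRIFT_STEPS + 1):
            if step <= self.last_counter_used:
                continue  # each time step is usable once, so a replayed code fails
            if matches_step(step):
                self.last_counter_used = step
                self.failures = 0
                return True
        self.failures += 1
        return False

    def verify_login(self, code: str, now: float) -> bool:
        """Plain time code, as typed at login."""
        return self._check(now, lambda s: hmac.compare_digest(time_code(self.seed, s), code))

    def verify_transfer(self, code: str, now: float, amount_cents: int, dest_account: str) -> bool:
        """Confirmation code for a specific transfer; a different amount or account will not match."""
        return self._check(now, lambda s: hmac.compare_digest(
            transaction_code(self.seed, s, amount_cents, dest_account), code))


if __name__ == "__main__":
    now = 1_000_000.0                      # constructed clock value
    step = int(now // STEP_SECONDS)
    bank = BankVerifier(DEMO_SEED)
    code = time_code(DEMO_SEED, step)     # what the customer reads off the token
    print("login:", bank.verify_login(code, now))        # True
    print("replay:", bank.verify_login(code, now))       # False, same step reused
    approve = transaction_code(DEMO_SEED, step, 2_000_000, "123456")
    print("other account:", BankVerifier(DEMO_SEED).verify_transfer(approve, now, 2_000_000, "999999"))  # False
```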

Don't we already use this? (1)

DerekJ212 (867265) | about 9 years ago | (#13831961)

Maybe I am way off, but isn't this already in place? To use an ATM I need:

-Something I have (My ATM card)
-Something I know (My PIN)

Am I living in the future or what is the deal with this?

Re:Don't we already use this? (1)

chanda3199 (786804) | about 9 years ago | (#13832018)

TFA's headline reads:

"Feds Want Banks to Strengthen Web Log-Ons"

All I need to log into my bank account online is my account number and a password. This would require an "ATM card" for your computer to log in to your account online.

Just the FFIEC? (1)

GillBates0 (664202) | about 9 years ago | (#13831970)

Federal Financial Institutions Examination Council (FFIEC) has given a deadline

Hmm.. I'm going to need a notification from at least one other organization than the FFIEC before I believe this.

Re:Just the FFIEC? (1)

TykeClone (668449) | about 9 years ago | (#13831999)

For banking regulators, the FFIEC is the word of God. When they issue a "Thou shalt..." commandment, it must be followed.

cue: 2 factor authentication (0)

Anonymous Coward | about 9 years ago | (#13832078)

methinks gp was a play on the 2 factor scheme.

Sounds great but... (2, Funny)

StarWreck (695075) | about 9 years ago | (#13831990)

Sounds great, but what about forgetful people? So called "Strong Authentication" or 2-factor authentication sounds great in theory. Rather than just cracking your password, a would-be thief would also have to steal a physical item from your possession. However most people are dumb and forgetful, they would put a piece of scotch tape on the physical item and write their password onto it so that when the would-be thief pickpockets them, then they don't have to even bother trying to crack their password. Sounds great in theory but it doesn't work - like communism. In summary, it is the authentication for communists.

Re:Sounds great but... (1)

Kelson (129150) | about 9 years ago | (#13832063)

Please don't tell me that "most people" write their PIN numbers on their ATM cards.

Re:Sounds great but... (1)

StarWreck (695075) | about 9 years ago | (#13832134)

like... totally missed out on the joke dude. Like Seriously.

Re:Sounds great but... (1)

buck_wild (447801) | about 9 years ago | (#13832141)

Probably not, but if you had an ATM card from bank A, and one from bank B, along with several credit cards with online passwords, chances are people are going to write them down SOMEwhere. Hopefully not on the card itself.

Re:Sounds great but... (0)

Anonymous Coward | about 9 years ago | (#13832195)

Don't have to. My PIN is the last 4 numbers of my ATM card number, so it's already written on there for me.

If you can't wait... (0)

Anonymous Coward | about 9 years ago | (#13832008)

etradebank offers them now.

Re:If you can't wait... (1)

Guildencrantz (234779) | about 9 years ago | (#13832046)

Anybody know how big this is? Besides being ugly it really gives away what it's for. I'd like a small black device (I've seen some companies use them, nondescript and about the size of my pinky) that's not going to indicate exactly what it's for and won't do much to increase the bulk of my keys.

Re:If you can't wait... (1)

MickWest (661110) | about 9 years ago | (#13832179)

It's about 1.5 inches long. Which would be annoying to carry around on a keyring. I keep mine hidden at home since I don't need to log onto ETrade during the day.

To make it a really boring read (2, Informative)

TykeClone (668449) | about 9 years ago | (#13832032)


Straight from the FFIEC's mouth.

Why couldn't they just (2, Interesting)

geekoid (135745) | about 9 years ago | (#13832033)

have the customer register an email account, preferably by going into a branch.

then when they log in to the system, it sends a temporary use code to the email address.
Not used in 5 minutes, it is no longer any good.

Older than 30 minutes, you're logged out, the number is no longer any good.

In the email, you just send the number. If all banks used the same sender to send the code, then people intercepting it would not know what bank it came from.

Defeated via trojan. (1)

khasim (1285) | about 9 years ago | (#13832112)

If the fraudster can get a trojan onto your machine, it could record all the keystrokes that you use. Including the login to your email to get the key to validate the transaction.

Re:Why couldn't they just (1)

renelicious (450403) | about 9 years ago | (#13832212)

More importantly, the FFIEC doesn't consider email a secure method of communication anyway. They probably wouldn't allow the code to be sent via email. 04a.html (This is from the FDIC, but you get the picture).

How about "Common Sense" authentication? (2, Interesting)

connah0047 (850585) | about 9 years ago | (#13832049)

Before these banks implement high-tech security, they ought to consider common sense security. How many banks have I walked into where the backs of the computers are exposed for a would-be "hacker" to slip a keystroke recorder onto the PS/2 port? How many banks have I walked past on the sidewalk where their windows are wide open with no blinds and you can see directly onto the monitor with account numbers, etc on them? How many banks have I called and asked for information about my account and they failed to verify my identity before answering questions about my personal information?

Too many.

Re:How about "Common Sense" authentication? (1)

ColaMan (37550) | about 9 years ago | (#13832285)

Too many?

I can't recall seeing one bank (or credit union) ever having such lax policies.
But I live in Australia. Maybe things where you live could do with some tightening up.

Why doesn't... (2, Insightful)

msauve (701917) | about 9 years ago | (#13832055)

having to know both username and password count as two factor ID?

The wikipedia link claims that TFA contrasts to a system where only the password need be known. That may be a problem with some systems where the username is essentially public (i.e. *nix), but for online banking access, the username need not be easily guessed or based on any personal information, just unique.

Isn't requiring two non-obvious pieces of information (non-personally identifiable username + password) a form of two factor ID? (yes, I know the traditional mantra of "something you have/know")

If not, why is an ATM card and PIN considered to be, knowing the ease with which mag stripes can be copied? It's not like there should be high confidence the ATM card stripe is proof of possession of a unique object, as might be the case with a SecureID or retinal scan.

Re:Why doesn't... (0)

Anonymous Coward | about 9 years ago | (#13832090)

Requiring more pieces of information essentially amounts to a longer password. If only the password was required, how is "password" different than "usernamepassword"? So what if it's two fields? It's still just one factor. Even adding another layer, say the "security question"... "usernamepassworddognamerex" is *still* just a longer password... even if it's typed into four fields on two different pages.

Don't get me wrong - longer passwords are good... but they're not two factor. Two factor means two factors of *different* types.

Just the ramblings of a security guy...

Re:Why doesn't... (0)

Anonymous Coward | about 9 years ago | (#13832169)

(Yes, I'm the same AC who commented on the two factor thing)

If not, why is an ATM card and PIN considered to be, knowing the ease with which mag stripes can be copied? It's not like there should be high confidence the ATM card stripe is proof of possession of a unique object, as might be the case with a SecurID or retinal scan.

The PIN is not stored in the mag-stripe.

An ATM card + PIN is two factor authentication.... something you have (the card) and something you know (the PIN).

To beat that system, you have to fake the mag-stripe (not an easy feat) and know the PIN. No security is unbeatable. The whole idea is to make it harder for the bad guys. I'm sure when the Card+PIN concept was unveiled, no one thought it would work either.

Australian Bank (4, Interesting)

Cave_Monster (918103) | about 9 years ago | (#13832061)

There is a bank here that already has implemented this strategy. They offer small devices that display an ever-changing PIN that you must enter alongside your user ID and password to log in to their website. They provide two options: one is a small device that simply requires you to press the button for the PIN to be displayed. The other is slightly larger but requires you to input a separate PIN into the device before it displays the other PIN needed for their website. The extra size is simply to accommodate the keypad.

Taking up the extra security is entirely up to the individual and is gradually being introduced to customers, though it costs a reasonable amount of money to actually order a security device.

Re:Australian Bank (1)

Yehooti (816574) | about 9 years ago | (#13832399)

How does this help the phone line customer or even the web one be more secure? I have a gizmo that changes its number every few seconds as a secure third method to get into my company's network. It's a minor pain to have to carry this thing along with my keyring, but apparently it makes for quite a secure connection. I'll not carry another one. I can see me entering my work access number for my VISA one, or vice-versa, several times in a row and getting locked out. If everyone could get together on this (fat chance), and each person have such a device unique to them, it could work on a much larger scale.

TFA Readers (2, Funny)

EEBaum (520514) | about 9 years ago | (#13832062)

So does this mean that all banks will be required to have machines that read TFA?

T-FA ... ! (2, Funny)

icepick72 (834363) | about 9 years ago | (#13832077)

The linked Wiki article actually states "A common example of T-FA is a bank card". Who knew TFA had another meaning ... I wonder if the banks realize -- so don't get offended the next time you walk up to the bank teller wicket and are asked for TFA !!! They'll wonder why you are snickering. Woo-hoo

There is already two factor authentication (1, Interesting)

Anonymous Coward | about 9 years ago | (#13832086)

There are already two factors of authentication required:

1. username or account number
2. password

What is actually being discussed is a third factor of authentication. This would be extremely harmful to usability because people have enough trouble remembering two things. In fact, Jef Raskin suggests in his book "The Humane Interface" that systems should only require 1 factor of authentication--a password. He explains that if a password is made up of real words (such as "book-garbage-soda-airplane") not only will it be easy to remember (good for usability) but that it will be extremely difficult to guess as well as accidentally have two users with identical passwords. For example, if a dictionary of 10,000 words is used to generate a password that contains only 3 words, that would yield 1,000,000,000,000 possible unique passwords.

Re:There is already two factor authentication (1)

MickWest (661110) | about 9 years ago | (#13832214)

That's not two forms. It's just one form, half of which serves to identify you, and half of which you can change.

Silly (4, Insightful)

jesser (77961) | about 9 years ago | (#13832088)

This will cost every Internet banking customer money, time, and convenience. (RSA fobs are not free; if your bank gave you one for free, it will have to pass the cost on to you in some way.) Meanwhile, it will not significantly reduce the impact of phishing or pharming attacks; it will just force attackers to use the information gleaned from such attacks before the fob's digits expire.

How about requiring banks to use https correctly [], which would at least reduce the impact of pharming attacks?

Re:Silly (1)

geniusj (140174) | about 9 years ago | (#13832227)

I think what ING Direct does can be considered 2-factor authentication, and that doesn't require giving the customer anything additional.

2 Factor does not require bulky items (1)

tizzyD (577098) | about 9 years ago | (#13832092)

I have a bank account with a UK bank, and over there (I'm a US citizen) to use their web site, you have to have additional information. For me, I have to provide:
- a membership number
- a secret word (they ask for letters or numbers from the secret word)
- a passcode
- an account number

It takes several forms, but I don't have yet a third bulky RSA key to carry around.

How about just have people answer 10 questions and then use 3 of those answers, things like, your favorite color (blue, no green), car color (fun for those who do not have a car), or favorite movie. Stuff that no db keeps.

Just a thought.

Defeated via trojan. (1)

khasim (1285) | about 9 years ago | (#13832131)

If the fraudster can get a trojan on your machine, he can collect your keystrokes, including the answers to those questions and then he will be able to "validate" fraudulent transactions as if he were you.

Re:2 Factor does not require bulky items (1)

troll (593289) | about 9 years ago | (#13832138)

So wait until the myspace users turn 18 and get their first bank account and you'll have all the answers.

Re:2 Factor does not require bulky items (1)

MickWest (661110) | about 9 years ago | (#13832260)

That's not two factors, that's just a really long password ("something you know"). It's just semantically split into separate parts to make it easier for you to remember.

Re:2 Factor does not require bulky items (0)

Anonymous Coward | about 9 years ago | (#13832346)

This is not two factor authentication. It's just another form of a password... it's all something(s) you know. Now - it *is* better than just a username and password... it makes it significantly harder to guess/fake/brute force - but it's still just a password.

But why? (0)

Anonymous Coward | about 9 years ago | (#13832119)

As a capitalist pig, I have to ask why the federal government is mandating this... theft is a crime and if too much theft occurs, the banking industry will respond because it is losing money (and it will thus be hard for the banks to get insurance). I can understand how the federal government might offer different terms for FDIC insurance to banks with two-factor authentication, but why mandate the change to all banks?

Found this... (3, Interesting)

azatht (740027) | about 9 years ago | (#13832142)

failure_of.html []

Also, is this similar to what we have had in Sweden for a couple of years for our banking systems? We have a personal badge into which we enter a PIN and a temporary code to get a new temporary code to be able to authenticate?

my bank already implemented a low tech version (4, Interesting)

PhiberOptix (182584) | about 9 years ago | (#13832160)

I received a mail from my bank with 70 different 3-digit codes.
01-252 06-743
02-053 07-064
03-113 08-766
04-963 10-244
05-855 11-111 ...
Every time I log in, it asks for a PIN number (which can't be typed on the keyboard; you have to pick the numbers on the on-screen keyboard with your mouse), a secret phrase and a random code from this card.

Sure, it's really far from RSA, as my code doesn't change and anyone can easily just photocopy my card. But I thought that it was a creative solution to implement a two-factor auth that even dummies would understand, while providing a lower cost to implement.
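The printed code card described in this post, as an added example that is not the poster's bank's code or the original post's: a server-side verifier that issues a random position, compares the answer in constant time, burns each position after one correct use (going beyond the post, where codes are reused) and locks after a few wrong guesses, since a 3-digit code has only 1000 possibilities. The card contents are the sample pairs shown above; the class and its method names are assumptions.

```python
import hmac
import secrets

# Constructed sample card in the format the post describes (position -> code).
# The ten pairs are the ones shown on the page; a real card carries 70.
CARD = {
    "01": "252", "02": "053", "03": "113", "04": "963", "05": "855",
    "06": "743", "07": "064", "08": "766", "10": "244", "11": "111",
}

class CodeCardVerifier:
    """Server side of a printed code-card login (assumed design, not the bank's).

    The server chooses a random unused position, the user types the 3-digit
    code printed there, and the answer is compared in constant time. A
    position is burned once answered correctly, so a code captured by a
    keylogger cannot be replayed, and a small failure budget stops online
    guessing of the 1000 possible codes. Photocopying the card still works;
    that limit is inherent to the scheme.
    """

    def __init__(self, card, max_failures=3):
        self.card = dict(card)
        self.used = set()
        self.pending = None
        self.failures = 0
        self.max_failures = max_failures

    def challenge(self):
        """Pick and remember a random position whose code is still unused."""
        unused = [p for p in self.card if p not in self.used]
        if not unused:
            raise RuntimeError("card exhausted; the bank must issue a new one")
        self.pending = secrets.choice(unused)
        return self.pending

    def verify(self, response):
        """Check the response to the pending challenge; one guess per challenge."""
        position, self.pending = self.pending, None  # challenge is single-use
        if position is None or self.failures >= self.max_failures:
            return False  # nothing outstanding, or account locked
        if hmac.compare_digest(self.card[position].encode(), response.encode()):
            self.used.add(position)
            self.failures = 0
            return True
        self.failures += 1
        return False
```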

private numbers (1)

FudRucker (866063) | about 9 years ago | (#13832189)

Since most computers still come with a 56k dialup modem, why don't banks offer a private phone number for the modem to dial to their customers? It would sure improve privacy and security because a direct line to the bank would bypass the ISPs & the WWW that normal channels use for internet connections...

If this.. (1)

KylePflug (898555) | about 9 years ago | (#13832222)

If this is as much a failure and inconvenience as those hellish CVV2 codes on my debit card, I'll explode. What use is a second number if it's on the same card and in the same forms as the first number? Furthermore, what's the use of a second number if it's UTTERLY INVISIBLE after a week of use? Piece of crap.

*Prevented from ordering harvey danger album 'cus he can't read his CVV2 number and is pissed.*

Re:If this.. (1)

dracocat (554744) | about 9 years ago | (#13832315)

Just a small difference, but any merchant you use your card with is not allowed to store the CVV2 code while they can store your account number and expiration date.

I know, not a big difference, but you did ask.

Re:If this.. (1)

KylePflug (898555) | about 9 years ago | (#13832344)

Ahh. Interesting. I didn't know that.

I suppose that prevents criminals from gathering your information and spending it after you make a purchase. Except, oh wait, why would the criminals obey the prohibition on storing CVV2 codes in the first place?

I'm very angry at my CVV2 code.

Physical access. (3, Funny)

ElDuderino44137 (660751) | about 9 years ago | (#13832322)

Don't let anyone fool you.
If you gain physical access to a device ... you will get in.
These n-factor authentication schemes ... may delay you ... but I doubt it.

Step 1: Remove hard drive from device.
Step 2: Run away really fast.
Step 3: Rule the world.

For once something I WANT the aussies to copy... (0, Troll)

jonwil (467024) | about 9 years ago | (#13832367)

Our government seems to be copying everything from America these days (cf. FTA etc.) so hopefully they will follow suit and require financial institutions here in Oz to do this.

Although in any case, my new account is with an institution that's probably too small to be worth trying to phish (Police & Nurses Credit Society).

Not worried (0)

Anonymous Coward | about 9 years ago | (#13832391)

For whatever the banks do, I'm sure it's the best
coz I would do so if there's millions counting on it


Two Factor Withdrawals (4, Funny)

faqmaster (172770) | about 9 years ago | (#13832400)

The two factor system has always worked well for me. I have no problem making withdrawals using a gun AND a note.

/. = trolls? (1)

sunwolf (853208) | about 9 years ago | (#13832414)

This article has recently been linked from . Please watch out for any [] trolls [] that may target this article.
Is this just asking to be defaced, or what?

how much you want to bet (1)

sl4shd0rk (755837) | about 9 years ago | (#13832416)

They make one your driver's license number, and the other your SS#.

Check authentication (1)

soundvessel (899042) | about 9 years ago | (#13832429)

Screw this security/privacy enhancement. Why do we still have anything more than 24 hour holds on deposited checks? There should be no holds. Why hasn't the government compelled the banking industry to update their infrastructure to enable instant check processing? The amount of money that consumers would save (and banks would lose) in processing fees, overdraft charges is outstanding. Is this because checks are processed and signatures compared by hand? Is this really a sustainable system?

Do3Ll (-1, Troll)

Anonymous Coward | about 9 years ago | (#13832435)
