"a bit of a loner"
Just call me Leonard "Lenny" Kosnowski...
Here's a photo of what I had for lunch! Amazing!!! No it isn't amazing. It's your lunch. You gotta see the new 4k TV I bought today! Thanks for giving me a fascinating, if cursory, inventory of your consumer durables. Took Jonesy out for his walk and he chased a rabbit. Nice to have your pet's name. Could be useful.
As I have posted here before, I have actually been accused in an interview (for an IT Security job) of having something to hide due to my very small online footprint.
If I buy a pizza, it's to eat it. Not take pictures of it. Nor do I have any interest in other people pretending how great their life is compared to mine by the stream of selfies they post in "exotic" locations.
We're pretty much screwed anyway. Even if I try to take care where my personal information is held and that it isn't easy to get at, as long as someone else needs it and chooses to store it on Arsebook or Groogle, I can't stop a hacker getting it second-hand.
When it comes to authentication with banks, we are asked to give them information so 'they know who they are talking to', but they seem resolute not to let us as consumers have the same confidence in them. Where's the password or memorable information I can ask for the first, fifth and eighth character from that they have to remember so that I know they aren't some scammer?
Is there any way for them to verify the Nth character of the password without having the password stored in the clear somewhere? If so, is there any point changing the password regularly when it's being stored in the clear on the bank's side and thus available for hackers anyway?
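To make the question concrete, here is an added example (not from the thread): it stores a constructed sample password as one salted hash per character position, verifies the "2nd, 5th and 8th character" prompt against that record, and then shows why such a record is no stronger than the clear text, since each slot hides only one of 94 printable characters.

```python
import hashlib
import hmac
import os
import string

# Constructed sample password for the demonstration; not a real credential.
SAMPLE_PASSWORD = "Tr0ub4dor"

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def store_per_position(password):
    """Store one salted SHA-256 per character position.

    This is the only way to answer "give me the 2nd, 5th and 8th character"
    without keeping the password itself recoverable. The salt is per position,
    so equal characters in different positions do not hash alike.
    """
    record = []
    for ch in password:
        salt = os.urandom(16)
        record.append((salt, hashlib.sha256(salt + ch.encode()).digest()))
    return record


def verify_positions(record, positions, answers):
    """Check the characters the customer was asked for (1-based positions)."""
    ok = True
    for pos, ans in zip(positions, answers):
        salt, digest = record[pos - 1]
        candidate = hashlib.sha256(salt + ans.encode()).digest()
        ok &= hmac.compare_digest(candidate, digest)
    return ok


def recover_password(record):
    """Design check: a leaked per-position record is as good as plaintext.

    Each slot conceals a single printable character, so at most 94 trial
    hashes per position reconstruct the whole password. Returns the
    recovered string and the number of trial hashes that were needed.
    """
    recovered = []
    guesses = 0
    for salt, digest in record:
        for ch in PRINTABLE:
            guesses += 1
            if hashlib.sha256(salt + ch.encode()).digest() == digest:
                recovered.append(ch)
                break
    return "".join(recovered), guesses


def search_space(length, per_position):
    """Worst-case guesses: 94**n for a single hash of the whole password,
    but only 94*n once every position is hashed on its own."""
    n = len(PRINTABLE)
    return n * length if per_position else n ** length
```

The practical consequence is that a bank offering partial-password prompts must hold the password in a recoverable form (typically encrypted under a key in an HSM), so the protection lies in that key handling, not in hashing.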
"When it comes to authentication with banks... they seem resolute not to let us as consumers have the same confidence in them."
I have had several phone conversations initiated, supposedly by HSBC, the then bankers for my then business which never got beyond my telling the caller I didn't believe they were from HSBC because they [cw]ouldn't prove it.
Strange; as a personal customer, after a few arguments about them proving who they were first, they found a way:
"Our records say you were born on the nth day of the month; Could you confirm which month?"
or
"You have a standing order set up to $COMPANY. Can you tell me approximately how much it is for?"
I used to work for a large credit company in their call centre; when we called people we were supposed to just ask for a couple of details to confirm that the person who answered the phone was who we wanted to speak to, but in practice we generally (unofficially) used a similar system - "I see you live in NW1, what's the rest of the postcode?" and so forth. If the person at the other end wasn't who we wanted, we hadn't given anything away.
If they insisted, we asked them to call the number on their card.
Ha ha. In long ago more innocent days, I got a call from an HSBC rep who suggested a better pigeon hole (still within HSBC of course) for some dosh. After a lot of discussion (she needed to convince me!), I agreed. Then she asked for whatever the security was at the time. "But you called me!" So the call and discussion turned out to be pointless. Hmm, maybe HSBC could corporately sponsor the TV quiz game, Pointless.
> didn't believe they were from HSBC because they [cw]ouldn't prove it.
Yup - I've had those:
[Telephone noise]
>Hello, COCM here.
"This is [your bank] - we would like to discuss stuff with you. But first, we need to determine if it's really you".
>Can you prove you are from [your bank]? For example, can you tell me the last two digits of my bank account number? Can you tell me what the largest deposit (oo-er!) was in the last month?
"No - because we can't be sure that you are you. You could be not-you!".
>Indeed. Same applies.
"But, but - we're the BANK! We wouldn't lie to you!"
>Cough, splutter, goodbye.
[Cue telephone cutoff noises and queries from Mrs COCM about who I was speaking to. She seems to be nicely learning paranoia^W caution from me..]
And, in case you did not know, like me, Santander do the 2nd, 5th, 8th thing too now, but only for new customers it seemed.
I noticed when my boy logged in. So I asked Santander if I could have the better log in please. They then just enrolled me (by sending a letter with the first part of the sequence).
So now they have:
1. Customer ID, you can set this how you wish but they give you a large number to start with. It is visible and not meant to really be secret.
2. A picture and phrase, not really sure how this works, it always shows the same ones, I don't have to select them except when I chose them. I presume that, when another computer is used, they ask you to choose the correct ones.
3. Selected characters from a password.
4. Selected digits from a pass number.
5. Answers to rather more complex questions than Mother's maiden name (for which I use a made up name BTW, why wouldn't you? just pick a movie star, anything reasonably memorable, they are not going to guess it in the tries available).
Also, despite not wanting someone to see your bank account contents, taking the money requires a new transfer and this *does* require 2FA so it has additional security.
Note: some years ago, someone called my bank using telephone banking and managed to enrol themselves into the new telephone banking security system and empty my account because, apparently, Santander had added secure telephone banking but did not require letters or on-line use before allowing it to be used. I had no idea it even existed since using the telephone to bank is as old-fashioned to me as using an abacus to calculate. This may be why Santander have a slightly superior system now. Yes, they did refund me and added £200 on top for my trouble.
My view is that I prefer 2FA; despite the article, Russian hackers cannot easily steal my phone. If a phone is stolen and the hackers are then informed so they can use the 2FA, the time expired will almost certainly be enough to prevent access, especially when the phone is locked; I could probably remotely wipe it before they accessed it. As for hacking my phone while I have it, even less likely given the phone OS I use.
Basically, you call the bank first when compromised, email accounts etc. pale in importance. I also know my phone isn't stolen when I log in to something like PayPal so the 2FA feels useful and very hard to defeat. My MS/cloud account is the same, first the password must be guessed and then the 2FA must be defeated, difficult; then you get to see my photographs and some invoices etc., not really worth it.
I would feel hugely better if the Bank used 2FA on top of all the other stuff, simply because I find it very easy to use.
It would be even cooler if they used the authenticator app system, already present, no text needed. But, being banks, they would have to have their own.
"If they need to contact me, they send me a letter.*
I show up, show my driver's license and bank card.
Then we discuss things face to face.
I see no need to change things.
*Yes, snail mail."
My bank is open Monday to Friday 9am-4.30pm.
My working week is Monday to Friday 9am-5.30pm.
This is extremely inconvenient. Even sorting out a mortgage necessitated taking a half day off.
I do believe that in the big cities banks open on a Saturday morning! With the associated parking costs visiting a big city entails, or trying to work out which buses are actually running from and to the sticks on a weekend morning.
"Where's the password or memorable information I can ask for the first, fifth and eighth character from that they have to remember so that I know they aren't some scammer?"
I agree... I'm bored with having this conversation...
Caller: can you tell me the 2nd and 3rd letters of your password?
me: yes I can.
Caller: Er...
me: you called me, how do I know you are who you say you are?
Caller: well, if you pass security I can tell you what it's about.
me: you called me.
caller: you can ring this number... 083545473839
me: *YOU* called me, why should I trust any number you give me?
caller: but I'm from your bank!
me: then prove it! You tell me what credentials you've got and I'll tell you if they're correct
caller: I can't do that because of security
me: Oh well.. bye then.
Obviously, you have no secure messaging with your bank, or don't use it.
I was discussing a real, in use, system. It is not too complicated and works like this (you were close, but not close enough).
From: pleasedonotreply@your.bank.co.uk
To: your.address@your.email.com
You have received a secure message.
...Followed by truly insane amounts of boilerplate disclaimer/registered addresses etc.
I suppose actually saying 'Don't click anything in this message' would be pointless because that text might just be removed in a phishing email.
This is a useful system obviating the need to keep checking on the site to see if they answered one's question.
> I suppose actually saying 'Don't click anything in this message' would be pointless because that text might just be removed in a phishing email.
No, it gets users into the habit of seeing that message and so expecting that from their bank, which increases the likelihood of alarm bells ringing when it's not there. Although, personally, I don't think banks have done anything like enough to instill this lesson. There should've been primetime TV ads for the last decade just saying "Hi. This is a message from every single bank in the UK. We will never ever ever send any of our customers an email with a link in it. If you get an email with a link in it, it's not from us, and you should never click it."
I've had the "But you called me!" argument with First Direct a couple of times -- except it wasn't an argument, as they just said "Sure, no problem. Call us on the usual number and ask to be put through to my department." Since they (unlike some) answer the phone dead quickly, not a problem.
"I can't recall the last time my bank called me, it has been at least a decade."
I get calls all the time - one from "Dept of Justice" with the guy being very threatening, saying I could be prosecuted if I didn't pay the fine. Official looking caller ID and all, scary as shit. I looked up the number and it was a MagicJack number from San Bernardino. Somehow I didn't think it was the real DOJ.
The government doesn't call you anyway, they send mail. And if it is really nasty, the summons is delivered by the sheriff. But scammers use mail too. I once got something official from the "Department of Commerce" with a return address of 2000 Pennsylvania Ave, Washington DC NW, about 4 blocks from the White House. So I looked it up and it was a shopping center.
Yes, it still perplexes me that BT would want to outsource their IT security to Nigeria. I told the nice gentleman when he called to tell me that unfortunately BT had given my computer a virus that I was sure that I had only just spoken to one of his colleagues last week from somewhere in India. He even said the same thing, that there was an error with credit card details I had given him to 'fix' my computer and so he would have to send me a virus help file in order to resolve the problem. For some odd reason his help file was blocked by my anti-virus scanner: I wonder why.
My bank got this message when I kept refusing to give them information on the phone to identify myself, as I had no evidence who they were. As a result, I get virtually no sales calls, and we came to an arrangement re identification.
As regards security questions, you don't use your mum's real maiden name do you? I never have.
<snip> when I kept refusing to give them information on the phone to identify myself</snip>
I once applied for a job, and when the recruitment company called me they asked me to verify my postcode to prove my identity. I pointed out to them that the postcode they had for me came from the same CV that had my phone number, so if I wasn't who I claimed to be I would already have falsified the data they had. This put them into stack overflow, repeat question until answered no matter how stupid the question is, at which point I decided that if they were this bad about just speaking to me the job description was bound to be gibberish too and gave up.
@salamamba too
"As regards security questions, you don't use your mum's real maiden name do you? I never have."
I did, but it got hacked, so I've had to dump her and get another mum. Right pain that was. The dog was really put out too. And it was such a hard letter to write to my favourite teacher to tell him I'd chosen another. I'm still working out how to replace my fingerprints... I think I can get new ones each month, at least until they rot.
Those "security questions" aren't. They are really just passwords that are usually stored in the database in clear text. Hackers don't look up your mum's name from public records, as they probably don't know who you actually are. They just get SQLi on some crappy website and dump the database. Then they know what answers you use for those questions and can pwn you on other websites.
For anything important, I use keepassx to manage my passwords and have a script to generate answers for those questions from /dev/random. I store the answers in keepass along with the questions so I never have to remember anything.
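The point that security answers are just extra passwords, as an added example (not the poster's script): this Python generates random answers the way the /dev/random approach does, keeps them on the user's side, and has the site store only a salted PBKDF2 hash of a normalised answer, so a dumped database yields nothing reusable elsewhere.

```python
import hashlib
import hmac
import os
import secrets
import unicodedata

# Constructed sample questions; the answers generated below are random.
QUESTIONS = [
    "What was your mother's maiden name?",
    "What was the name of your first pet?",
]

PBKDF2_ROUNDS = 200_000


def random_answer(nbytes=16):
    """An answer unrelated to the question, from the OS CSPRNG.

    Case-insensitive matching (see normalise) shrinks the alphabet a little,
    but 16 random bytes still leave well over 100 bits of guessing work.
    """
    return secrets.token_urlsafe(nbytes)


def normalise(answer):
    """Answers are typed by humans: ignore case, surrounding whitespace and
    Unicode form so 'Smith ' and 'smith' do not lock a legitimate user out."""
    return unicodedata.normalize("NFKC", answer).strip().casefold()


def store_answer(answer):
    """Store the answer exactly as a password should be: salted, slow hash,
    no plaintext anywhere on the server side."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalise(answer).encode(), salt, PBKDF2_ROUNDS
    )
    return {"salt": salt, "digest": digest, "rounds": PBKDF2_ROUNDS}


def check_answer(record, answer):
    """Constant-time comparison against the stored hash."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", normalise(answer).encode(), record["salt"], record["rounds"]
    )
    return hmac.compare_digest(candidate, record["digest"])


def enrol(questions):
    """Return (vault, server_records).

    The user keeps the vault (e.g. in a password manager); the site keeps
    only the hashed records and never sees the plaintext again.
    """
    vault = {q: random_answer() for q in questions}
    server = {q: store_answer(a) for q, a in vault.items()}
    return vault, server
```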
"As regards security questions, you don't use your mum's real maiden name do you?"
I wonder how people with the same current surname as their mother's maiden name get on. Are they allowed to use the same name twice? Or are they viewed by security personnel as "awkward bastards"?
"I wonder how people with the same current surname as their mother's maiden name get on. Are they allowed to use the same name twice? Or are they viewed by security personnel as "awkward bastards"?"
I once knew someone who had recently got a dog and used his mum's maiden name as its name.
He signed up for online banking:
- Memorable name:
$maidendog
- Pet's name:
$maidendog
- Mother's maiden name:
$maidendog
One of the concepts that seems to be missing from "security" considerations of online systems is that of proportionality. That means, of course, that the security of access should be proportionate to the risk of unauthorised access - but conversely, that high-risk systems probably shouldn't depend entirely on online credentials because high-stakes attackers are inevitable and requiring them to post a letter or turn up in person is one of the most effective ways of thwarting brute-force or large-scale attacks.
Online access to my credit card account used to be fairly low risk, because all anyone could usefully do if they gained access was to pay my bill for me. Now any unauthorised user can change my registered email address, home address, access my credit score and do a whole bunch of other things that might threaten my financial security.
The solution to this is not to add biometric complexity so that I can continue to use the one low-risk function I've ever needed (to pay my bills) but to allow me to remove access to the higher-risk functions I don't want.
the banks would have to actually keep branches open
Not that this wouldn't be a good idea, but banks do (for the moment) have large networks of ATMs. It wouldn't be impossible to arrange that if you want to do something potentially risky - like change your address or transfer a large amount of money - that you have to visit a nominated machine and present your bank card. Might help Mr. D. keep off those lost kilograms, too.
Wouldn't it be nice if you could present your bank card to your PC instead and use the PIN to verify it is you.
Or even wave the wireless bank card at your PC or phone, it would remove a huge amount of issues in one fell swoop.
It could be additional after all because it is so easy for the owner to do, and so hard for others.
Barclays give you a little keypad like a small calc that you can plug your card into.
When you login online you need to enter the last four digits of the card.
Put the card into the keypad, and enter your PIN.
That then gives you an eight digit code to type on the webpage.
It does the same whenever you want to add new payments or standing orders etc.
Seems about as secure as you can get it so far.
NatWest gave me one of these card reader/pin generator things, when I opened an account with them about 8 years ago.
Four years later when I had to get around to adding a new payee, I had to ask them to send another one out as the last one probably got chucked out as a useless remote control.
Two years later again, and the dog had managed to chew this one up, so "please send a new one" again.
On my fourth now and can't find that...
"It wouldn't be impossible to arrange that if you want to do something potentially risky - like change your address or transfer a large amount of money - that you have to visit a nominated machine and present your bank card. "
This - and a lot of other options besides. For high-risk actions, there should be at least the *option* of a higher security requirement - eg I'd be perfectly happy knowing that my bank address can only be changed face to face with a member of staff in a branch on presentation of photo ID, or that to send over £1k to a new recipient requires a trip to an ATM to confirm, where for others that's too much hassle or otherwise impractical. So set minimum standards, but allow customers to choose higher ones to protect themselves if they wish.
I don't think that ahwquobehjdltfshohctyowa is guessable.
It is selected letters from words in a newspaper story.
Admittedly I'm not going to memorise it either. Not with 20 other passwords I also need to change once a month.
As for 2FA, a device could be stolen... and then I will report it stolen, and I will obtain a new one.
> As for my pet, IT chiefs would rather I give it a name comprised of upper- and lower-case letters, three numbers and at least one special character
No, they would rather that you didn't actually tell them your pet's name at all.
The questions asked can take any answer. It doesn't have to be related to the subject of the question (except where date or numeric fields are all that's available).
So a valid answer to the question: What was the name of your first teacher? could easily be "pork sausages". Since the computer asking the question has no way to know if you are telling the truth - and it probably doesn't care that 90% of respondents were born on January 1.
The only thing you then need is to remember which answer you gave to which question. Which is why everyone writes them down, anyway.
"No, they would rather that you didn't actually tell them your pet's name at all"
I suspect that was the point Alistair was making: That personal information security questions should be treated as additional passwords, rather than answered with the actual information the question asks for.
That has come as a great relief; due to a poor upbringing (the butler was an ex-con) we didn't have any pets, well none that we could name. The exceptionally large Wolfhound/Alsatian cross was "come here you great tosser". We didn't get much mail either as Tosser (I used this name in secret when calling through the razor wire) had a tendency to deter the postmen by howling at the sight of a red van. Anyhow I now feel free to use an imaginary pet name, Fluffy sounds nice....
There's a significant difference between telling friends and family that it's your birthday on Saturday and they're all invited down for a slap-up meal with all the trimmings, followed by an epic piss-up, and telling Facebook -- especially if you don't have sane privacy settings on your account and allow anyone in the world to view the data. You know F&F in an, ahem, F2F context. Sure, it's possible one of them might turn out to dabble in financial fraud via ID theft on the weekend, but if they do, they're very much more likely to pick on complete strangers. (Well, unless they're advanced sociopaths, granted.)
That said I do find it rather amusing to see people with fully open Fb profiles getting dozens of birthday greetings from people they only know online...
Just sayin'.
#beer because it's Friday \o/
I do find it rather amusing to see people with fully open Fb profiles getting dozens of birthday greetings from people they only know online...
Worse has happened. On 21 September 2012 a birthday party in Haren published on FB got out of hand. The police made 108 arrests. The damage was 843000 Euros. The mayor of Haren resigned on March 12 2013 after publication of the official report on the riots.
This
I don't have a favourite sports team or colour, and worst of all, naming no names (to spare the blushes of First Direct), it doesn't make sense to disallow previously given answers to non-variable factual questions when setting up security again (notwithstanding using junk data for these of course).
So am I now an old fart officially when I see the benefits (and charm) of:
... The sun was shining happily on this nippy day. I strolled into the lobby of the bank, and was greeted by Mr. Johnson, who smiled at me from behind his counter. "Good morning Ms. Page", he said, adjusting his specs, "And what can we do for you today?"
...
Some people seem to think that the multiple words option e.g. "Battery stapler horse" is the way to go. But I saw the XKCD cartoon about this some years ago and tried to memorise it. I've probably seen it two or three times a year since (more often than I visit some websites I have to log into) and I've never remembered it yet! If on all the websites I used I had a different three or four word password only a memory champion would be able to remember them. n.b. I note both Alistair and I got it wrong anyway! It's correctbatteryhorsestaple.
Now did I capitalise any letters... what about websites that insist on: numbers, varied case, a low maximum length....
Part of the answer is for websites to not insist on complex passwords unless it is appropriate. I recommend people to use as complicated a system as they can do reliably. I wish I knew the full answer.
"Part of the answer is for websites to not insist on complex passwords unless it is appropriate."
The website insists on complex passwords to show that it was taking things seriously if challenged. The fact that everyone has to write down their passwords is Someone Else's Problem. Not theirs.
The point of the xkcd cartoon isn't so much that those four words are easily remembered as that any four random words are far easier to remember than the crap we're told to use for security reasons yet also more difficult to crack -- because adding extra length to your password (generally) adds way more security than increasing the range of possible characters. You can add much more security by doing things like skipping or repeating the Nth letter of each word, or using joke spellings, so that none of them are in a dictionary. The initial letters of a memorable sentence make for an excellent password too: dead easy to remember but looks like a genuinely random string. The main problem with either of those systems is that most sysadmins refuse to give up on the whole "number, capital letters, punctuation mark" thing, so you have to use them regardless of how useful they are.
Instead of a password, I use a simple password-generation rule. Something along the lines of
[last three letters of company name] & [initials of memorable sentence] & [number of letters in URL minus 4] & [misspelt dictionary word]
gives excellent results: piece of piss to remember, the same rule for every site you use, yet a different actual password for every site.
Several sites I've used have allowed me to create my own security questions and my own answers - although on two occasions I've had to make use of these (password reset on both occasions) the systems then told me my answer was wrong - so I had to wait until I could ring a real human the next day and go through the system verbally - and it then worked...
I purchased something online and arranged for it to be delivered to an address I was going to be visiting. The company refused to process my order unless I emailed them a copy of my passport and a bill showing I lived at the delivery address; apparently the fact that my IP address was in a different country from the one I wanted the delivery sent to was the trigger. I pointed out that email wasn't a secure method for sending a copy of my passport and I didn't have a bill for the address as I was just visiting it. Ended up just cancelling the order.
Lucy Porter had this in her set about 9 years ago:
"I went to the bank and they told me I needed a security question for telephone banking. I asked if there was a list to choose from and they said no, I could pick any question. So now it's great, whenever I call the bank the person on the other end has to ask me "You're not going out dressed like that are you?" and I reply "You can't tell me what to do, you're not my real dad!""
More security Q & A fun suggestions can be found here: https://www.schneier.com/blog/archives/2010/04/fun_with_secret.html
"While biometrics are just another kind of shared secret,..."
Oh no they're not. Any biometric can only serve as an identifier, not an authenticator. An identifier is permitted to be public (e.g. your name); an authenticator must be private to the legitimate parties (a shared secret).
Two fundamental and essential characteristics of an authenticator are that it can be changed and revoked. As a biometric can not be changed or revoked, and can in many cases not be private (e.g. fingerprints and DNA are left behind everywhere you go) it cannot legitimately be used as an authenticator.
It would be so nice if this basic principle would finally sink in...