My bank loses (security) plot
Well folks, it has finally happened...
The bank I bank with has decided that only requiring 2 digits of the PIN to be typed in when logging into online banking somehow makes their site more "secure". They state on their site that this will help protect against key loggers - which shows their Test/QA department can't use any test automation ;) If they did they'd instantly know that capturing data from drop-down lists is as easy as a-b-c (hey, we do it all the time), and replaying the data as easy as c-b-a. What is more, it is EASY to capture such data without the user ever knowing (which makes for a great April 1st joke... apparently).
I phoned them and spoke to a member of their Technical Department and asked him about this today and his response was (paraphrasing as I wasn't able to record the call):
1) "It DOES protect against key loggers, as it means that a key logger won't get the data in one go" (to which I replied: "big deal - presumably the Average Joe will log into their bank account a few times a day when your system times out, giving the logger all the ammo it needs?");
2) "And anyway, even if someone gets the PIN they still need the second piece of information" (to which I replied: "do you mean that publicly available 'place of birth' information?").
Oh and if it is truly the case that a fraudster getting a PIN does not matter (I sure hope they recorded the phone call!) then why ask me for ANY PIN?
This is a brilliantly bad example of a company putting its toes into the security soup without asking the number one fundamental question:
DOES THIS PROPOSAL ACTUALLY MAKE IT ANY SECURER... REALLY... DOES IT...?
My take: the answer is a resounding "No". I'm sure they would argue otherwise - but just in case a member of their Test/QA team is reading this... stick your hand up, question this decision, ask, and refuse to budge until taken seriously.
The oddest thing is that, having said all the above, I ought to add that in principle I am in favour of asking for "x" digits out of "y", but just not 2 out of 4 (as this represents a 1 in 100 chance of guessing the right combination) - and certainly not on the pretence that this provides some measure of protection against a key logger. As a starter for 10, how about 3 digits out of 6, as some other companies do? Better still, how about revisiting the whole premise by which this decision was made.
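As an added illustration (not part of the original post, and not the bank's code), here is a small model of what a key logger or drop-down capture actually gains against an "x digits out of y" login. The assumptions are mine, not anything the bank states: the y PIN digits are independent and uniform over 0-9, and each login asks for a uniformly random x-subset of positions chosen independently of earlier logins. It computes the single-guess success chance (the 1 in 100 above), the chance that one captured challenge/response pair is asked again verbatim and can simply be replayed, and the expected number of captured logins before all y digits are known, with a Monte Carlo check of the exact figure.

```python
"""Model of what a key logger (or drop-down capture) gains against an
"x digits out of y" partial-PIN login.

Added example, not code from the original post or the bank. Assumptions
(not stated by the bank): the y PIN digits are independent and uniform
over 0-9, and each login asks for a uniformly random x-subset of the y
positions, chosen independently of previous logins.
"""
from fractions import Fraction
from math import comb
import random


def p_guess(x: int) -> Fraction:
    """Chance that one blind guess of the x requested digits is correct."""
    return Fraction(1, 10 ** x)


def p_replay(y: int, x: int) -> Fraction:
    """Chance that a single captured challenge (which positions were asked)
    is asked again verbatim on the next login, so the captured answer can
    simply be replayed."""
    return Fraction(1, comb(y, x))


def p_full_pin_after(n: int, y: int, x: int) -> Fraction:
    """Exact probability that n captured logins reveal all y digits.

    Inclusion-exclusion over the set of positions never asked: a fixed set
    of k positions is avoided by one login with probability
    C(y-k, x) / C(y, x).
    """
    total = comb(y, x)
    return sum(
        Fraction((-1) ** k * comb(y, k) * comb(y - k, x) ** n, total ** n)
        for k in range(y + 1)
    )


def expected_logins_to_full_pin(y: int, x: int) -> Fraction:
    """Expected number of captured logins until every digit has been seen.

    E[N] = sum_{n>=0} P(N > n); each inclusion-exclusion term is a
    geometric series, summed here in closed form.
    """
    total = comb(y, x)
    return sum(
        Fraction((-1) ** (k + 1) * comb(y, k) * total, total - comb(y - k, x))
        for k in range(1, y + 1)
    )


def simulate_logins_to_full_pin(y: int, x: int, trials: int = 20000,
                                seed: int = 1) -> float:
    """Monte Carlo check of expected_logins_to_full_pin under the same model."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        seen, n = set(), 0
        while len(seen) < y:
            seen.update(rng.sample(range(y), x))
            n += 1
        total += n
    return total / trials


def summarize(y: int, x: int) -> dict:
    """All the figures for one scheme, as exact fractions."""
    return {
        "scheme": f"{x} of {y}",
        "guess": p_guess(x),
        "replay": p_replay(y, x),
        "expected_logins": expected_logins_to_full_pin(y, x),
        "p_full_after_3": p_full_pin_after(3, y, x),
    }


if __name__ == "__main__":
    # Full PIN, the bank's 2-of-4, and the 3-of-6 the post suggests instead.
    for y, x in [(4, 4), (4, 2), (6, 3)]:
        s = summarize(y, x)
        print(f"{s['scheme']:>6}: guess 1 in {s['guess'].denominator}, "
              f"replay 1 in {s['replay'].denominator}, "
              f"expected logins to full PIN {float(s['expected_logins']):.2f}, "
              f"P(full PIN after 3 logins) {float(s['p_full_after_3']):.2f}")
```

Under this model the bank's 2-of-4 scheme gives a blind guesser 1 in 100, lets a single captured login be replayed verbatim 1 time in 6, and hands a key logger the whole PIN after about 3.8 logins on average (better than even odds after three). Asking 3 of 6 improves the guess to 1 in 1000 and the replay to 1 in 20, but the expected number of captured logins only rises to about 4.3: splitting the PIN across logins buys very little against a logger that sees more than a handful of sessions.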
-C