Banking in the Dark

In light of the phishing scam email my wife received recently, this article at CSO Online describes why banks face a real challenge in ensuring that you, as a consumer, can tell that information or a request for action they send is truly from them.

A typical online banking website prompts you for a username and password combination to prove that you are indeed who you claim to be. The rise of phishing over the past few years has raised the question “How does your bank prove who it is?”

Many technologies and procedures have been developed in an attempt to make this authentication a two-way process. The most common method is the display of a personalized image. In this case the login process looks something like this:

  1. When you first create your online banking account, the bank's legitimate server lets you choose a picture from a group of pictures.
  2. You then type in a phrase describing that picture in a way that only you would. The server later shows this picture and phrase back to you as proof that it is the same server you enrolled with.
  3. When you later arrive at the login page you are prompted for a username.
  4. A check is done for a secure cookie which was left on your machine the last time you visited.
  5. If the machine is not recognized (i.e. the cookie doesn't exist), you are prompted with a security question to answer. Upon answering it, the cookie is set on your machine.
  6. You are then shown the picture and phrase you set at account creation. At this point you are prompted for your password.
  7. You type in your password and are now granted access to the site.
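To make the seven steps concrete, here is an added simulation of the flow (example code written for this post, not code from CSO Online or any bank). Account names, the picture identifiers, the security question and the `SERVER_SECRET` key are all constructed for the example. One detail goes slightly beyond the text: step 4 is implemented as a cookie keyed with an HMAC over the username, so the server checks that it minted the cookie rather than merely checking that some cookie exists.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Hypothetical per-deployment key used to sign device cookies (constructed for this example).
SERVER_SECRET = secrets.token_bytes(32)


@dataclass
class Account:
    password_hash: bytes
    answer_hash: bytes
    salt: bytes
    image_id: str      # step 1: picture chosen at enrollment
    image_phrase: str  # step 2: phrase the user wrote for that picture
    question: str      # step 5: security question asked on an unrecognized machine


ACCOUNTS: Dict[str, Account] = {}


def _slow_hash(secret: str, salt: bytes) -> bytes:
    # Password-style hashing for both the password and the security answer.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def enroll(username: str, password: str, image_id: str, phrase: str,
           question: str, answer: str) -> None:
    """Steps 1-2: record the picture, phrase and security question for the account."""
    salt = secrets.token_bytes(16)
    ACCOUNTS[username] = Account(
        password_hash=_slow_hash(password, salt),
        answer_hash=_slow_hash(answer.strip().lower(), salt),
        salt=salt, image_id=image_id, image_phrase=phrase, question=question,
    )


def _cookie_tag(username: str) -> str:
    return hmac.new(SERVER_SECRET, username.encode(), hashlib.sha256).hexdigest()


def mint_device_cookie(username: str) -> str:
    """Cookie bound to the username and keyed with SERVER_SECRET, so a forged or
    copied-from-another-account cookie fails verification instead of merely existing."""
    return f"{username}:{_cookie_tag(username)}"


def device_recognized(username: str, cookie: Optional[str]) -> bool:
    """Step 4: the machine is recognized only if the server minted this cookie for this user."""
    if not cookie or ":" not in cookie:
        return False
    name, tag = cookie.split(":", 1)
    return name == username and hmac.compare_digest(tag, _cookie_tag(username))


def begin_login(username: str, cookie: Optional[str]) -> dict:
    """Steps 3-6: after the username is entered, decide what the next screen shows."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return {"next": "error"}
    if device_recognized(username, cookie):
        # Known machine: prove the server's identity (picture + phrase), then ask for the password.
        return {"next": "password", "image": acct.image_id, "phrase": acct.image_phrase}
    # Unknown machine (or cleared cookies): the security question comes first.
    return {"next": "question", "question": acct.question}


def answer_question(username: str, answer: str) -> dict:
    """Step 5 continued: a correct answer sets the cookie and reveals the picture and phrase."""
    acct = ACCOUNTS.get(username)
    if acct is None or not hmac.compare_digest(
        acct.answer_hash, _slow_hash(answer.strip().lower(), acct.salt)
    ):
        return {"next": "error"}
    return {
        "next": "password",
        "set_cookie": mint_device_cookie(username),
        "image": acct.image_id,
        "phrase": acct.image_phrase,
    }


def submit_password(username: str, password: str) -> bool:
    """Step 7: the user's own proof of identity."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return False
    return hmac.compare_digest(acct.password_hash, _slow_hash(password, acct.salt))


if __name__ == "__main__":
    enroll("alice", "correct horse", "img:sailboat", "weekend on the lake",
           "Name of your first pet?", "Rex")
    first = begin_login("alice", None)            # fresh machine: security question
    step5 = answer_question("alice", "rex")       # answer it: cookie set, picture shown
    again = begin_login("alice", step5["set_cookie"])  # recognized machine: straight to password
    print(first["next"], step5["next"], again["next"], submit_password("alice", "correct horse"))
```

Running the bottom block prints `question password password True`. Note what `begin_login` returns for a user who has just cleared cookies: exactly the same `question` screen a brand-new machine gets, which is the behaviour the next paragraph calls out as the weak spot.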

There is a flaw in this process, and it has to do with the secure cookie and the security question. The secure cookie is supposed to act as a flag to the user: you should only see the security question when you are on a new machine that you haven't used to access the site before. Do users understand this? What if I delete my cookies often? Then this security question will always be a part of my login process, and that is where the attacker has wiggle room to take advantage of the system.

The entire article is located here.
