Passwords for bank sites - change or not?

Discussion in 'Computer Security' started by Gualtier Malde, May 17, 2006.

  1. I regularly check accounts on the web sites of three financial
    institutions. One is a Canadian bank, the other a Federal credit union,
    and the third a Seattle-based bank.

    The first two have never asked me to change passwords over the years,
    while the Seattle bank makes me change every few months. It's a
    nuisance, but might be more tolerable if I could be reassured that it
    were necessary.

    The others are heavy hitters, while the bank is fairly small (but
    growing). Is the password change a necessity or is it perhaps making up
    for lazy security measures?

    gm

    --
    Remove "-nubby-" to correspond.
    Gualtier Malde, May 17, 2006
    #1

  2. Gualtier Malde

    Zoned Guest

    The bank that doesn't ask for a password change is the one I would worry
    about.
    regards
    Zoned - www.antirootkit.com
    Zoned, May 17, 2006
    #2

  3. Gualtier Malde

    Todd H. Guest

    Gualtier Malde <> writes:

    > The others are heavy hitters, while the bank is fairly small (but
    > growing). Is the password change a necessity or is it perhaps making
    > up for lazy security measures?


    Not regularly changing your password is a lazy security measure on
    your own part actually.

    The value in regularly changing passwords is that you limit the damage
    to an attacker that manages to dump a customer database but hasn't yet
    chosen to use what they've found, or has used it in a way not yet
    detected by you. It also adds value to a keylogging trojan
    situation whereby passwords have been captured from your machine and
    relayed to an attacker, but not yet used or correlated to the account
    for which they're used.

    Banks want to make online banking easy for consumers--it keeps their
    human tellers less busy and keeps support calls down. The heavy
    hitters' lack of a password change policy enforcement is a calculated
    risk. If they were interested in minimizing their liability, and
    maximizing your security, they'd implement such a policy. But they
    also factor in their cost of providing support to individuals who
    forget their passwords, or who only get online once every 3 months.

    Best Regards,
    --
    Todd H.
    http://www.toddh.net/
    Todd H., May 17, 2006
    #3
  4. Gualtier Malde

    Jim Watt Guest

    On 17 May 2006 09:55:02 -0700, "Zoned" <> wrote:

    >The bank that doesn't ask for a password change is the one I would worry
    >about.


    It depends. If you have reason to think the password is compromised
    then it needs to be changed. Otherwise changing regularly only leads
    to confusion and the use of weaker passwords that are easier to
    remember.

    AND if you get an email asking you to 'verify your details' it's going
    to be a scam.
    --
    Jim Watt
    http://www.gibnet.com
    Jim Watt, May 17, 2006
    #4
  5.
    Jim Watt wrote:

    > On 17 May 2006 09:55:02 -0700, "Zoned" <> wrote:
    >
    >>The bank that doesn't ask for a password change is the one I would worry
    >>about.

    >
    > It depends. If you have reason to think the password is compromised then
    > it needs to be changed. Otherwise changing regularly only leads to
    > confusion and the use of weaker passwords that are easier to remember.


    Any good password management policy will disallow weak passwords to begin
    with, even ones that don't mandate regular changes. And even if this
    weren't true, it's not given that forced password changes will lead to any
    such thing. It's possible, but that's entirely up to the user and no
    reason whatsoever to not implement good password management policies.

    You're painting the picture with the same fallaciously broad brush every
    corporate minded shirt on the planet does, and advocating the exact same
    lackadaisical security policies they are, as a result. :(

    Scheduled password changes guard against brute force attacks and unknown
    compromises. Only changing them when you believe you might have to assumes
    you can't be owned without it being obvious. A dangerous state of mind
    indeed, but it sure is "convenient" from the customer's perspective, eh?

    <sigh>

    Marketing and ease of use taking precedence over common sense and proved
    security measures. Exactly *why* we have as many notable compromises as we
    do. :(

    Sheik Yurbhuti, May 17, 2006
    #5
  6. Gualtier Malde

    Jim Watt Guest

    On 17 May 2006 21:47:29 -0000, Sheik Yurbhuti <>
    wrote:

    >Jim Watt wrote:
    >
    >> On 17 May 2006 09:55:02 -0700, "Zoned" <> wrote:
    >>
    >>>The bank that doesn't ask for a password change is the one I would worry
    >>>about.

    >>
    >> It depends. If you have reason to think the password is compromised then
    >> it needs to be changed. Otherwise changing regularly only leads to
    >> confusion and the use of weaker passwords that are easier to remember.

    >
    >Any good password management policy will disallow weak passwords to begin
    >with, even ones that don't mandate regular changes. And even if this
    >weren't true, it's not given that forced password changes will lead to any
    >such thing. It's possible, but that's entirely up to the user and no
    >reason whatsoever to not implement good password management policies.
    >
    >You're painting the picture with the same fallaciously broad brush every
    >corporate minded shirt on the planet does, and advocating the exact same
    >lackadaisical security policies they are, as a result. :(
    >
    >Scheduled password changes guard against brute force attacks and unknown
    >compromises. Only changing them when you believe you might have to assumes
    >you can't be owned without it being obvious. A dangerous state of mind
    >indeed, but it sure is "convenient" from the customer's perspective, eh?
    >
    ><sigh>
    >
    >Marketing and ease of use taking precedence over common sense and proved
    >security measures. Exactly *why* we have as many notable compromises as we
    >do. :(


    All security is a compromise between making things difficult for the
    unwanted and not making it impractical for legitimate users.

    For instance if a bank insisted on a twelve digit password like
    rrgf84kJ32HJ& I would have trouble using their system and
    changing it regularly would be a severe problem.
    --
    Jim Watt
    http://www.gibnet.com
    Jim Watt, May 18, 2006
    #6
  7.
    Jim Watt <_way> wrote:

    > >Any good password management policy will disallow weak passwords to
    > >begin with, even ones that don't mandate regular changes. And even
    > >if this weren't true, it's not given that forced password changes
    > >will lead to any such thing. It's possible, but that's entirely up
    > >to the user and no reason whatsoever to not implement good
    > >password management policies.
    > >
    > >You're painting the picture with the same fallaciously broad brush
    > >every corporate minded shirt on the planet does, and advocating the
    > >exact same lackadaisical security policies they are, as a result. :(
    > >
    > >Scheduled password changes guard against brute force attacks and
    > >unknown compromises. Only changing them when you believe you might
    > >have to assumes you can't be owned without it being obvious. A
    > >dangerous state of mind indeed, but it sure is "convenient" from
    > >the customer's perspective, eh?
    > >
    > ><sigh>
    > >
    > >Marketing and ease of use taking precedence over common sense and
    > >proved security measures. Exactly *why* we have as many notable
    > >compromises as we do. :(

    >
    > All security is a compromise between making things difficult for the
    > unwanted and not making it impractical for legitimate users.


    Reasonable password management isn't impractical. Requiring a password
    change every 6 months isn't unreasonable. It's a marvelous policy, and
    no normal person should have any problem relearning a sufficiently
    strong password twice a year, or using a suitable method of storage and
    retrieval.

    You're trying to prop up an argument that flies in the face of every
    shred of common sense, and the advice of every knowledgeable security
    professional that ever lived. I seriously doubt you're going to get
    very far, but if you must you must I suppose. :(

    > For instance if a bank insisted on a twelve digit password like
    > rrgf84kJ32HJ&


    I take it that by choosing your example as you did you're waffling on
    your original statement that "changing regularly only leads to
    confusion and the use of weaker passwords", and arguing that only very
    hard to remember passwords would be problematic now? I already said as
    much Jim. It's still no reason for not implementing good security
    policies.

    Or are you going to now try and argue that something along the lines of
    '29globaldog*bananahouseJill' would be crackable in 6 months and too
    complicated for someone to relearn twice a year? Even if it meant
    protecting their investments and finances? Or maybe something like
    'GarvolapopImuswak'. Either example is more than secure enough, and
    certainly easy for someone to remember for 6 months after a brief study
    period. Very brief.

    By the way, your example was 13 characters, not 12. A minor niggle that
    has more impact on security than memorability, but an impact on both
    none the less.

    > I would have trouble using their system and


    I would not. I'd work out some sort of mnemonic, or keep hard to
    remember passwords secured away in a password manager or encrypted file
    that required an overly secure passphrase to access. Just as I do now.

    In the OP's scenario where we're assuming he generates his own
    passwords I'd use the above and/or devise random pronounceable strings
    or use Diceware.

    > changing it regularly would be a severe problem.


    I'm sorry to hear that. You might find these links of some assistance:

    http://www.diceware.com/

    http://www.pitt.edu/~wek3/rndpwd.html

    http://www.schneier.com/passsafe.html

    http://www.umm.edu/altmed/ConsHerbs/GinkgoBilobach.html
    Sheik Yurbhuti, May 18, 2006
    #7
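    The post above recommends Diceware and random strings and argues about whether 12 or 13 characters matters. The following is an added example, not code from the thread or from the Diceware project: it implements the Diceware roll-to-word mapping (the real list has 6**5 = 7776 words; the 12-word list here is a constructed stand-in so it runs offline) and puts entropy figures on the schemes discussed, assuming every choice is uniformly random.

```python
import math
import secrets

# Diceware keys each of its 6**5 == 7776 words by five dice rolls ("11111".."66666").
# SAMPLE_WORDS is a constructed stand-in so the lookup logic runs offline; the
# entropy arithmetic below takes the real list size as its default.
DICEWARE_LIST_SIZE = 6 ** 5
SAMPLE_WORDS = [
    "global", "dog", "banana", "house", "jill", "cliff",
    "amber", "train", "pixel", "orbit", "maple", "quartz",
]


def index_to_rolls(idx: int) -> str:
    """Map a 0-based list position to its five-dice key (base 6, digits 1..6)."""
    if not 0 <= idx < DICEWARE_LIST_SIZE:
        raise ValueError("index outside the 7776-word Diceware range")
    digits = []
    for _ in range(5):
        idx, rem = divmod(idx, 6)
        digits.append(str(rem + 1))
    return "".join(reversed(digits))


def rolls_to_index(rolls: str) -> int:
    """Inverse of index_to_rolls: '11122' -> 7."""
    if len(rolls) != 5 or any(c not in "123456" for c in rolls):
        raise ValueError("a Diceware key is exactly five digits in 1..6")
    idx = 0
    for c in rolls:
        idx = idx * 6 + (int(c) - 1)
    return idx


def bits_per_word(list_size: int = DICEWARE_LIST_SIZE) -> float:
    return math.log2(list_size)


def passphrase_bits(n_words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of n words drawn uniformly (with replacement) from the list."""
    return n_words * bits_per_word(list_size)


def random_string_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string, e.g. 13 chars over 94 printable ASCII symbols."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits: float, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Smallest word count whose entropy reaches target_bits."""
    return math.ceil(target_bits / bits_per_word(list_size))


def generate_passphrase(n_words: int, wordlist=SAMPLE_WORDS):
    """Pick n words with the OS CSPRNG; return the phrase and the dice keys it maps to.

    With the 12-word sample list each word is worth only log2(12) ~ 3.6 bits;
    substitute the full list for real use.
    """
    indices = [secrets.randbelow(len(wordlist)) for _ in range(n_words)]
    phrase = " ".join(wordlist[i] for i in indices)
    return phrase, [index_to_rolls(i) for i in indices]


def compare_thread_examples() -> dict:
    """Entropy in bits of the schemes argued over, assuming uniform random choice."""
    return {
        "13 random chars, 94-symbol alphabet (like rrgf84kJ32HJ&)": round(random_string_bits(13, 94), 1),
        "12 random chars, 94-symbol alphabet": round(random_string_bits(12, 94), 1),
        "5 Diceware words": round(passphrase_bits(5), 1),
        "6 Diceware words": round(passphrase_bits(6), 1),
        "Diceware words to match 13 random chars": words_needed(random_string_bits(13, 94)),
    }


if __name__ == "__main__":
    phrase, rolls = generate_passphrase(5)
    print(phrase, rolls)
    for scheme, bits in compare_thread_examples().items():
        print(f"{scheme}: {bits}")
```

    A human-chosen phrase such as '29globaldog*bananahouseJill' has no well-defined entropy figure; the numbers above apply only to phrases the dice (or the CSPRNG) actually chose.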
  8. Sheik Yurbhuti <> writes:
    > Reasonable password management isn't impractical. Requiring a password
    > change every 6 months isn't unreasonable. It's a marvelous policy, and
    > no normal person should have any problem relearning a sufficiently
    > strong password twice a year, or using a suitable method of storage and
    > retrieval.
    >
    > You're trying to prop up an argument that flies in the face of every
    > shred of common sense, and the advice of every knowledgeable security
    > professional that ever lived. I seriously doubt you're going to get
    > very far, but if you must you must I suppose. :(


    the problem with passwords now starts to crop up when you have a 100 or
    more different passwords. post in similar thread
    http://www.garlic.com/~lynn/2006j.html#28 Password Complexity

    shared-secrets based authentication paradigm requires unique password
    for every unique security domain ... as countermeasure to cross-domain
    replay/impersonation attacks. lots of past posts about shared-secret
    based authentication
    http://www.garlic.com/~lynn/subpubkey.html#secret

    references to an old april 1st, password corporate directive from
    1984
    http://www.garlic.com/~lynn/2001d.html#52 A beautiful morning in ARM


    --
    Anne & Lynn Wheeler | http://www.garlic.com/~lynn/
    Anne & Lynn Wheeler, May 18, 2006
    #8
  9.
    Anne & Lynn Wheeler <> wrote:

    > Sheik Yurbhuti <> writes:
    > > Reasonable password management isn't impractical. Requiring a
    > > password change every 6 months isn't unreasonable. It's a marvelous
    > > policy, and no normal person should have any problem relearning a
    > > sufficiently strong password twice a year, or using a suitable
    > > method of storage and retrieval.
    > >
    > > You're trying to prop up an argument that flies in the face of every
    > > shred of common sense, and the advice of every knowledgeable
    > > security professional that ever lived. I seriously doubt you're
    > > going to get very far, but if you must you must I suppose. :(

    >
    > the problem with passwords now starts to crop up when you have a 100 or
    > more different passwords. post in similar thread
    > http://www.garlic.com/~lynn/2006j.html#28 Password Complexity


    This is why utilities like password managers exist, where strong
    encryption and (hopefully) equally strong passwords protect the rest.
    Yes, it's a compromise, but it's preferable to weaker passwords that
    never change. Much more preferable.

    It's also probably irrelevant in the scenario at hand, as the OP didn't
    appear to have 100's of passwords to worry about. Only three were in
    question. :)

    > shared-secrets based authentication paradigm requires unique password


    Obvious. Also irrelevant. Using unique passwords, storing them
    properly if necessary, and routine or necessary changes are *all* part
    of secure access management. One piece of that puzzle does not make the
    others any more or less significant.

    > for every unique security domain ... as countermeasure to cross-domain
    > replay/impersonation attacks. lots of past posts about shared-secret
    > based authentication
    > http://www.garlic.com/~lynn/subpubkey.html#secret
    >
    > references to an old april 1st, password corporate directive from
    > 1984
    > http://www.garlic.com/~lynn/2001d.html#52 A beautiful morning in ARM


    Is a parody supposed to be hard evidence now, or were you trying to
    inject humor? ;)

    Sheik Yurbhuti, May 18, 2006
    #9
  10. Gualtier Malde

    Jim Watt Guest

    On 18 May 2006 18:22:32 -0000, Sheik Yurbhuti <>
    wrote:

    >> the problem with passwords now starts to crop up when you have a 100 or
    >> more different passwords. post in similar thread
    >> http://www.garlic.com/~lynn/2006j.html#28 Password Complexity

    >
    >This is why utilities like password managers exist, where strong
    >encryption and (hopefully) equally strong passwords protect the rest.


    Bullshit. If I have to use a 'password manager' to access my bank
    account it means that it has to be installed on every machine I use.

    >Yes, it's a compromise, but it's preferable to weaker passwords that
    >never change. Much more preferable.


    In practice none of the systems I use rely on a simple password, and
    include a good mixture of shared secrets.

    >It's also probably irrelevant in the scenario at hand, as the OP didn't
    >appear to have 100's of passwords to worry about. Only three were in
    >question. :)


    I certainly have a hundred or so passwords to remember and
    rrgf84kJ32HJ& is not one of them.
    --
    Jim Watt
    http://www.gibnet.com
    Jim Watt, May 18, 2006
    #10
  11.
    Jim Watt <_way> wrote:

    > On 18 May 2006 18:22:32 -0000, Sheik Yurbhuti <>
    > wrote:
    >
    > >> the problem with passwords now starts to crop up when you have a
    > >> 100 or more different passwords. post in similar thread
    > >> http://www.garlic.com/~lynn/2006j.html#28 Password Complexity

    > >
    > >This is why utilities like password managers exist, where strong
    > >encryption and (hopefully) equally strong passwords protect the rest.

    >
    > Bullshit. If I have to use a 'password manager' to access my bank
    > account it means that it has to be installed on every machine I use.


    Obviously not. If you're in a position where you have to auth from
    multiple locations, ideally your passwords and any management software
    shouldn't be installed on *any* of them. If it must reside on some of
    them, it should be limited to the bare, necessary, minimum.

    If you personally are installing your PM software on every machine
    you're using Jim, I submit you've breached yet another tenet of basic
    security. And that if you're not routinely rotating your passwords your
    methodology is severely flawed.

    > >Yes, it's a compromise, but it's preferable to weaker passwords that
    > >never change. Much more preferable.

    >
    > In practice none of the systems I use rely on a simple password, and
    > include a good mixture of shared secrets.


    You're tap dancing around how you manage to reliably access all these
    systems. Care to elucidate. ;)

    > >It's also probably irrelevant in the scenario at hand, as the OP
    > >didn't appear to have 100's of passwords to worry about. Only three
    > >were in question. :)

    >
    > I certainly have a hundred or so passwords to remember and
    > rrgf84kJ32HJ& is not one of them.


    Are you the original poster? No.

    If you have "a hundred or so" to remember, and can, it's almost a sure bet
    your passwords are horribly weak. And even if you are that one in a
    billion person who can memorize passwords of sufficient strength to
    justify your "no changes" argument, your abilities are meaningless to
    the vast majority of mere mortals.

    Sheik Yurbhuti, May 18, 2006
    #11
  12. Jim Watt wrote:

    > On 17 May 2006 21:47:29 -0000, Sheik Yurbhuti <>
    > wrote:
    >
    >>Jim Watt wrote:
    >>
    >>> On 17 May 2006 09:55:02 -0700, "Zoned" <> wrote:
    >>>
    >>>>The bank that doesn't ask for a password change is the one I would worry
    >>>>about.
    >>>
    >>> It depends. If you have reason to think the password is compromised
    >>> then it needs to be changed. Otherwise changing regularly only leads
    >>> to confusion and the use of weaker passwords that are easier to
    >>> remember.

    >>
    >>Any good password management policy will disallow weak passwords to begin
    >>with, even ones that don't mandate regular changes. And even if this
    >>weren't true, it's not given that forced password changes will lead to
    >>any such thing. It's possible, but that's entirely up to the user and no
    >>reason whatsoever to not implement good password management policies.
    >>
    >>You're painting the picture with the same fallaciously broad brush every
    >>corporate minded shirt on the planet does, and advocating the exact same
    >>lackadaisical security policies they are, as a result. :(
    >>
    >>Scheduled password changes guard against brute force attacks and unknown
    >>compromises. Only changing them when you believe you might have to
    >>assumes you can't be owned without it being obvious. A dangerous state of
    >>mind indeed, but it sure is "convenient" from the customer's
    >>perspective, eh?
    >>
    >><sigh>
    >>
    >>Marketing and ease of use taking precedence over common sense and proved
    >>security measures. Exactly *why* we have as many notable compromises as
    >>we do. :(

    >
    > All security is a compromise between making things difficult for the
    > unwanted and not making it impractical for legitimate users.
    >
    > For instance if a bank insisted on a twelve digit password like
    > rrgf84kJ32HJ& I would have trouble using their system and changing it
    > regularly would be a severe problem.


    If you find using pseudo-random passwords and changing them every 6 months
    a "severe problem" you have absolutely no business at ALL hanging out in a
    security oriented newsgroup handing out advice.

    This is one of the dumbest debates I've seen here. Of COURSE changing your
    password regularly is a good thing. Only totally clueless newbies or
    completely lazy slobs would say otherwise.

    > --
    > Jim Watt
    > http://www.gibnet.com
    Borked Pseudo Mailed, May 18, 2006
    #12
  13. Borked Pseudo Mailed <> writes:
    > If you find using pseudo-random passwords and changing them every 6
    > months a "severe problem" you have absolutely no business at ALL
    > hanging out in a security oriented newsgroup handing out advice.
    >
    > This is one of the dumbest debates I've seen here. Of COURSE
    > changing your password regularly is a good thing. Only totally
    > clueless newbies or completely lazy slobs would say otherwise.


    i know quite a few people that have on the order of 100 passwords, and
    effectively only use online banking once a month for bill payment.
    remembering a pseudo-random password that you only used once a month
    (and possibly is one out of 100) is a non-trivial task. it is also
    somewhat difficult to convince such people that they have to change
    such password every six uses.

    one of the reasons that banking community is looking at moving to
    biometrics is that something like 30 percent of the population are
    reported to write their pin number on their debit card. the knee-jerk
    reaction frequently has been that biometrics like fingerprints aren't
    very secure.

    the counter argument is ... not very secure compared to what? giving a
    person the choice of registering one of their fingers that is least
    likely to handle the card ... which becomes more difficult for a
    crook,

    1) to copy a pin written on a lost/stolen card and replay it

    or

    2) to lift a fingerprint (that isn't very likely to be there) off a
    lost/stolen card and replay it

    --
    Anne & Lynn Wheeler | http://www.garlic.com/~lynn/
    Anne & Lynn Wheeler, May 18, 2006
    #13
  14.
    Borked Pseudo Mailed <> wrote:

    > This is one of the dumbest debates I've seen here. Of COURSE changing
    > your password regularly is a good thing. Only totally clueless
    > newbies or completely lazy slobs would say otherwise.


    Or perhaps corporate minded "yes men" who buy into the assumption that
    ease of use takes precedence to security, even when security can be
    greatly improved with minimal inconvenience to customers. ;)

    Sheik Yurbhuti, May 18, 2006
    #14
  15. Jim Watt wrote:

    > On 18 May 2006 18:22:32 -0000, Sheik Yurbhuti <>
    > wrote:
    >
    >>> the problem with passwords now starts to crop up when you have a 100 or
    >>> more different passwords. post in similar thread
    >>> http://www.garlic.com/~lynn/2006j.html#28 Password Complexity

    >>
    >>This is why utilities like password managers exist, where strong
    >>encryption and (hopefully) equally strong passwords protect the rest.

    >
    > Bullshit. If I have to use a 'password manager' to access my bank account
    > it means that it has to be installed on every machine I use.


    Who the **** said you had to use a manager to access a bank account? If
    you only have a couple passwords you should be able to remember them even
    if they're secure. That's what Diceware is for, numbnuts.

    Gee, I wonder why you have to keep shifting the goal posts in this
    argument? Maybe you're full of shit again? What a surprise. NOT!

    >
    >>Yes, it's a compromise, but it's preferable to weaker passwords that
    >>never change. Much more preferable.

    >
    > In practice none of the systems I use rely on a simple password, and
    > include a good mixture of shared secrets.
    >
    >>It's also probably irrelevant in the scenario at hand, as the OP didn't
    >>appear to have 100's of passwords to worry about. Only three were in
    >>question. :)

    >
    > I certainly have a hundred or so passwords to remember and rrgf84kJ32HJ&
    > is not one of them.


    And you just remember them all, right?

    Lying fukwit.
    Borked Pseudo Mailed, May 18, 2006
    #15
  16. Gualtier Malde

    TwistyCreek Guest

    Anne & Lynn Wheeler wrote:

    >
    > Borked Pseudo Mailed <> writes:
    >> If you find using pseudo-random passwords and changing them every 6
    >> months a "severe problem" you have absolutely no business at ALL hanging
    >> out in a security oriented newsgroup handing out advice.
    >>
    >> This is one of the dumbest debates I've seen here. Of COURSE changing
    >> your password regularly is a good thing. Only totally clueless newbies
    >> or completely lazy slobs would say otherwise.

    >
    > i know quite a few people that have on the order of 100 passwords, and
    > effectively only use online banking once a month for bill payment.
    > remembering a pseudo-random password that you only used once a month (and
    > possibly is one out of 100) is a non-trivial task. it is also somewhat


    That's what I said.

    > difficult to convince such people that they have to change such password
    > every six uses.


    It's not difficult at all. In fact you can force them to do it. And
    people only using their online banking once a month would be less likely
    to bitch because they're probably not remembering passwords anyway.
    They're either writing them down on a sticky note and pasting it to
    their monitor, or hopefully doing something a little more secure. Someone
    who memorized a good password by using it all the time is a LOT more
    likely to be annoyed by the change.

    Ever have the phone company change your number on you? I have. It SUCKS!
    Worse than writing checks for your January round of bills. ;-)

    >
    > one of the reasons that banking community is looking at moving to
    > biometrics is that something like 30 percent of the population are reported
    > to write their pin number on their debit card. the knee-jerk reaction
    > frequently has been that biometrics like fingerprints aren't very secure.


    They're no more or less secure than anything else if mishandled, or if the
    protocols are breakable. That's the big bitch about PIN numbers these
    days, not writing them on the card. The hardware that's supposedly secure
    is crackable, and whether or not you use a 4 digit PIN, your fingerprint,
    or a retinal scan combined with a 100 character random password is
    meaningless.

    >
    > the counter argument is ... not very secure compared to what? giving a
    > person the choice of registering one of their fingers that is least likely
    > to handle the card ... which becomes more difficult for a crook,
    >
    > 1) to copy a pin written on a lost/stolen card and replay it
    >
    > or
    >
    > 2) to lift a fingerprint (that isn't very likely to be there) off a
    > lost/stolen card and replay it


    Most biometrics won't fall victim to lifted prints. They need to be
    attached to a real live finger. There are some gadgets and gimmicks out
    there that claim to simulate live fingers or allow you to use a faked
    print on your own finger, but last I knew they were experimental and
    unreliable.
    TwistyCreek, May 19, 2006
    #16
  17. TwistyCreek <> writes:
    > They're no more or less secure than anything else if mishandled, or
    > if the protocols are breakable. That's the big bitch about PIN
    > numbers these days, not writing them on the card. The hardware
    > that's supposedly secure is crackable, and whether or not you use a
    > 4 digit PIN, your fingerprint, or a retinal scan combined with a 100
    > character random password is meaningless.


    from the three factor authentication model
    http://www.garlic.com/~lynn/subpubkey.html#3factor

    * something you have
    * something you know
    * something you are

    the card is a "something you have" and the PIN is "something you
    know". the nominal assumption in multi-factor authentication is that
    the different factors are subject to different vulnerabilities.

    however the well established skimming activity has been able to
    harvest magstripe information (static data that supposedly represents
    the card, "something you have") and the PIN (static data "something
    you know") at the same time (at compromised and/or counterfeit
    terminals or devices) ... invalidating assumption about multi-factor
    authentication having independent vulnerabilities.
    http://www.garlic.com/~lynn/subpubkey.html#harvest

    some recent posts about "yes card" and recent chip&pin skimming:
    http://www.garlic.com/~lynn/aadsm22.htm#20 FraudWatch - Chip&Pin, a new tenner (USD10)
    http://www.garlic.com/~lynn/aadsm22.htm#21 FraudWatch - Chip&Pin, a new tenner (USD10)
    http://www.garlic.com/~lynn/aadsm22.htm#23 FraudWatch - Chip&Pin, a new tenner (USD10)
    http://www.garlic.com/~lynn/aadsm22.htm#25 FraudWatch - Chip&Pin, a new tenner (USD10)
    http://www.garlic.com/~lynn/aadsm22.htm#26 FraudWatch - Chip&Pin, a new tenner (USD10)
    http://www.garlic.com/~lynn/aadsm22.htm#34 FraudWatch - Chip&Pin, a new tenner (USD10)
    http://www.garlic.com/~lynn/aadsm22.htm#39 FraudWatch - Chip&Pin, a new tenner (USD10)
    http://www.garlic.com/~lynn/aadsm22.htm#40 FraudWatch - Chip&Pin, a new tenner (USD10)
    http://www.garlic.com/~lynn/aadsm22.htm#41 FraudWatch - Chip&Pin, a new tenner (USD10)
    http://www.garlic.com/~lynn/aadsm23.htm#16 FraudWatch - Chip&Pin, a new tenner (USD10)
    http://www.garlic.com/~lynn/aadsm23.htm#17 FraudWatch - Chip&Pin, a new tenner (USD10)
    http://www.garlic.com/~lynn/aadsm23.htm#19 Petrol firm suspends chip-and-pin
    http://www.garlic.com/~lynn/aadsm23.htm#20 Petrol firm suspends chip-and-pin
    http://www.garlic.com/~lynn/aadsm23.htm#25 Petrol firm suspends chip-and-pin
    http://www.garlic.com/~lynn/aadsm23.htm#26 Petrol firm suspends chip-and-pin
    http://www.garlic.com/~lynn/aadsm23.htm#27 Chip-and-Pin terminals were replaced by "repairworkers"?
    http://www.garlic.com/~lynn/aadsm23.htm#30 Petrol firm suspends chip-and-pin

    --
    Anne & Lynn Wheeler | http://www.garlic.com/~lynn/
    Anne & Lynn Wheeler, May 19, 2006
    #17
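    The post above makes the point that static magstripe data and a static PIN can be skimmed together and replayed, which breaks the assumption that the factors fail independently. The following is an added example, not code from the thread, from the poster's FINREAD references, or from any payment standard: it contrasts a back end that accepts static track data and PIN (replayable) with a chip-style exchange in which the PIN is checked on the card and only an HMAC over a single-use server nonce and the amount leaves the card. All keys, the PAN and the track data are constructed demo values.

```python
import hashlib
import hmac
import secrets

# Constructed demo values for one card; they exist only so the example runs offline.
PAN = "4000123412341234"
TRACK_SECRET = "magstripe-track-data"       # static data the stripe carries
CARD_KEY = b"per-card-symmetric-key-demo"   # secret held by the chip, never transmitted
PIN = "4321"


class StaticVerifier:
    """Magstripe-style back end: authorizes on static track data plus PIN."""

    def __init__(self, accounts):
        self.accounts = accounts  # pan -> (track_secret, pin)

    def authorize(self, msg):
        expected = self.accounts.get(msg["pan"])
        return expected is not None and expected == (msg["track"], msg["pin"])


class ChipCard:
    """Chip that checks the PIN locally and MACs a server nonce plus the amount."""

    def __init__(self, pan, key, pin):
        self.pan, self.key, self.pin = pan, key, pin

    def sign(self, pin_entered, nonce, amount):
        if not hmac.compare_digest(pin_entered, self.pin):
            return None  # wrong PIN: nothing leaves the card
        payload = f"{self.pan}:{nonce}:{amount}".encode()
        return hmac.new(self.key, payload, hashlib.sha256).hexdigest()


class ChallengeVerifier:
    """Back end that issues single-use nonces and checks the card's MAC."""

    def __init__(self, keys):
        self.keys = keys            # pan -> card key
        self.outstanding = set()    # (pan, nonce) pairs issued but not yet consumed

    def challenge(self, pan):
        nonce = secrets.token_hex(16)
        self.outstanding.add((pan, nonce))
        return nonce

    def authorize(self, msg):
        key = self.keys.get(msg["pan"])
        if key is None or (msg["pan"], msg["nonce"]) not in self.outstanding:
            return False  # unknown card, or nonce never issued / already used
        self.outstanding.discard((msg["pan"], msg["nonce"]))  # single use, even on failure
        payload = f"{msg['pan']}:{msg['nonce']}:{msg['amount']}".encode()
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, msg["mac"])


def demo_static_replay():
    """A single skimmed static message authorizes again verbatim, for any amount."""
    bank = StaticVerifier({PAN: (TRACK_SECRET, PIN)})
    captured = {"pan": PAN, "track": TRACK_SECRET, "pin": PIN, "amount": "10.00"}
    first = bank.authorize(captured)
    replay = bank.authorize(dict(captured, amount="500.00"))  # amount is not bound at all
    return first, replay


def demo_challenge_replay():
    """The same capture against challenge-response: replay and tampering both fail."""
    bank = ChallengeVerifier({PAN: CARD_KEY})
    card = ChipCard(PAN, CARD_KEY, PIN)
    nonce = bank.challenge(PAN)
    captured = {"pan": PAN, "nonce": nonce, "amount": "10.00",
                "mac": card.sign(PIN, nonce, "10.00")}
    first = bank.authorize(captured)
    replay = bank.authorize(captured)                          # nonce already consumed
    nonce2 = bank.challenge(PAN)
    tampered = {"pan": PAN, "nonce": nonce2, "amount": "500.00",
                "mac": card.sign(PIN, nonce2, "10.00")}        # amount changed after signing
    return first, replay, bank.authorize(tampered)


if __name__ == "__main__":
    print("static: first, replay =", demo_static_replay())
    print("challenge-response: first, replay, tampered =", demo_challenge_replay())
```

    Binding the amount into the MAC is what makes the terminal's display matter: if the PC or terminal shows a different amount than the one the card signs, the back end can only catch it if the card signed what the customer saw, which is the isolation argument the poster makes for FINREAD.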
  18. Gualtier Malde

    Jim Watt Guest

    On Thu, 18 May 2006 16:05:02 -0600 (MDT), Borked Pseudo Mailed
    <> wrote:

    >Gee, I wonder why you have to keep shifting the goal posts in this
    >argument? Maybe you're full of shit again? What a surprise. NOT!


    Should I require any shit, I'll contact you further.
    --
    Jim Watt
    http://www.gibnet.com
    Jim Watt, May 19, 2006
    #18
  19. Gualtier Malde

    Jim Watt Guest

    On 18 May 2006 20:45:18 -0000, Sheik Yurbhuti <>
    wrote:

    >If you personally are installing your PM software on every machine
    >you're using Jim, I submit you've breached yet another tenet of basic
    >security. And that if you're not routinely rotating your passwords your
    >methodology is severely flawed.


    Perhaps you need to read what was said more carefully.

    I am not advocating the use of 'password managers' at all; I am
    arguing that they are not appropriate, as I want to be able to access
    things from a wide range of machines.

    Good security does not depend on a simple password, and the
    actual electronic banking systems I use implement other measures.

    What I do object to is systems which insist on changing passwords
    where access is not particularly critical; as I do rely on
    remembering passwords, and have a lot of them which are unique
    to the system, changes are tedious.

    All security is a compromise between making things difficult but
    still allowing them to be usable. Electronic banking is targeted
    at the masses, not known for their caution.

    It's certainly about time a standard PC came with a smartcard
    reader to add another layer of authentication. However simple
    passwords are not enough for anything sensitive.
    --
    Jim Watt
    http://www.gibnet.com
    Jim Watt, May 19, 2006
    #19
  20. Jim Watt <_way> writes:
    > It's certainly about time a standard PC came with a smartcard reader
    > to add another layer of authentication. However simple passwords
    > are not enough for anything sensitive.


    part of the issue is that static data authentication is vulnerable to
    skimming/eavesdropping/harvesting and replay attacks.

    there is an issue with just a straight-forward hardware token interface.
    this is one of the reasons for the EU FINREAD terminal specs.
    http://www.garlic.com/~lynn/subpubkey.html#finread

    it has been well recognized for a long time that PCs have a large
    number of vulnerabilities. the FINREAD terminal was to isolate with
    relatively high integrity ... 1) the hardware token interface, 2) the
    PIN-entry interface, and 3) the display interface (for transaction
    authentication: was the value displayed for the transaction being
    authenticated really the value in the transaction being
    authenticated?).

    this was an attempt to minimize the chance of a compromised PC (with
    virus/trojans) being able to a) skim the PIN, b) perform interactions
    with the token w/o the owner's knowledge, c) display one set of values
    for a transaction but perform a totally different transaction.

    the x9a10 financial standards working group had been given the
    requirement to preserve the integrity of the financial infrastructure
    for all retail payments.
    http://www.garlic.com/~lynn/x959.html#x959
    http://www.garlic.com/~lynn/subpubkey.html#x959

    one of the things done in the resulting x9.59 financial standard was
    that it provided for the "authenticating" environment to also
    authenticate transactions ... i.e. the EU FINREAD standard calls for
    a special high-integrity terminal ... but w/o the terminal also
    authenticating the transaction, there is no proof to the relying party
    that an EU FINREAD terminal is being used for the transaction ... aka
    the transaction might be done purely from the PC w/o a special
    terminal or might be done with a counterfeit terminal. the transaction
    is authenticated ... but the environment that the transaction is
    performed in is also authenticated.

    one of the other things that x9.59 did was recognize that the current
    infrastructure has overloaded the account number ... it is required to
    be exposed for use in a large number of different processes ... but
    can be sufficient information for a crook to perform a fraudulent
    transaction. x9.59 defined that account numbers used for x9.59
    transactions can't also be used in unauthenticated transactions. this
    was a recognition that, with the large number of business processes
    requiring the account number to be exposed ... even burying the
    planet under miles of information-hiding crypto ... it would still
    be impossible to prevent account number data breaches and account
    number skimming.

    there is also the issue that numerous studies have continued to find
    that something like 70 percent of breaches resulting in various kinds
    of identity and account fraud have involved insiders. this somewhat
    relates to my old post on security proportional to risk
    http://www.garlic.com/~lynn/2001h.html#61

    there are also a large variety of man-in-the-middle attacks against
    session-oriented protocols ... that, to eliminate the possibility,
    require that transactions are explicitly authenticated, in addition to
    any session-oriented authentication (aka authentication performed
    separately and independently of the explicitly authenticated actual
    operations).

    lots of past posts about exploits, vulnerabilities, attacks, and
    fraud
    http://www.garlic.com/~lynn/subpubkey.html#fraud

    --
    Anne & Lynn Wheeler | http://www.garlic.com/~lynn/
    Anne & Lynn Wheeler, May 19, 2006
    #20
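    Added example (mine, not Lynn's and not code from the X9.59 or FINREAD
    specifications): a toy model of the distinction drawn in the post above
    between session-oriented authentication and explicitly signing each
    transaction, with the terminal counter-signing to attest the environment
    and x9.59-flagged account numbers being refused in unauthenticated
    transactions. HMAC with constructed keys stands in for the token's
    digital signature, and every helper name and account value is
    hypothetical.

```python
"""Toy model of X9.59-style transaction authentication (added example).

HMAC over a canonical encoding stands in for the token's digital
signature; keys, account numbers and function names are all constructed.
"""
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secrets (a real token holds a private key instead).
TOKEN_KEY = b"constructed-token-key"
TERMINAL_KEY = b"constructed-finread-style-terminal-key"

# Accounts the issuer has flagged as x9.59-only: any transaction on them
# that arrives without a valid transaction signature is refused outright.
X959_ONLY_ACCOUNTS = {"4000111122223333"}   # constructed sample value


def canonical(tx: dict) -> bytes:
    """Stable byte encoding so signer and verifier hash identical data."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def sign(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def token_sign(tx: dict) -> str:
    """Hardware token signs the transaction fields (amount, payee, ...)."""
    return sign(TOKEN_KEY, canonical(tx))


def terminal_sign(tx: dict, token_sig: str) -> str:
    """High-integrity terminal also signs: proof of the environment in
    which PIN entry and the display of the amount took place."""
    return sign(TERMINAL_KEY, canonical(tx) + token_sig.encode())


def issuer_authorize(tx: dict, token_sig: Optional[str],
                     term_sig: Optional[str] = None) -> str:
    """Relying party's decision, returned as a short verdict string."""
    if token_sig is None:                      # session-level auth only
        if tx["account"] in X959_ONLY_ACCOUNTS:
            return "refused: account is X9.59-only, unauthenticated tx"
        return "session-auth only: tampering undetectable at this layer"
    if not hmac.compare_digest(token_sig, token_sign(tx)):
        return "refused: transaction signature mismatch"   # altered fields
    if term_sig is not None and not hmac.compare_digest(
            term_sig, terminal_sign(tx, token_sig)):
        return "refused: terminal signature mismatch"
    env = "trusted terminal" if term_sig else "unknown environment"
    return f"approved ({env})"
```

    Run `issuer_authorize` on a transaction whose amount was changed after
    the token signed it (the compromised-PC case in the post) and the
    signature check fails, whereas the same change under session-only
    authentication is invisible to the issuer.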