
Bank Website Security

Saturday, December 17th, 2011

Banks can't really afford to screw around with their website security. With viruses and spyware recording keystrokes on users' computers, money can disappear from accounts in the blink of an eye. So banks need to go a few steps further than just requiring a username and password on their websites to protect accounts.

One of the banks I'm currently with used to require a username and basically two different passwords. The second one, called a security key, had to be "typed" on a virtual keyboard using the mouse. I think this was a very good technique to combat things like keyloggers and spyware.

So in an effort to keep things fresh, in November they changed how the security key works. Now instead of requiring you to click in the whole key, they ask for the characters at 3 seemingly random places in the key:

[Image: HSBC's security key question]

Sure, this mixes it up, and I'm sure their intent was to have you type different characters each time, but I'm not sure this is an upgrade. First, instead of requiring a really long string of characters, now they're down to 3. Second, my security key is rather long and intricate, and trying to figure out what the 6th or 18th or 19th character is in my head is practically impossible. This forces me to write it down, which breaks the first rule of passwords: you don't write them down!

The last problem I have with this setup has to do with the data the bank stores. In order to authenticate people, the bank needs to have your password stored in their system. More accurately, they should have a one-way hash of your password. So when you log in, they hash the password you supply and see if the resulting string matches what they have in their database. This way they don't know your password and, more importantly, if they were to be compromised, your password is still safe. With this new security key mechanism they either need to have your password stored in plain-text or have a hash of every possible 3-character combination of the key. Either way it seems your password could be easily figured out if you had access to the data on their end.
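To make the storage trade-off concrete, here is an added example (not the bank's code, and not from the original post) that implements both designs side by side: the ordinary whole-key salted hash, and the "hash every 3-position subset" alternative that avoids plain-text. The hash function, iteration count, key length and alphabet size are assumptions for illustration; the helper functions at the end count how many hashes the partial scheme has to store and how few guesses each of those hashes can withstand.

```python
import hashlib
import hmac
import os
from itertools import combinations
from math import comb

# Assumed parameters: PBKDF2-HMAC-SHA256 stands in for whatever slow hash a
# real bank uses; the iteration count is kept low so the example runs quickly.
ITERATIONS = 10_000

def _hash(salt: bytes, secret: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)

def store_full(key: str) -> dict:
    """Ordinary scheme: one salted hash of the entire security key."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(salt, key)}

def verify_full(record: dict, supplied: str) -> bool:
    return hmac.compare_digest(record["hash"], _hash(record["salt"], supplied))

def store_partial(key: str, k: int = 3) -> dict:
    """Partial-character scheme without plain-text: one salted hash for every
    k-position subset of the key. Positions are 1-based, as in the prompt."""
    salt = os.urandom(16)
    table = {}
    for positions in combinations(range(1, len(key) + 1), k):
        chars = "".join(key[p - 1] for p in positions)
        table[positions] = _hash(salt, chars)
    return {"salt": salt, "length": len(key), "table": table}

def verify_partial(record: dict, positions, supplied: str) -> bool:
    """Check the characters the user typed for the positions that were asked."""
    expected = record["table"].get(tuple(positions))
    if expected is None or len(supplied) != len(positions):
        return False
    return hmac.compare_digest(expected, _hash(record["salt"], supplied))

def hashes_stored(key_length: int, k: int = 3) -> int:
    """Number of per-subset hashes the partial scheme must keep: C(n, k)."""
    return comb(key_length, k)

def guesses_per_hash(alphabet_size: int, k: int = 3) -> int:
    """Search space behind each stored partial hash: alphabet^k, not alphabet^n."""
    return alphabet_size ** k
```

For a 20-character key over 62 symbols the partial scheme stores 1,140 hashes, and each one protects only 238,328 possible values, which is the weakness the post describes.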
