
It's actually worse than that.

I don't know what it's like now, since I haven't used POF since 2008 or so when I met my current girlfriend (though I only remembered to kill the account a few months back), but back then they would actually send you reminders every so often - I want to say once a week - that included your plain text password as a reminder.

I think this is just the kick in the ass I needed to go through all my accounts around the internet and make sure they all have unique, reasonably complex passwords. My email and banking passwords have always been unique, but I know I've been slack elsewhere. I won't let that happen again.




If there is an option to use some kind of hardware token with your banking then I would strongly advise you to take that.

Having just a password to protect your bank account sounds pretty scary to me. That's about as juicy as it gets. I'm paranoid enough about my servers having 'just' a password to protect them (oh, and an ACL); if my bank accounts had only a password I wouldn't sleep.

Every time I log on I have to use my chipcard in a little electronic device with an LCD display and a bunch of buttons on it; the chipcard generates a unique ID every time I log in. When I want to do an actual transaction I have to authorize it using 1, 2 or 3 challenges depending on the amount and destination of the transaction. It's less convenient than a password protected system but it's fairly secure.

It's also protected against the most common form of theft called 'skimming' because it uses the chip and not the magnetic stripe so a thief using the data on a skimmed card could only use that to use an ATM but not to access the internet banking section of the website of my bank.


In Denmark the currently-being-phased-in solution is a low-tech version of two-factor authentication. Instead of a hardware dongle, the centrally-administered "NemID" system issues you with a physical code card with some numerical codes on it. You enter your NemID password, your CPR number (Denmark's citizen-ID number), and the next unused code on the card. When there are fewer than 20 unused codes, the system notices and mails you a new card.

The downside is that there's now a single point of failure, albeit with more factors. If you get someone's CPR number, their NemID password, and their current NemID card with some indication on it of which code is the next unused one (most people mark off the used codes), you can log into everything: all Danish banks, the tax authority, the municipal authorities, your library account, etc., etc.

They do try to minimize it by writing strongly worded warnings everywhere not to store your NemID password in your wallet. A typical wallet contains a Danish health card with CPR number, and the NemID code card, so it's fairly important that the NemID password not also be there.


The upside is that the NemID system gets the average citizen to a point where his/her family (and close friends) are the largest security problem. It is much more difficult for hackers in Argentina and Russia to get into your bank account when they need access to a piece of paper.

It is impossible to protect against your own family: they have hardware access to your computer, they can intercept all your paper mail, they know all details about your life, etc. So they are the perfect identity thieves.

Some Danes think they are clever and scan the paper card and store it as an image on their computer. Some people are just impossible to make a secure access system for.

The upside of the downside is that if anybody gets hold of your login details, then there is a single place to stop them instead of having to change 20 logins.

BTW. "NemID" translated to English is "EasyID". Within the next year, a hardware dongle will be available (e.g. for users who often log in and use up all the codes on a paper card in no time).


If there is one thing I would like it would be the option to specifically authorize a set of IP addresses allowed to access my bank account rather than the implicit way it is done right now.


I totally agree with this. I even had the SSH firewall rule of my Mumble voice server for my WoW guild set to only allow my home connection. One downside is if I'm ever given a different IP address by my ISP, I'd have to go to work and change it. Minor inconvenience but this isn't a crucial service.


Chase bank requires me to authenticate via a texted or emailed code if I log in to my bank via a browser I haven't used before. Not exactly the same, but a helpful additional precaution.


I think the NatWest system is pretty solid:

1. UserID is your date of birth and some random-ish number appended

2. It asks for three random characters from your password and your PIN

3. For any transaction you have the chip-card-plus-calculator-looking-device (and you need to know the pin for that.)

Personally I'm happy enough with the German system (username, password, random TAN from a piece of paper). At least I will be until my kids grow up :-).


This resembles the most common way of authentication for online banking in Germany (a PIN and a list of transaction codes, so-called TANs).

Do you always have to pick the next one-time code in the printed sequence? In Germany, you used to be free to pick any of the unused TANs, which made phishing really simple. Nowadays it's more common for a bank to challenge you to a randomly chosen TAN.


When I use NemID, it asks for code number NNNXXX, where NNN is the sequential number of the codes (to make it easy to find) and XXX is a "check" to prevent phishing.
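The indexed-code-card scheme described in this comment (a prompt "NNNXXX" where NNN is the row to look up and XXX a check the user can recognise, combined with the strictly sequential next-unused-code rule and the reissue-at-20-remaining behaviour from the Danish description above) is simple enough to model end to end. The following is an added example written for this thread, not NemID's or any bank's code; the card format, the `generate_card`/`user_lookup`/`CodeCardServer` names and the three-failures lockout are my own assumptions about how such a system would be built.

```python
import hmac
import random
import secrets


def generate_card(n_codes=50, code_len=6, rng=None):
    """Issue a constructed paper card as a list of (label, code) rows.
    label = NNN + XXX: NNN is the sequential row number the user looks up,
    XXX is a per-row check printed next to it (my interpretation of the
    thread's description, not the real NemID format). Real issuance uses
    the CSPRNG default; a seeded rng is only for reproducible tests."""
    rng = rng or secrets.SystemRandom()
    card = []
    for i in range(1, n_codes + 1):
        label = f"{i:03d}{rng.randrange(1000):03d}"
        code = f"{rng.randrange(10 ** code_len):0{code_len}d}"
        card.append((label, code))
    return card


def user_lookup(card, label):
    """Cardholder side: find the row whose printed label matches the prompt.
    A phishing page that does not hold the card can guess the NNN part but
    not the XXX part, so its prompt will not match any printed row and the
    user has a visible reason to stop."""
    for row_label, code in card:
        if row_label == label:
            return code
    return None


class CodeCardServer:
    """Server side: enforces strictly sequential one-time use of the codes,
    locks the account after `max_attempts` consecutive failures and flags
    when a new card should be mailed (fewer than `reissue_threshold` left)."""

    def __init__(self, card, reissue_threshold=20, max_attempts=3):
        self.card = list(card)
        self.next_index = 0
        self.reissue_threshold = reissue_threshold
        self.max_attempts = max_attempts
        self.failed_attempts = 0
        self.locked = False

    def challenge(self):
        """Label of the next unused row, or None if the card is exhausted."""
        if self.next_index >= len(self.card):
            return None
        return self.card[self.next_index][0]

    def verify(self, label, code):
        """True only for the next unused row; an older (replayed) code or a
        row picked out of order is rejected. Comparisons are constant-time."""
        if self.locked or self.next_index >= len(self.card):
            return False
        expected_label, expected_code = self.card[self.next_index]
        label_ok = hmac.compare_digest(label.encode(), expected_label.encode())
        code_ok = hmac.compare_digest(code.encode(), expected_code.encode())
        if not (label_ok and code_ok):
            self.failed_attempts += 1
            if self.failed_attempts >= self.max_attempts:
                self.locked = True
            return False
        self.failed_attempts = 0
        self.next_index += 1
        return True

    def codes_remaining(self):
        return len(self.card) - self.next_index

    def needs_new_card(self):
        return self.codes_remaining() < self.reissue_threshold


if __name__ == "__main__":
    card = generate_card(n_codes=25)
    server = CodeCardServer(card)
    prompt = server.challenge()          # shown to the user on the login page
    print("login accepted:", server.verify(prompt, user_lookup(card, prompt)))
    print("codes left:", server.codes_remaining(), "reissue:", server.needs_new_card())
```

The server never accepts a code other than the one at `next_index`, which is what closes the "pick any unused TAN" weakness mentioned for the old German lists: a phisher who captures one code cannot use it once the legitimate user has moved past it, and cannot use a later one until the server asks for it.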


Are you European? I only ask because my friend in London is the only person I've ever heard of using such a device.

Unfortunately, such a thing seems all but unheard of here in Canada.

Our debit and credit cards are being replaced with cards with chips embedded, which could be a sign that such devices are coming, but for now I'm afraid my password is my only real line of defense online. I have noticed that when I login from a new computer (for example, when I visit my parents), the site uses one of my challenge questions to ensure it's really me. I guess that's something, although I really don't know the exact circumstances that trigger the challenge.


The weird thing is that Blizzard will cheerfully sell you a $7 hardware token to protect your imaginary WoW gold and equipment, but I don't know of any US banks that offer one to protect your actual money.


Paypal will.

Don't quote me on this, but I think banks are starting to lean on "possession of a trusted mobile device" as their two-factor authentication. The basic theory is that I give them a number I can receive SMSes at, and then any time they want to verify that the person operating my web browser is really me, they say "We just sent you a one-time password via SMS. Enter it, resend it, or talk to customer service."

This has significant advantages over dongles from the perspective of the bank: they don't have to get into dongle distribution, and people are probably better at keeping cell phones available than they are at keeping dongles available.


My bank in Australia does this (for any transaction to an account I've never sent money to before). Works pretty well.

I click a button, they SMS a 6 digit code, I enter it, money transferred (or bill paid).


Which bank?


That one. :)

http://www.commbank.com.au for those who don't get the joke.


They will also issue a token for those of us living outside the country.


AFAIK, CBA and Community CPS both do it.


As does NAB.


Bank of America and Paypal will.

Most banks use the "you only get to try three times before your account is locked" method of security. It's pretty hard to bruteforce a password with only three attempts before you have to call customer service. At that point, you might as well print out a fake driver's license, walk into a branch, and ask to close "your" account.


E*TRADE offers this for free if you have a high enough balance ($5K?) between accounts. Unfortunately, our good friends at Mint.com have no way to deal with two-factor auth, so in my informal polls, all my friends who were using two factor switched back to password only so they could use Mint's reporting features.


SOP for Citibusiness accounts.


The chips are most likely for EMV[1], which essentially puts some intelligence on the card in the form of an IC chip, and allows the card to make approve/deny decisions based on rules of the issuing bank. With EMV cards, the transaction is more like a negotiation, and the card may reject at any point.

Of course, like anything, there will be vulnerabilities, and in the interests of usability, some issuing banks will relax restrictions.

Because of the crypto involved in the back and forth communication between hardware and card, EMV transactions piss off a lot of customers; it can easily take 2-3 times more time to process a transaction when compared to a mag-swipe.

Though it does reduce the chance of your card getting skimmed. (Skimming is where your details are captured during the swipe. Yes, a swipe through the appropriate device reveals all the information required to completely duplicate the card.)

[1] http://en.wikipedia.org/wiki/EMV


Actually, in Norway there are some banks that use the credit card chip for two factor authentication (the same one that is used for EMV). You put the card into a small "reader" with a display, and out pops a number that you use when logging into the online bank. Most banks however use a dedicated device with a time-based one time password.

I'm not sure why, but I've seldom seen EMV transactions take longer than a regular swipe, but this might be because both 1 second * 3 is still not that big of a deal. (Or for all I know, it might be because they are only validating the credit card number..)

The interesting thing is that skimming is still possible, at least in Norway. It still happens that there is some kind of communication problem with the EMV system, and swiping the card is the fallback option. I guess this option will be turned off as soon as it works "all the time" and they can remove the magnetic stripe.
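The "dedicated device with a time-based one time password" mentioned above is, in practice, an RFC 6238 TOTP token, and the SMS codes discussed elsewhere in this thread are verified with the same shape of server-side check. The following is an added example written for this thread (mine, not any commenter's, bank's or token vendor's code): HOTP per RFC 4226, TOTP on top of it, a base32 seed decoder for the value typically provisioned into a token, and a verifier that tolerates a small clock-drift window while refusing to accept a counter that has already been used. The seed in the usage line is the public RFC test seed, not a real credential; the function names and the `last_used_counter` convention are my own.

```python
import base64
import hashlib
import hmac
import struct
import time


def secret_from_base32(text):
    """Decode the base32 seed usually provisioned into a token or app.
    Spaces, case and missing '=' padding are normalised first."""
    text = text.strip().replace(" ", "").upper()
    text += "=" * (-len(text) % 8)
    return base64.b32decode(text)


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, dynamic
    truncation to a 31-bit integer, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret, at=None, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits, algo)


def verify_totp(secret, submitted, at=None, step=30, digits=6, window=1,
                last_used_counter=None, algo=hashlib.sha1):
    """Server-side check of a submitted code.
    - accepts the current time step or up to `window` steps either side,
      which is what absorbs token clock drift;
    - skips any counter at or below `last_used_counter`, so a code that was
      captured and resent inside the window is rejected (the 'one-time' part);
    - compares in constant time.
    Returns the accepted counter (persist it as the new last_used_counter)
    or None on failure."""
    at = time.time() if at is None else at
    counter = int(at // step)
    accepted = None
    for c in range(counter - window, counter + window + 1):
        if last_used_counter is not None and c <= last_used_counter:
            continue
        expected = hotp(secret, c, digits, algo).encode()
        if hmac.compare_digest(expected, submitted.encode()):
            accepted = c
    return accepted


if __name__ == "__main__":
    # RFC 4226/6238 test seed ("12345678901234567890"); not a real credential.
    seed = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    code = totp(seed)
    print("current code:", code)
    print("accepted at counter:", verify_totp(seed, code))
```

A bank or token vendor may use SHA-256, 8 digits or a 60-second step; all three are parameters here. The value to persist per user after a successful login is the returned counter, not the code itself, since the same code can legitimately be presented by an attacker only while its counter is still inside the window.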


> there will be vulnerabilities

Correct, in fact there already are. Most of those will require at a minimum a hardware hack or access to transactions 'in progress' (modified terminals) and will usually only gain access to the data that is stored on the magnetic stripe, not to the other data stored on the chip (the chip contains a duplicate of the stripe data and some other data only available on the chip and not sent out over the wire used in challenge/response fashion).

The system is not 100% secure but is a bit better than just having a password and the fact that it requires access to the original card makes it a lot harder still (those cards can be stolen though, and combined with a bit of hardware and a 'yes' card (a card that always responds 'transaction authorized') you could fool online payment terminals).

But that's still a step removed from gaining complete control of a bank account using web based banking and a password.


> Our debit and credit cards are being replaced with cards with chips embedded

Do you want to know something scary about that? We've had Chip and PIN as the de-facto standard in the UK for some years now (although I do remember it coming in).

The really scary thing is; my parents remember it being widely used in Germany in the late 80's.

Has it really taken that long to get to Canada?


Chip and Pin in the late 80s in Germany?

It is true that paying in stores with my German ATM card and its PIN was nothing new when I got my first bank account in the mid-90s. However, that system used the magnetic stripe of the card (which is why skimming is still so attractive here); smart-card chips on bank cards were introduced a lot more recently.


I only have my parents' recollections about this (we lived in Germany in the late 80's, but I was 0 & so can't recall ;)) - possibly it was swipe & pin, I'd have to ask.

But when the Chip 'n Pin system came in here in the UK my Dad's first comment was "oh, they were using that in Germany in '87/88"


In Canada, Debit has always been swipe and PIN, but Credit is only recently becoming chip and PIN.


> Are you European?

Yes, working from NL at the moment.

> Unfortunately, such a thing seems all but unheard of here in Canada.

That sucks!

> Our debit and credit cards are being replaced with cards with chips embedded, which could be a sign that such devices are coming, but for now I'm afraid my password is my only real line of defense online.

Ok.

> I have noticed that when I login from a new computer (for example, when I visit my parents), the site uses one of my challenge questions to ensure it's really me.

So the bank likely either keeps a record of 'known' IP addresses for you or they keep a cookie on the computer that they use to identify a computer that you've used at least once.

How annoying. It's interesting how we berate POF for not following 'best practices' but even institutions such as banks could do a whole lot better to protect their and their customers' best interests.

Are you liable for fraud committed with your account online?

Or would the bank indemnify you if your password were used to clean out your accounts?


>> Are you European?

>Yes, working from NL at the moment.

Same here.

With one bank I must use the hardware token solution (and I am able to use any device, not just the one issued to me). With another bank I must register my mobile telephone number with them and they send me a text with an authorisation token whenever I need one.

I much prefer the hardware solution even though it is a major inconvenience when travelling light.


>Are you liable for fraud committed with your account online?

Not with TD Canada Trust, to an extent:

"As set out in our account agreements, you are responsible for maintaining the care, control and confidentiality of your Access Card number, Connect ID, and passwords. TD Bank Financial Group is not responsible for unauthorized access to accounts online or losses that occur as a result of you voluntarily disclosing your Access Card number, Connect ID, or passwords, or the careless or improper handling, storing or disclosure by you of this information. In the event of loss, theft, misuse or compromise of your Access Card, Connect ID, and/or passwords, you must notify TD Bank Financial Group immediately."[1]

The "Known IP" is a bit more complicated. I was travelling through South America recently, and could always access it from my phone. However, accessing from a hostel or internet cafe required answering a security question.

http://www.td.com/privacyandsecurity/guarantee.jsp


Are you liable for fraud committed with your account online?

Or would the bank indemnify you if your password were used to clean out your accounts?

Honestly, I have no idea. I really should look into the fine print in the online TOS/Rules&Regs.


The system we use here has its own vulnerabilities (after all, if your card is stolen and the pin is known then any token can be used to authorize transactions, and there are known ways to attack the card electronically) but it makes it at least a little bit harder.

On top of that we do have indemnification.

Combating electronic banking fraud is an everlasting game of leapfrog; it looks like the banks are at least one step too far behind. At least they have the extra challenge question, I hope you made them hard enough :)


Odd. It seems like almost every big bank in Asia has them by now. I would have thought their use is widespread world over.



