Much has been written and said about online banking security in Portugal, but some days ago I received an email from one of my banks regarding some recent security failures (if one can call them that) which affected some of their customers.
As with most client/bank activities, banks tend to hide some, if not all, of their security information, but as the Internet is probably their most important client channel these days, or at least the one with the greatest growth and potential, and is an insecure medium by nature, they are being pushed to be more open. I state this because I know from experience that banks do almost anything to hide the fraud problems they have, so that most of their clients consider their operations almost secure, banal as that might be.
The email described a peculiar kind of fraud: phishing, one of the older ways of acquiring third parties' sensitive information. In this version of the act, someone copies the login window of your bank (or of any other website where one needs a login/password to enter) and changes the inner form, so that once a user enters his/her personal information (it need not even be logins or passwords), that information, instead of being sent to the bank the user expects, is sent to a machine that is compromised, in the sense that whoever went to all this trouble also has some kind of control over that machine and can recover the stolen info.
In response to a recent wave of these attacks in Portugal, most banks decided to take measures to inform their users about this type of occurrence, and chose one of the several options available today to address the problem.
I don't really recall whether it was related to this problem or not, but some time ago one of my current banks had its login process changed, the motive: Security! And I say: Pure bullshit! Yup! No extra security there, my friends! Just a stupid process to lead the user into thinking it's actually more secure, when it is in fact opening the door to the most ancient art of stealing passwords: deliberately watching someone type in their password! 😀
I won't state which Portuguese bank opted for this process, but I'll explain the reasons that make me say this. Their login process begins with a rather common type of form:
but, as soon as you try to enter your login information, whether by clicking on the text boxes or by using the keyboard, a new pop-up window opens (damn! I hate pop-ups! Thank you Firefox!), and a "virtual keyboard" is loaded:
This means that in theory you couldn't use your own keyboard to enter the information; instead the bank expects you to simply use your mouse to enter your login information click by click! I found this concept particularly interesting in a multitude of ways. Starting from the fact that some browsers don't open the new window at all, and even among those that do (the vast majority! clap! clap!) I have one in particular that still lets you type the input directly into the text boxes, so no advantage there! 😉
Another major security point here is the time it takes to move the mouse from key to key, as opposed to the speed with which one presses multiple keys on the keyboard! Yup, it's true, hackers love that extra time!
If this isn't enough for you, I can also state that those hard, secure passwords that you can never spell out, but can still enter by instinct, won't work that way on the virtual keyboard, since you have to know them from memory, and they can't be memorized as a single action, but rather as a set of multiple actions (move the mouse, press the button, move again, etc.).
I've checked the code that builds the page, but couldn't find anything there that would prevent me from programming a brute-force attack against the script that receives the user's login information, so to me it's just one of those extra, fancy, time-wasting features!
But not all of the banks are trying to re-invent the wheel: one of my other banks uses a system I find better designed, and from which a user can actually get some kind of security against this problem. They just randomly ask for some of the characters/digits that compose the user's password. Across the site you're advised never to reveal your entire password; they even mention it in their mailings and paper documentation.
It's not the most elegant solution, but at least in theory only the user knows the entire code and never has to reveal it, which I find the most usable approach!
Just in case, mind your back! 😉
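To make the two design points above concrete (the partial-password challenge this bank uses, and the missing attempt limit I complained about on the other bank's login script), here is an added example of how such a login check can be built. This is my own illustration, not code from either bank or from this post; the function names, the lockout threshold of 3 failures and the 3-position challenge size are assumptions. One caveat a practitioner will want: a partial-password scheme cannot store a single hash of the whole password, because the server has to check individual characters. The example keeps one keyed hash per character position instead, which is a weaker storage form than a whole-password hash and is the price of this scheme. It also keeps the same challenge positions until a login succeeds, so that repeated wrong answers do not let someone collect the password one fresh position at a time.

```python
# Added example: partial-password challenge with attempt limiting.
# Not the bank's code; names, thresholds and the storage layout are assumptions.
import hashlib
import hmac
import secrets
from typing import Optional

MAX_FAILURES = 3     # assumed lockout threshold
CHALLENGE_SIZE = 3   # assumed number of password positions asked per login


def enroll(password: str, salt: Optional[bytes] = None) -> dict:
    """Store one keyed hash per character position (HMAC over "index:char")
    so single characters can be checked without keeping the password in clear."""
    salt = salt or secrets.token_bytes(16)
    digests = [
        hmac.new(salt, f"{i}:{ch}".encode(), hashlib.sha256).digest()
        for i, ch in enumerate(password)
    ]
    return {"salt": salt, "digests": digests, "failures": 0, "challenge": None}


def issue_challenge(record: dict) -> Optional[list]:
    """Return the positions the user must answer (0-based), or None if locked.
    The same positions are reused until a successful login."""
    if record["failures"] >= MAX_FAILURES:
        return None
    if record["challenge"] is None:
        n = len(record["digests"])
        picked = secrets.SystemRandom().sample(range(n), CHALLENGE_SIZE)
        record["challenge"] = sorted(picked)
    return list(record["challenge"])


def verify(record: dict, answer: str) -> bool:
    """Check the supplied characters against the outstanding challenge.
    Every position is compared (constant-time) before deciding, failures are
    counted, and the account is refused once the limit is reached."""
    positions = record["challenge"]
    if positions is None or record["failures"] >= MAX_FAILURES:
        return False
    if len(answer) != len(positions):
        record["failures"] += 1
        return False
    ok = True
    for pos, ch in zip(positions, answer):
        expected = record["digests"][pos]
        got = hmac.new(record["salt"], f"{pos}:{ch}".encode(), hashlib.sha256).digest()
        ok &= hmac.compare_digest(expected, got)
    if ok:
        record["failures"] = 0
        record["challenge"] = None   # next login gets freshly chosen positions
    else:
        record["failures"] += 1
    return ok


if __name__ == "__main__":
    # Constructed sample: enroll a password, answer one challenge correctly,
    # then show the lockout after repeated wrong answers.
    secret = "correct horse battery"
    rec = enroll(secret)
    positions = issue_challenge(rec)
    print("asked for positions", [p + 1 for p in positions])
    print("correct answer accepted:", verify(rec, "".join(secret[p] for p in positions)))
    for _ in range(MAX_FAILURES):
        issue_challenge(rec)
        print("wrong answer accepted:", verify(rec, "???"))
    print("challenge after lockout:", issue_challenge(rec))
```

Positions are shown to the user 1-based (as a bank form would), while the record keeps them 0-based; the user only ever reveals `CHALLENGE_SIZE` characters per login, and a wrong guess burns one of a small number of attempts rather than being free.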