Phishing

The banks appear to be flying a kite again about making customers responsible for the consequences of fraudulent activity.

I would have thought there were a number of ways banks could protect themselves (and customers) from this type of fraudulent activity:

  1. When online banking started up 5-6 years ago, customers had a dedicated dialup, and also had to download a registration key for the machine they were going to use for online banking. I don't see why at least part of this should not be revived: there is no reason why users should not register in advance the specific machine(s) they are going to use; these could still be work machines, laptops etc.

  2. One-time keypads. Like a pocket calculator. When entering the service, the bank transmits a code to the customer; the customer enters this code and their PIN into the device (not the PC, so invisible to hackers); the device then displays a unique authorisation code, which the customer enters into the PC. These have been (and for all I know still are) used to authorise CHAPS and similar business transfers.

  3. Dongles. Basically you would carry this around on your key ring or wherever and plug it into the USB port of the machine you are accessing the service from, effectively like a debit card.

The main obstacle appears to be cost, but if it avoids the losses due to fraud and allows a more reliable service, why not?

Of the above, (2) would probably be the most universally practicable for TV and telephone banking. There would presumably be economies of scale in procuring these devices if applied across the whole consumer online banking market.

Better than having to enter random letters/numbers from your PIN and password, which discriminates against customers with dyslexia and makes it more probable that people will write these things down! And having to put up with emergency restrictions applied at a moment's notice on what you can do on your account!

Gunslinger

I agree, (2) would seem to be a good idea; such devices can be pretty cheap, and some years ago I did have a couple of customers who used them to authorise ordinary logons. They would have the advantage that you could use the bank from any PC without needing authorisation or putting another device in it (neither particularly feasible with internet cafés etc.).

Tumbleweed

The simplest solution would be for on-line accounts to be only able to make payments to payees that you had notified the bank of 'off-line', in person or by phone, unless the customer specifically asked for the facility to be able to set up new payees on-line (and the risk of this was hammered home to them).

The vast majority of people only ever move money to a small number of regular payees.

Even if you did want the facility to set up on-line payees, the banks should offer the customer a choice of what financial limits should apply to these on-line set-up payees, i.e. any payee set up on-line cannot have more than x amount transferred to them in any set period.

With these measures, even if someone did get your logon details, what could they do with them? And the cost? Nothing, if you thought about security and designed it in from the beginning.

But, banks being the greedy bastards they are, they don't actually want to deal in person with their customers any more and would sooner they didn't actually come into their branches or phone them.

JB

JB
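The policy JB describes (payees registered out of band only, with an optional capped allowance for payees added on-line) as an added worked example. This is illustrative code written for this page, not the poster's or any bank's system: the payee records, the default cap of 25000 pence per 7-day period, and the payment history are constructed assumptions.

```python
# Added example, not code from the poster or from any bank: a payment policy
# that only allows transfers to payees registered out of band, plus a per-period
# cap on any payee that was added through an on-line session. The payee data,
# the default cap and the period are constructed for the demo.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


class PolicyError(Exception):
    """Raised when a payment or payee registration is refused by policy."""


@dataclass
class Payee:
    sort_code: str
    account: str
    added_online: bool   # True if set up in a web session rather than in branch/by phone


@dataclass
class Account:
    allow_online_payees: bool = False          # off unless the customer asks for it
    online_payee_cap: int = 25000              # pence per period; assumed default
    period: timedelta = timedelta(days=7)
    payees: dict = field(default_factory=dict)
    history: list = field(default_factory=list)   # (timestamp, payee_id, pence)


def add_payee(acct: Account, payee_id: str, sort_code: str, account: str, online: bool) -> None:
    """Register a payee. From an on-line session this is only allowed if the
    customer explicitly enabled it, and such payees are flagged for the cap."""
    if online and not acct.allow_online_payees:
        raise PolicyError("on-line payee creation is not enabled on this account")
    acct.payees[payee_id] = Payee(sort_code, account, added_online=online)


def paid_in_period(acct: Account, payee_id: str, now: datetime) -> int:
    """Sum of recorded payments to this payee within the trailing period."""
    since = now - acct.period
    return sum(p for ts, pid, p in acct.history if pid == payee_id and ts > since)


def authorise_payment(acct: Account, payee_id: str, pence: int,
                      now: Optional[datetime] = None) -> bool:
    """Return True and record the payment if policy allows it; raise otherwise.
    A stolen logon alone cannot pay anyone who is not already registered."""
    now = now or datetime.now()
    payee = acct.payees.get(payee_id)
    if payee is None:
        raise PolicyError("payee not registered with the bank")
    if payee.added_online and paid_in_period(acct, payee_id, now) + pence > acct.online_payee_cap:
        raise PolicyError("period cap for an on-line-registered payee exceeded")
    acct.history.append((now, payee_id, pence))
    return True


if __name__ == "__main__":
    # Constructed walk-through: a default account, then one with on-line payees enabled.
    acct = Account()
    add_payee(acct, "landlord", "12-34-56", "12345678", online=False)   # set up in branch
    print("pay landlord:", authorise_payment(acct, "landlord", 100000))
    for attempt in (lambda: add_payee(acct, "mule", "65-43-21", "87654321", online=True),
                    lambda: authorise_payment(acct, "mule", 100)):
        try:
            attempt()
        except PolicyError as e:
            print("refused:", e)
```

The cap is evaluated against the payment history rather than a counter that resets on a fixed day, so a phisher who obtains the logon cannot drain the allowance twice by straddling a boundary; the refusal path never records the attempt, so a refused payment does not consume any of the allowance.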


What you are suggesting is how to validate the *customer's* machine. If someone is phishing it has no effect: they (the phisher) can just ignore it / assume it's right.

What is needed is for a customer to be able to validate a *bank's* machine.

The only way I can see is a "three-way" handshake:

- you give the bank a (public) password

- the bank returns a (private) password

- if the password is valid, you reply with a (private) password

Mark Blewett

Not at all: the keypad validates not only that you are someone who knows the logon/password, but that you have possession of the keypad. That cannot be obtained by phishing. The ones I saw went something like this:

The system presents you with a number. You enter the number into the keypad. The keypad displays a different number, which you type in and is then validated.

This system is by no means foolproof, but it is much harder to break into than a simple account no./password.

What you propose can still be obtained by phishing, i.e. the message might say "due to a system error", or "due to a security problem, we need you to enter a new secret password for us to ask you. Please enter the old one for verification." or something like that.

As an aside, I believe the general advice of not responding to phishing attempts is fundamentally misguided. If everyone who got one put in a random number/password, the phishers would find it very difficult to sort out the good from the bad.

Tumbleweed

The now defunct first-e had Transaction Authorisation Numbers. You had to enter one to authorise each transaction, and each one could only be used once. Of course, there was a problem if you did not have the list with you when you wanted to make a transaction.

Steve

And if you're visually impaired? Try using the non-visual option to sign up with Hotmail etc., and then come up with a solution to those, too.

Tiddy Ogg

If seeing such a device is a problem, how would you see the screen to log on or do your transactions anyway? And there's nothing to stop some accounts being marked as not using this system, and those having a 'PIN' that you entered in place of the challenge/response.

Tumbleweed

There are such things as Braille terminals and text-to-speech systems.

Graham Murray

Good. So that's them covered then. And a text-to-speech converter in the challenge/response device wouldn't add more than a few p to the price anyway, since it would only need to read a few digits out.

Tumbleweed

No, it's not covered, as these visual systems rely on users being able to see the text in an image, and need to specifically stop access technologies from being able to read the text (otherwise the computer knows).

There is a second option, which is the sound file, and the combination covers everything but VIP/deaf combinations, which, if covered, are covered by a human registration system: not nice, but the only realistic cost-effective method.

Jim.

Jim Ley

Exactly. Again I suggest you try signing up to Hotmail. When it says "if you can't see this box click here", you'll get an extremely fuzzy audio version, to stop robots, but I couldn't make head or tail of it.

Tiddy Ogg

I'm not sure what your point is. At present, my Barclays on-line banking has no specific visually handicapped help (AFAICS!) for logon. So a challenge/response instead of logon would be no worse than that, and logon as now could be retained for those who ask for it. For everyone else, a CR system would provide much more security at minimal cost.

Tumbleweed

Yes. I have no problems with Lloyds on-line, but this is due to the Disability Discrimination Act as much as anything. Even so, I needed sighted help to set it up; can't remember why now. I guess your little gizmo needn't have fuzzy speech, and, as you say, as it only needs to speak numbers or letters, it could come with a preset speech unit. As it's a one-off thing, would it matter if anyone heard or saw the output, as long as he didn't barge in and throw you off the machine after you'd logged in, which is pretty irrelevant?

Tiddy Ogg

How would this challenge/response system stop man-in-the-middle attacks?

All the phishing site needs to do is live log on to the bank site with the details obtained from the phishing attempt, wouldn't they?

Jim.

Jim Ley

Yes, that's the beauty of a one-time system. Unless they have the device, they cannot get in. Even if they saw a prompt of "1234" to which you replied "5678", then even if next time 'they' tried to log on they were also prompted with "1234" again, the proper response wouldn't be "5678" (well, it might be, but again it's unlikely).

Tumbleweed

2 points. 1) Firstly, let's not fall into the trap of thinking that because a system isn't foolproof it's not worth doing. No system can be 100% secure; all systems are trade-offs. A cheap (maybe 50p each?) device seems like a pretty good trade-off. It cannot be easily hacked, cannot be easily replicated, could be enhanced for disabled login with text->speech (or accounts could be configured not to use it or to have a second static PIN), and even seeing an actual challenge/response pair is of no help to an eavesdropper (see below*).

2) A phishing attempt wouldn't break a challenge/response system at all, since it cannot reuse the challenge*... and since phishing attempts are by no means live, I'm not sure what 'live logon' means in respect of phishing.

What's a spoof site going to do? Even the most dumb user might think something is up if it asked you to input a response to all 9,999 possible inputs for a 4-digit challenge!!... and even if they did that, you don't get the same answer again, so it would be pointless. They might have the actual password and user name, but that wouldn't be enough to get in.

Tumbleweed

"Tumbleweed" wrote:

It could play ye olde man-in-the-middle game: get a genuine challenge from the real bank, get the real customer to divulge the right response, gain access and immediately drain whatever accounts are found.

Henning Makholm

Since phishing sites aren't doing that at present (at least I have never read of such an attack) I am guessing (I don't know) that there is a reason this doesn't work today, so it won't work with a CR system either. Anyone know? If it does work, then one could argue that even passwords and user IDs are pointless :-)

Tumbleweed
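The keypad Tumbleweed describes (bank shows a number, device turns it into a different number, bank checks it), the replay case in Tumbleweed's "1234"/"5678" post, and the live man-in-the-middle that Henning Makholm raises and Tumbleweed asks about, as one added worked example. This is code written for this page, not any poster's or any bank's scheme: the HMAC-based response, the 6-digit challenge and 8-digit response, and the device secret are assumptions. It goes one step beyond the thread by also showing a transaction-bound variant, where the customer keys the payee and amount into the device along with the challenge, which is the standard way such tokens are made to resist the relay Henning describes.

```python
# Added example, not code from any poster or any bank: a keyed challenge/response
# token in the style of the keypad described above, used to walk through the
# replay and man-in-the-middle cases raised in the thread. The HMAC-based
# response, the 6-digit challenge, the 8-digit response and the idea of folding
# the payee and amount into what the device signs are all assumptions for the demo.
import hashlib
import hmac
import secrets


class Device:
    """The pocket-calculator token. Its secret lives only here and at the bank;
    the PC (and any phishing page) only ever sees the challenge and the response."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def respond(self, challenge: str, tx: str, pin: str) -> str:
        # tx is whatever the customer keys in as the transaction being authorised
        # ("" for a plain login). A wrong PIN simply produces a wrong response.
        mac = hmac.new(self._secret, f"{pin}|{challenge}|{tx}".encode(), hashlib.sha256).digest()
        return "%08d" % (int.from_bytes(mac[:4], "big") % 10**8)


class Bank:
    def __init__(self) -> None:
        self._users = {}     # user -> (device secret, PIN)
        self._pending = {}   # user -> (outstanding challenge, transaction it covers)

    def enrol(self, user: str, pin: str) -> Device:
        secret = secrets.token_bytes(20)
        self._users[user] = (secret, pin)
        return Device(secret)

    def challenge(self, user: str, tx: str = "") -> str:
        # Fresh random challenge each time; the bank remembers which transaction
        # (if any) this challenge is meant to authorise.
        c = "%06d" % secrets.randbelow(10**6)
        self._pending[user] = (c, tx)
        return c

    def verify(self, user: str, response: str) -> bool:
        pending = self._pending.pop(user, None)   # single use: consumed on first check
        if pending is None:
            return False
        c, tx = pending
        secret, pin = self._users[user]
        expected = Device(secret).respond(c, tx, pin)
        return hmac.compare_digest(expected, response)


def replayed_response_accepted(bank: Bank, user: str, device: Device, pin: str) -> bool:
    """Eavesdropper captures one (challenge, response) pair and replays the
    response at the next login. Returns True only if the bank accepts it."""
    c1 = bank.challenge(user)
    r1 = device.respond(c1, "", pin)
    assert bank.verify(user, r1)            # the genuine login succeeds
    c2 = bank.challenge(user)
    while c2 == c1:                         # demo only: skip the rare repeated challenge
        c2 = bank.challenge(user)
    return bank.verify(user, r1)            # old response against the new challenge


def relayed_response_accepted(bank: Bank, user: str, device: Device, pin: str,
                              attacker_tx: str, victim_tx: str) -> bool:
    """Live man-in-the-middle: the phisher opens a real session with the bank,
    forwards the bank's challenge to the victim through the fake page, and sends
    the victim's response back. victim_tx is what the victim believes they are
    authorising (and keys into the device); attacker_tx is what the phisher
    actually submitted. For a plain login both are ""."""
    c = bank.challenge(user, attacker_tx)
    r = device.respond(c, victim_tx, pin)
    return bank.verify(user, r)


if __name__ == "__main__":
    bank = Bank()
    dev = bank.enrol("alice", "1234")   # constructed customer and PIN
    print("replay accepted:", replayed_response_accepted(bank, "alice", dev, "1234"))
    print("relay of plain login accepted:",
          relayed_response_accepted(bank, "alice", dev, "1234", "", ""))
    print("relay with altered payee accepted:",
          relayed_response_accepted(bank, "alice", dev, "1234",
                                    "payee=mule;amount=500000",
                                    "payee=landlord;amount=50000"))
```

The first two results are the two sides of the thread: a captured pair is useless later because the challenge changes, but a phisher who relays the live challenge gets a valid login, since the device cannot tell whose session the number came from. The third result is what changes when the device signs the transaction too: the bank's copy of the challenge covers the phisher's payee, the customer's response covers the one they typed, and the MACs disagree.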
