Who pays for fraud via wireless keyboards & man-in-the-middle attacks?

Hey all, hypothetical scenario: let's say someone accesses my internet bank account with my passwords (no guessing) and transfers funds to a dodgy bank in Nigeria or even a UK bank account obtained using identity theft. The funds are then promptly drawn out in cash and laundered.

Presumably under the circumstances, the criminals will get away, the bank will deny any liability and I will be left footing the bill for the fraud. Ouch! Was it my fault for letting the criminals get my password? Maybe not.

This may not sound as "hypothetical" as it may seem. I refer you to:

formatting link

> My job involves reviewing computer security at a bank, and I was very surprised to see that nearly all of the computers at one of my branches are using these wireless mouse/keyboard combos. It seems like this could be a potentially serious security risk,

In a nutshell, using wireless keyboards (which I and even banks are guilty of) can result in appropriately equipped fraudsters "listening in" on your keystrokes and obtaining passwords, account details, etc. At the moment I believe many off-the-shelf consumer wireless keyboards do not come with strong encryption (if any), and those that do encrypt have a mostly untested (and thus uncertain) level of security.

Anyone who has experience with this sort of thing knows that most of the time, things don't come 100% secure out of the box; you expose it to the public, holes are found and they are plugged.

You as the customer might be paranoid about security and have done no wrong, but if your bank's tellers use wireless keyboards then in theory someone could just queue politely & surreptitiously at their local busy branch for 15 minutes (or fumble at the ATM), gathering all the keystrokes for deciphering later. You may have done no wrong, but as the victim you will foot the bill.

Who pays for fraud as described above? Is the burden of proof under the circumstances on the customer to prove that they didn't act irresponsibly with their password data (hard to prove a negative...) or can they simply point fingers at the bank and say that the bank's IT security was lax?

Is it just me, or why aren't more people worried about this?

Reply to
sk8terg1rl

The bank teller would not be typing your passwords so these people would need to have a sniffer in your living room to get them directly from you, so on that basis I am less than worried. :-)

Reply to
Bert

Fair enough, but the teller's passwords can be sniffed too, and they have the authority to transfer your funds to dodgy accounts. Probably (ironically) more so than us as the customer. And yes, of course there is the bit about living room or office wireless sniffers as well. I just had one of those OMG "moments" while happily typing away on my wireless keyboard :-(

I'm also a bit ignorant about the information auditing process of banks and whether the consumer has any exposure to fallout from bank security loopholes. Any case examples on this particular subject would be most interesting.

Reply to
sk8terg1rl

It does seem extremely poor practice on behalf of the bank to use wireless keyboards for handling customer transactions, whether passwords are entered or not. A possible exception is where the keyboard-to-computer link has strong encryption (Notice to patent trolls - there may be prior art for this - if not, there is now!).

Reply to
peterwn

Do you think that they use just passwords? I'd have thought two factor authentication would be more appropriate, even I use two factor authentication to log onto my home network.

That's one reason I don't do electronic home banking, as soon as my bank issues 2 factor authentication I'll start to use it.

Reply to
Martin

You would also need access to their software and/or their computer system or are you imagining that they conduct business in the bank via the same public portal we all have access to as customers at home?

You are just imagining that the way it all works is rather more simplistic than it is.

Reply to
Bert

I just think it is rather arrogant to imagine that the banks wouldn't already have thought of all this, and it must have taken them all of 10ms when the idea of wireless keyboards being integrated into their systems was first mooted. :-)

Reply to
Bert

You were talking about passwords.

The bank tellers will not have access to your passwords. No bank staff will have access to your passwords at all. Some back room staff may be able to see the encrypted version, but will not be able to reverse engineer that to get the original.

Reply to
Alex Heney

Mine does (Nationwide).

You have (in addition to your customer number) one typed in password (which you set - actually a choice of three), plus a 6 digit pin, where the system asks you for 3 random digits from it, which you *must* select from a drop down list using your mouse.

Reply to
Alex Heney
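The partial-PIN challenge described in the post above, as an added worked example (this is illustrative code, not Nationwide's implementation, and the storage layout, server key and lock-out policy are assumptions). It shows the server side of "ask for 3 random digits of a 6-digit PIN": because any 3 of the 6 digits may be requested, the server cannot keep a single hash of the whole PIN, so this version stores one keyed hash per possible position subset. It also shows two checks a verifier of such a scheme needs: the outstanding challenge stays fixed until it is answered, and a handful of failures locks the account, since each challenge has only 1000 possible answers.

```python
"""Partial-PIN challenge/response (added example, constructed values throughout).

The customer holds a 6-digit PIN.  At each login the server names 3 random
positions and the customer supplies only those digits, which in the scheme
described above are chosen from a drop-down rather than typed.
"""
import hashlib
import hmac
import secrets
from itertools import combinations

PIN_LENGTH = 6
DIGITS_ASKED = 3
# Hypothetical server-side key; in a real deployment it would live in an HSM/KMS.
SERVER_KEY = b"constructed-demo-key-not-for-real-use"


def _message(positions, answer):
    """Bind the hash to both the positions asked and the digits supplied."""
    return bytes(positions) + b"|" + answer.encode()


def enrol(pin, key=SERVER_KEY):
    """Store one keyed hash per 3-position subset (20 subsets for a 6-digit PIN),
    so any challenge can be verified without the plaintext PIN at rest."""
    if len(pin) != PIN_LENGTH or not pin.isdigit():
        raise ValueError("PIN must be exactly 6 digits")
    record = {}
    for positions in combinations(range(PIN_LENGTH), DIGITS_ASKED):
        answer = "".join(pin[p] for p in positions)
        record[positions] = hmac.new(key, _message(positions, answer), hashlib.sha256).digest()
    return record


def issue_challenge(rng=secrets.SystemRandom()):
    """Three distinct 0-based positions, sorted (a bank would display them 1-based)."""
    return tuple(sorted(rng.sample(range(PIN_LENGTH), DIGITS_ASKED)))


def verify(record, positions, answer, key=SERVER_KEY):
    """Constant-time comparison against the stored hash for this position subset."""
    positions = tuple(positions)
    if positions not in record or len(answer) != DIGITS_ASKED or not answer.isdigit():
        return False
    candidate = hmac.new(key, _message(positions, answer), hashlib.sha256).digest()
    return hmac.compare_digest(record[positions], candidate)


class PartialPinAccount:
    """Login state for one customer.

    The pending challenge is kept until it is answered, so reloading the page
    never yields a fresh set of positions; repeated failures lock the account
    because a single challenge has only 10**DIGITS_ASKED possible answers.
    """
    MAX_FAILURES = 3  # assumed policy

    def __init__(self, pin):
        self.record = enrol(pin)
        self.pending = None
        self.failures = 0
        self.locked = False

    def challenge(self):
        if self.pending is None:
            self.pending = issue_challenge()
        return self.pending

    def answer(self, digits):
        if self.locked or self.pending is None:
            return False
        ok = verify(self.record, self.pending, digits)
        self.pending = None  # one attempt per challenge, success or not
        if ok:
            self.failures = 0
        else:
            self.failures += 1
            self.locked = self.failures >= self.MAX_FAILURES
        return ok
```

Note that the keyed hashes only resist offline guessing while the server key stays secret; with the key, each subset has just 1000 candidates. That is why the online controls (fixed challenge, lock-out) carry most of the weight in a scheme like this.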

Just barely possibly, yes. But they may be encrypted, and there's more than one level of security in these bank systems. And then there's the issue of fraudsters getting physical access to the *internal* bank networks/systems, which is the only place these would work - *not* an easy proposition.

Not saying anyone should be relaxed about bank security, but the good old-fashioned methods of bribing or coercing bank employees, or placing a criminal 'insider' in a banking job are much more likely exploits IMHO.

Mike

Reply to
Mike Ross

But only from PCs connected and authenticated on the bank's internal network.

Reply to
Alex Heney

Sorry, that isn't 2 factor authentication.

That is one-factor authentication: "what you know". My bank does the same thing for phone banking, I don't use that either.

What you know + what you have + what you are

Reply to
Martin

I do not think I am being arrogant. Some pretty stupid things are done. It may not have occurred to the bank's IT people that there could be a potential security breach.

Reply to
peterwn

Right.

Like the way I access some of my client sites, using a "fob" which pops up a number when a button is pressed (or another one that just changes every 60 seconds).

TBH, I don't think that is practical for banks to do with their customers. I can't find anywhere that gives price lists for either SecurID or Safeword, which are the two I have used most, but I am pretty sure they are several tens of pounds for each fob.

And similarly with card readers, or other similar technology.

Reply to
Alex Heney
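The two fob styles mentioned in the post above, a code that appears when a button is pressed and a code that changes every 60 seconds, correspond to the open standards HOTP (RFC 4226, event based) and TOTP (RFC 6238, time based). The block below is an added example of those standards, not the SecurID or Safeword algorithm (both products use their own schemes), and the look-ahead and drift windows are assumed policy values. The shared secret used is the RFC test-vector key, so the codes can be checked against the published vectors.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) one-time codes, added example.

Both sides hold a shared secret.  The fob shows a 6- or 8-digit code derived
from that secret plus a moving factor: a press counter for button fobs,
elapsed 30-second steps for time fobs.  A sniffed code is useless after it
has been used once (HOTP) or after its time step passes (TOTP).
"""
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 test-vector secret (constructed for the examples, never a real key).
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, then RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter replaced by the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)


class HotpVerifier:
    """Server side for a button-press fob.

    The stored counter only moves forward, so a code that was observed and
    already used cannot be replayed; a small look-ahead tolerates presses
    made without logging in.
    """

    def __init__(self, secret: bytes, look_ahead: int = 5, digits: int = 6):
        self.secret = secret
        self.counter = 0
        self.look_ahead = look_ahead  # assumed policy
        self.digits = digits

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.counter = c + 1  # resynchronise and consume this counter value
                return True
        return False


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, digits: int = 6, drift_steps: int = 1) -> bool:
    """Accept the current step plus/minus drift_steps to absorb clock skew (assumed policy)."""
    return any(hmac.compare_digest(totp(secret, unix_time + d * step, step, digits), code)
               for d in range(-drift_steps, drift_steps + 1))


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(DEMO_SECRET, 0))          # RFC 4226 vector: 755224
    print("TOTP at t=59 :", totp(DEMO_SECRET, 59, digits=8))  # RFC 6238 vector: 94287082
```

A TOTP server should additionally remember the last time step it accepted for each user and refuse a second code from the same step; the HOTP verifier above gets that property for free from its monotonically increasing counter.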

formatting link
169

Reply to
Palindr☻me

If they're using a wireless keyboard, all you need to do is buy the same wireless keyboard set from your local PC world, plug it into a mobile computer, like a laptop, open up notepad, or MS word or something similar, then position yourself somewhere within the range of the transmitter. As if by magic, all the text that they type will appear on your screen, at the exact same time as it does on their screen.

Reply to
Swampy Bogtrotter

OK.

Maybe it is more practical than I thought, although that is only for business customers, who make a lot more money for the banks on average.

Reply to
Alex Heney

And you really think you would not be noticed doing this (even if it were going to be of any use)?

Reply to
Alex Heney

LOL, No. I was just letting my imagination run away for a minute.

Reply to
Swampy Bogtrotter

All Swedish banks do it. (One of my colleagues even had one to access his company's web based timesheet entry system)

I was charged for mine. 100Kr (7.5 GBP) per year (or more accurately, I was charged for the internet banking which required the fob).

It seems a small price to pay for peace of mind.

tim

Reply to
tim(yet another new home)
