
Overseas Banks - Multi-stage Logon



I'm in Canada, but I've recently found that at least a couple of banks in the U.S. have a multi-stage logon system. What I mean by that is they may ask for your card or customer id number on the first screen. Once you've entered this number you click on continue, and it takes you to another screen which asks for your password number, and perhaps other details. What makes this different is that you use the mouse to click the password numbers from a keypad on the screen. This I would think would defeat any keyloggers that may be on the computer that you use. Also you can shield the keypad with your hand while clicking on the numbers in case there's a hidden camera focused on you. Of course I'm thinking in terms of a traveller in Thailand wanting to access his/her overseas bank account in an internet cafe while visiting Thailand.

What do you think of this security measure? Do you think it's better than what many banks still use where the customer id and password number are on the same page, and you have to use the keyboard to key in the information?



Some logger programs can actually capture the full screen, so such techniques would only work against loggers that only log keystrokes. There are other security measures which are much better. For example, one of my banks uses a personal electronic security device for every login. When you login, you press the button on the device and it generates a unique number which you need to input. I'm not sure how it works, but you can't use the same number the next time. In addition, they have an anti-keylogger program that pops up when you login. Another bank I use has a printed security card which is unique to each individual. There are various numbers (I think 32 in total) and a matching code that you must type in that corresponds when prompted. If you get it wrong three times in a row, it requires a trip to your bank to allow you to access your account again.

There are numerous ways that someone can get your password using internet banking. I wouldn't feel safe with any method that relied strictly on security measures on the computer side. There needs to be an independent method of entering a variable code such as I just described to make it safe. I never use my internet banking from a public PC anyway, but absolutely would never dream of it without one of these additional security measures.


My Luxembourg bank uses:

1. A password chosen by myself

2. A pass number, 5 sets of 4 digits, the site randomly requests one digit from each group (full number is on a card supplied by the bank)

3. A digital certificate stored on my PC

4. I believe they also log the CPU serial number (I couldn't log on after replacing my CPU).

Very secure, but impossible to use from an internet cafe. Once I've got past the security I can perform any transaction online, even international transfers.

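The "one digit from each group" card check in the post above, as an added example of how the bank side of such a scheme can be built (this is illustrative code, not any bank's implementation; the card digits are constructed for the demo, and the three-strikes lockout is borrowed from the earlier reply):

```python
import secrets
from typing import List, Optional

# Constructed sample card: 5 groups of 4 digits, as the post describes.
CARD = ["4821", "0937", "5562", "7104", "3398"]
MAX_FAILURES = 3


def make_challenge(groups: int = 5, group_len: int = 4) -> List[int]:
    """Pick one random digit position (0-based) from each group, using a CSPRNG."""
    return [secrets.randbelow(group_len) for _ in range(groups)]


def expected_answer(card: List[str], challenge: List[int]) -> str:
    """The 5 digits the customer should read off the card for this challenge."""
    return "".join(card[g][pos] for g, pos in enumerate(challenge))


class CardVerifier:
    """Bank-side state for one customer: a pending challenge and a failure counter."""

    def __init__(self, card: List[str]):
        self.card = card
        self.failures = 0
        self.locked = False
        self.challenge: Optional[List[int]] = None

    def new_challenge(self) -> List[int]:
        self.challenge = make_challenge(len(self.card), len(self.card[0]))
        return self.challenge

    def verify(self, answer: str) -> bool:
        # A locked account, or an answer with no outstanding challenge, is refused.
        if self.locked or self.challenge is None:
            return False
        expected = expected_answer(self.card, self.challenge)
        self.challenge = None  # one challenge, one attempt: a logged answer cannot be replayed
        ok = secrets.compare_digest(answer, expected)
        if ok:
            self.failures = 0
        else:
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.locked = True  # the "trip to the bank" case
        return ok
```

Each session exposes only 5 of the 20 card digits to a keylogger, and a fresh random challenge means those 5 are unlikely to be the ones asked for next time.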

My Luxembourg bank uses:

1. A password chosen by myself

2. A pass number, 5 sets of 4 digits, the site randomly requests one digit from each group (full number is on a card supplied by the bank)

3. A digital certificate stored on my PC

4. I believe they also log the CPU serial number (I couldn't log on after replacing my CPU).

Very secure, but impossible to use from an internet cafe. Once I've got past the security I can perform any transaction online, even international transfers.

I also have a digital certificate with my internet banking, but I store it to a USB flash drive and then can use internet banking from my home or office. Though if they check the CPU serial number, that would be a show stopper for internet cafes.


For example, one of my banks uses a personal electronic security device for every login. When you login, you press the button on the device and it generates a unique number which you need to input. I'm not sure how it works, but you can't use the same number the next time. In addition, they have an anti-keylogger program that pops up when you login.

My HSBC HKG account works that way. I think it's pretty hack-proof, but I think if I lose my little number generator toy, it would be a real pain to do anything online.


you use the mouse to click the password numbers from a keypad on the screen. This I would think would defeat any keyloggers that may be on the computer that you use. Also you can shield the keypad with your hand while clicking on the numbers in case there's a hidden camera focused on you.

What do you think of this security measure? Do you think it's better than what many banks still use where the customer id and password number are on the same page, and you have to use the keyboard to key in the information?

Some of the very simple keyloggers I've seen can record click locations, along with the active application / web page URI, which could give the attackers the cue that the password is being entered. Since most keypads are arranged in a 3x4 matrix:

1 2 3
4 5 6
7 8 9
0

It would be really easy to defeat this system.

There is no foolproof fix for this problem (as long as you don't have full access to a machine), but there is a simple improvement -- offer number buttons in random order (changed every time the page is visited).

Pros:

+ The attacker cannot figure it out by just going back to the page and retyping the clicks.

Cons:

- The page (with the original layout) is in the cache anyway -- user must remember to clear the cache.

- Screen-capturing keyloggers still easily defeat it.

The only way to substantially improve security is to use two-factor authentication -- some sort of a hardware token (see http://en.wikipedia.org/wiki/Hardware_token). It would require the clients to carry a small, cheap device (~$5), and remember a password, but it's a good security tradeoff.


So the message I think I'm getting from the respondents, is that even though in some cases the banks' security logons have improved substantially, especially when a multi-step login and hardware or security token is used, still nothing is 100% hackproof and under no circumstances should a shared computer be used.

The other thing I've noticed is that looking through the past postings at the computer section here, your own home computer could be infected. Go to a bad website, open the wrong e-mail, or an e-mail from a friend with an infected computer, and a good hacker program can shut off your anti-virus program, and infect your PC, without you even knowing it. So much for having a firewall, anti-virus, and anti-spyware programs on your computer.


So the message I think I'm getting from the respondents, is that even though in some cases the banks' security logons have improved substantially, especially when a multi-step login and hardware or security token is used, still nothing is 100% hackproof and under no circumstances should a shared computer be used.

The other thing I've noticed is that looking through the past postings at the computer section here, your own home computer could be infected. Go to a bad website, open the wrong e-mail, or an e-mail from a friend with an infected computer, and a good hacker program can shut off your anti-virus program, and infect your PC, without you even knowing it. So much for having a firewall, anti-virus, and anti-spyware programs on your computer.

I would say that the banks that use a hardware device are probably virtually hackproof. Not 100%, but close enough to not worry about it much. BUT, if you are using a computer at an internet cafe in Thailand, there is a very good chance that a key logger might be installed. If some hacker sees a login to online banking, they're going to try to use your password, but then be unsuccessful at the hardware stage. But in doing so, they may lock you out of your account and require you to visit your bank to reset your password. Why go through all that hassle? If I had an emergency situation and needed to use an internet cafe to do internet banking, I guess I would if I had a hardware security device, then immediately change my password upon returning home. If I needed to use internet banking regularly from on the road, I'd only do so via my own laptop together with a hardware security device.

If you must use internet cafes, at least find out how to check the computer for commonly used key loggers and don't use the computer if you find one.


If some hacker sees a login to online banking, they're going to try to use your password, but then be unsuccessful at the hardware stage. But in doing so, they may lock you out of your account and require you to visit your bank to reset your password. Why go through all that hassle? If I had an emergency situation and needed to use an internet cafe to do internet banking, I guess I would if I had a hardware security device, then immediately change my password upon returning home.

Changing your password upon returning home would make no difference whatsoever.

You use your permanent password to log in to your hardware device, which then in turn issues the one time password you use to logon to internet banking. If caught by a key-logger a fraudster would think he could logon to your internet banking by using the one time password, and could as you mention cause you to be locked out. However, as your permanent password is only registered on the hardware device changing it would make no difference, and you could still be locked out of your account.

Anyway, the inconvenience of being locked out sure beats someone emptying out all your bank accounts.

Sophon


Hi Soju:

>>>then immediately change my password upon returning home.<<<

It depends on how long before you get home. If we're talking about a tourist who may be visiting Thailand, if he checks his account weeks later, when he gets home, the major damage may already have been done. I thought about perhaps changing the password, right after being done with the banking, but I'm assuming the hacker will see you changing the password through his own keylogger, or whatever software, he's using to spy on you.

>>>If you must use internet cafes, at least find out how to check the computer for commonly used key loggers and don't use the computer if you find one.<<<

I'm not technically oriented, but it seems to me I've read that a hacker can change the settings on your anti-virus program. If that's true, and indeed the case, that tells me your own home computer can be corrupted by a hacker and you wouldn't even know it. So where's using Firefox, anti-virus, anti-spyware, and a firewall going to help you with this problem?


Hi Soju:

>>>then immediately change my password upon returning home.<<<

It depends on how long before you get home. If we're talking about a tourist who may be visiting Thailand, if he checks his account weeks later, when he gets home, the major damage may already have been done. I thought about perhaps changing the password, right after being done with the banking, but I'm assuming the hacker will see you changing the password through his own keylogger, or whatever software, he's using to spy on you.

>>>If you must use internet cafes, at least find out how to check the computer for commonly used key loggers and don't use the computer if you find one.<<<

I'm not technically oriented, but it seems to me I've read that a hacker can change the settings on your anti-virus program. If that's true, and indeed the case, that tells me your own home computer can be corrupted by a hacker and you wouldn't even know it. So where's using Firefox, anti-virus, anti-spyware, and a firewall going to help you with this problem?

Sophon and Taggart,

Yes, I'm fully aware that the hacker may get your password and login and "do the damage" of causing you to go to the bank to reset your password before you get back home to change your password. But if I did have to use internet banking from an internet cafe, and I got back home and my account had not been disabled due to a hacker, then I would immediately change my password at that point. Chances are the hacker will try to access your account very soon after he gets your password, but he may not check for hacked passwords daily. It's much easier for you to just change your password at that point than to take a chance that the hacker was just slow in trying to hack you and then requiring you to go to the bank later.

Regarding how to protect against keyloggers, I think you're better off asking that question in the Internet and Computers forum where you'll get more expert replies. But no method is foolproof. With a bit of knowledge though you can certainly screen out some of the keyloggers. No matter how safe you think you're being, you should always assume that if you're using an internet cafe, there is at least a moderate chance that someone will get your password and try to access your account and so you should be prepared.
