Post by mrclondon on Dec 12, 2013 18:28:54 GMT
A thumbs up from me for P2x platforms to restrict withdrawals to a nominated account both from the security and typo points of view.
Squirrl (a largely defunct P2B platform) requires a PIN sent via SMS to be entered to confirm just about every transaction on the site, including withdrawals. The only downside I've found is that the PIN is only valid for 10 minutes or so, but if you are outside the UK (and I find particularly so in the Far East) it can take more than 10 minutes for SMS messages to reach your mobile. And when I'm in our Swiss office (very close to the German border) SMS messages frequently go AWOL as my phone keeps switching between a Swiss and a German network.
The approach currently being rolled out by first direct to the login security issue is informative and reflects the high regard in which they are held for customer service. Customers are being offered a "Secure Key" code generator, but the use of this is not mandatory. The historic username + characters from password + security question answer remains a valid login route but with some account functionality (such as defining a new destination payee) disabled, whilst using the secure key during login gives full access to the account. This strikes me as a very sensible balance and means I don't have to carry the secure key around with me ... and if I need to do a restricted transaction when not at home there is a 24/7 call centre to do it for me.
Whilst I agree that the login security of all P2x platforms could do with improving, I agree with Chris that great care needs to be taken to not make access too restrictive. For me, random characters from passwords / security questions would be a good starting point.
Post by mikeb on Dec 12, 2013 19:06:52 GMT
> To make matters worse some of the answers to questions are the same on multiple platforms so hackers could log into multiple platforms using data obtained from one site.

No personal criticism of you intended, but the problem you cite above is of your own making. If you answer the security questions, if you could call them that, with honest answers then you are just asking to be done over. Especially if you are of the Facebook et al persuasion! "Mother's Maiden Name" is pretty useless, given the free Internet genealogy sites. So are most of the variations on these themes, so the only defence against stupid security is to subvert it by giving corrupted, modified, or plain wrong answers, then be consistent about it. If any site ever tried to research and "verify" the information, they'd find it was wrong, but then -- if they can tell it's wrong, they must know the right answer, therefore someone else could research the right answer, wiping out the security illusion at a stroke. So, start coming up with fake pets, memorable places you've never been, and a family tree to make the mind boggle.
Post by westonkevRS on Dec 12, 2013 19:13:04 GMT
I'm not going to go into the detail of RateSetter's fraud prevention technologies, policy or processes for obvious reasons. However, for lenders we do offer the option of the SMS PIN solution for our more nervous friends. Specifically, in the account settings segment it says:
"You can choose to use a PIN code for authorising updates of your contact details.
PLEASE NOTE THAT you must have a valid mobile number recorded in our system in order to receive a PIN.
You will be asked to enter this code when you attempt any change to your contact details.
If you choose to have PIN security, a PIN will be sent to your contact number ##########.
> Please ask for PIN > Require PIN on login"
Post by batchoy on Dec 12, 2013 22:00:41 GMT
> "Mother's Maiden Name" is pretty useless, given the free Internet genealogy sites. So are most of the variations on these themes, so the only defence against stupid security is to subvert it by giving corrupted, modified, or plain wrong answers, then be consistent about it.

And there's the rub: for the questions to provide any form of security you need to be inconsistent about it, otherwise you might as well give the correct answer; to date I have either had well over two hundred different mothers or my grandparents did a lot of remarrying, but I need to remember which sites I gave what answers, so I have to write them all down in my little black book, which goes against all the recommendations for maintaining security. Which brings us back to the point that P2P sites need to think about implementing proper systems of security.
Post by ribs on Dec 13, 2013 16:30:44 GMT
Ladies and gentlemen, I present to you... LASTPASS: lastpass.com/

I literally have no idea what my passwords are. I have one strong password for LastPass, which is encrypted (if you forget the password, you're stuffed) which unlocks all my other randomly generated passwords. Adobe.com was recently hacked. All passwords stolen, including mine. But best of luck to the hackers that want to use it. It doesn't work anywhere else. A beautiful system that puts me back in control. If you're (rightly) paranoid about such things, I cannot recommend it enough.
Post by chris on Dec 13, 2013 16:47:58 GMT
It's a good service and is much much better than writing things down or using the same password everywhere, but it's important to remember that, as good as this service is, it only serves to isolate each login from the others by allowing them all to be different. If your LastPass account is compromised (and the AES256 encryption used does have some known attacks so isn't infallible - unfortunately no encryption scheme is) then people gain access to everything you've protected. But you're right, if a single account on a single service is compromised then that should be isolated to that one service. Not much comfort if that's your P2P site or bank though.
Post by jevans4949 on Dec 13, 2013 18:23:41 GMT
> I like the idea of using a separate device and service to gain access to your account using a time based cryptographic key, much like Barclays bank uses. Combined with a username and password I feel that would be adequate protection for most users and much better than the existing schemes used by all other peer to peer sites. But I'd need a lot of persuading to make that mandatory from day one without first seeing what the takeup was like and gathering feedback from users.

The other problem here is that people are going to end up with a drawer-full of these gizmos. Everybody in my house has an identical HSBC one; I had to put names on the back with tape labels. I also have a separate one for an HSBC business account. It would be worse than having a wallet full of credit cards.
Post by chris on Dec 13, 2013 18:26:27 GMT
Authy uses an app on your phone (and at one point your desktop but that no longer seems supported unless I'm missing something), and there are other mobile solutions as well. I agree with you that a drawer full of devices is silly.
Personal dislike of the core idea is also why I think it should be an opt-in system.
Post by uncletone on Dec 13, 2013 19:48:04 GMT
> I like the idea of using a separate device and service to gain access to your account using a time based cryptographic key, much like Barclays bank uses. Combined with a username and password I feel that would be adequate protection for most users and much better than the existing schemes used by all other peer to peer sites. But I'd need a lot of persuading to make that mandatory from day one without first seeing what the takeup was like and gathering feedback from users. The other problem here is that people are going to end up with a drawer-full of these gizmos. Everybody in my house has an identical HSBC one; I had to put names on the back with tape labels. I also have a separate one for an HSBC business account. It would be worse than having a wallet full of credit cards.

I'm pretty sure that these devices are anonymous - that is, they are not defined in any way to a person/account/card. If provided by a bank, they work with any account holder within that bank. Any identification is provided by the card you slide into it. My opinion, as always, is not clouded by definitive knowledge.
Post by batchoy on Dec 13, 2013 20:39:13 GMT
> The other problem here is that people are going to end up with a drawer-full of these gizmos. Everybody in my house has an identical HSBC one; I had to put names on the back with tape labels. I also have a separate one for an HSBC business account. It would be worse than having a wallet full of credit cards. I'm pretty sure that these devices are anonymous - that is, they are not defined in any way to a person/account/card. If provided by a bank, they work with any account holder within that bank. Any identification is provided by the card you slide into it. My opinion, as always, is not clouded by definitive knowledge.

The Natwest ones are certainly anonymous; we have four between two of us, they are kept in the same drawer so we use the one that comes to hand first, and we have not yet had a problem. As you say, it's the person/account/card combination that is the key, not the device.
Post by bracknellboy on Dec 13, 2013 20:46:23 GMT
I hate the b*****y things. And I think my long standing FD account is shortly going to force me down a similar route.
Post by pikestaff on Dec 14, 2013 1:31:47 GMT
> I'm pretty sure that these devices are anonymous - that is, they are not defined in any way to a person/account/card. If provided by a bank, they work with any account holder within that bank. Any identification is provided by the card you slide into it. My opinion, as always, is not clouded by definitive knowledge. The Natwest ones are certainly anonymous; we have four between two of us, they are kept in the same drawer so we use the one that comes to hand first, and we have not yet had a problem. As you say, it's the person/account/card combination that is the key, not the device.

Our Nationwide ones also use a card and are interchangeable. The HSBC one does not use a card. It may have to be set up for the specific account.
Post by jevans4949 on Dec 14, 2013 2:56:31 GMT
The HSBC personal device looks like a small calculator; you have to set it up with its own PIN, which you use to unlock it. It generates a random number to log in to your account, also to validate online payments for new payees.
The HSBC business device just has a single button to generate a number, but AFAIR you have to register it to your logon ID initially, so there is possibly something unique in the code.
Post by james on Dec 14, 2013 12:37:52 GMT
> But we're also looking at external two factor authentication systems such as Authy. I'd be interested to know what you guys think.

It's hard to have a meaningful opinion on Authy because their site seems to provide little information about its potential vulnerabilities. It appears that it mandates customers purchasing a compatible mobile phone and paying mobile phone service charges, so that appears to be one very significant negative factor. However, it does support text messages, though it says only for other cellphones, so it's unclear whether they are supported for text-enabled landlines like those BT provides to all domestic customers who turn on the capability. If landline texts are supported that would reduce the potential cost and the theft risk. If Android phone emulators for Windows and other PCs are supported that would reduce the potential cost. I'll compare it to one worse-than-nothing-at-all two factor scheme so you can compare if you know more about it than I do: the First Direct and HSBC one. This generates a token but the token can be captured by man in the browser attacks or relayed via a middleman web site. The same token is used for logging in and setting up new payees - there is no different one needed after logging in for setting up new payees. The token is completely unrelated to the computer that is carrying out the transaction or the account being paid, so the token value can be used to authenticate any transaction, while the consumer is being shown either the one they think they are carrying out or a bogus failed login or please wait result. The net effect of this one is to let the bank falsely claim that the use of the token proves that the consumer authorised the transaction carried out rather than just logging in and hence attempt to transfer the fraud risk from the bank to the consumer. Since the net effect is to transfer risk from the bank to the consumer it's of negative value to consumers.
The FD version seems to have one very substantial improvement over the HSBC version: HSBC requires the use of the token for all logins by anyone who has it, FD leaves it optional. So FD customers will only necessarily be at risk in sessions where they anticipate creating a new payee or other higher security activities and log in with the token so they can do that. If they avoid using the token for other logins, most will be protected by the lack of token. So if you go with some two factor scheme, please be sure that:
1. The tokens are linked to the computer trying to use them.
2. The tokens are linked to the destination of the transaction.
3. The tokens are linked to the type of transaction.
4. The tokens are linked to time.
5. The tokens are only required for higher security operations to limit the number of uses and potential exposure.
Get all those right and at least man in the middle and man in the browser attacks will be harder or perhaps impossible to use for theft if you get a good payee link. You should be able to reduce the pain by making it optional for customers, perhaps until their accounts are of a certain substantial minimum value. A saved bank account with partial display of the details and some security around changing that like an email to a not recently changed email address and a delay of a few days before it can be used along with a change confirmation email could also help. Hopefully you'll manage to do better than FD has done. Their new introduction of a poor system managed to reduce my opinion of their security.
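The difference between the time-only token james criticises and one bound to device, destination and transaction type (points 1 to 4 of his list), as an added example that is not from the thread or any of the platforms discussed. The shared secret, device ids and account labels are constructed placeholders; the HOTP step follows RFC 4226.

```python
import hashlib
import hmac
import struct

# Constructed demo secret shared by the lender's token device and the platform.
SECRET = b"constructed-demo-shared-secret"
STEP = 30  # seconds per window: every code below is linked to time (point 4)

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def unlinked_token(now: float) -> str:
    """The HSBC/FD style code james describes: linked to time only, so the
    platform has nothing to check it against except the clock."""
    return hotp(SECRET, int(now // STEP))

def bound_token(now: float, device_id: str, payee: str, op: str) -> str:
    """Code bound to device (1), destination (2) and operation type (3) by
    deriving a per-transaction key; it verifies only for that transaction."""
    context = f"{device_id}|{payee}|{op}".encode()
    txn_key = hmac.new(SECRET, context, hashlib.sha256).digest()
    return hotp(txn_key, int(now // STEP))

def verify_bound(token: str, now: float, device_id: str, payee: str, op: str) -> bool:
    """Platform side: recompute over the transaction it is actually about to
    execute and compare in constant time, allowing one window of clock drift."""
    for window in (0, -1):
        expected = bound_token(now + window * STEP, device_id, payee, op)
        if hmac.compare_digest(expected, token):
            return True
    return False

def relay_demo(now: float = 1_386_000_000.0) -> tuple:
    """Man-in-the-browser relay: the lender enters a code for the payee they
    see; it is submitted for a different payee from another machine.
    Returns (unlinked scheme accepts the relay, bound scheme accepts the relay)."""
    seen = dict(device_id="lender-laptop", payee="CONSTRUCTED-OWN-ACCOUNT", op="new_payee")
    swapped = dict(device_id="attacker-box", payee="CONSTRUCTED-MULE-ACCOUNT", op="new_payee")
    captured = unlinked_token(now)  # code typed by the lender in their own session
    # Unlinked: the only possible check is "does it match the current window?"
    relayed_unlinked = hmac.compare_digest(unlinked_token(now), captured)
    relayed_bound = verify_bound(bound_token(now, **seen), now, **swapped)
    return relayed_unlinked, relayed_bound
```

The bound variant still leaves point 5 (only requiring the code for higher-risk operations) to policy rather than cryptography.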
Post by chris on Dec 14, 2013 13:39:07 GMT
james - I take on board all you say and broadly agree with you. The challenge we face is finding an off-the-shelf solution that provides all of that, that in turn isn't going to cost us or the end users a ridiculous amount of money to implement. We could roll our own but that would be a substantial stand-alone project of its own and would take many many months to implement and roll out, and would ideally involve someone with prior experience. Maybe in time we could even partner with some of the other platforms to share resources on such an endeavour to provide an industry-wide solution. In the meantime though I'd rather find an off-the-shelf solution and provide some measure of additional protection for our lenders even if ultimately it is superseded. Maybe that's Authy, maybe there is another better option. Of course if a suitable solution can't be found then we would have to focus on ultimately providing our own solution.