Phishing (Was Re: WashingtonPost computer security stories)

I wonder if the banks have ever considered how they have
contributed to the problem. If their pages were straight
up, no pop-ups, no JavaVirus, etc.... it would be far easier
to tell their customers:

==============================================================
   Here is what our page looks like:

But of course, that would not be glitzy enough....

My bank does pretty much what you suggest. Have a look here
https://ibank.barclays.co.uk/fp/1_2c/online/1,26806,logon,00.html
and if that link has timed out or something, just go here
https://ibank.barclays.co.uk/
and click the Log-in button.

Barclays also uses a "memorable word" in addition to
the PIN code. They repeatedly tell us that no one
from Barclays will ever ask us to reveal this
memorable word. Its only use is for a simple
challenge-response where the website asks for
two specific letters from the word and we select
them from drop-down boxes to defeat keyloggers.
Nice example of layered security that keeps the
criminals snapping at the heels of the guy next
door, i.e. CitiBank et al.

--Michael Dillon
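The two-letter memorable-word check described in the post above, written out as an added example (this is not Barclays' code and assumes nothing about their actual implementation). The server picks two positions of the registered word with a CSPRNG, the customer supplies just those letters as drop-down selections rather than keystrokes, and the server verifies them in constant time and discards the challenge after one attempt. The `observer_view` helper shows what someone recording the submitted form fields would learn from a session: only the letters that were asked for. The word `kingfisher`, the class and function names, and the one-shot challenge handling are all assumptions of this example.

```python
import hmac
import secrets

# Constructed example: a memorable word as a customer might register it.
# Everything here is an assumption of this example, not the bank's real design.
SAMPLE_WORD = "kingfisher"
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


class MemorableWordServer:
    """Server side of the two-letter challenge: issue positions, check answers."""

    def __init__(self, memorable_word: str, min_len: int = 6):
        word = memorable_word.lower()
        if len(word) < min_len or any(c not in ALPHABET for c in word):
            raise ValueError("memorable word must be letters only and reasonably long")
        self._word = word
        self._pending: dict[str, list[int]] = {}  # session id -> positions asked

    def new_challenge(self, session_id: str, count: int = 2) -> list[int]:
        """Pick `count` distinct 1-based positions using the OS CSPRNG."""
        rng = secrets.SystemRandom()
        positions = sorted(rng.sample(range(1, len(self._word) + 1), count))
        self._pending[session_id] = positions
        return positions

    def verify(self, session_id: str, answers: list[str]) -> bool:
        """Check the submitted letters. A challenge is consumed on its first use,
        so a wrong answer cannot be retried against the same two positions."""
        positions = self._pending.pop(session_id, None)
        if positions is None or len(answers) != len(positions):
            return False
        expected = "".join(self._word[p - 1] for p in positions).encode()
        given = "".join(a.lower() for a in answers).encode()
        return hmac.compare_digest(expected, given)


def answer_challenge(word: str, positions: list[int]) -> list[str]:
    """Client side: the customer reads off the requested letters and picks each
    one from a drop-down, so the browser submits selections, not keystrokes."""
    return [word.lower()[p - 1] for p in positions]


def observer_view(sessions: list[tuple[list[int], list[str]]]) -> dict[int, str]:
    """What someone who records every submitted form learns: only the positions
    that were actually requested, accumulated across the observed sessions."""
    learned: dict[int, str] = {}
    for positions, answers in sessions:
        learned.update(zip(positions, answers))
    return learned


if __name__ == "__main__":
    server = MemorableWordServer(SAMPLE_WORD)
    asked = server.new_challenge("session-1")
    reply = answer_challenge(SAMPLE_WORD, asked)
    print("asked for letters", asked, "->", server.verify("session-1", reply))
    print("a form-recorder learned", observer_view([(asked, reply)]))
```

Because each session exposes only the requested positions, the whole word is never typed or transmitted in one go; the trade-off, visible in `observer_view`, is that every observed session still leaks the two letters it asked for, so the word itself remains a secret that must not be given out on request, exactly as the bank's warning says.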

No matter how often they told customers that, a sufficient percentage
would ALWAYS be susceptible to the fraudsters' social engineering ...

That feature seems to be hard-coded into the class $customer

Lots of European banks issue sheets of one-time passwords.
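A minimal model of such a one-time password sheet, added here as an example and not taken from any bank's system. The bank generates a numbered list of random codes to post to the customer and keeps only a keyed hash of each; at login it asks for a code by number, accepts it once, and rejects any replay or out-of-range number. The sheet size, code length, per-sheet HMAC key, and the "lowest unspent code next" policy are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

SHEET_SIZE = 50   # assumption: codes per printed sheet
CODE_DIGITS = 6   # assumption: digits per code


def print_sheet(n: int = SHEET_SIZE, digits: int = CODE_DIGITS) -> list[str]:
    """Generate the numbered codes that would be printed and posted to the customer."""
    return [f"{secrets.randbelow(10 ** digits):0{digits}d}" for _ in range(n)]


class OTPSheetServer:
    """Server side: stores a keyed hash of each code, never the code itself,
    and marks a code as spent after its one successful use."""

    def __init__(self, sheet: list[str]):
        self._key = secrets.token_bytes(32)  # per-sheet HMAC key (assumption)
        self._digests = [self._digest(code) for code in sheet]
        self._spent = [False] * len(sheet)

    def _digest(self, code: str) -> bytes:
        return hmac.new(self._key, code.encode(), hashlib.sha256).digest()

    def next_index(self) -> Optional[int]:
        """Which code number (1-based) to ask the customer for: the lowest unspent one,
        or None when the sheet is exhausted and a new one must be issued."""
        for i, spent in enumerate(self._spent):
            if not spent:
                return i + 1
        return None

    def redeem(self, number: int, code: str) -> bool:
        """Accept code `number` exactly once. Replays, wrong codes and numbers
        that are not on the sheet all fail without changing any state."""
        i = number - 1
        if not 0 <= i < len(self._digests) or self._spent[i]:
            return False
        if not hmac.compare_digest(self._digests[i], self._digest(code)):
            return False
        self._spent[i] = True
        return True

    def remaining(self) -> int:
        return self._spent.count(False)


if __name__ == "__main__":
    sheet = print_sheet(5)                  # constructed sample sheet
    server = OTPSheetServer(sheet)
    n = server.next_index()
    print("please enter code", n, "->", server.redeem(n, sheet[n - 1]))
    print("same code again   ->", server.redeem(n, sheet[n - 1]))
    print("codes left:", server.remaining())
```

The point a phished customer benefits from is in `redeem`: a code captured by a fake login page is worth exactly one use, and none at all if the real site already consumed it.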