OT rant - electric caller with badge

So it could pan out in the same way as scenario 2 and the user could believe that the scammer is genuine.

Reply to
Mark

But this system relies on the callee having (and remembering) a detailed knowledge of how the system works. Many will not and could fall for this. The password system could easily give them a false sense of security and they may reveal more than they would otherwise do.

Reply to
Mark

I often thought this - if you've at any point managed to get hold of someone's bank login id, it'd be easy enough to get onto the login page, phone up pretending to be the bank and then ask for whatever characters the bank is asking for. Once logged in, you could politely end the call. But then it clicked - that the banks that I use either require a confirmation code from a card reader and one of my bank cards or they ask for an additional PIN or the full password to authorise a new payee. So even someone getting into my account this way would be unable to transfer any money anywhere except to my existing payees or accounts - not much use for theft!

SteveW

Reply to
Steve Walker

So enlighten me. What can the scammer do with the partial password other than hope that they are asked for the same two characters when they try to access your account?

MBQ

Reply to
Man at B&Q
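The question above (what a scammer gains from two captured characters) and the "phone up pretending to be the bank and relay the prompt" attack described earlier in the thread can be put into numbers. The Python below is an added example, not code from the thread or from any bank's system; the password length, challenge size and lockout threshold are assumed values chosen for illustration, and the two login policies it compares (a fresh random challenge on every page load versus a challenge that stays fixed until answered) are likewise modelled, not taken from any named bank.

```python
import random
from math import comb

# Constructed parameters (assumptions for this example, not from the thread):
# an 8-character memorable word, challenges of 2 random positions, and 3 tries
# before the account locks.
PASSWORD_LENGTH = 8
CHALLENGE_SIZE = 2
ATTEMPTS_BEFORE_LOCKOUT = 3


def challenge(length, k, rng):
    """The bank's prompt: k distinct random positions of the password."""
    return frozenset(rng.sample(range(length), k))


def coverage_probability(known, length, k):
    """Exact probability that one fresh random k-of-length challenge asks only
    for positions the scammer has already captured from the victim."""
    if known < k:
        return 0.0
    return comb(known, k) / comb(length, k)


def login_success_probability(known, length, k, attempts, rechallenge):
    """Chance the scammer gets in using a stolen login id plus `known` captured
    positions. rechallenge=True models a site that issues a new random
    challenge on every page load (each reload is a free re-roll until lockout);
    rechallenge=False models a challenge that stays fixed until answered."""
    p = coverage_probability(known, length, k)
    if not rechallenge:
        return p
    return 1.0 - (1.0 - p) ** attempts


def positions_learned(length, k, calls, seed=0):
    """Positions learned by relaying `calls` genuine challenges to the victim
    over the phone (the 'phone up pretending to be the bank' attack)."""
    rng = random.Random(seed)
    learned = set()
    for _ in range(calls):
        learned |= challenge(length, k, rng)
    return learned


def calls_until_full_password(length, k, rng=None):
    """One trial: relayed calls needed before every position has been asked."""
    rng = rng if rng is not None else random.Random()
    learned, calls = set(), 0
    while len(learned) < length:
        learned |= challenge(length, k, rng)
        calls += 1
    return calls


def mean_calls_until_full(length, k, trials=2000, seed=1):
    """Monte Carlo estimate of how many relayed calls reveal the whole password."""
    rng = random.Random(seed)
    return sum(calls_until_full_password(length, k, rng) for _ in range(trials)) / trials


if __name__ == "__main__":
    print("known  p(one challenge)  p(login, fixed)  p(login, re-roll x%d)"
          % ATTEMPTS_BEFORE_LOCKOUT)
    for known in range(PASSWORD_LENGTH + 1):
        p1 = coverage_probability(known, PASSWORD_LENGTH, CHALLENGE_SIZE)
        fixed = login_success_probability(
            known, PASSWORD_LENGTH, CHALLENGE_SIZE, ATTEMPTS_BEFORE_LOCKOUT, False)
        reroll = login_success_probability(
            known, PASSWORD_LENGTH, CHALLENGE_SIZE, ATTEMPTS_BEFORE_LOCKOUT, True)
        print(f"{known:5d}  {p1:16.3f}  {fixed:15.3f}  {reroll:21.3f}")
    print("mean relayed calls to learn all positions:",
          round(mean_calls_until_full(PASSWORD_LENGTH, CHALLENGE_SIZE), 1))
```

With these assumed parameters, two captured characters give a 1 in 28 chance that the next fixed challenge is fully answerable, which is the "hope they ask for the same two" case in the question. The more realistic worry is the relayed-prompt attack: every call adds positions, and a scammer who can keep the victim on the phone, or call back later, learns the whole word after a modest number of calls. A site that re-rolls the challenge on each reload also turns its lockout count into free extra draws for the attacker, which is why keeping the challenge fixed until it is answered (and counting failed answers, not page loads) is the safer policy.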


Thanks for taking the time to explain. That is a vulnerability for the One Account, assuming they can get hold of the login id.

The Alliance & Leicester business bank system also recognises that it's a different computer (or even a different XP user account on the same computer) the first time it's used and you have to supply a whole lot more passwords to get in. A genuine caller would never ask for those passwords.

MBQ

Reply to
Man at B&Q

To which the correct response would be to get them to try the same answer again, to eliminate any possibility of it having been misheard or mistyped.

Reply to
Mike Barnes

Oh indeed, and I am sure this is a reason systems are not used like this. It's a shame however that the option is not there for those that can understand the subtleties, since it would shortcut scammers drawing attention to themselves in some cases.

Things like the card reading hand held terminals for online authentication could have been made far more secure (although less user friendly) by the simple expedient of not reporting whether the PIN entered was correct or not.

Reply to
John Rumm

Hardly. A real caller would recognise the tripwire and direct the person to phone in on a published number on a security matter. A scammer would not, and would only be able to say it's right or wrong. Either response would alert the mark that something is up.

Reply to
John Rumm

Having gained the confidence of the user they have a good chance of getting accurate answers for any further question they ask.

Reply to
Mark

Assuming they were aware of what a tripwire password is for. I'm not claiming everyone would fall for this, but I would expect quite a few would.

Reply to
Mark

When it's me being called I do just that, without bothering with any tripwires etc.

Businesses should *not* phone customers and ask for security information. I had a prolonged conversation on this topic with a bank employee. He said that the information requested is insufficient to access the account, so there's no problem. I said I thought that was naive and we agreed to differ.

Reply to
Mike Barnes


Not in my experience. They don't ask for any further personal information. If they did I would know something was fishy straight away. They may ask about or discuss the operation of the account. It's very easy to tell from my own knowledge of the account if they are genuine.

MBQ

Reply to
Man at B&Q

Which is why many banks have switched to "two factor" authentication. Now you not only need to know secret stuff, but you also need to have something (i.e. the matching debit card etc).

Alas the implementation that most of them have used is still a tad on the weak side. It also opens up a couple of new attacks that previously did not exist.

It also does not defend against electronic "man in the middle" attacks either.

A detailed analysis of the technology can be found here:

formatting link

Reply to
John Rumm
