Online banking - John C. Kirk

Mar. 3rd, 2010

09:33 pm - Online banking

Comments:

From:susannahf
Date:March 4th, 2010 12:08 pm (UTC)
That all sounds like very sensible advice.

Incidentally - you mention 2-factor authentication. When I use this to verify transactions with the Co-op, they always remind me to do an extra check step. The way their system works is that once you've entered your PIN on the card reader, it asks you for a numerical transaction code, and then it provides you with a response to this, which you enter on the website. So the Co-op website gives you the transaction code, and you give back the response.
The last 4 digits of the transaction code *always* correspond to the last 4 digits of the recipient's account number. Now, theoretically, I shouldn't have to check this, right? Because I'm using the Co-op's site and they are giving me all this data. But what if there was a man-in-the-middle attack that was feeding me data from the Co-op but then, when I try to make a transaction, changing the destination of the money? Everything would look OK except that those 4 digits would almost certainly not match. And I would go "eeep", cancel the transaction, and phone them up. And even if the scammers were clever enough to remove that code from the HTML they served me, all the many times I've used the system have trained me to check this number, because it's highlighted as a really important step each time (including what to do if they don't match).

The power of user edumacation.
From:susannahf
Date:March 4th, 2010 12:13 pm (UTC)
Re-reading, when I refer to removing "that code", what I mean is the code that goes "oi check that those numbers match THIS IS REALLY REALLY IMPORTANT, if they don't match then don't enter anything and call us on this number NOW!"
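The check described in the two comments above, modelled as an added example (not part of the original thread and not the Co-op's actual scheme): the bank embeds the payee's last 4 digits in the transaction code, and the user compares them before typing the code into the reader. The HMAC-based response, the 4-digit random prefix, the key and the account numbers are assumptions made for illustration; the third case goes beyond the comment and shows why altering the displayed digits does not help either, because the bank verifies against the code it issued.

```python
import hashlib
import hmac
import secrets

CARD_KEY = secrets.token_bytes(32)  # constructed: secret shared by card and bank

def bank_challenge(dest_account: str) -> str:
    """Bank: 4 random digits, then the last 4 digits of the payee account."""
    nonce = f"{secrets.randbelow(10**4):04d}"
    return nonce + dest_account[-4:]

def reader_response(key: bytes, challenge: str) -> str:
    """Card reader: 8-digit response over the typed code (HMAC is a stand-in)."""
    mac = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"

def simulate(intended: str, received_by_bank: str, rewrite_digits: bool = False) -> str:
    """Run one payment and return how it ends.

    intended         -- account the user wants to pay
    received_by_bank -- account in the request the bank actually receives
    rewrite_digits   -- the code shown to the user was altered in transit so
                        that its last 4 digits match `intended`
    """
    issued = bank_challenge(received_by_bank)
    shown = issued[:-4] + intended[-4:] if rewrite_digits else issued
    # The check the bank trains users to make before using the reader.
    if shown[-4:] != intended[-4:]:
        return "user aborted: digits do not match payee"
    response = reader_response(CARD_KEY, shown)
    # The bank recomputes over the code it issued, not the one displayed.
    expected = reader_response(CARD_KEY, issued)
    if not hmac.compare_digest(response, expected):
        return "bank rejected: response does not match issued code"
    return "payment accepted"

if __name__ == "__main__":
    payee, other = "40127788", "55501234"  # constructed account numbers
    print(simulate(payee, payee))
    print(simulate(payee, other))
    print(simulate(payee, other, rewrite_digits=True))
```
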
From:johnckirk
Date:March 4th, 2010 08:02 pm (UTC)
That sounds useful - I don't have 2-factor authentication with Lloyds TSB, so if someone intercepted my passwords then they could do as many transactions as they liked.