Anti-phishing “Virtual Keyboards” Cracked
Posted November 27, 2006 – 8:28 am by Yakov Shafranovich in Spam and Email
I recently had the pleasure of watching someone log into an online bank (HSBC USA), which has recently started to use what it claims is “two-factor authentication”. In reality, it is simply two passwords: one entered via a regular HTML form, and a second entered via a very annoying virtual keyboard that is supposed to be secure. Now comes word via Slashdot that these types of countermeasures are easily cracked.
The moral of the story: any security measure that runs client-side is inherently not under your control and therefore cannot be fully trusted (unless it is hardware-based, such as SecurID).
What does work? Some of the tips mentioned by Bruce Schneier in his post, such as asking additional security questions when a customer logs in from out of country.
P.S. Another security point to take up with HSBC: they use a two-step process, where the first step takes the username and only the second step asks for the password. This lets anyone verify whether a specific username exists or not (username enumeration), a well-known “no-no”.
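To make the P.S. concrete, here is an added example (not code from the original post and not HSBC's implementation) of why a username-first login step leaks account existence, and what a uniform-response login looks like. The user store, salt, and password are constructed for illustration; the function names are hypothetical.

```python
# Added example, not part of the original post: a username-first login step
# that leaks account existence, beside a single-step login that answers
# identically for an unknown user and a wrong password.
import hashlib
import hmac

# Constructed user store for the example: username -> (salt, PBKDF2 hash).
_SALT = b"constructed-salt"

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# A dummy hash that the hardened path compares against when the username is
# unknown, so a miss costs the same work as a hit (timing is another
# enumeration channel, not just the error message).
_DUMMY = _hash("dummy", _SALT)

def step1_vulnerable(username):
    """Two-step login as described in the post: step one tells the caller
    whether the username exists before any password is entered."""
    if username in USERS:
        return {"status": "ok", "next": "password"}
    return {"status": "error", "message": "Unknown username"}

def login_hardened(username, password):
    """Username and password checked together; the same error message and
    the same amount of hashing whether the user exists or not."""
    salt, stored = USERS.get(username, (_SALT, _DUMMY))
    candidate = _hash(password, salt)
    # compare_digest is constant-time; the membership check stops a guess of
    # the dummy password from "authenticating" a nonexistent user.
    valid = hmac.compare_digest(candidate, stored) and username in USERS
    if valid:
        return {"status": "ok"}
    return {"status": "error", "message": "Invalid username or password"}

def is_enumerable(step_fn, known_user, unknown_user):
    """True if a login step answers differently for a known and an unknown
    username, i.e. an attacker can confirm accounts from the response."""
    return step_fn(known_user) != step_fn(unknown_user)

if __name__ == "__main__":
    print("two-step enumerable:", is_enumerable(step1_vulnerable, "alice", "mallory"))
    print("hardened enumerable:",
          is_enumerable(lambda u: login_hardened(u, "wrong"), "alice", "mallory"))
```

Response uniformity is necessary but not sufficient: the registration and password-reset flows must give the same treatment, and rate limiting still belongs in front of the endpoint, since an attacker who cannot confirm a username can still brute-force the pair.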
Tags: hsbc, phishing, security —