Comments on: Banking on Secure Personal Images http://foolswisdom.com/banking-on-secure-personal-images/ A fool and his blog are soon parted. Sat, 22 Nov 2008 11:41:15 +0000 http://wordpress.org/?v=2.7-beta2-9617 hourly 1 By: Lloyd http://foolswisdom.com/banking-on-secure-personal-images/comment-page-1/#comment-23566 Lloyd Fri, 30 Mar 2007 15:47:52 +0000 http://foolswisdom.com/banking-on-secure-personal-images/#comment-23566 Hi Chris, Reading your comments makes me realized how biased I am against Bank of America both because of the online and in person experience I had with its representatives. (And am still having.) Hi Chris,

Reading your comments makes me realized how biased I am against Bank of America both because of the online and in person experience I had with its representatives. (And am still having.)

]]> By: Mark Jaquith http://foolswisdom.com/banking-on-secure-personal-images/comment-page-1/#comment-23353 Mark Jaquith Fri, 30 Mar 2007 08:38:06 +0000 http://foolswisdom.com/banking-on-secure-personal-images/#comment-23353 Done right, a key fob could prevent phishing. 1. Key fob gives you a nonce (NONCE1, a substr() of a hash of KEY1, which changes every time you refresh) 2. You input NONCE1 into the site 3. The site gives you KEY1 4. You input KEY1 into the key fob 5. Key fob verifies that substr(hash(KEY1)) == NONCE1 6. If they match, it gives you NONCE2, which is used to access the site, else, it gives you a mild electric shock (ok, not really) Annoying, but I think that'd act as both authorization and verification of authenticity. Done right, a key fob could prevent phishing.

1. Key fob gives you a nonce (NONCE1, a substr() of a hash of KEY1, which changes every time you refresh)
2. You input NONCE1 into the site
3. The site gives you KEY1
4. You input KEY1 into the key fob
5. Key fob verifies that substr(hash(KEY1)) == NONCE1
6. If they match, it gives you NONCE2, which is used to access the site, else, it gives you a mild electric shock (ok, not really)

Annoying, but I think that’d act as both authorization and verification of authenticity.

]]> By: Chris Vance http://foolswisdom.com/banking-on-secure-personal-images/comment-page-1/#comment-23273 Chris Vance Fri, 30 Mar 2007 04:51:18 +0000 http://foolswisdom.com/banking-on-secure-personal-images/#comment-23273 I only have experience with the Bank of America login solution from my home computer, and am comfortable with their UX. It's all about reducing your vulnerability to phishing attacks and increasing trust in their site. The trick is to pick an image and text caption that you strongly associate. Once this is in place, it reduces the possibility of someone catching you with a phishing page and randomly choosing the correct image, because the caption will not match. I guess the Bank of America login experience is different when logging in from a different computer; I don't have experience with this, but I'm fairly sure they ask one of your three security questions (something you know). Other banks might use an RSA SecurID or a similar key fob. Non-sophisticated computer users may find this frustrating to use as well. There's nothing about the key fob itself that prevents phishing -- the SiteKey program addresses this issue. I only have experience with the Bank of America login solution from my home computer, and am comfortable with their UX. It’s all about reducing your vulnerability to phishing attacks and increasing trust in their site. The trick is to pick an image and text caption that you strongly associate. Once this is in place, it reduces the possibility of someone catching you with a phishing page and randomly choosing the correct image, because the caption will not match.

I guess the Bank of America login experience is different when logging in from a different computer; I don’t have experience with this, but I’m fairly sure they ask one of your three security questions (something you know).

Other banks might use an RSA SecurID or a similar key fob. Non-sophisticated computer users may find this frustrating to use as well. There’s nothing about the key fob itself that prevents phishing — the SiteKey program addresses this issue.

]]> By: Mark http://foolswisdom.com/banking-on-secure-personal-images/comment-page-1/#comment-23103 Mark Thu, 29 Mar 2007 21:45:22 +0000 http://foolswisdom.com/banking-on-secure-personal-images/#comment-23103 My wife is far from comfortable on the web. She also checks (runs) our finances and checks things daily. All the bank did was change one sentence and she stopped. Just that one change turned the familiar to the unfamiliar. But she was in a regular environment with no rush to see details. Maybe the banks should say "This is YOUR screen" and let the customer change it (widgets!) so they have more control and it becomes theirs. My wife is far from comfortable on the web. She also checks (runs) our finances and checks things daily. All the bank did was change one sentence and she stopped.
Just that one change turned the familiar to the unfamiliar.
But she was in a regular environment with no rush to see details.

Maybe the banks should say “This is YOUR screen” and let the customer change it (widgets!) so they have more control and it becomes theirs.

]]>