|
Post by zanygame on Nov 3, 2023 22:20:14 GMT
Why can't banks have a password they can give me?
"Hello Mr Zany, this is Stuart from nikitanrun bank. Can I discuss some unusual activity on your account?"
"Hi Stuart, yes, but before I do can you give me the 3rd and 12th letter of my given password?"
"Certainly Mr Zany, it's E and H. Don't forget to change your password at the end of the month."
Wouldn't it be good if security went both ways?
|
|
|
Post by steppenwolf on Nov 4, 2023 8:24:37 GMT
Because the idea of a password/PIN is that you never write it down. So the password/PIN that you're given by the bank is given to you once in a secure letter and you're meant to memorise it and destroy it. The bank itself doesn't keep that data in any recognisable form. It's held in a security machine encrypted under a master key, that again no one knows because it's made up of several parts that are input by several people. And there is no function to generate that data in the clear. All you can ever do is present the security machine with the whole PIN (encrypted under your own transmission key) and ask it if it's right.
Maybe there is a way of doing what you want, but I can't think of one. Plainly "Stuart" must not know your PIN (or "bank-PIN"), so he must have a way of decrypting secure data held on the bank's database. But that's a No-no. Stuart could very easily find out your "bank-PIN" and that's an invitation to fraud.
|
|
|
Post by zanygame on Nov 4, 2023 9:21:02 GMT
I'm not talking about one they give you. I'm talking about one you give them, separate from your own login ones. As for storing that data, they store your PIN number, they store your passwords that let you access your account. As for Stuart knowing the password I have, I could ask him for the 3rd and 12th letters and he could type 3 and 12 into the bank computer and it gives him those letters. Not perfect, but all it's doing is confirming it is Stuart from my bank. Better that than a scammer pretending he's my bank and asking me loads of security questions before he'll say what he wants to tell me. How else can I check it really is my bank? They suggest you hang up and call your bank directly, but if you've ever tried that you will find you can never get back to the person who called you, and you sit in a queue waiting for your call to be answered when you've just been told there is suspicious activity on your account.
|
|
|
Post by steppenwolf on Nov 4, 2023 10:10:02 GMT
"As for storing that data they store your pin number, they store your passwords that let you access your account."
Obviously, but the only record they have of your PIN is encrypted under a secure key known ONLY to their security machine. NO PERSON knows that PIN apart from you (and that's in your memory only). There is NO way that anyone at the bank can find out your PIN in the clear. And any attempt to mess with the security machine will result in the destruction of the master key.
What you want is for the bank to have another password/PIN that's unique to you, so they're also going to have to store that data. The difference is that the bank staff (Stuart) needs to be able to generate that data in the clear in order to answer your questions. You could say that you only need two characters but there's obviously nothing to prevent Stuart getting the whole data if he wanted to. So it's wide open to fraud. There is NO way that Stuart could find out your own PIN.
|
|
|
Post by zanygame on Nov 4, 2023 10:25:28 GMT
There obviously is. Stuart can only access two letters at a time and the machine logs what Stuart is doing. Further, every time your bank contacts you and uses the password they request you to change it. So if Stuart keeps ringing you in the hope of gaining all your password letters he's riding for a fall. Your PIN and password are useless as a method of identifying your bank; as you say, they don't have access to them. Do you have any suggestions on how you might recognise your bank? There have been a spate of frauds recently where the fraudsters appear to prove to you that they are real and your bank are the fraudsters trying to stop them saving your money. And each new fraud gets better. This is no longer a bloke trying his luck, but a multimillion pound business with tech and assets.
|
|
|
Post by Fairsociety on Nov 4, 2023 11:23:23 GMT
Then we have the fraudsters who put people 'under their spell', and steal their life savings, telling them to lie to their banks. WTF, these aren't even thicko people, most who are duped are pretty level headed people, their only downfall is GREED. Then when they find out they were conned they demand the bank reimburse them. No chance. One example: www.bbc.co.uk/news/uk-england-leeds-67208755
|
|
|
Post by zanygame on Nov 4, 2023 12:10:05 GMT
Yes, I watched one the other day (might be the same one) where the bank got them to do a selfie holding a note saying "the bank have warned me not to do this". You can't help everyone.
|
|
|
Post by Fairsociety on Nov 4, 2023 12:21:53 GMT
Unfortunately all sense goes out the window when get-rich-quick greed kicks in.
|
|
|
Post by Orac on Nov 4, 2023 21:17:46 GMT
Just cut the cable to Africa and the subcontinent. 80% of the problem gone. Call centres can move back to Slough.
|
|
|
Post by steppenwolf on Nov 5, 2023 8:31:49 GMT
Basically what you want is the equivalent of the bank's telephone password where, when you phone up the bank, you have to provide two letters out of your password to confirm who you are.
So you want to give the bank their own telephone password for when they phone you. The thing is that the telephone password they give you is NEVER held in the clear anywhere on the bank's system. A fraudster who hacked into the bank's system can never find PINs or passwords of any kind because they're all held in an encrypted form which can only be decoded by a security machine. So when you phone your bank they ask you for 2 characters from your password and they are then verified by sending a request to the external security machine which says yes or no. No one in the bank knows your telephone password. What you could do to mirror this system is for the bank to send you a unique (to you) bank password that the bank must use to identify itself -- say by telling you two characters of the password of your choosing. The problem is that this bank password would have to be held securely encrypted - otherwise anyone who hacked into the bank's system could find all these passwords. So, in order for the bank to give you the two characters it would need a command to the security machine to release these characters in the CLEAR. This is a No-no in security systems. The minute you have a command that reveals parts of passwords in the clear it's pretty obvious that a fraudster who has access to the bank's system can reveal all these passwords. What you want to do is perfectly sensible. But I can't think of a secure way of doing it that doesn't rely on the customer fully replicating the bank's security system. Maybe there could be a way of doing it using the banking app, but I think if there was the banks would have done it by now. It's an interesting problem.
|
|
|
Post by johnofgwent on Nov 5, 2023 8:35:42 GMT
In reality the utility companies already do something similar for people considered particularly vulnerable. Callers to homes of blind people, for example. The customer sets a password in their customer records which they can indeed change as often as they like, after every visit for example, and the engineer / meter reader / whatever gives the said password at the door. So the process already exists for companies dealing with the public in their homes. The question is why don't companies that call you offer the same. It would be trivial for me to add this feature to our bank's customer database and audit by database trigger all access to that data field including device / account etc. Yes **I** and a handful of the system designers with god and demigod database access COULD access that area AND erase the audit log, but the erasure itself would be recorded and flagged. I can't create a perfect system but I can have a damn good go.
|
|
|
Post by zanygame on Nov 5, 2023 8:43:15 GMT
Yep. So how does the bank check the letters I give them? Precisely, so they store it safely, just as they could their own password for me. No difference. I still see this very slightly more insecure system as better than what we currently have. The bank could auto-generate a new password for your account after each call. Last time my wife had a call from the bank, the man on the phone said it was a real issue getting people to trust who they were. He suggested she answer one of the security questions incorrectly on purpose because only the bank would know if that was the case. Crazy work-around. Fair do's. That's for minds greater than mine.
|
|
|
Post by zanygame on Nov 5, 2023 8:49:51 GMT
That's my view, John.
The subject moved towards HOW it could be done, when what I really wanted to look at was WHY it's not being done.
|
|
|
Post by steppenwolf on Nov 6, 2023 7:25:37 GMT
Zanygame said: "Precisely, so they store it safely, just as they could their own password for me. No difference."
I knew this would be difficult. The difference between the bank identifying you as a valid caller (case 1) and you identifying the bank as a valid caller (case 2) is that:
Case 1: You provide the bank with the two letters (that you have memorised) and they're sent off to the security machine and the security machine replies with correct or incorrect (nothing more).
Case 2: You ask the bank to provide the two letters. The bank can't memorise the password except by storing it on the database. And it HAS to be held encrypted on the database or any hacker can find it. So the bank has to decrypt your password in order to give you the two letters. So your security has been completely compromised because the hacker will also be able to decrypt it.
Your problem is to be able to store the bank's password securely and still be able to supply a selection of letters to the client. If there's a simple way of doing that then I suggest the bank would be doing it already.
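An added illustration (not code from the thread or from any bank's system) of the asymmetry steppenwolf describes here and in his earlier post: a verify-only "security machine" that answers yes/no for the positions the customer gives (Case 1), beside the reveal command a bank-to-customer password would need (Case 2), with the controls johnofgwent and zanygame proposed layered onto the reveal path: every access audit-logged with the agent id, at most two positions per call, one reveal per call, and rotation after use. The class names, the one-time-pad stand-in for HSM encryption under a master key, and the sample passwords are all constructed assumptions.

```python
import hmac
import os
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits


def _xor(pad: bytes, data: bytes) -> bytes:
    # Stand-in for encryption under the HSM master key (a pad only the
    # machine can derive). Models "the DB row is ciphertext, the key lives
    # elsewhere"; it is not a production cipher.
    return bytes(p ^ d for p, d in zip(pad, data))


class SecurityMachine:
    """Case 1: the bank stores only ciphertext; this object holds the master
    key and answers 'correct?' for chosen positions, nothing more."""

    def __init__(self) -> None:
        self._master = os.urandom(32)          # never leaves the machine

    def enrol(self, password: str) -> bytes:
        assert 1 <= len(password) <= 32 and set(password) <= set(ALPHABET)
        nonce = os.urandom(16)                  # fresh pad per record
        pad = hmac.new(self._master, nonce, "sha256").digest()
        return nonce + _xor(pad, password.encode())   # what the bank stores

    def _open(self, record: bytes) -> str:
        pad = hmac.new(self._master, record[:16], "sha256").digest()
        return _xor(pad, record[16:]).decode()

    def check_positions(self, record: bytes, positions: list, answer: str) -> bool:
        pw = self._open(record)
        if any(not 1 <= p <= len(pw) for p in positions):
            return False
        expected = "".join(pw[p - 1] for p in positions)
        return hmac.compare_digest(expected, answer)   # yes/no only


class RevealingMachine(SecurityMachine):
    """Case 2: a customer-set password the bank must *release* characters of.
    The reveal command is the objection; audit, position cap, one reveal per
    call and rotation after use are the proposed mitigations."""

    MAX_POSITIONS = 2

    def __init__(self) -> None:
        super().__init__()
        self.audit: list = []        # (agent, call_id, positions, outcome)
        self._used_calls: set = set()

    def reveal(self, record: bytes, positions: list, agent: str, call_id: str):
        ok = len(positions) <= self.MAX_POSITIONS and call_id not in self._used_calls
        self.audit.append((agent, call_id, tuple(positions), "ok" if ok else "refused"))
        if not ok:
            return None
        self._used_calls.add(call_id)
        pw = self._open(record)
        return "".join(pw[p - 1] for p in positions)

    def rotate(self) -> tuple:
        """After each call: plaintext goes to the customer, ciphertext to the DB."""
        fresh = "".join(secrets.choice(ALPHABET) for _ in range(12))
        return fresh, self.enrol(fresh)
```

Note that `SecurityMachine` has no reveal operation at all, which is the whole of Case 1; in Case 2 the audit trail records refused attempts as well as successful ones.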
|
|
|
Post by zanygame on Nov 6, 2023 7:31:36 GMT
Hi Steppen. Yes I got that. I even proffered a solution. I agree with John, it could be done relatively easily. I am more interested in solutions for the problem of how my bank identifies itself to me.
|
|