Comments on: So funny I forgot to laugh

By: Pamela

Pamela — Sat, 19 Sep 2009 05:25:46 +0000

Great points – I suppose I think of a one-way hash as more of a bare minimum than “the” answer, but then considering that I called one-way hashes an industry best practice, perhaps I was setting the bar too low for banking best practices?

By: Raleigh

Raleigh — Thu, 17 Sep 2009 06:05:14 +0000

You have raised some good points. Here are a few things to consider. Using one way hash is not a good way to store passwords for e-commerce applications because anyone having access to hashed passwords can easily do a dictionary attack. Hashing algorithms are fast by design and you can hash around a million words on decent CPU. Try openssl speed to see what I mean here. Even a salt would not protect against this attack because the salt has to be stored some where and attacker can get that.

A better way to protect passwords is to use FIPS 140-2 Level 3 or above devices which provide industrial strength encryption. The key never leaves the hardware crypto card and all crypto operations are performed inside the device. That’s what most banks use.

Asking for random characters from your password does protect against key loggers. Seems like a good idea to me.

By: Daily Digs – 09.15.2009 « Security Stallions Blog

Daily Digs – 09.15.2009 « Security Stallions Blog — Wed, 16 Sep 2009 03:32:17 +0000

[...] This was one of the best / most disturbing banking related articles I’ve read in a while. It’s also why you shouldn’t do most any online business with HSBC. I hope HSBC just had a PCI audit done by a large firm so that particular QSA can head to the chopping block. This one’s just downright “special” (and not really from today, but I ran across it in my feeds). [So Funny I Forgot To Laugh] [...]

By: rbobel

rbobel — Fri, 04 Sep 2009 19:58:38 +0000

I hate this kind of stupid stuff. Another peve of mine is week-ass password policies… I found a clasic in my own company http://www.bobbobel.com/the-number-one-reason-to-use-sso-password-policies/

By: johndiii

johndiii — Mon, 24 Aug 2009 17:05:06 +0000

Wow. How do you suppose something like this even gets deployed? I know that HSBC is a fairly large bank, so do they have some guy in the back room doing their web site? Highly unprofessional, and it speaks volumes about the organization itself. I’d be thinking about jumping ship, too. What are the odds that your password is transmitted to some client-side script in clear to check those characters?

I’ve noticed that lists of security questions seem to be more common these days. I’m not sure why, because they actually lessen security, particularly if the questions are badly chosen (like the ones in this example). My policy has been to give fake answers for things like mother’s maiden name, elementary school attended, and so on. With genealogy sites and classmates.com, this information is not that hard to find on the net. Of course, that means that I have to write the answers down somewhere – but it seems a better idea than trusting the web sites.

I’d be very tempted to enter “hacking bank web sites” for my favorite hobby in this case. :-)