I received an email from EmigrantDirect today warning that the process for logging into their website for online banking is about to change. The new process will be similar to ING Direct’s security feature involving a unique sign-in ID, an image, and a pass phrase.
If you’re a customer, you might have received this email. They are staggering the transition, so it’s possible that customers haven’t received the notification. Here is the full text of the communication:
Dear Customer,
Our new login process adds an additional layer of security to protect your American Dream account(s).
To begin the new login process:To use the new login process:
- You will be asked to complete a one-time enrollment during which you will select an image and create a unique phrase or description to accompany the image.
Federal guidelines require that all internet banks implement this procedure by the end of the year and your account will be selected for enrollment within the next 30 days.
- You will see your selected image and phrase every time you log in from your registered computer so you will know immediately that the site is indeed EmigrantDirect.com and it is safe to enter your password.
- You may register as many computers as you like, but we suggest that you only register computers that are private, such as your home computer.
Please do not reply to this e-mail as your reply will go to an unmonitored mailbox. If you have any questions, you may send a message from your secure Message Center once you are logged on, or call Customer Service at 1-800-836-1997, seven days a week, 8:00 AM – 11:30 PM ET.
Subscribe
11:10 pm (reply)
I hate to be a killjoy but, as an information security professional, I can tell you that the type of login you are talking about does little to actually protect your information from determined criminals. Within hours of ING deploying their new login scheme there were keyloggers with a new “feature” that would capture small sections of your screen around your mouse pointer when you clicked it which allowed the criminals to capture your PIN even if you use the on-screen number pad.
In addition, once the malicious software is on your system they can steal the cookies from your browser that store info about those pictures that everyone is using or stick in the middle and conduct their own electronic transfers. It’s a lot of sizzle and very little steak, if you know what I mean.
10:57 am (reply)
Isn’t the idea of the pictures that I am supposed to recognize them? We have so many bank accounts, I can’t even remember which pictures go to which accounts.
4:19 pm (reply)
@ Madison: The point is not just to have a picture associated with your account. It is supposed to be the combination of your picture and word or phrase that is supposed to ensure that you are communicating your your bank and not a phishing site.
When you are setting up the pictures, I always use meaningful phrases that will jog my memory when I am logging in. For instance, if you have a picture of an orange. Don’t use the phrase “An orange” associated with it. Instead use something meaningful like a song lyric, “I’ve got my spine, I’ve got my orange crush.” Now, even though you may not remember which picture is which, the phrase should hopefully jog your memory.
10:44 am (reply)
@ Toby: As an information security professional, you then know that most thieves and unsavory characters tend to go for low hanging fruit before tackling something more sophisticated.
The point behind the modifications isn’t that the system is absolutely secure, it’s simply that they’ve added extra layers of security to make it just a little more difficult for the majority of script kiddies.
The reality is that if someone wants your information bad enough, they’re going to get it. It doesn’t matter what you do, or how you do it. The key here is that it now takes more effort and more technical know-how to get to what they’re after.
As you’re aware, the process of creating security measures to defend against security breaches is very cyclic by nature. Sooner or later the thieves ramp up on the new security measures, and then the business has to adapt and create a new hurdle. Then we start over again.
It’s an improvement, and as an information security professional, I would expect you to applaud the effort to at least improve security based upon what you know of the business involved, and the nature of security in a digital world.
Thanks.
1:22 am (reply)
@ general: I agree that thieves tend to go for low-hanging fruit before tackling something more sophisticated. However, I think you are over-estimated the amount of sophistication and complexity inherent in these new “security measures.”
In our industry we call it “security theater”. Looks great. Looks secure. Makes for great press-releases. Doesn’t do a lick of good as far as increasing security.
My job is not to make things completely secure. It is to balance the risk versus the cost of security measures. So when I say that these new measures don’t do any good, I mean that the total cost (monetary, user experience, etc.) is not worth the “increased security” (trivial). The money these companies spend is not to increase security, rather it is to increase the appearance of security to their customers. Given that this increases customer trust it is still probably money well-spent but don’t, for a second, think that they’ve improved security in any meaningful way.
Also, I don’t think you realize the threat that is out there. It’s not little Johnny hacking your computer from his mommy’s basement anymore. Organized crime is out there. They are well-funded. They have professional programmers writing their software and it is really well planned and well implemented.
Virus signature databases doubled in size over the past year and anti-virus vendors are struggling to keep up. An estimated 25% of the 600 million computers on the Internet today are thought to be parts of botnets. 150 million zombie machines out there that might do anything from attack a site, to resend spam, to collect your personal information. It is considered by many to be a virtual pandemic.
So pardon me if I don’t jump up and give a standing ovation to an under-arm-fart-noise rendition of Beethoven’s 5th. I think I’ll hold my applause for a real performance.