Thursday, December 27, 2007

Security with online banking, what's cool!

Today I was reading about how a few banks have started to adopt a creative solution to increase the security of their web portals for online banking. I was quite impressed by what they came up with. They were using cell phones; specifically, they were transmitting a security code to your cell phone that you would then use along with your password to log on to their portal. To me this seems like a great way to achieve two-factor authentication without the typical impact a user would incur. Now, to get access to your account an attacker would need what you have, your cell phone, and what you know, your password, which would greatly increase the difficulty of any brute force attack, as well as thwart any phishing scheme or keylogger you might come across.
Since the code is also transmitted out-of-band, i.e. through your cell phone and not the web, it requires access to both your username/password and your cell. With the code expiring in a short (10 min) time and only good for one use, it serves as well as any token could, with the distinct difference that most users carry a cell phone by habit, where a token they would not. Another great benefit to the bank, and possibly one that leads to a more widespread implementation, is that the user already has the equipment necessary, a cell phone, which is not the case with a token. Providing a security code through a cell phone could be the strongest, and most usable, form of authentication we've seen yet in online banking.
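As an added example (not from the original post, and not any bank's own code), here is how the server side of such a scheme can issue and check the code: the code is sent out of band, is good for one use, expires after the ten minutes described above, and gets a small guess budget so that a six-digit code cannot be brute forced while it is live. The class name, the record layout, and the simplified password comparison are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6              # fits in an SMS and in a user's head
CODE_TTL_SECONDS = 10 * 60   # the 10-minute lifetime the post describes
MAX_ATTEMPTS = 3             # guesses allowed per issued code


def _digest(code, salt):
    """Salted hash of a code: the server keeps this, never the code itself,
    so a leaked pending-code table cannot be replayed."""
    return hashlib.sha256(salt + code.encode()).digest()


class OtpStore:
    """Server-side record of codes sent out of band (by SMS); one live code per user.
    The class name and record layout are assumptions made for this example."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be tested without waiting
        self._pending = {}       # username -> {"digest", "salt", "expires", "attempts"}

    def issue(self, username):
        """Create a fresh code for `username` and return it for the SMS gateway to send.
        Issuing a new code replaces any earlier one for the same user."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[username] = {
            "digest": _digest(code, salt),
            "salt": salt,
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, username, submitted):
        """True exactly once, for the right code, inside its lifetime and attempt budget."""
        rec = self._pending.get(username)
        if rec is None:
            return False                      # nothing issued, or already consumed
        if self._clock() > rec["expires"]:
            del self._pending[username]       # expired: the user must request a new code
            return False
        rec["attempts"] += 1
        ok = hmac.compare_digest(_digest(submitted, rec["salt"]), rec["digest"])
        if ok or rec["attempts"] >= MAX_ATTEMPTS:
            del self._pending[username]       # single use, or guess budget exhausted
        return ok


def second_factor_login(store, users, username, password, code):
    """Both factors must pass: the password (what you know) and the code (what you have).
    `users` maps username -> password; comparing the password directly is a
    simplification for this example (assumption), a real site checks a password hash."""
    if not hmac.compare_digest(users.get(username, ""), password):
        return False
    return store.verify(username, code)


if __name__ == "__main__":
    store, users = OtpStore(), {"sandy": "correct horse battery staple"}
    code = store.issue("sandy")                  # would be handed to the SMS gateway
    print("login:", second_factor_login(store, users, "sandy", users["sandy"], code))
    print("replay:", second_factor_login(store, users, "sandy", users["sandy"], code))
```

A wrong password does not consume the code, so an attacker cannot burn a user's code by guessing passwords, while three wrong codes do retire it and force a new SMS. One caveat worth keeping in mind with any code typed into a web form: a fake site that relays the user's password and code to the real bank within the ten-minute window still gets in, so the code raises the bar against stolen passwords and keyloggers more than against a live, real-time phishing site.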

Tuesday, October 2, 2007

Art of Possibilities

I’ve been really busy lately and have not been able to finish a book in a long time, but I finally had some free time and was able to sit down and read The Art of Possibility. What a good choice it was. While the book itself was all about changing perspectives and bringing about change, at least that’s what I took away from it, I really liked the stories about his experience as a conductor and inspiring young musicians. If you get a chance, I would check it out.

Saturday, June 9, 2007

For the arts no doubt

My friend pointed me in the direction of Ben Zander, who is a very exuberant advocate for the fine arts. Check it out.



The Art of Possibility, by Ben Zander and his wife Roz Zander, is definitely on my reading list; if even a portion of his energy is reflected in the book, it should be a great read.

Wednesday, June 6, 2007

Oh my look at those Feature Sets!

I love TED presentations; they’re great! I was watching a TED talk by Barry Schwartz, and he gave a very intriguing presentation on the effect of choices. I believe it is a great talk for anyone who has influence on the UI of any product or service, since we have to decide between creating a feature-rich (setting-rich) environment or a simpler subset, and weigh the associated opportunity costs.


I really enjoy the points he makes: with more options you have more expectations, and they are harder, if not impossible, to satisfy. There is no excuse for failure; with choices you do better but feel worse. And while this presentation mostly focuses on consumer choices, such as the number of different salad dressings at a supermarket, I believe the basic concept can be applied to most user interactions, from software UI to marketing. Too often we give the user more options than they would ever desire, with the excuse of providing options, when in reality we’re just creating disappointment. This presentation just reinforces my belief that less is more when it comes to options.

Wednesday, April 11, 2007

Phishing for you

With the number of illegitimate emails sent growing into the billions, the chances of one getting through your spam filters grow every day, but what happens when it's worse than spam, and confidential information is in the balance? In this web log we will walk through a simple phishing scam and ways to protect yourself and your company.


The Victim

Sandy considered herself an avid eBayer. She used to go to garage sales every weekend, but since she found eBay it was like having all the world's garage sales all the time. So now, instead of going out Saturday morning looking for stuff, all she had to do was log onto her computer and start searching for the things she wanted. She could look any time she wanted.

By this point in time she was used to getting emails from eBay, and from other eBayers, about products and auctions she had won. But today was different. Today she received an email from eBay informing her that her account information was out of date and needed to be updated, or else her account might be disabled. Not wanting her account to be disabled, she clicked on the link in the email and logged into the website.

Upon logging in she was greeted with a message informing her that the bank account number she had entered was invalid, and that she needed to re-enter it to update her information. After entering the bank account number she was thanked for her cooperation and informed that the account was now up to date. Glad that her account wasn’t going to get locked out, she decided it would be a perfect time to check on her auctions.


The Attacker

As a web developer I found myself jumping from contract to contract, never staying in one place. This was getting ridiculous, though; I had been out of work for four weeks and didn’t have any prospects for a new contract any time soon, and to top it off I didn’t have any savings left. So I figured I would put my skills to work for myself and create “my eBay.” It would be a place for eBayers to come and give me access to their account information.

The plan was simple really: just lift eBay’s layout so that people thought they were really at eBay when in reality they were logging into my site. Once they had logged in, I asked nicely for their personal information and thanked them kindly. I always found people were much more responsive when you thanked them after a job. So I went about setting up the site and sending out emails to possible eBay users.


The Description

Phishing is a form of social engineering in which, in one common form, an email poses as coming from a legitimate company. The email is normally phrased to elicit information from you that could lead to the loss of company, financial, or personal information. It does this by first building credibility as the legitimate company, then creating a plausible and urgent reason for you to act.

This could be through a form in the email that looks like it sends the information to the legitimate site but in reality sends it to the fraudulent site, or executes an action on the phishing server. It is also implemented through fake sites that mimic the legitimate one, and that may even pass you and your credentials on to the legitimate site after acquiring the information they want, so that nothing looks amiss.


  • Phishing is a psychological attack and as such requires psychological training to combat it. The best course of action is to be aware that these types of attacks are possible, and to be wary of any email that asks for private information.

  • Credible sites should never request personal information through an email. If you believe the email is legitimate and that the site really does need the information, always go directly to the site from your web browser, never through links or forms provided in the email itself.

Phishing is a growing way of obtaining private information from people while avoiding the difficulties normally associated with breaking into the system itself. It effectively bypasses many of the safeguards a typical security perimeter implements, leaving corporate, financial and personal information protected only by your, or your users', ability to tell legitimate emails from fraudulent ones.

There is no silver bullet to prevent phishing; however, there are things you can do to reduce the threat. First, understand that phishing is more than spam; it is closer to a virus. For corporations, email addresses should be removed from the public website, and address standards reviewed to verify that they are not easily guessed. Next, education is crucial to increase phishing awareness and appropriate responses, such as the ability to properly identify phishing attempts through verification of the sender, the message content, and the links.
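As an added example (not from the original post), here is a small Python checker that applies that last point, verifying the sender, the message content, and the links, to two constructed messages: a lure modelled on the eBay email in the story above, and a clean notice for comparison. The brand-to-domain table, the finding tags, and the registered-domain heuristic are assumptions made for this example, not any mail filter's real rules.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brand -> domains the brand really uses. Illustrative assumption for this example;
# a real deployment would maintain this list from the brands' published domains.
BRAND_DOMAINS = {"ebay": {"ebay.com"}}
URGENCY_TERMS = ("disabled", "suspended", "within 24 hours", "immediately", "verify your account")

# Constructed sample lure modelled on the email in the story; not a real message.
SAMPLE_PHISH = """\
From: eBay Customer Support <support@ebay-account-services.com>
To: sandy@example.net
Subject: Your account information is out of date
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account information is out of date and must be updated within 24 hours
or your account may be disabled.</p>
<p><a href="http://signin.ebay.example-update.biz/ws/update">https://signin.ebay.com/</a></p>
<p>Thank you for your cooperation.</p>
</body></html>
"""

# Constructed sample of a plausible legitimate notice, for comparison.
SAMPLE_CLEAN = """\
From: eBay <noreply@ebay.com>
To: sandy@example.net
Subject: You won an auction
Content-Type: text/html; charset=utf-8

<html><body><p>Congratulations, you won item 123.</p>
<p><a href="https://www.ebay.com/myebay">https://www.ebay.com/myebay</a></p></body></html>
"""


class _LinksAndText(HTMLParser):
    """Collects (href, visible link text) pairs and the message's visible text."""

    def __init__(self):
        super().__init__()
        self.links, self.text, self._href, self._buf = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href"), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a hostname ('www.ebay.com' -> 'ebay.com').
    Assumption: no multi-label public suffixes such as co.uk are involved."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def host_of(url):
    """Hostname of a URL; bare text such as 'signin.ebay.com' counts as a host too."""
    return urlparse(url if "://" in url else "//" + url).hostname or ""


def brand_in(text):
    """The first known brand name mentioned in `text`, or None."""
    return next((b for b in BRAND_DOMAINS if b in text.lower()), None)


def analyze(raw_message):
    """Return 'TAG: detail' findings for the message; an empty list means no red flags."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. Sender: a message trading on a brand's name should come from that brand's domain.
    display_name, addr = parseaddr(str(msg["From"]))
    sender_domain = registered_domain(addr.rsplit("@", 1)[-1])
    claimed = brand_in(display_name) or brand_in(str(msg["Subject"]))
    if claimed and sender_domain not in BRAND_DOMAINS[claimed]:
        findings.append(f"SENDER_DOMAIN_MISMATCH: claims {claimed} but sent from {sender_domain}")

    body = msg.get_body(preferencelist=("html", "plain"))
    parser = _LinksAndText()
    parser.feed(body.get_content() if body else "")

    # 2. Links: where they really go versus what the text shows, and brand-name lookalikes.
    for href, shown in parser.links:
        target = registered_domain(host_of(href))
        if shown and (shown.startswith("http") or "." in shown):
            shown_domain = registered_domain(host_of(shown))
            if shown_domain != target:
                findings.append(f"LINK_TEXT_MISMATCH: text shows {shown_domain}, link goes to {target}")
        brand = brand_in(host_of(href))
        if brand and target not in BRAND_DOMAINS[brand]:
            findings.append(f"LOOKALIKE_DOMAIN: {host_of(href)} uses '{brand}' but is not a {brand} domain")
        if urlparse(href).scheme == "http":
            findings.append(f"INSECURE_LINK: {href} is plain http")

    # 3. Content: the manufactured urgency that pushes the reader to act without checking.
    text = " ".join(parser.text).lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        findings.append(f"URGENCY_LANGUAGE: {', '.join(hits)}")
    return findings


if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(name, analyze(sample) or "no findings")
```

The link check is the one users can apply by hand: hover over the link and compare the domain the browser shows with the domain the text claims. The sender check only looks at the visible From header, which a phisher can forge outright, so in a real filter it would be paired with the sending server's authentication results rather than trusted on its own.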

Sunday, April 8, 2007

Typography


Typography is a beautiful, powerful thing; too bad it's not really used much any more. When used effectively, typography can be a brilliant medium to convey a message. Watching the 2005 keynote of OSCON, I was pleasantly surprised to see the use of typography to convey the concept of Identity 2.0. Whether you are interested in the concept of Identity 2.0 or not, the delivery of this presentation is brilliant. It's a powerful instrument, especially when used to create emphasis within a presentation, as in this keynote address.

Dick Hardt, 2005 OSCON keynote

Tuesday, March 20, 2007

To lunch or not to lunch


First of all, I’m a fiend for outdoor bistros; I think they are the greatest thing since sliced bread when the weather is nice. Yet no one seems to have them in the western states. So when I was down in Boise this last weekend, I was ecstatic that not only was it great weather but there was a patio open for lunch. Not knowing what the place was or how good it was, I was determined to try it based on the patio alone.

Once we sat down and received our menus, I was finally enlightened as to what we were going to be having for lunch: pizza. After narrowing our choices down to two, we inquired as to whether we could have half and half, making everyone happy. Of course we were pleasantly informed that we could, so, delving back into the throes of our order, we finalized our decision, everyone in agreement at last. Or at least we thought. On the return of our waitress we were devastated; baited without all the terms and conditions, we were. While we could still do half and half, we would have to start with the traditional and add toppings, resulting in a price almost equivalent to the two pizzas on their own. Delivery was key: since we had already established a heightened expectation, this information was more impactful now than if the option had never been available. What cunning deception. Not deterred, we returned to the negotiating table to pound out our order.

Through pure determination we narrowly came to an agreement on a pizza, with one stipulation: no spinach. As our terms and conditions were presented to the waitress, we calmly waited for a response while a turbulent river raged inside us, desperate to see whether they would be accepted. To our joy, they were, without any counter.

In what seemed like an eternity we waited for our food to arrive, grateful when it finally did. To our dismay the terms and conditions had been breached; there it was in plain view of everyone: spinach. The matter was escalated; the upper echelon of management was now involved. In an effort to gain control of the downward-spiraling situation, they proposed a complete scrap and replacement of their contract deliverables. The tables turned; we consulted and presented our counter: we would pick the spinach off ourselves. A cunning retort; by arguing against our own best interest, we left our opponent perplexed, to say the least. Retreating but not retiring, he had to rethink after such a blow.

Alas, he returned with a revised counter: our original order, half and half, extra large, for our troubles. Not to be outdone, we had to think quickly, but stumbled… before remembering our original offer, we retorted with a small pizza to go.

Success, a deal made. All in all it was a great pizza place, with excellent management.