How secure is this system to access my bank account
Linux - Security: this forum is for all security-related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
The contents are fake; the numbers of rows and columns are correct. Obviously every customer has his own card.
I log in with an (easy to guess) account code + (hopefully strong) password. Then 3 characters of the card above are asked for, say B4, C2, J1. At each login, the requested cells are different. However, when a login attempt fails due to entering the wrong characters, the same cells are requested again. After 3 attempts the account is blocked for 24 hours.
It's debatable, and it depends how you choose to look at this. On the one hand, you can consider the array as a 50-character sequence, or ordered array. Just think of this as a 50-character password that you cannot change. So you are being asked for (1) a public key, aka your account number or identifier, (2) a private key, aka your password, and (3) selected characters from the bank-issued, quasi-private key.
On the other hand, you could consider each of the three required characters from the matrix to be three individual, single-character passwords. Furthermore, being asked that all three be correct exponentially decreases the chance that someone could guess the proper character at random. But then being given three chances to enter this information will recoup some of the lost opportunity.
But in general, after a finite number of logins you will exhaust all random combinations of three characters from the matrix, so it is probably only of marginal benefit unless your bank changes the matrix at frequently irregular intervals.
Is it better than a straight username/password login? Probably. Is it as secure as it could be? Hardly. If the bank wanted to get really creative, they could harness the matrix arrangement of characters more fully - think of being asked to perform advanced algebraic calculations utilizing particular entries, and then being asked to perform calculations on those answers. That would be far more advantageous than just strictly recalling the characters.
Likewise the definition of "safe" plays a part - who is this information being kept private from? It might keep out the casual "crackers," but if this is all transmitted over SSL et al then you are also relying on the strength of external libraries.
Last edited by ordealbyfire83; 01-08-2015 at 07:34 PM.
This is second-factor authentication, which adds a new security layer to your login. I prefer the mobile SMS sent by banks with the code, or hardware tokens, because once you lose it you can report it to block the account; IDs can be copied without your knowledge. However, this is not the optimum security practice, but it's still good.
Safety depends on many factors, actually. From the client side, keep this ID away from anyone and use a secure connection to log in to your account with safe browsing. From the server side, deal with a reputable bank.
Seems to be overly complex for minimal benefit. I don't think it will catch on. If the card is re-issued often then it might be of some benefit, but otherwise it will be just as useful as the three numbers on the back of your credit card.
However, when a login attempt fails due to entering the wrong characters, the same cells are requested again.
This is dubious. Do they at least also request the same cells again if the password is wrong even if the characters are right? Otherwise they are leaking info about your credentials.
Quote:
Originally Posted by ordealbyfire83
But in general, after a finite number of logins you will exhaust all random combinations of three characters from the matrix, so it is probably only of marginal benefit unless your bank changes the matrix at frequently irregular intervals.
Specifically, 50 choose 3 = 19600, which isn't a whole lot, but assuming the rate limiting to 1 a day works, that is 53 years.
Quote:
If the bank wanted to get really creative, they could harness the matrix arrangement of characters more fully - think of being asked to perform advanced algebraic calculations utilizing particular entries, and then being asked to perform calculations on those answers. That would be far more advantageous than just strictly recalling the characters.
This doesn't sound especially usable for humans.
Quote:
Likewise the definition of "safe" plays a part - who is this information being kept private from?
Yes.
Quote:
Originally Posted by dugan
Wouldn't getting a copy (photo, photocopy, etc) of the matrix be trivial?
I don't think physically stealing it (even temporarily) should be considered trivial.
Quote:
Originally Posted by metaschima
Seems to be overly complex for minimal benefit. I don't think it will catch on. If the card is re-issued often then it might be of some benefit, but otherwise it will be just as useful as the three numbers on the back of your credit card.
It provides some security against keyloggers, it's better than just 3 constant numbers. Also, while it's still common to hand over your credit card to others (to pay them), presumably you wouldn't do that with this card. On the other hand, if the attacker can install a keylogger on your machine, presumably they could install something that listens to the whole session, so they would only need 50/3 ~ 7 sessions to figure out the whole matrix... (this requires something more specialized than a keylogger though).
Specifically, 50 choose 3 = 19600, which isn't a whole lot, but assuming the rate limiting to 1 a day works, that is 53 years.
Isn't it 50*50*50=125000?
And who knows what the bank will do if (for example) 3-digit combinations were entered wrongly 15 times in a row (5 days * 3 attempts)?
The bank may just block this account and send you an invitation to visit them to be sure that it was not an attempt to crack the account.
Looking at that card, it looks as though the characters are the 26 capital alphabetic characters plus the 10 digits 0-9, so according to my mathematics, the chance of a random guess being correct is 1 in 36^3 (=46656).
Quote:
Originally Posted by sundialsvcs
All I can say is, "I could never explain it to my grandmother."
My father has Alzheimer's and he still seems to use it.
Quote:
Originally Posted by allend
Looking at that card, it looks as though the characters are the 26 capital alphabetic characters plus the 10 digits 0-9, so according to my mathematics, the chance of a random guess being correct is 1 in 36^3 (=46656).
I think I agree. Although I have never been able to figure out what to enter for '0'. I think I always enter zero, and I think I never tried OH. I have about 4 accounts with different cards and I never see the OH used. Maybe more characters are excluded. But yes, basically it is 36 * 36 * 36. The same cell is never asked twice, but the cell contents can be identical for multiple cells. So it is not 36 * 35 * 34.
Quote:
Originally Posted by ntubski
This is dubious. Do they at least also request the same cells again if the password is wrong even if the characters are right? Otherwise they are leaking info about your credentials.
If you enter the wrong password you don't get the questions for the cell contents.
Quote:
Originally Posted by Teufel
And who knows what the bank will do if (for example) 3-digit combinations were entered wrongly 15 times in a row (5 days * 3 attempts)?
The bank may just block this account and send you an invitation to visit them to be sure that it was not an attempt to crack the account.
It never happened, so I have no idea. I do know that I never noticed that my account was blocked by logins I did not perform myself. But that of course doesn't say a thing.
Quote:
Originally Posted by ntubski
I don't think physically stealing it (even temporarily) should be considered trivial.
I am afraid it is. Many people carry this card in their wallet. OTOH, neither the name nor the account number is written on the matrix card. But since the card is often carried in the wallet together with the bank's debit card, which does carry the account number, this is a risk. Like I said, the login name is easily derived from those data. I don't carry the cards.
About those code-generating tokens some banks issue: I have one which generates a 6-digit key. The odds of guessing that key correctly are 1 in 10e6. Although the chances to guess are less, I am not sure practically whether one system is more safe or less safe than the other. Both systems block after 3 invalid attempts.
Yessir, I still have my "card saw," and I am a proud member of the "dropped an entire box, and a few of the cards vanished under a three-hundred-pound printer and I had to dig them out without getting high-potted" club.
No, because they won't ask you the same cell twice, start with 50*49*48 = 117600. And since it doesn't matter what order they ask in, divide by possible permutations: 3! = 3*2*1 = 6; 117600 / 6 = 19600.
Quote:
And who knows what the bank will do if (for example) 3-digit combinations were entered wrongly 15 times in a row (5 days * 3 attempts)?
The bank may just block this account and send you an invitation to visit them to be sure that it was not an attempt to crack the account.
If they are doing their job, then yes.
Quote:
Originally Posted by jlinkels
If you enter the wrong password you don't get the questions for the cell contents.
So the password can be attacked independently of the card. That's not very good.
Quote:
I am afraid it is. Many people carry this card in their wallet.
But only people physically close to you can steal it. That's a minority of humans.
Quote:
I have one which generates 6-digit key. The odds to guess that key correctly is 1 in 10e6. Although the chances to guess are less I am not sure practically one system is more safe or less safe than the other.