LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 01-08-2015, 06:12 PM   #1
jlinkels
LQ Guru
 
Registered: Oct 2003
Location: Bonaire, Leeuwarden
Distribution: Debian /Jessie/Stretch/Sid, Linux Mint DE
Posts: 5,195

Rep: Reputation: 1043
How secure is this system to access my bank account


My bank has issued card with a matrix of characters. It looks like this:
Code:
 |A|B|C|D|E|F|G|H|I|J|
1|Q|D|E|4|T|V|X|9|F|B|
2|L|Q|3|C|H|M|C|P|4|H|
3|L|A|N|E|4|W|S|Z|3|K|
4|K|F|B|M|Q|7|8|Y|C|N|
5|T|F|H|K|3|X|J|5|0|J|
The contents are fake, but the numbers of rows and columns are correct. Obviously every customer has his own card.
I log in with an (easy to guess) account code + (hopefully strong) password. Then 3 characters of the card above are asked, say B4, C2, J1. At each login, the requested cells are different. However, when a login attempt fails due to entering the wrong characters, the same cells are requested again. After 3 attempts the account is blocked for 24 hours.

How safe is this?

jlinkels
 
Old 01-08-2015, 07:29 PM   #2
ordealbyfire83
Member
 
Registered: Oct 2006
Location: Leiden, Netherlands
Distribution: LFS, Ubuntu Hardy
Posts: 302

Rep: Reputation: 89
It's debatable, and it depends how you choose to look at this. On the one hand, you can consider the array as a 50-character sequence, or ordered array. Just think of this as a 50-character password that you cannot change. So you are being asked for (1) a public key, aka your account number or identifier, (2) a private key, aka your password, and (3) selected characters from the bank-issued, quasi-private key.

On the other hand, you could consider each of the three required characters from the matrix to be three individual, single-character passwords. Furthermore, being asked that all three be correct exponentially decreases the chance that someone could guess the proper character at random. But then being given three chances to enter this information will recoup some of the lost opportunity.

But in general, after a finite number of logins you will exhaust all random combinations of three characters from the matrix, so it is probably only of marginal benefit unless your bank changes the matrix at frequently irregular intervals.

Is it better than a straight username/password login? Probably. Is it as secure as it could be? Hardly. If the bank wanted to get really creative, they could harness the matrix arrangement of characters more fully - think of being asked to perform advanced algebraic calculations utilizing particular entries, and then being asked to perform calculations on those answers. That would be far more advantageous than just strictly recalling the characters.

Likewise the definition of "safe" plays a part - who is this information being kept private from? It might keep out the casual "crackers," but if this is all transmitted over SSL et al then you are also relying on the strength of external libraries.

Last edited by ordealbyfire83; 01-08-2015 at 07:34 PM.
 
1 members found this post helpful.
Old 01-08-2015, 07:33 PM   #3
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,659
Blog Entries: 4

Rep: Reputation: 3941
All I can say is, "I could never explain it to my grandmother."

And that will probably turn out to be the system's downfall.
 
Old 01-08-2015, 07:36 PM   #4
Dig
Member
 
Registered: Nov 2009
Posts: 50

Rep: Reputation: 1
This is second-factor authentication, which adds a new security layer to your login. I prefer the mobile SMS sent by banks with the code, or hardware tokens, because once you lose one you can report it to block the account; IDs can be copied without your knowledge. However, this is not the optimum security practice, but it's still good.

Safety depends on many factors actually. From the client side, keep this ID away from anyone and use a secure connection to log in to your account with safe browsing. From the server side, deal with a reputable bank.
 
Old 01-08-2015, 07:42 PM   #5
dugan
LQ Guru
 
Registered: Nov 2003
Location: Canada
Distribution: distro hopper
Posts: 11,224

Rep: Reputation: 5320
Wow, a new system that looks like it was designed to be implemented with punched cards!

And it doesn't sound secure at all. Wouldn't getting a copy (photo, photocopy, etc) of the matrix be trivial?

Last edited by dugan; 01-08-2015 at 07:44 PM.
 
Old 01-08-2015, 07:46 PM   #6
syg00
LQ Veteran
 
Registered: Aug 2003
Location: Australia
Distribution: Lots ...
Posts: 21,126

Rep: Reputation: 4120
Excellent - I've still got a box of them somewhere ...

Better than just the account #/password my bank (still) uses.
 
Old 01-08-2015, 09:21 PM   #7
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982

Rep: Reputation: 492
Seems to be overly complex for minimal benefit. I don't think it will catch on. If the card is re-issued often then it might be of some benefit, but otherwise it will be just as useful as the three numbers on the back of your credit card.
 
Old 01-08-2015, 10:20 PM   #8
ntubski
Senior Member
 
Registered: Nov 2005
Distribution: Debian, Arch
Posts: 3,780

Rep: Reputation: 2081
Quote:
Originally Posted by jlinkels
However, when a login attempt fails due to entering the wrong characters, the same cells are requested again.
This is dubious. Do they at least also request the same cells again if the password is wrong even if the characters are right? Otherwise they are leaking info about your credentials.

Quote:
Originally Posted by ordealbyfire83
But in general, after a finite number of logins you will exhaust all random combinations of three characters from the matrix, so it is probably only of marginal benefit unless your bank changes the matrix at frequently irregular intervals.
Specifically, 50 choose 3 = 19600. Which isn't a whole lot, but assuming the rate limiting to 1 a day works that is 53 years.

Quote:
If the bank wanted to get really creative, they could harness the matrix arrangement of characters more fully - think of being asked to perform advanced algebraic calculations utilizing particular entries, and then being asked to perform calculations on those answers. That would be far more advantageous than just strictly recalling the characters.
This doesn't sound especially usable for humans.

Quote:
Likewise the definition of "safe" plays a part - who is this information being kept private from?
Yes.

Quote:
Originally Posted by dugan
Wouldn't getting a copy (photo, photocopy, etc) of the matrix be trivial?
I don't think physically stealing it (even temporarily) should be considered trivial.

Quote:
Originally Posted by metaschima
Seems to be overly complex for minimal benefit. I don't think it will catch on. If the card is re-issued often then it might be of some benefit, but otherwise it will be just as useful as the three numbers on the back of your credit card.
It provides some security against keyloggers, it's better than just 3 constant numbers. Also, while it's still common to hand over your credit card to others (to pay them), presumably you wouldn't do that with this card. On the other hand, if the attacker can install a keylogger on your machine, presumably they could install something that listens to the whole session, so they would only need 50/3 ~ 7 sessions to figure out the whole matrix... (this requires something more specialized than a keylogger though).
 
Old 01-08-2015, 11:37 PM   #9
Teufel
Member
 
Registered: Apr 2012
Distribution: Gentoo
Posts: 616

Rep: Reputation: 142
Quote:
Originally Posted by ntubski
Specifically, 50 choose 3 = 19600. Which isn't a whole lot, but assuming the rate limiting to 1 a day works that is 53 years.
Isn't it 50*50*50=125000?

And who knows what the bank will do if (for example) 3-digit combinations were entered wrongly 15 times in a row (5 days * 3 attempts)?
The bank may just block this account and send you an invitation to visit them to be sure that it was not an attempt to crack the account.
 
Old 01-09-2015, 02:27 AM   #10
allend
LQ 5k Club
 
Registered: Oct 2003
Location: Melbourne
Distribution: Slackware64-15.0
Posts: 6,371

Rep: Reputation: 2750
Looking at that card, it looks as though the characters are the 26 capital alphabetic characters plus the 10 digits 0-9, so according to my mathematics, the chance of a random guess being correct is 1 in 36^3 (=46656).
 
Old 01-09-2015, 07:34 AM   #11
jlinkels
LQ Guru
 
Registered: Oct 2003
Location: Bonaire, Leeuwarden
Distribution: Debian /Jessie/Stretch/Sid, Linux Mint DE
Posts: 5,195

Original Poster
Rep: Reputation: 1043
Quote:
Originally Posted by sundialsvcs
All I can say is, "I could never explain it to my grandmother."
My father has Alzheimer's and he still seems to use it.

Quote:
Originally Posted by allend
Looking at that card, it looks as though the characters are the 26 capital alphabetic characters plus the 10 digits 0-9, so according to my mathematics, the chance of a random guess being correct is 1 in 36^3 (=46656).
I think I agree. Although I have never been able to figure out what to enter for '0'. I think I always enter zero, and I think I never tried OH. I have about 4 accounts with different cards and I never see the OH used. Maybe more characters are excluded. But yes, basically it is 36 * 36 * 36. The same cell is never asked twice, but the cell contents can be identical for multiple cells. So it is not 36 * 35 * 34.

Quote:
Originally Posted by ntubski
This is dubious. Do they at least also request the same cells again if the password is wrong even if the characters are right? Otherwise they are leaking info about your credentials.
If you enter the wrong password you don't get the questions for the cell contents.

Quote:
Originally Posted by Teufel
And who knows what the bank will do if (for example) 3-digit combinations were entered wrongly 15 times in a row (5 days * 3 attempts)?
The bank may just block this account and send you an invitation to visit them to be sure that it was not an attempt to crack the account.
It never happened, so I have no idea. I do know that I never noticed that my account was blocked by logins I did not perform myself. But that of course doesn't say a thing.

Quote:
Originally Posted by ntubski
I don't think physically stealing it (even temporarily) should be considered trivial.
I am afraid it is. Many people carry this card in their wallet. OTOH, neither the name, nor the account number is written on the matrix card. But since the card is often carried in the wallet together with the bank's debit card, which does carry the account number this is a risk. Like I said, the login name is easily derived from those data. I don't carry the cards.

About those code generating tokens some banks issue: I have one which generates 6-digit key. The odds to guess that key correctly is 1 in 10e6. Although the chances to guess are less I am not sure practically one system is more safe or less safe than the other. Both systems block after 3 invalid attempts.

jlinkels

Last edited by jlinkels; 01-09-2015 at 07:35 AM.
 
Old 01-09-2015, 10:49 AM   #12
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,659
Blog Entries: 4

Rep: Reputation: 3941
(Alzheimer's ...)

My prayers for your father . . .

---

(Punched Cards ...)

Yessir, I still have my "card saw," and I am a proud member of the "dropped an entire box, and a few of the cards vanished under a three-hundred-pound printer and I had to dig them out without getting high-potted" club.
 
Old 01-09-2015, 01:26 PM   #13
ntubski
Senior Member
 
Registered: Nov 2005
Distribution: Debian, Arch
Posts: 3,780

Rep: Reputation: 2081
Quote:
Originally Posted by Teufel
Isn't it 50*50*50=125000?
No, because they won't ask you the same cell twice, start with 50*49*48 = 117600. And since it doesn't matter what order they ask in, divide by possible permutations: 3! = 3*2*1 = 6; 117600 / 6 = 19600.

Quote:
And who knows what the bank will do if (for example) 3-digit combinations were entered wrongly 15 times in a row (5 days * 3 attempts)?
The bank may just block this account and send you an invitation to visit them to be sure that it was not an attempt to crack the account.
If they are doing their job, then yes.

Quote:
Originally Posted by jlinkels
If you enter the wrong password you don't get the questions for the cell contents.
So the password can be attacked independently of the card. That's not very good.

Quote:
I am afraid it is. Many people carry this card in their wallet.
But only people physically close to you can steal it. That's a minority of humans.
Quote:
I have one which generates 6-digit key. The odds to guess that key correctly is 1 in 10e6. Although the chances to guess are less I am not sure practically one system is more safe or less safe than the other.
It's harder to copy at least.
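The counting in ntubski's posts (#8 and #13), allend's 36^3 figure and the OP's description of the challenge (three random cells, the same cells re-asked after a wrong answer, a 24-hour block after three failures) put into one runnable model. This is an added example, not code from any poster or from any bank: the 36-symbol alphabet (26 capitals plus 10 digits), the behaviour of the pending challenge across a lockout, the simulated clock in hours and the randomly generated sample card are all assumptions made here.

```python
"""Model of the matrix-card login described in the thread (added example)."""
from math import comb, ceil
import random
import string

ROWS, COLS = 5, 10                  # card layout from the first post
CELLS = ROWS * COLS                 # 50 cells
PER_CHALLENGE = 3                   # cells requested at each login
ALPHABET = string.ascii_uppercase + string.digits   # 36 symbols (assumption: all used)


def make_card(rng):
    """Constructed sample card: a random 5x10 grid drawn from ALPHABET."""
    return [[rng.choice(ALPHABET) for _ in range(COLS)] for _ in range(ROWS)]


def cell_labels(cells):
    """Cell index -> label in the card's own notation, e.g. 13 -> 'D2'."""
    return [f"{string.ascii_uppercase[c % COLS]}{c // COLS + 1}" for c in cells]


def answer_for(card, cells):
    """What the legitimate card holder types for the requested cells."""
    return "".join(card[c // COLS][c % COLS] for c in cells)


class MatrixCardVerifier:
    """Bank side as the OP describes it: three random cells are asked, a wrong
    answer re-asks the same cells, and the third failure locks for 24 hours.
    Assumption: the pending challenge is kept across the lockout."""

    def __init__(self, card, rng, max_failures=3, lock_hours=24):
        self.card, self.rng = card, rng
        self.max_failures, self.lock_hours = max_failures, lock_hours
        self.failures, self.locked_until, self.pending = 0, 0.0, None

    def challenge(self, now):
        """Return the cells to answer; `now` is a simulated clock in hours."""
        if now < self.locked_until:
            raise PermissionError("account locked")
        if self.pending is None:   # only a success clears the sticky challenge
            self.pending = tuple(sorted(self.rng.sample(range(CELLS), PER_CHALLENGE)))
        return self.pending

    def verify(self, answer, now):
        cells = self.challenge(now)
        if answer == answer_for(self.card, cells):
            self.failures, self.pending = 0, None
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.failures, self.locked_until = 0, now + self.lock_hours
        return False


def distinct_challenges():
    """Distinct 3-cell sets the bank can ask for: C(50,3) = 19600 (post #8)."""
    return comb(CELLS, PER_CHALLENGE)


def guess_space():
    """Answers to try against one fixed challenge: 36^3 = 46656 (post #10)."""
    return len(ALPHABET) ** PER_CHALLENGE


def worst_case_days(space, attempts_before_lock=3, lock_hours=24):
    """Days needed to try every answer in `space` under the lockout policy."""
    return ceil(space / (attempts_before_lock * 24 / lock_hours))


def fraction_answerable(seen_cells):
    """Chance that a fresh random challenge uses only cells an eavesdropper has
    already seen: a partial view of the card already buys a partial success rate."""
    return comb(seen_cells, PER_CHALLENGE) / comb(CELLS, PER_CHALLENGE)


def sessions_until_card_known(seed):
    """Sessions an eavesdropper must record before every cell has been asked.
    ceil(50/3) = 17 is the floor; random repeats push the real number higher."""
    rng, seen, sessions = random.Random(seed), set(), 0
    while len(seen) < CELLS:
        seen.update(rng.sample(range(CELLS), PER_CHALLENGE))
        sessions += 1
    return sessions


def demo(seed=7):
    """Exercise the protocol once and report what happened."""
    rng = random.Random(seed)
    card = make_card(rng)
    bank = MatrixCardVerifier(card, rng)
    cells = bank.challenge(now=0)
    wrong = bank.verify("!!!", now=0)              # '!' is never on the card
    same_cells = bank.challenge(now=0) == cells    # a failure re-asks the same cells
    right = bank.verify(answer_for(card, cells), now=0)
    for _ in range(3):                             # three failures -> lockout
        bank.verify("!!!", now=1)
    try:
        bank.challenge(now=2)
        locked = False
    except PermissionError:
        locked = True
    reopened = bank.challenge(now=26) is not None  # open again 24 hours later
    return {"labels": cell_labels(cells), "wrong": wrong, "same_cells": same_cells,
            "right": right, "locked": locked, "reopened": reopened}


if __name__ == "__main__":
    print(demo())
    print(distinct_challenges(), guess_space(), worst_case_days(guess_space()))
```

`worst_case_days(guess_space())` is the number of days an attacker holding a sticky challenge would need to try all 46656 answers at three per day, and `worst_case_days(distinct_challenges(), attempts_before_lock=1)` reproduces the one-attempt-a-day figure behind the 53 years in post #8 (19600 days). `fraction_answerable` quantifies the recorded-session concern from the same post: once part of the card has been observed, some fresh challenges are already answerable, long before the whole card is known. The model only covers the card step; as post #13 notes, the password in front of it is checked separately.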
 
Old 01-09-2015, 02:45 PM   #14
Teufel
Member
 
Registered: Apr 2012
Distribution: Gentoo
Posts: 616

Rep: Reputation: 142
If someone gets access (even temporarily) to the card, you'll lose your money. No matter how many symbols that matrix contains.

To make it secure enough, you need to memorize the matrix and burn the card.
No one can steal symbols from your head.
 