Old 04-02-2009, 08:05 PM   #1
browny_amiga
Member
 
Registered: Dec 2001
Location: /mnt/UNV/Mlkway/Earth/USA/California/Silicon Valley
Distribution: Kubuntu, Debian Buster Stable, Windoze 7
Posts: 684

Rep: Reputation: 56
which US banks offer secure e-banking?


Hi

I might be out of line asking this here, but linuxquestions is my favorite forum and therefore, I think you guys will know the answer to it.

Secure for me means with a token, either synchronous or asynchronous or a one time pad (two factor: what you know and what you have). Password and username is not secure, since a simple phishing or keylogger attack will empty your account in no time.
And, the bank will surely take no responsibility for funds that are taken away due to their own lax security.

Does anybody know banks that offer this type of secure authentication for private customers?

thanx

Markus
 
Old 04-02-2009, 09:20 PM   #2
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
I don't know of a US bank off the top of my head, but it might be worthwhile to take a moment to read:
 
Old 04-03-2009, 01:29 AM   #3
browny_amiga
Member
 
Registered: Dec 2001
Location: /mnt/UNV/Mlkway/Earth/USA/California/Silicon Valley
Distribution: Kubuntu, Debian Buster Stable, Windoze 7
Posts: 684

Original Poster
Rep: Reputation: 56
Well, thanx for pointing that out.
It is obvious that two factors is more secure than just one factor, since there is much more effort involved. It is just so very easy to snatch a password and username.

>Hackers sent the customers emails falsely claiming
> to be from ABN Amro. If recipients opened an
>attachment, software was installed on their machines
>without their knowledge.

Well, that sounds like Windows to me. Thankfully, on my Linux machine, there is no installing or accessing root (admin) privileges without me entering my password. So that would be impossible. And .exes don't execute well on Linux ;-)

Would appreciate any pointers to two factor authentication banks. One factor is just criminally insecure. I just cleaned up a friend's computer, he did not have antivirus protection and the computer (XP) was infested with over 50 viruses. Now the clue: the son was doing e-banking on that machine, with Bank of America....and they don't offer two factor. *brrrrr* *shaking-of-disgust*
Who is the responsible security officer for that bank?

Markus
 
Old 04-03-2009, 07:01 PM   #4
Blinker_Fluid
Member
 
Registered: Jul 2003
Location: Clinging to my guns and religion.
Posts: 683

Rep: Reputation: 63
When I sign in on a new computer my bank not only asks the username/password but then it asks a question from a set of 3 that you had answered earlier when you initially set up. When you return it has a security picture with a word that you associated with the picture so you know it's not someone spoofing. Not sure if that's what you are asking about but that came to mind.
 
Old 04-07-2009, 03:42 PM   #5
moxieman99
Member
 
Registered: Feb 2004
Distribution: Dabble, but latest used are Fedora 13 and Ubuntu 10.4.1
Posts: 425

Rep: Reputation: 147
Quote:
Originally Posted by browny_amiga View Post

Thankfully, on my Linux machine, there is no installing or accessing root (admin) privileges without me entering my password. So that would be impossible. And .exes don't execute well on Linux ;-)
Why would a keylogger or other evil program necessarily need to install itself through root in order to get your information?

I'm sure there's enough permission escalation exploits and stack overloads and whatnot out there to overtake even the vigilant. The only safe online banking is NO online banking, no matter what your operating system is.
 
Old 04-10-2009, 10:49 PM   #6
browny_amiga
Member
 
Registered: Dec 2001
Location: /mnt/UNV/Mlkway/Earth/USA/California/Silicon Valley
Distribution: Kubuntu, Debian Buster Stable, Windoze 7
Posts: 684

Original Poster
Rep: Reputation: 56
Quote:
Originally Posted by moxieman99 View Post
Why would a keylogger or other evil program necessarily need to install itself through root in order to get your information?

I'm sure there's enough permission escalation exploits and stack overloads and whatnot out there to overtake even the vigilant. The only safe online banking is NO online banking, no matter what your operating system is.
Well, normally they use root privileges. To escalate privileges in a secure OS is not that easy really. You need to build in a lot of intelligence into that mechanism and probably also need user cooperation.
I guess it all depends on the security architecture that your OS has, and the need for antivirus protection on it is a good hint.
Architecture must include security from the very start, no retrofitting can be done. Retrofitting security on an OS (that had none before) will leave holes: Legacy modes to ensure compatibility with older less security minded programs (like Vista has it) is a big NO NO. Think hut that gets fortified with strong 5 inch steel doors and powerful windows, but still has one window and door that are of 1 inch plywood, where the key is on the sill, for the old janitor that does not know how to operate the fancy armored door.

But it is easy to generalize that all OS are the same security wise, although there are facts that prove otherwise.

Cheers

Markus

Last edited by browny_amiga; 04-10-2009 at 10:56 PM.
 
Old 04-11-2009, 10:22 PM   #7
moxieman99
Member
 
Registered: Feb 2004
Distribution: Dabble, but latest used are Fedora 13 and Ubuntu 10.4.1
Posts: 425

Rep: Reputation: 147
Quote:
Originally Posted by browny_amiga View Post

But it is easy to generalize that all OS are the same security wise, although there are facts that prove otherwise.

Cheers

Markus
-----------------------
You misinterpret what I wrote. All OSs have vulnerabilities. That is not the same as generalizing that all OSs are the same in terms of security vulnerabilities. Then factor in the fact that you have at least three computer systems, and most likely three OSs, involved in any on-line banking transaction: your home computer; the internet carrier; and the bank's computer. Most likely you would have many computers with their own OSs and whatnot along the way, as your messages get passed off from one to the other.

In late 2008 Hannaford Brothers, an East coast US grocery chain, found that its credit card machine system had been hacked, and tens of thousands of card numbers stolen, because of a security flaw that allowed interception between the step where Joe Sixpack swiped his card at the cashier's terminal and the step where the information was encrypted for transmission to his bank so the transaction could be completed.

So the only safe online banking is NO online banking. Look at it this way: If you never bank online, you'll have little problem being able to say, and probably prove, that the transaction is false when your account is hacked.
 
Old 04-12-2009, 08:57 AM   #8
Crito
Senior Member
 
Registered: Nov 2003
Location: Knoxville, TN
Distribution: Kubuntu 9.04
Posts: 1,168

Rep: Reputation: 53
Sending someone a check with your bank's routing number, your account number, your address and an ID proving signature, now that's just plain stupid.

I do all my banking online. It's amazing how many people believe all this "hacker" propaganda.
 
Old 04-12-2009, 02:00 PM   #9
moxieman99
Member
 
Registered: Feb 2004
Distribution: Dabble, but latest used are Fedora 13 and Ubuntu 10.4.1
Posts: 425

Rep: Reputation: 147
Quote:
Originally Posted by Crito View Post
Sending someone a check with your bank's routing number, your account number, your address and an ID proving signature, now that's just plain stupid.

I do all my banking online. It's amazing how many people believe all this "hacker" propaganda.
---------------------
I just give paper checks. I don't give ID proving signature. I just left my cellphone company because they started insisting on giving them my driver's license when I went in to pay my bill each month. I had a contract with them and my address is on the check, and I'd dealt with them for almost two years, and suddenly they "need" my driver's license? Bull.

Besides, paper trails are just that: trails that lead to and fro. No one in China is going to send my bank a check "from me" without my bank knowing that it came from China. The same cannot be said of internet transactions. How many people on this board know how to spoof connections? 'nuff said.

BTW, you'll find that paying online involves giving the other party your bank's routing number and your account number, unless you put everything on credit cards, which seems to be the heart of the problem for corporations. Even then, when you pay your credit card, the credit card company has your bank info.

Paying by credit card is fine: There are federal laws limiting your liability. Online banking, however, has few, if any protections, and the last I heard, those were at the sufferance of the bank. Now THAT'S stupid.

Last edited by moxieman99; 04-12-2009 at 02:03 PM. Reason: typo
 
Old 04-21-2009, 10:19 AM   #10
1kyle
Member
 
Registered: Feb 2004
Location: 'Ol Blighty
Distribution: SLED 10, SUSE 10.3
Posts: 722

Rep: Reputation: 32
Not sure about US Banks but I love the Business model.

1) Money from you "Ostensibly goes to Bank"
2) Money never reaches Bank.
3) Bank charges you "Late Fee" of 35 USD or whatever due to delayed payments.
4) Bank also complains to Government -- We are going Bust please give us some money.
5) Trillions of Dollars go to Bank
6) Bank CEO's etc walk away with HUGE Pensions etc etc.
7) You've just got a SECOND charge of 35 USD or whatever because your money didn't reach Bank in time (due to their own stupidity) - so that's 70 USD on an overdraft of 1 USD -- lovely work if you can get it.

And so it goes on.

Don't most bad words in English have 4 letters -- any coincidence in the number of letters the word BANK has?

Cheers
-K
 
Old 04-21-2009, 11:21 PM   #11
Crito
Senior Member
 
Registered: Nov 2003
Location: Knoxville, TN
Distribution: Kubuntu 9.04
Posts: 1,168

Rep: Reputation: 53
Heck, the government (note it's not MY government) even runs ads for the bankers. I just saw one saying you'll end up flipping burgers if you have a bad credit report. Just in case there was any doubt who all these politicians are really working for...

Anywho, paying online eliminates my #1 security risk: people with "friends"/Jesus/Allah/Buddha/CIA/NSA/KGB/whatever in their heads. No crazy people involved, no problems for me.

Domo arigato Mr. Roboto!
 
Old 04-22-2009, 06:56 AM   #12
browny_amiga
Member
 
Registered: Dec 2001
Location: /mnt/UNV/Mlkway/Earth/USA/California/Silicon Valley
Distribution: Kubuntu, Debian Buster Stable, Windoze 7
Posts: 684

Original Poster
Rep: Reputation: 56
Yes, banks do overcharge and charge you ridiculous fees for stuff where only computer systems are involved. Asking 20 bucks for a wire transaction is plain robbery, it never costs that much, not even a hundredth of that.

I have been thinking that it would be time to open a low cost online bank that focuses on very low fees. It would be the first ever, since all other Banks seem to be out to make tons of money by ripping off customers. There is a whole organized thing, otherwise you could not explain the ridiculous fees they ask, strangely enough it is overpriced everywhere, in any country.

Now PayPal is new, but they also do a gigantic rip off.

So it is time for an alternative and I am sure people would flock like crazy, being unhappy with banks. This business idea, even though the profit margin would be very slim would be extremely profitable, drawing in billions and billions of funds from frustrated Bank customers.

Markus
 
Old 04-22-2009, 01:40 PM   #13
enine
Senior Member
 
Registered: Nov 2003
Distribution: Slackʍɐɹǝ
Posts: 1,486
Blog Entries: 4

Rep: Reputation: 282
"low cost online bank that focuses on very low fees" Wasn't that WaMu's original marketing?

It's US law that all (online) banks have to use a two factor authentication, but there are different ways they implement it.
As far as it being safe or not, it's super easy to copy/forge checks so using those as opposed to online isn't any safer.
 
Old 04-23-2009, 05:17 AM   #14
jisjis
LQ Newbie
 
Registered: Apr 2009
Posts: 18

Rep: Reputation: 0
Quote:
Originally Posted by browny_amiga View Post
Hi

I might be out of line asking this here, but linuxquestions is my favorite forum and therefore, I think you guys will know the answer to it.

Secure for me means with a token, either synchronous or asynchronous or a one time pad (two factor: what you know and what you have). Password and username is not secure, since a simple phishing or keylogger attack will empty your account in no time.
And, the bank will surely take no responsibility for funds that are taken away due to their own lax security.

Does anybody know banks that offer this type of secure authentication for private customers?

thanx

Markus

Swiss Banks perhaps ...


Linux

Last edited by jisjis; 04-26-2009 at 04:37 AM.
 
Old 04-23-2009, 06:38 AM   #15
enine
Senior Member
 
Registered: Nov 2003
Distribution: Slackʍɐɹǝ
Posts: 1,486
Blog Entries: 4

Rep: Reputation: 282
Quote:
Originally Posted by moxieman99 View Post
---------------------


BTW, you'll find that paying online involves giving the other party your bank's routing number and your account number, .
This is not true. When you pay your bill online from your bank, you give your bank the payee's account info and they send the payment. Now if you go to the web site of your payee then you have to provide your bank's information.
There are two ways to pay online, either the pull or push. The pull is where you sign in to, say, the electric company's web site and plug in your bank's information; the push is where you plug in your electric account number into your bank's web site. Now I'll agree that the push method can be less safe, especially where there are crap companies out there like ATT which can and do screw up bills often and take the wrong amount. So use the push method from your bank where your bank just sends a $ amount to the payee at the payee's account # you specify; the only thing that can go wrong there is you plug in the wrong account #, but at least the payee doesn't get any of your info.
 
  

