[WEB SECURITY] New two-stage login procedure

Brian Eaton eaton.lists at gmail.com
Wed Dec 13 10:34:03 EST 2006

On 12/13/06, Gervase Markham <gerv at gerv.net> wrote:
> A financial institution with which I have connections has just come up
> with this:
> http://www.ingdirect.co.uk/email/capig2/animate.gif
> Leaving aside the inaccessibility of their chosen method of demoing,
> what do people think?

Interesting page.  I'm going to hold off judgement on whether this is
a good thing or a bad thing until I understand some of the unusual
features in these pages.  Here are a few things I noticed:

- You first enter both your customer number and your last name.  You
are given the opportunity to have the computer remember your customer
number, but not your last name.

I think requiring the last name as well as the customer number is
intended as a security feature.  If someone clicks the "Remember my
account" checkbox on a shared PC, someone who comes along to that PC
later won't be able to move on to the next step unless they can also
guess the last name associated with the account.  That might
discourage casual attackers who are just looking at information
sitting around on the harddrive of shared PCs.

- Then you are shown a little bit of information about the account,
including the last three digits of the account number and the last
date of access.

Showing you the last three digits of the account is an anti-phishing
measure; it is supposed to les you know that you are really
communicating with your bank, and not a phisher.  This is almost
certainly vulnerable to MITM attacks.  This may force the phishers to
write a bit of code to relay the account/last name information to the
real web site.  This might discourage casual scams, but I doubt it
will even do that.  However, designing login pages for banks is not
done casually.  I may be missing something here.  Is there some other
security feature on this page that would prevent MITM, perhaps?

The second security feature there, showing the last date of access to
the account, is good practice.  It gives someone a chance of
discovering unauthorized access to their account.  It's not shown in
the demo, but I wouldn't be surprised if they also display information
about the number of recent failed logins.

- Then you are prompted to enter some randomly selected digits of your
PIN, using an on-screen keypad.

Using an on-screen keypad is designed to defeat the older key logging
trojans that are still found in the wild.  This won't do anything to
slow down the newer trojans that capture mouse-clicks.  I dislike this
from an accessibility standpoint, but it's not too bad as one
component of the overall security system.  Shoulder surfing is a risk,
but I doubt shoulder surfing leads to wide-spread account compromises.
 They probably chose to increase the risk of shoulder surfing so they
could decrease the risk from trojans.

Using randomly selected digits of your PIN is a countermeasure against
newer trojans that do capture mouse-clicks.  If you are logging in
just one time from a shared PC, the newer trojans won't capture your
entire PIN, just a few digits.  Whether this does any good depends on
how long your PIN is, and how frequently the bank changes which digits
it asks for.

If the bank changes the digits with each new login attempt, that could
be a serious problem.  The attacker could keep requesting the page
over and over again, until the bank asks for three digits the attacker
already knows.  If the bank only changes the digits after a successful
login, that is better.

There's a trade-off here involving the number of digits they ask for.
If they ask for too many digits, they risk giving away too much
information to trojan horses.  If they ask for too few digits, the
digits become too easy to guess.  They ask for three digits, so there
are 1000 possibilities.  That's not enough to stand-up to a brute
force attempt.  Presumably they limit the number of attempts that can
be made before they disable the account.

I'd be interested to know the details of how they disable the account.
 Do they temporarily lock the account, for minutes, hours, or days?
Or do they require you to contact customer service to get the account

- You are also prompted to enter your memorable date.

I'm not sure why they ask for this.  Maybe because it increases the
number of possibilities for the secret code?  In theory this increases
the number of possibilities for the code from 1000 to 36,500,000.  In
practice the range is probably smaller, because memorable dates are
likely to be somewhat predictable.  I wonder if memorable dates end up
having lower entropy or higher entropy than passwords?

This may have been a compromise between usability and security.  They
didn't want to require users to remember both a PIN and a password,
but they needed to increase the entropy in the secret code used to
login to the account.  They compromised on PIN and date.


The Web Security Mailing List: 

The Web Security Mailing List Archives: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

More information about the websecurity mailing list