Dmitry Belyavsky (beldmit) wrote,
Dmitry Belyavsky
beldmit

Банковская безопасность для параноиков

I have an account with one of HSBC's banks and in my case their password
use is pretty impressive. (I don't know how it varies around the world
with different instances of HSBC.)

1. They chose the password, not me. (So not duplicated elsewhere, at
least not initially.) Short, alpha-numeric.


2. When I login, they want my account number. Their Javascript doesn't
allow pasting, I used to use X11 middle-click pasting but one day they
decided I was a specific piece of Windows malware and locked me out
until I had my computer professionally cleaned. I managed to talk them
out of that for my Linux machine--but I don't middle click any more. (I
actually ended up talking to someone pretty real.) They are watching
their attacks, maintaining a security model on each customer.

4. They want the answer to a security question (effectively a password I
have chosen).

5. They want their password--but only a few positions, they show a form,
graying out boxes for positions they are not interested in.

In their model they are keeping track of when they have used which
character positions (when a keyboard sniffer might have discovered a
position). They seem to settle on the same character positions for a
long time, until something interesting happens (such as logging in with
a smart phone app), then they shift them. I bet their HTML doesn't
obviously reveal which positions they are requesting, to make the
sniffing harder.

They are being pretty clever to make up for terribly endpoint security.


Первоисточник

This entry was originally posted at http://beldmit.dreamwidth.org/406780.html. Your comment? (comment count unavailable comments)
Tags: security
Subscribe

  • Немного лытдыбра

    Съездил в Прагу. Надо было отправить Галю в Москву закрыть программу 10 класса. Одну. Очень нервничал, что завернут, но девица благополучно доехала и…

  • Ещё один штрих к портрету эпохи

    При затоплении Молого-Шекснинской низменности людей переселяли, произвольно оценивая сумму компенсации за обустройство на новом месте. Но песня не о…

  • Менеджмент во время «Битвы за Британию»

    Где-то по сети ходил текст про то, как реорганизовали в первые дни Битвы за Британию менеджмент выпуска истребителей и всё вокруг, потому что пришёл…

  • Post a new comment

    Error

    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded 

  • 3 comments