My case in point is https://www.virtuallythere.com/ the system run by Sabre to check and manage any reservation done via Sabre. The default access mechanism is just to enter your Sabre reservation code and passenger name. But you can also sign-up for a permanent login which I assume gives you access to more functions.

When you try to sign up, you are asked to invent a password, but make sure you follow the following rules:

“Should contain a minimum of 7 characters and maximum of 12 characters.
Should contain at least one numeric character.
The same character cannot appear more than twice in the password.
The same character should not repeat more than twice in a row.
There should be no spaces in the password.
The password cannot contain the characters Q,q,Z,z. ”

What’s wrong with letters Q and Z ? Why would they not be allowed ?

Albert

Having to reach out to the legitimate site to grab the security image and display it on the dummy site in the middle of the login process makes the problem quite a bit harder.

Naive question — what good are the images at all? If the evil site is doing a MITM attack it will be able to show you the images, can’t it?

In the spirit of full disclosure, I will mention that when Peoples Federal Savings Bank did exactly the same thing to me in 2001, I went ballistic. See the full story here, and the first message I sent them about it here. However, there was a big difference. At that time, Massachusetts was using social security numbers as driver’s license numbers by default, and as a result, most people’s SSNs were as close as their wallets. If a thief stole someone’s wallet, he’d be likely to get both their ATM card and their SSN, thus giving the thief full access to their account.

I disagree with your assertion that the answers to the security questions are “public knowledge.” I think the number of people who would be able to determine who your third grade teacher was is rather small, and how could anyone but you know your “favorite vacation spot”? Besides, if this kind of thing concerns you, then you can make up your own question, or you can just decide what answer you are going to give whenever you have to answer a security question at any site, even if the answer has nothing to do with the question.

I’m a bit conflicted about the security images. On the one hand, since I don’t fall for phishes or allow the computers I use to get infected with trojans or viruses that would redirect my attempts to contact my bank, those images are never going to provide me with any extra security. On the other hand, perhaps they do enhance security for people who are stupid enough to fall for phishing messages; of course, they would do that only if said people are smart enough to actually notice if the security image is missing or wrong, and I highly doubt that most people are. So I suppose you’re right that overall they’re useless. I wonder if any of the sites that use them have done any real-world research to find out whether they have any benefit.

The thing about reputable companies sending emails with links to third-party Web sites is a huge issue that is reported on over and over again in such forums as the RISK Digest. Some of those reports have been from me . So I’m totally with you on that. I simply can’t imagine why there are still companies that are stupid enough to send out emails with links that don’t point back at their domain.

I haven’t seen any publications on how secure these types of measures are. Computer scientists tend to lean toward studying things which have theoretical answers (hey, I understand, I was a math major). Things like the practical ability to connect zip codes, SSNs, and family information are harder to study without actually practicing cracking.

And then there’s the “security image” thing which has become popular recently, which in its current versions (no ability to upload my own image, nor for all practical purpose to choose my image) is probably useful for people with only one online account but nearly useless for those of us with many. To me, those images have already become just more noise on the site. I realize that they have to use something non-textual because otherwise most users would confuse their password and the bank’s password. But for goodness sake, let me tell the bank what pass-image I want them to use.

It’s a slightly different issue, but I just got email from PGP Corp … with lots of links pointing to manticoretechnology.com, including some which claim to point to PGP.com. I don’t claim there’s anything dangerous about the actual links (Manticore is totally legitimate as far as I can tell), but the “fake link” bit is such a huge issue in phishing that I have to consider it just outright wrong for a company which claims to support security measures to send out fake links.

OK, I’m running off at the fingers and it’s your blog.

Edward

============================================

Welcome to Apple Bank’s new, enhanced online banking system

If you have not logged in since September 30th, please pay careful attention to the following instructions before you do so:

User ID Requirements: Your User ID must be 8 to 20 characters in length and must include only letters and numbers. Do not use spaces or special characters. If your User ID already meets these requirements, there is no need to change it. If your User ID does not meet these requirements, please call CustomerLine at the number below to have it changed.

Temporary Password: For security reasons, you will need to use a NEW TEMPORARY PASSWORD to login. Your Temporary Password is the last four digits of your social security number followed by the five-digit zip code on your account. After you login, follow the instructions on choosing a permanent password.

=============================================

Their new password requirement is

You have entered a temporary password. For security purposes, please enter a new password that is between 8 and 32 characters. The password must contain at least one letter, one number and a special character from the following list:
~`@#$%^&*()_-+={[}]|\:l”‘.?/ and space.

===========================================

And then they want an open-ended “security” question — you make up the question as well as the answer, as if most users had any idea of what a secure question would be, and the examples are the standard fare of basically public information:

===========================================

Before you can access your account information, you must set up a Personal Authentication Question and Answer. This question/answer helps validate your identity so you can immediately create a new password in the event you forget yours.

The question should be easily answered by you but difficult for others to guess. The answer must be 5 to 32 characters and can be a combination of letters, numbers and symbols. Examples of questions and answers:
Question: Who was your third grade teacher? / Answer: Mrs. Simmons
Question: What is my favorite vacation spot? / Answer: Montserrat

Your Personal Authentication Question and Answer should be treated like any other confidential information.

Enter a new password of 6 to 10 characters, including 2 letters and 2 numbers. Do not enter your user name, image name, answers to your security questions, spaces, or special characters, such as /’-.”.

With Fidelity already on the shame list, it seems that security is not a well-defined concern in investments.

WF has a separate mobile interface, which I did not attempt to test, since I’m not interested in using it and in any case it does not apply to the standard web interface, since you have to explicitly enable it. Obviously it is possible that different password management might apply there.