[Fwd: Re: Co-op Bank and Verified by Visa]
John Lamb
ukcrypto at lawnjam.com
Mon Jun 22 22:44:40 BST 2009
On Mon, Jun 22, 2009 at 03:00:09PM +0100, Roland Perry wrote:
> In article
> <C0BFE9BC4DE1C54E96C3901CD7A8F16E1D58BC05A2 at EXSAN02.campus.ncl.ac.uk>, C
> R Ritson <c.r.ritson at newcastle.ac.uk> writes
> >How about insisting on a pass PHRASE so that the dialog can ask for N from
> >M random words in the pass phrase? Has this been done anywhere?
>
> That's in effect what happens for those banking/etc sites which have a
> number of shared secrets and ask you one or the other at random.

Nationwide's implementation of this is, erm, interesting - they ask for
three pieces of 'memorable data' when you register for their internet
banking, but will then accept any of the three when you are logging in -
they never ask for a specific one (which is good, as I can now only
remember one of them).

Better still, for "added security" they asked for three additional
pieces of information (first school and mother's maiden name were two I
think) on login a while ago - this immediately sounds like phishing, but
I did check the cert and phone them at the time - but they have since never
asked for these secrets again!

They also ask for three random digits from your passnumber on login,
which makes some sense - but if you refresh it will ask for a different
three digits, so if you have captured a login once you can keep
reloading the page until it asks for the ones you know.

john
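
An added example, not part of the original message and not Nationwide's code: one way to close the reload weakness described above is to keep the same digit positions pending for an account until they are answered correctly, and to count wrong answers. The six-digit passnumber length, the three-failure lockout and the names `StickyChallenge` and `reroll_match_probability` are assumptions made for illustration.

```python
import hmac
import math
import secrets

PASS_LEN = 6    # assumed passnumber length (not stated in the message)
ASKED = 3       # digits requested per login, as the message describes
MAX_FAILS = 3   # assumed lockout threshold

def reroll_match_probability(pass_len=PASS_LEN, asked=ASKED):
    """Chance that one freshly drawn challenge equals a previously seen one."""
    return 1 / math.comb(pass_len, asked)

class StickyChallenge:
    """Keeps one challenge per account until it is answered correctly."""

    def __init__(self):
        self._pending = {}   # account -> positions currently being asked
        self._fails = {}     # account -> consecutive wrong answers

    def challenge(self, account):
        # A page reload lands here again and gets the same positions back.
        if account not in self._pending:
            rng = secrets.SystemRandom()
            self._pending[account] = tuple(sorted(rng.sample(range(PASS_LEN), ASKED)))
        return self._pending[account]

    def verify(self, account, passnumber, answer):
        # passnumber is passed in directly to keep the sketch short.
        if self._fails.get(account, 0) >= MAX_FAILS:
            return False     # locked out; needs an out-of-band reset
        expected = "".join(passnumber[p] for p in self.challenge(account))
        if hmac.compare_digest(expected.encode(), answer.encode()):
            del self._pending[account]   # rotate only after a success
            self._fails[account] = 0
            return True
        self._fails[account] = self._fails.get(account, 0) + 1
        return False

if __name__ == "__main__":
    demo = StickyChallenge()
    print("per-reload match chance if re-rolled:", reroll_match_probability())
    print("positions across 5 reloads:", {demo.challenge("alice") for _ in range(5)})
```

With re-rolling, each reload has a 1 in 20 chance of repeating a previously seen set of positions under these assumptions; with the pending challenge held per account, reloading changes nothing and wrong answers run into the lockout.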