[Fwd: Re: Co-op Bank and Verified by Visa]
Peter Fairbrother
zenadsl6186 at zen.co.uk
Mon Jun 22 23:30:17 BST 2009
John Lamb wrote:
> On Mon, Jun 22, 2009 at 03:00:09PM +0100, Roland Perry wrote:
>> In article <C0BFE9BC4DE1C54E96C3901CD7A8F16E1D58BC05A2 at EXSAN02.campus.ncl.ac.uk>,
>> C R Ritson <c.r.ritson at newcastle.ac.uk> writes
>>> How about insisting on a pass PHRASE so that the dialog can ask for N from
>>> M random words in the pass phrase? Has this been done anywhere?
>> That's in effect what happens for those banking/etc sites which have a
>> number of shared secrets and ask you one or the other at random.
>
>
> Nationwide's implementation of this is, erm, interesting - they ask for
> three pieces of 'memorable data' when you register for their internet
> banking, but will then accept any of the three when you are logging in -
> they never ask for a specific one (which is good, as I can now only
> remember one of them).
>
> Better still, for "added security" they asked for three additional
> pieces of information (first school and mother's maiden name were two I
> think) on login a while ago - this immediately sounds like phishing, but
> I did check the cert and phone them at the time - but they have since
> never asked for these secrets again!
>
> They also ask for three random digits from your passnumber on login,
> which makes some sense - but if you refresh it will ask for a different
> three digits, so if you have captured a login once you can keep
> reloading the page until it asks for the ones you know.
That's especially useful for website phishing - the fake website simply
claims "Authentication Failed", and asks for three different digits,
thereby getting six digits.
If you expect to enter three new digits at the second attempt, then you
will think nothing about it, and assume you made a mistake the first time.
And six digits is enough to prevent a fraudster from having to refresh
lots of times when he does his online fraud; once or twice will be enough.
-- Peter Fairbrother
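The scheme and the two-round phishing trick discussed above, as an added example that is not part of any post in this thread: it models the bank-side "three random digits from your passnumber" challenge, a phishing page that harvests six distinct digits across two "Authentication Failed" rounds, and the fraudster who then reloads the real login page until it happens to ask for positions he holds. The passnumber length (10), the sample passnumber and the class/function names are constructed assumptions; the thread does not state how long Nationwide's passnumber is.

```python
"""Added example, not code from the ukcrypto thread. Models a partial-password
login (3 digits challenged per page load), the two-round phishing harvest, and
the expected number of reloads a fraudster needs. A 10-digit passnumber and the
sample value are assumptions."""
import random
from math import comb

CHALLENGE_SIZE = 3  # the bank asks for three digits per login attempt


class PartialPasswordVerifier:
    """Bank side: holds the full passnumber and checks a k-position challenge."""

    def __init__(self, passnumber: str):
        self.passnumber = passnumber

    def challenge(self, rng=random):
        """Fresh random 1-based positions on every page load. This is the flaw:
        nothing ties the challenge to the session, so reloading re-rolls it."""
        n = len(self.passnumber)
        return sorted(rng.sample(range(1, n + 1), CHALLENGE_SIZE))

    def verify(self, positions, digits) -> bool:
        return len(digits) == len(positions) and all(
            self.passnumber[p - 1] == d for p, d in zip(positions, digits))


def phish(victim_passnumber: str, rounds: int = 2) -> dict:
    """Phishing site: each 'Authentication Failed' round asks for positions it
    has not seen yet, so two rounds harvest six distinct digits.
    Returns {position: digit} as typed in by the victim."""
    n = len(victim_passnumber)
    harvested = {}
    for _ in range(rounds):
        unknown = [p for p in range(1, n + 1) if p not in harvested]
        ask = unknown[:CHALLENGE_SIZE]  # any disjoint choice works
        if not ask:
            break
        for p in ask:
            harvested[p] = victim_passnumber[p - 1]  # victim answers
    return harvested


def coverage_probability(known: int, n: int, k: int = CHALLENGE_SIZE) -> float:
    """P(a random k-of-n challenge lies entirely within `known` positions)."""
    if known < k:
        return 0.0
    return comb(known, k) / comb(n, k)


def expected_reloads(known: int, n: int, k: int = CHALLENGE_SIZE) -> float:
    """Geometric waiting time: mean page loads until a usable challenge."""
    p = coverage_probability(known, n, k)
    return float("inf") if p == 0 else 1.0 / p


def fraud_login(verifier, harvested, rng=random, max_reloads=10_000):
    """Fraudster: reload the real login until every challenged position is in
    the harvest, then answer. Returns (reloads_used, login_succeeded)."""
    for reloads in range(1, max_reloads + 1):
        positions = verifier.challenge(rng)
        if all(p in harvested for p in positions):
            digits = [harvested[p] for p in positions]
            return reloads, verifier.verify(positions, digits)
    return max_reloads, False


if __name__ == "__main__":
    bank = PartialPasswordVerifier("8315296047")  # constructed passnumber
    got = phish(bank.passnumber)
    print("harvested:", got)
    print("P(usable challenge):", coverage_probability(len(got), 10))
    print("expected reloads:", expected_reloads(len(got), 10))
    print("fraud login (reloads, ok):", fraud_login(bank, got, random.Random(1)))
```

With six of ten digits harvested, one in six random challenges is fully covered, so the fraudster expects about six reloads; the number falls quickly as the passnumber gets shorter or the harvest gets larger, and a single extra "failed" round on the phishing page costs the attacker nothing. The fix on the bank side is to bind the challenged positions to the session (or to a short lockout counter) so a reload returns the same positions rather than a fresh draw.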