Originally Posted By: haertig
Anytime I go to a sensitive site (my bank, etc.) I make a habit of first attempting to login using a bad password - on purpose.

This is an interesting concept, and I checked it out with one of my clients, a major issuer of credit cards, and this is a good way to "test" a site before you proceed - EXCEPT - that some sites have a 3-strikes you're locked policy, so if you're on the REAL site, you enter the wrong PW once, you now only have 2 tries to get it right. Maybe not a big deal, but sometimes I'm all fumble fingers.

Also, in the same discussion, we talked about products like "Roboform" and other local password storage systems and we all seemed to agree that these are short-term solutions, as they assume computer=person, and increasingly people are thinking "This computer" not "My computer" - in other words, any old computer will do, since so little of your online life is stored locally anymore.

Finally, in terms of Identity Theft (and we were victims), by far, the leading source of identity theft is paper. This was the case for us (cell phone service applications were being copied and sold by a nefarious customer service agent) and, in our research for big credit card company, it is the case for most cases where an individual's identity was stolen. That said, there are breaches that have nothing to do with the internet. The capture of some 40 million credit card numbers at TJ Maxx stores was done not by "phishing" or DNS poisoning, it was done by simply monitoring the wireless networks at retail locations and capturing card data.

Since so much of my work is in putting telecommunications and financial services operations online, I'm acutely aware of the risks and protections in place.

Quite frankly, I'm more worried about the quality of my online banking experience than the security of it.

And as far as DNS cache poisoning, there's a lot to worry about there, however, there's a lot more to a secure login page on a major bank than a blob of UI code shot over to the user. You could scrape and match the domain, look, feel and even the basic back-end functionality of a credit card of bank site, and still not match what the companies have in their back pocket in case DNS cache poisoning becomes a real problem.

I saw an authentication method last month that is not yet in use that is utterly brilliant, simple, and most amazingly, does away with passwords entirely, while adding a level of quality to the user authentication process. This was at a security conference.

Instead of a password, you are presented with 5 pictures. 4 of the 5 pictures are ones YOU uploaded when you set up the account, 1 is not.
You click on the 1 that is not yours.

Then, you are presented with a list of 5 vendors with transactions on your account. 1 is not a transaction you made. You click on the 1 that are NOT your transaction.

Ultimately, you're going to carry a NetKey on your keyring. Paypal and Etrade and many others issue these. They are a small device with a calculator-like display screen that displays a 6 to 8 digit number. Every 60 seconds, the number changes in an unpredictable fashion, but the pattern is known to the issuer. When you want to log in, you must enter the number (or "token") on your device. This technology is old and established, long used in the business world. There's even a software version of the number-generating device that runs on the blackberry. The point is that the days of username and password being the only way to log in, and the vulnerabilities therein, are soon to end.