Sometimes it is very interesting to know who builds the online banking systems of the leading European banks, and for how much money, because they have produced such unbelievable crap that, alas, end users have little confidence in them. First of all, it is not so much the terrible, unintuitive interfaces that frighten as the utterly miserable data access security and application logic that repel.
I confess, it is not clear who hired these goblins to develop such complex systems. Of course, I understand that everyone needs to eat, and therefore making "banana-software" is an order of magnitude more profitable than delivering an excellent, working product right away, one that would require a minimum of time and resources from the customer to support. But these are big, international banks, and image should be everything to them!!!
Well, so as not to be accused of writing on water with a pitchfork, I will illustrate my thesis with a couple of live examples. To begin, consider the online services of one of the largest banks in the world: HSBC.
Bad Example - HSBC
So, to reach the login form of online banking you must first enter the intricate "Internet Banking ID" (Fig. 1). Of course, not a single normal homo sapiens is able to remember something like IB2894871987, and, alas, for some reason they decided to amputate autocomplete on the form field. But that is not the point, because if you have the number of at least one of your credit cards or accounts, you can recover the "Internet Banking ID" in a couple of seconds.

Fig. 1
After we successfully enter this uncomplicated but hard-to-remember ID, a pop-up window opens with the login form for internet banking (Fig. 2). A good two thirds of those few visitors who have shown enough perseverance to reach this form fall off their chairs, eyes rolling under the table. Wow, how secure: type in your date of birth and three digits of your PIN! Evidently the engineers read somewhere about keyloggers and decided that if you ask for only part of the PIN, the attacker will never learn the whole thing. It is strange that these geniuses did not consider that keyloggers usually run for months (and for several years now they have also taken screenshots of web pages and uploaded them by FTP), so recovering the full PIN is only a matter of time and patience for the "evil hacker".

Fig. 2
That's all. That is everything needed for complete control of someone's finances. Enter this data and you have full access to all accounts (Fig. 3). From there you can quickly press a key (once you have spent a couple of hours figuring out the interface) to transfer all the money offshore and disappear to sip a cocktail on a sandy beach. And where, sorry, is the security? With a bit of brains and time, you can easily find out the "victim's" date of birth, Banking ID and PIN. Who is to blame? What is to be done? Kill! Fire! Into exile!

Fig. 3
Nota Bene: What is, by the way, amusing is the fact that HSBC uses the same identity verification system for telephone banking.
Medium Example - Barclays
Barclays Bank, bitch, is big and rich. I remember in the distant past their security engineers gave a couple of lectures at our university about how awesomely they had done Internet banking. A pity that even then I was not impressed. Let's take a closer look.
So again, two steps to get into the womb of financial transactions. Again, the notorious "Banking ID" (Fig. 4), which, fortunately, stays saved in the form and does not require special training of one's brain cells to recall it later (so is it needed at all?).

Fig. 4
This is followed by the second authentication step (Fig. 5), where a date of birth is no longer required; instead you enter a PIN for online banking access and select a few letters of your password from drop-down lists. Undoubtedly, less whiskey is drunk in Barclays' IT division than in HSBC's. Still, they screw it up all the same. Of course, security here is slightly higher than at the first "patient", but this still does not save us from keyloggers (although it gives them a decent headache). Enter all the data and, eureka, "we're in" (Fig. 6)!

Fig. 5
I will not dwell on the fact that the interface here, though prettier, is no better than the first "patient's". Again, you need a good half-hour to figure out how to transfer the dough to some other account. Oh, how scary to live! Kill! Fire! Into exile!

Fig. 6
Good Example - BA-CA
Okay, why am I going on about big and rich banks? Better to tell and show a good example, developed by a small and poor bank: Bank Austria / Credit Anstalt.
So, the login takes place in one step (hooray, hooray, hooray): it is enough to enter an eight-digit ID and PIN (Fig. 7) into the form, and, oh eureka, the browser remembers them, so we do not have to memorize them in the future! Moreover, the login form is on the bank's front page (which cannot be said about the other "patients", where one needs the information-finding talent of a Google robot).

Fig. 7
But, but! Where is the security here? Where is the authentication? Here it is: for any operation in the BA-CA online banking you need to enter a one-time PIN. A list of such codes is sent by post as a plain letter with a bunch of numbers (there are about 100 codes in it). For any operation, the system requires you "to confirm" and asks for "any PIN starting with 42" (there will be only one such code in the letter). You enter the digits. Thus the transaction is "signed" (legally valid) and is also protected from any technological tricks, because all signatures are one-time and exist only on paper. The fact that BA-CA also simply has an excellent interface (Fig. 8) I would rather just keep quiet about.
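As an added illustration (not BA-CA's own code, which is not shown on the page), here is a constructed server-side model of such a one-time code list: every code on the "letter" carries a unique two-digit prefix, the server challenges with a prefix, and a code is consumed on first use, so a keylogger that captured yesterday's code cannot replay it. The `TanList` class and the code format (prefix plus four random digits) are assumptions.

```python
import hmac
import secrets


class TanList:
    """Model of a paper one-time transaction code list (constructed, hypothetical).

    100 codes, prefixes 00..99, each prefix unique, so a challenge such as
    "any PIN starting with 42" matches exactly one entry on the customer's letter.
    """

    def __init__(self, codes):
        # codes: dict prefix -> full code; each code may be used exactly once
        self.codes = dict(codes)
        self.used = set()

    @classmethod
    def issue(cls):
        # Issue a fresh list: two-digit prefix followed by four random digits.
        codes = {f"{i:02d}": f"{i:02d}{secrets.randbelow(10000):04d}"
                 for i in range(100)}
        return cls(codes)

    def challenge(self):
        # Pick an unused prefix at random; the customer looks it up on paper.
        unused = sorted(set(self.codes) - self.used)
        if not unused:
            raise RuntimeError("TAN list exhausted; a new letter must be issued")
        return secrets.choice(unused)

    def confirm(self, prefix, submitted):
        # Authorize one transaction: the code must belong to the challenged
        # prefix, compare equal in constant time, and never have been used.
        expected = self.codes.get(prefix)
        if expected is None or prefix in self.used:
            return False
        if not hmac.compare_digest(expected, submitted):
            return False
        self.used.add(prefix)  # consume it: a replayed capture is now worthless
        return True


if __name__ == "__main__":
    tans = TanList.issue()
    p = tans.challenge()
    code = tans.codes[p]          # what the customer reads off the letter
    print("first use:", tans.confirm(p, code))    # True
    print("replay:   ", tans.confirm(p, code))    # False
```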

Fig. 8
Little Figures
- HSBC IT R&D - 190 employees in the head office (how many worldwide, I am afraid to imagine)
- Barclays IT R&D - 170 employees in the head office (worldwide, clearly many more)
- BA-CA - 7 employees in the head office (there is no R&D in the branches at all)
Well, who's da biatch 'ere?