Circle Bank plays with two-factor authentication

Leichter, Jerry leichter_jerrold at emc.com
Thu Sep 28 16:40:28 EDT 2006


| Circle Bank is using a coordinate matrix to let
| users pick three letters according to a grid, to be
| entered together with their username and password.
| 
| The matrix is sent by email, with the user's account
| sign on ID in plaintext.
| 
| Worse, the matrix is pretty useless for the majority of users,
| with less usability than anything else I have seen in a long time.
| This is what the email says:
| 
|   The following is your Two Factor code for Online Banking for
|   username (sign on ID changed here for privacy reasons).  You will be
|   required to enter the grid values associated with the three
|   Two Factor boxes presented with each sign-on to Online Banking.
|   Please save and store this Matrix in a safe yet accessible place.
|   The required entries will be different each time you sign-on.
| 
| 
|                 Two Factor Matrix
| 
|     A    B    C    D    E    F    G    H
|     _    _    _    _    _    _    _    _
| 
| 1    0    8    4    2    1    1    7    5
| 
| 2    7    4    9    9    2    4    2    0
| 
| 3    3    6    0    6    9    9    0    6
| 
| 4    6    4    5    1    4    6    8    4
| 
| 5    1    7    6    8    6    5    9    2
| ...
Wow.  A variation of an idea I suggested back in the '70s....  The
problem then was with telephone calling cards.  As those of us old
enough will remember, at one time you didn't have a cell phone with you
at all times (or at any times).  You had to use these things called pay
phones.  Long distance calls were expensive, and you had to dump a whole
bunch of change in to make them work.  Very annoying.  So you got a
calling card, which often charged to your home phone number.  Calling
cards had a fixed PIN on them.  "Shoulder surfers" would hang around
heavily used phones - commuter train stations were a good spot - watch
as you entered your account number/PIN, memorize it on the spot and then
sell it.  These could move remarkably quickly - my wife's PIN was stolen
this way, and in use within seconds after she hung up.  Over the next
hour or so, until the fraud people picked it up, it was used to make
several hundred dollars worth of calls from several locations in New
York.

Anyhow ... my suggestion was that a similar table be printed on the back
of the card.  (I would have put a multi-digit number at each
intersection point and only ask for one value.  All told, I'm not sure
which approach is better - but with good printing technology you can use
much smaller fonts than when you rely on people printing things out
themselves.)  I also suggested that the numbers be printed in a color -
light blue, red against a grey background - that would make it hard to
photocopy.

No one ever did anything like this with phone cards.  Interesting to see
the idea re-invented for a different purpose.  (Hmm, if I'd patented it,
the patent would be running out soon, even assuming I went for the
renewal.)  Now if only they hadn't done the actual implementation so
stupidly....

							-- Jerry
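The grid scheme in the quoted e-mail, worked through as an added example (this is not code from the post, from Circle Bank, or from Jerry's calling-card proposal): the server issues a 5x8 grid of single digits, challenges three coordinates per sign-on, and checks the three digits typed back. The sample grid is parsed from the matrix quoted above; the column/row layout and the "three cells per sign-on" rule are taken from that e-mail, everything else (function names, the parser, the shoulder-surfer model) is assumed for illustration. The second half models the shoulder-surfer Jerry describes: every watched sign-on leaks the three challenged cells, and with only 40 cells the observer soon holds enough of the card to answer a fresh challenge.

```python
import hmac
import random
import secrets
from math import comb

# Grid layout assumed from the e-mail quoted above: columns A-H, rows 1-5,
# one decimal digit per cell, so 40 cells with 10 possible values each.
COLS = "ABCDEFGH"
ROWS = "12345"
CELLS = [f"{c}{r}" for r in ROWS for c in COLS]

# The matrix exactly as it appears in the quoted e-mail (constructed sample input).
SAMPLE_EMAIL_MATRIX = """\
    A    B    C    D    E    F    G    H
    _    _    _    _    _    _    _    _

1    0    8    4    2    1    1    7    5

2    7    4    9    9    2    4    2    0

3    3    6    0    6    9    9    0    6

4    6    4    5    1    4    6    8    4

5    1    7    6    8    6    5    9    2
"""


def parse_matrix(text):
    """Parse the e-mailed grid into {"A1": "0", ...}; the underscore rule line is skipped."""
    rows = [ln.split() for ln in text.splitlines() if ln.strip()]
    cols = rows[0]
    grid = {}
    for parts in rows[2:]:
        row_label, digits = parts[0], parts[1:]
        for col, d in zip(cols, digits):
            grid[f"{col}{row_label}"] = d
    return grid


def issue_matrix(rng=None):
    """Server side at enrolment: a fresh grid of random digits (CSPRNG by default)."""
    rng = rng or secrets.SystemRandom()
    return {cell: str(rng.randrange(10)) for cell in CELLS}


def issue_challenge(rng=None, n=3):
    """Server side at sign-on: n distinct coordinates the user must look up."""
    rng = rng or secrets.SystemRandom()
    return rng.sample(CELLS, n)


def verify(matrix, challenge, response):
    """Constant-time check of the user's typed digits against the stored grid."""
    expected = "".join(matrix[cell] for cell in challenge)
    return hmac.compare_digest(expected.encode(), str(response).encode())


def observe_logins(matrix, n_logins, rng=None):
    """Shoulder-surfer model: each watched sign-on reveals the three challenged cells."""
    known = {}
    for _ in range(n_logins):
        challenge = issue_challenge(rng)
        typed = "".join(matrix[cell] for cell in challenge)  # what the victim enters
        for cell, digit in zip(challenge, typed):
            known[cell] = digit
    return known


def guess_success_probability(n_known, n_cells=len(CELLS), n_challenge=3):
    """P(a fresh challenge lands entirely in cells the observer already knows)."""
    return comb(n_known, n_challenge) / comb(n_cells, n_challenge)


if __name__ == "__main__":
    grid = parse_matrix(SAMPLE_EMAIL_MATRIX)
    chal = ["A1", "C3", "H5"]
    print(chal, "->", verify(grid, chal, "002"))
    for n in (1, 5, 10, 20, 40):
        known = observe_logins(grid, n, random.Random(0))
        print(f"{n:3d} watched sign-ons: {len(known):2d}/40 cells known, "
              f"P(answer next challenge) = {guess_success_probability(len(known)):.3f}")
```

The verifier compares digits in constant time so a wrong response does not leak how many digits matched. The leakage model is the point of the example: with a 40-cell, one-digit grid, each observed sign-on hands an attacker 3 cells, and a challenge drawn from the cells they already hold is answered without the card. Printing the card in a hard-to-photocopy colour, as Jerry suggests, does nothing about this channel; only a larger grid, multi-digit cells, or rate-limiting failed attempts does.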



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
