
Security, Only Skin Deep?

It's no secret that Indian banks now encourage online banking. This is cost-effective for them and hassle-free for customers. One major worry, of course, is security. With great power comes great responsibility, and banks do everything they can to project a secure image of their online services.

Case in point: my favourite spammer and email-address vendor of a bank, Citibank.

The Citi, of course, never sleeps. Sometime last year they introduced a JavaScript-based virtual keyboard for logins. It was designed to stop key-logging trojans from capturing passwords, but all it really does is lull the user into a false sense of security.

(Screenshot of the virtual keyboard, captioned "The keyboard that never sleeps" / "Security that never sleeps")

Firstly, it makes passwords themselves weaker by making them case-insensitive and shorter, which shrinks the keyspace an attacker has to search. Moreover, since the evil hax0rs have already broken into your box to install a key-logger, what's stopping them from installing a screen-capture program to record your clicks? Better still, why not redirect the poor user to the hax0r's own version of the virtual keyboard and log the password? Oh yeah, and it's already been compromised.

That's not all. Enter a wrong password and you're taken to a page with a message that reads "For your protection you've been logged off. Please close all your active windows and try login again". There's more: the window self-destructs in a few seconds. Cool, ain't it? Wait, there's more. You'll not be able to log in again without closing all your browser windows.

In fact, this fantastic security measure is more annoying than useful. All it does is tie the failed login to a cookie on your machine that expires with the browser session. As long as the browser keeps sending that cookie (JSESSIONID for citibank.co.in), you can't log in. The lockout state lives in a session the client controls, not against the account. If it was indeed an illegal attempt, this is akin to catching a thief red-handed and then asking him to carry a tag branding him a robber: the thief holds the evidence and can simply throw it away. Delete the cookie and you can log in again. In fact, they offer the solution themselves: close all the browser windows and you'll be able to log in again. If you're a wannabe hacker, why wouldn't you just try again this way?

All this "security measure" does is annoy the legitimate user who inadvertently enters the wrong password. Absolutely nothing else. Most other banks handle this better: they give you three tries and then lock the account until you contact them offline, a counter the attacker cannot reset by clearing cookies.
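To make the difference concrete, here is an added simulation of the two lockout designs contrasted above. This is example code written for this page, not Citibank's code or any other bank's; the user name, password, wordlist and session format are constructed for the demo, and the session store is an in-memory dict standing in for whatever a real JSESSIONID points at. The cookie-based design keeps the "logged off" flag in the session the client chooses to present, so an attacker who starts a fresh session for every guess (which is all "close all your windows" means) is never slowed down. The account-based design keeps the counter server-side, keyed by account, and locks after three failures regardless of what cookies the client sends.

```python
import hmac
import secrets

# Constructed credential store for the demo (hypothetical, not any bank's data).
USERS = {"alice": "correct horse battery"}


def password_matches(user, password):
    # Constant-time comparison; a real system would verify a salted hash here.
    return hmac.compare_digest(USERS.get(user, ""), password)


class CookieLockout:
    """The design described in the post: the 'you have been logged off' state is
    a flag in the server-side session that the session cookie points at.
    Discard the cookie (close the browser) and the flag is gone with it."""

    def __init__(self):
        self.sessions = {}     # session id -> {"locked": bool}
        self.comparisons = 0   # guesses actually checked against the real password

    def new_session(self):
        sid = secrets.token_hex(8)   # stands in for a freshly issued JSESSIONID
        self.sessions[sid] = {"locked": False}
        return sid

    def login(self, sid, user, password):
        sess = self.sessions.setdefault(sid, {"locked": False})
        if sess["locked"]:
            return "logged off: close all windows and try again"
        self.comparisons += 1
        if password_matches(user, password):
            return "ok"
        sess["locked"] = True
        return "logged off: close all windows and try again"


class AccountLockout:
    """The conventional design: the failure counter is keyed by account on the
    server, so nothing the client sends (or withholds) can reset it."""

    MAX_FAILURES = 3

    def __init__(self):
        self.failures = {}     # user -> consecutive failed attempts
        self.locked = set()
        self.comparisons = 0

    def login(self, user, password):
        if user in self.locked:
            return "locked: contact the bank to unlock"
        self.comparisons += 1
        if password_matches(user, password):
            self.failures.pop(user, None)
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.MAX_FAILURES:
            self.locked.add(user)
            return "locked: contact the bank to unlock"
        return "wrong password"


def guesses_checked_cookie(guesses, user="alice"):
    """Attacker against CookieLockout: every guess goes out in a fresh session,
    which is exactly what 'close all your browser windows' amounts to."""
    bank = CookieLockout()
    for g in guesses:
        if bank.login(bank.new_session(), user, g) == "ok":
            break
    return bank.comparisons


def guesses_checked_account(guesses, user="alice"):
    """Same attacker against AccountLockout: a new cookie changes nothing."""
    bank = AccountLockout()
    for g in guesses:
        if bank.login(user, g) == "ok":
            break
    return bank.comparisons


if __name__ == "__main__":
    # Constructed wordlist: 50 wrong guesses followed by the right one.
    wordlist = [f"password{i}" for i in range(50)] + ["correct horse battery"]
    print("cookie-based lockout checked", guesses_checked_cookie(wordlist), "guesses")    # 51
    print("account-based lockout checked", guesses_checked_account(wordlist), "guesses")  # 3
```

Against the cookie-based design the whole wordlist is evaluated and the attacker ends up logged in; against the account-based design the server stops comparing after the third failure, and the legitimate owner is the one who has to phone the bank, which is the inconvenience a lockout is supposed to buy.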

These are just two fancy toys masquerading as "security measures", designed to make the user feel comfortable. I believe that the real measures should be transparent to the user. If their in-your-face security features are this useless, I, for one, would begin to wonder whether any of their security measures are any good.
