SANS ISC InfoSec Forums: Is your bank's online security policy making it more of a target for phishers?
Is your bank's online security policy making it more of a target for phishers?
This morning in the Handler's secret room, we were having a discussion about financial institutions and their supposed security policy making them a lucrative target for spamming and phishing.  Our discussion centered around how they attempt authentication, and whether this authentication actually increases the likelihood that your account will be compromised.

One example:
A bank or financial institution implements a security policy that requires you to answer a question in addition to your user id and password.  This sounds great, right, a "two factor" method of identification.  Well, maybe not...  You see, if you can't answer the question correctly in addition to your correct user id and password, your account gets locked out.  Ok, so now what?  You call the bank and say darn it all, my account got locked out....  What does the bank say?  Ok, we will reset your password, what email address do you want the new password sent to?  Oh, by the way - the new password email will not come from us.  We have someone else send it.  Hmmmm....  Oh - by the way, you may want to check your spam filter because the email may get stopped.
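To make the point concrete, here is an added example of how a reset flow can avoid the two weak spots in that story. It is not code from the diary or from any bank: it is a constructed in-memory model with an assumed `ResetService` class and a `FakeClock` so it runs offline. Instead of mailing a brand-new password (which a customer cannot tell apart from a phish, especially when it arrives from a third-party sender), the service issues a random, single-use token that expires in 15 minutes and stores only its hash; and instead of hard-locking the account after a wrong challenge answer (which forces the customer into the reset-by-email path), it applies a capped, doubling delay.

```python
"""Constructed example (not the diary's or any bank's code): password-reset
tokens that are random, single-use and short-lived, plus a progressive delay
on wrong challenge answers instead of a hard lockout."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60      # an emailed reset link is useless after 15 minutes
MAX_BACKOFF_SECONDS = 60 * 60    # delay after repeated failures is capped, never permanent


@dataclass
class Account:
    user_id: str
    failed_challenges: int = 0
    locked_until: float = 0.0    # epoch seconds; 0.0 means no delay in force


class FakeClock:
    """Assumed helper: lets the example move time forward deterministically."""

    def __init__(self, start: float = 0.0) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t


class ResetService:
    """Assumed service name; a real deployment would back this with a database."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self.accounts: Dict[str, Account] = {}
        # Only sha256(token) is stored, so a leaked token table cannot be replayed.
        self._tokens: Dict[str, Tuple[str, float]] = {}

    def add_account(self, user_id: str) -> Account:
        acct = Account(user_id)
        self.accounts[user_id] = acct
        return acct

    def is_locked(self, user_id: str) -> bool:
        return self._now() < self.accounts[user_id].locked_until

    def record_challenge(self, user_id: str, correct: bool) -> bool:
        """Each wrong answer doubles the wait (2s, 4s, 8s, ... capped) rather than
        locking the account outright and pushing the customer into a reset."""
        acct = self.accounts[user_id]
        if self.is_locked(user_id):
            return False
        if correct:
            acct.failed_challenges = 0
            return True
        acct.failed_challenges += 1
        delay = min(2 ** acct.failed_challenges, MAX_BACKOFF_SECONDS)
        acct.locked_until = self._now() + delay
        return False

    def issue_reset_token(self, user_id: str) -> str:
        """Returns the value that goes into the emailed link; the server keeps only its hash."""
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._tokens[digest] = (user_id, self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem_reset_token(self, token: str) -> Optional[str]:
        """Returns the user_id for a valid token; None if unknown, expired or already used."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._tokens.pop(digest, None)   # pop makes every token single-use
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._now() > expires_at:
            return None
        return user_id


if __name__ == "__main__":
    clock = FakeClock(1_000.0)
    svc = ResetService(now=clock)
    svc.add_account("alice")
    svc.record_challenge("alice", correct=False)      # wrong answer: 2 s delay, not a lockout
    print("locked right after a wrong answer:", svc.is_locked("alice"))
    clock.t += 3
    tok = svc.issue_reset_token("alice")
    print("first redeem:", svc.redeem_reset_token(tok))   # alice
    print("second redeem:", svc.redeem_reset_token(tok))  # None, token already used
```

The model does not fix the other problem in the story, the reset mail arriving from a sender the customer has never heard of; that is a policy decision about who is allowed to send mail in the bank's name, not something the token logic can repair.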

Seriously, what are they thinking?

What do you think?  Does your bank's or financial institution's method of authentication make you a more lucrative target?


ISC Handler, Dec 4th 2006
