It is the author's opinion that there are several flaws in the security of the internet banking system regarding user security. This document does not discuss, or raise issues with, the security of the backend system, but instead the methods given to users in order to log into the system.
The recent 'feature' of having to select 3 characters of a password in plaintext is a straightforward blunder. These characters are in plaintext (i.e. not hidden), and are openly selectable on the screen. Anyone watching this selection process can easily see the letters being picked. After watching this process only three times, it would be possible for an intruder to hold all the characters of the password, or at least a significant amount (over 50%), assuming the password is 8 characters long.
The flaw in this feature can easily be addressed by providing three separate password boxes, letting the user press a key to select each password character. The output of these characters is masked when an HTML password input box is used.
It could be argued that an intruder could still watch for keyboard input; however, this action is shorter than having the characters displayed on the screen for the duration of this particular login stage. It could also be argued that the computer may have a malicious keyboard input log being kept, thus storing keypresses. This, however, implies a greater compromise of the security of the machine, something harder to achieve than being in casual proximity to the user entering characters displayed on the screen.
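To put a figure on the exposure described above, the following is an added example (not part of the original document) that works out how much of an 8-character password an onlooker has seen after watching three logins that each display 3 characters. It assumes the 3 positions are drawn uniformly at random at every login, which is the hypothetical case the article argues from; the password length, characters shown and number of observations are parameters so the same calculation can be run for other schemes.

```python
from fractions import Fraction
from itertools import combinations, product
from math import comb

# Added example, not code from the original article.
# Assumption: each login reveals SHOWN positions chosen uniformly at random.
PASSWORD_LEN = 8   # the article's assumed password length
SHOWN = 3          # characters displayed in plaintext per login
OBSERVATIONS = 3   # logins the onlooker watches


def expected_positions_revealed(n: int = PASSWORD_LEN, s: int = SHOWN,
                                k: int = OBSERVATIONS) -> Fraction:
    """Expected number of distinct password positions seen after k observed logins."""
    # Probability that one fixed position is not among the s shown at a single login.
    p_hidden_once = Fraction(comb(n - 1, s), comb(n, s))
    # Linearity of expectation: sum over positions of P(seen at least once).
    return n * (1 - p_hidden_once ** k)


def probability_full_exposure(n: int = PASSWORD_LEN, s: int = SHOWN,
                              k: int = OBSERVATIONS) -> Fraction:
    """Exact probability that every position has been displayed at least once,
    by inclusion-exclusion over sets of positions that were never shown."""
    total = Fraction(0)
    for j in range(n + 1):
        # j specific positions never shown: each login draws s from the other n - j
        # (comb() returns 0 when fewer than s positions remain).
        p_never = Fraction(comb(n - j, s), comb(n, s)) ** k
        total += (-1) ** j * comb(n, j) * p_never
    return total


def brute_force_full_exposure(n: int = PASSWORD_LEN, s: int = SHOWN,
                              k: int = OBSERVATIONS) -> Fraction:
    """Cross-check of the closed form by enumerating every sequence of k displayed sets."""
    choices = list(combinations(range(n), s))
    full = sum(1 for seq in product(choices, repeat=k)
               if len(set().union(*seq)) == n)
    return Fraction(full, len(choices) ** k)


if __name__ == "__main__":
    exp = expected_positions_revealed()
    print(f"expected positions revealed after {OBSERVATIONS} logins: "
          f"{float(exp):.2f} of {PASSWORD_LEN}")
    print(f"probability the whole password has been seen: "
          f"{float(probability_full_exposure()):.3f}")
```

For the article's parameters the onlooker has, on average, seen about 6 of the 8 positions after three logins, comfortably above the "over 50%" the text claims, and has a roughly 3% chance of having seen every character. The same functions show why masked single-character boxes help: with nothing displayed, the onlooker's information comes only from watching keystrokes for the moment each key is pressed.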
All passwords are selected by the user. While this is not a bad thing in itself, it would be beneficial to combine a user-picked password with either one generated by the system, or with a user-picked password on a theme, such as 'memorable place' or suchlike.
Generally, users are known to pick weak passwords, even when given a minimum length to use. A code generated for the user would be harder for an intruder to guess; however, the user may write it down, or keep it logged elsewhere. Another solution would be for the user to be asked to pick a 'themed password', such as a favourite place, place of birth, etc., anything to which a common password cannot be applied.
Use one self-picked password and a themed password.
If the user's account has been compromised, does the user know? If an intruder had logged into an account, taken details of statements and other sensitive data, and then logged out, would anyone spot this single interception? Maybe this was carried out from the same computer as the rightful user, making it harder for any kind of monitoring system to notice.
When a user logs in to the system, tell them the last time someone logged in.
This is a simple and quick method that makes the user think and act immediately, and should lead to the alarm being raised sooner once an intrusion has been made. The correct parties involved can then take measures to secure the account with new passwords, etc.
Make sure that there is a maximum number of failed login attempts per login.
This has been used on other internet banking systems, and provides peace of mind to the user while also preventing casual password guessing. This could be extended to also catch an intruder guessing combinations of user account numbers and passwords.
Add a maximum number of tries to the login process before the user has to make contact with the bank.
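The two recommendations above (report the previous sign-in time, and lock the account after a fixed number of failed attempts so the user has to contact the bank) are small enough to show together. The following is an added example written for this document; it is not LloydsTSB's code, and the account numbers, passwords, timestamps, lockout threshold and hashing parameters are all constructed, illustrative values.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Optional

# Added example, not code from the original document or from LloydsTSB.
# Assumptions: a lockout after MAX_FAILED_ATTEMPTS consecutive failures,
# PBKDF2-SHA256 for password storage, and constructed sample accounts below.
MAX_FAILED_ATTEMPTS = 3
PBKDF2_ROUNDS = 100_000
LOCKED_MSG = "Account locked. Please contact the bank to regain access."
GENERIC_FAILURE_MSG = "Invalid account number or password."

# Constructed sample timestamps for the demonstration and its checks.
SAMPLE_T0 = datetime(2003, 8, 1, 9, 0)
SAMPLE_T1 = datetime(2003, 8, 2, 9, 0)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    failed_attempts: int = 0
    locked: bool = False
    last_login: Optional[datetime] = None


class LoginService:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def register(self, account_number: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[account_number] = Account(salt, hash_password(password, salt))

    def login(self, account_number: str, password: str, now: datetime) -> dict:
        """Attempt a login; the failure message never reveals whether the account exists."""
        acct = self.accounts.get(account_number)
        if acct is None:
            return {"ok": False, "message": GENERIC_FAILURE_MSG}
        if acct.locked:
            return {"ok": False, "message": LOCKED_MSG}
        if not hmac.compare_digest(hash_password(password, acct.salt), acct.password_hash):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked = True   # stays locked until the bank resets it
                return {"ok": False, "message": LOCKED_MSG}
            return {"ok": False, "message": GENERIC_FAILURE_MSG}
        # Success: report the previous sign-in before recording this one.
        previous = acct.last_login
        acct.last_login = now
        acct.failed_attempts = 0
        when = previous.isoformat(" ") if previous else "never"
        return {"ok": True, "previous_login": previous,
                "message": f"Welcome. This account was last signed in: {when}."}


def demo() -> list:
    """Scripted scenario with constructed accounts; returns the messages shown to the user."""
    svc = LoginService()
    svc.register("00000001", "correct-horse")   # constructed sample account
    shown = []
    for attempt in range(MAX_FAILED_ATTEMPTS):
        shown.append(svc.login("00000001", "guess%d" % attempt, SAMPLE_T0)["message"])
    shown.append(svc.login("00000001", "correct-horse", SAMPLE_T0)["message"])  # still locked
    svc.register("00000002", "another-password")
    shown.append(svc.login("00000002", "another-password", SAMPLE_T0)["message"])  # "never"
    shown.append(svc.login("00000002", "another-password", SAMPLE_T1)["message"])  # shows T0
    return shown


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Two points a practitioner would check before deploying this: the unknown-account and wrong-password paths return the same message, so the lockout cannot be used to confirm which account numbers exist, and a hard per-account lock means anyone who knows an account number can lock its owner out by entering wrong passwords, so the contact route mentioned in the recommendation must actually be staffed.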
The author has raised a few of these concerns with LloydsTSB's online banking department before. These were lodged through the only online contact method, consisting of a feedback form. The author received no response, and also saw no improvements to the system.
Put in place better contact facilities, and publicise email addresses that go to targeted and appropriate parties, such as security officers, instead of pooling these into one contact box. This leads to a quicker flow of knowledge and discussion of potential problems with the customer.
Maybe check against current British Standards regarding online banking security, and adhere and adjust to these standards accordingly. Conduct research comparing LloydsTSB's online banking, from a front-end security perspective, against the online facilities provided by other banks, building societies and credit card providers.
Raised some of these issues with LloydsTSB through the online comment box, over 6 months ago.
No contact from LloydsTSB, no change in the system regarding the points raised.
Produced this document at http://www.tinnedfruit.org/ltsb-security.html, and sent an email to the contact box on the website, with a copy of this document attached in plain text, inline, as well as the URL to this document.
During September 2003, LloydsTSB added two new messages when signing on to the internet banking service: one which advises users about password strength, and another which informs us that the 'last signed in' feature has been implemented. This is good progress, and hopefully there will be more improvements to come. LloydsTSB themselves regard this work as 'ongoing' in one of the messages mentioned above.
The author of this document agrees to update this document as visible changes to the end user of the LloydsTSB online banking system are made.
This document was first published on the 1st of August, 2003. The author Andrew Smith has been an account holder with LloydsTSB for over 10 years.