
Using SMS for password reset.


Sylvia Else

Jan 30, 2024, 3:22:33 AM
This is really a rant - venting to release some of the frustration.

I'm in the process of selling my house, and I need somewhere secure to
hold the proceeds. I decided I'd create an account with a bank I don't
otherwise bank with, and interact online with it using a live-DVD on a
system that has no storage. So no risk of key loggers or other hacks.
I'd remember the strong password, and not have it written down anywhere.

Except that the banks insist on having a password reset option,
validated using an SMS. This undermines my attempts at ensuring that the
account remains secure.

I've tried telling banks (and other entities, indeed) that I don't want
the ability to reset the password. No go, because such an option is not
implemented in their systems.

Telcos in Australia have some quite strict rules regarding transfer of
mobile phone numbers, but the rules still get broken, and frauds
committed thereby.

If someone perpetrated a fraud as a consequence of the SMS password
reset, I'd have a good case that it was a fraud against the bank, rather
than against me, and that it was therefore the bank's loss.

Still, I'd rather not have to deal with it.

I looked at having a SecurID® device as 2FA. But guess what? It can be
used to reset the password.

So I'm tearing my hair out. Why do banks have this huge blind spot when
it comes to resetting passwords?

Sylvia.

Dan Purgert

Jan 30, 2024, 5:39:30 AM
On 2024-01-30, Sylvia Else wrote:
> This is really a rant - venting to release some of the frustration.
>
> I'm in the process of selling my house, and I need somewhere secure to
> hold the proceeds. I decided I'd create an account with a bank I don't
> otherwise bank with, and interact online with it using a live-DVD on a
> system that has no storage. So no risk of key loggers or other hacks.
> I'd remember the strong password, and not have it written down anywhere.

Until you don't remember it, then what?

Because let's face it, eventually we all forget the password.

--
|_|O|_|
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: DDAB 23FB 19FA 7D85 1CC1 E067 6D65 70E5 4CE7 2860

Sylvia Else

Jan 30, 2024, 5:57:05 AM
On 30-Jan-24 9:39 pm, Dan Purgert wrote:
> On 2024-01-30, Sylvia Else wrote:
>> This is really a rant - venting to release some of the frustration.
>>
>> I'm in the process of selling my house, and I need somewhere secure to
>> hold the proceeds. I decided I'd create an account with a bank I don't
>> otherwise bank with, and interact online with it using a live-DVD on a
>> system that has no storage. So no risk of key loggers or other hacks.
>> I'd remember the strong password, and not have it written down anywhere.
>
> Until you don't remember it, then what?
>
> Because let's face it, eventually we all forget the password.
>

If I say I won't forget, you've no real reason to doubt me. There are
many things that I've remembered for decades.

In the event that I really did forget, then I'd have to show up at one
of the bank's offices with physical identity documents.

Sylvia.


Spiros Bousbouras

Jan 30, 2024, 9:33:59 AM
On Tue, 30 Jan 2024 10:39:28 -0000 (UTC)
Dan Purgert <d...@djph.net> wrote:
> On 2024-01-30, Sylvia Else wrote:
> > This is really a rant - venting to release some of the frustration.
> >
> > I'm in the process of selling my house, and I need somewhere secure to
> > hold the proceeds. I decided I'd create an account with a bank I don't
> > otherwise bank with, and interact online with it using a live-DVD on a
> > system that has no storage. So no risk of key loggers or other hacks.
> > I'd remember the strong password, and not have it written down anywhere.
>
> Until you don't remember it, then what?
>
> Because let's face it, eventually we all forget the password.

That's a very presumptuous thing to say. I have my own ways of storing and
retrieving passwords (which may include just my memory) and I'm confident
they are secure and reliable enough. So don't include me in your "we".

I share Sylvia's frustration and it's not just with banks. Pretty much any
online site with an option to create an account, will also have some kind
of password reminder, usually sent to your email. Very often I have wished
for sites to offer the option when creating an account to disable any
password reminders but I have yet to see a site which does this.

D

Jan 30, 2024, 10:38:09 AM
Just for the record, please add me to the "we". When it comes to password
reset, I've never had a bank that does not have me go to their office in
person to set up accounts and change passwords.

Rich

Jan 30, 2024, 11:39:55 AM
Sylvia Else <syl...@email.invalid> wrote:
> This is really a rant - venting to release some of the frustration.
>
> I'm in the process of selling my house, and I need somewhere secure to
> hold the proceeds. I decided I'd create an account with a bank I don't
> otherwise bank with, and interact online with it using a live-DVD on a
> system that has no storage. So no risk of key loggers or other hacks.
> I'd remember the strong password, and not have it written down anywhere.
>
> Except that the banks insist on having a password reset option,
> validated using an SMS. This undermines my attempts at ensuring that the
> account remains secure.

True in a general security sense.

> I've tried telling banks (and other entities, indeed) that I don't want
> the ability to reset the password. No go, because such an option is not
> implemented in their systems.

Your request is the one odd one in a sea of others that all /rely/ on
the ability to reset passwords, and as banks are, well, /banks/ and not
security researchers, they simply will not understand why you want to
be "so different from everyone" -- and the result is a "can't do that"
answer (because, likely, they really can't do that).

> Telcos in Australia have some quite strict rules regarding transfer of
> mobile phone numbers, but the rules still get broken, and frauds
> committed thereby.

The US /supposedly/ has rules to prevent it as well, but an 'insider'
can always work around the rules, and so it happens here too.

> If someone perpetrated a fraud as a consequence of the SMS password
> reset, I'd have a good case that it was a fraud against the bank, rather
> than against me, and that it was therefore the bank's loss.
>
> Still, I'd rather not have to deal with it.

Agreed.

> I looked at having a SecurID® device as 2FA. But guess what? It can be
> used to reset the password.
>
> So I'm tearing my hair out. Why do banks have this huge blind-spot when
> it comes to resetting passwords?

Because banks are not "security researchers" and are instead simply
following the "best practices playbook" (which is also not written by
"security researchers" but may be written by "govt. regulators"). And
if the playbook says "provide ability to reset password with 2FA
security" and a separate chapter lists "SMS" as a valid 2FA method,
then they are "protected" (which in this environment means protected
from a charge of negligence for not following "best practices"). But
they are not in the business of "protecting" you -- they are in the
business of "protecting" themselves from negligence charges. The
amount of "protection" you receive as a secondary result of them
protecting themselves is what you end up seeing as your protection.

Julieta Shem

Jan 30, 2024, 11:40:04 AM
Spiros Bousbouras <spi...@gmail.com> writes:

> On Tue, 30 Jan 2024 10:39:28 -0000 (UTC)
> Dan Purgert <d...@djph.net> wrote:
>> On 2024-01-30, Sylvia Else wrote:
>> > This is really a rant - venting to release some of the frustration.
>> >
>> > I'm in the process of selling my house, and I need somewhere secure to
>> > hold the proceeds. I decided I'd create an account with a bank I don't
>> > otherwise bank with, and interact online with it using a live-DVD on a
>> > system that has no storage. So no risk of key loggers or other hacks.
>> > I'd remember the strong password, and not have it written down anywhere.
>>
>> Until you don't remember it, then what?
>>
>> Because let's face it, eventually we all forget the password.
>
> That's a very presumptuous thing to say. I have my own ways of storing and
> retrieving passwords (which may include just my memory) and I'm confident
> they are secure and reliable enough. So don't include me in your "we".
>
> I share Sylvia's frustration and it's not just with banks.

I share Sylvia's frustration as well. It's not just with banks. Things
are becoming ever more centralized. Centralization designs products and
services for the average customer, and businesses invest in shaping people
so that they fit their business model. Along with that, new cultural
values appear. People seem a lot less interested in serving people. We
have to fit in with the system now. People who keep their individuality
are a nuisance to the system.

I wonder what happens in the limiting case.

newsm...@ausics.net

Jan 30, 2024, 4:02:54 PM
Sylvia Else <syl...@email.invalid> wrote:
> This is really a rant - venting to release some of the frustration.
>
> I'm in the process of selling my house, and I need somewhere secure to
> hold the proceeds. I decided I'd create an account with a bank I don't
> otherwise bank with, and interact online with it using a live-DVD on a
> system that has no storage. So no risk of key loggers or other hacks.

Although probably a higher risk of running software that's missing
the latest security bug fixes, and therefore _might_ be vulnerable
to snooping on the encrypted data, or page content in web browsers
via JavaScript. I suppose you could run updates each time after
booting though.

> Except that the banks insist on having a password reset option,
> validated using an SMS. This undermines my attempts at ensuring that the
> account remains secure.

Yes the SMS requirement annoys me too, although for different
reasons related to me not frequently using a mobile at all. But I
only have online banking enabled for accounts from which I want to
make payments for online purchases, where I transfer the required
amount into them beforehand. Otherwise money is kept in accounts
that don't have online banking and I don't have to provide a mobile
phone number for them, although I believe it is an option for
verification with phone banking.

> I've tried telling banks (and other entities, indeed) that I don't want
> the ability to reset the password. No go, because such an option is not
> implemented in their systems.
>
> Telcos in Australia have some quite strict rules regarding transfer of
> mobile phone numbers, but the rules still get broken, and frauds
> committed thereby.

I wonder if there's an equivalent to 127.0.0.1 for mobile phone
numbers, where you _know_ they can't call anyone with that number
(even yourself)? CBA requires the SMS code while setting up and
using their online banking functions too though (rather annoying for
me because I keep my mobile phone in the car all the time).

> If someone perpetrated a fraud as a consequence of the SMS password
> reset, I'd have a good case that it was a fraud against the bank, rather
> than against me, and that it was therefore the bank's loss.
>
> Still, I'd rather not have to deal with it.

Yes I've had bank staff tell me about similar protections
when I say I don't want online banking, but it ignores the
immediate difficulty of finding that all your money's gone and
then having to wait penniless until the bank gets around to looking
into it (and hoping they're competent at doing so).

--
__ __
#_ < |\| |< _# | Note: I won't see posts made from Google Groups |

Sylvia Else

Jan 30, 2024, 5:45:38 PM
Just as an aside, when I created my online account for the bank, it told
me my user id, expressed as two four digit groups separated by a space.

But will it accept the user id in that format? No, of course not.

Sylvia.

Rich

Jan 30, 2024, 6:39:11 PM
This is far too common.

What it means is developer team 1, possibly at time 1, created the
"onboard a new user account" web pages, while developer team 2, likely
at different time 2, created the actual "log an existing user on" web
pages, and neither team talked or interacted with each other to learn
what the other team had done.

This is the same symptom that gives "password" fields that (if a
description is even provided) says "use any characters except $ and %
for your password" [1] yet when you actually try to use a password with
^ or # you mysteriously discover that # or ^ is also on the "you can't
use that" list, but not mentioned in the visible documentation. And
sometimes discover that the documented $ or % is actually acceptable.




[1] yes, a code smell for a developer that does not know what they are
doing

Mike Spencer

Jan 30, 2024, 6:57:02 PM
From the POV of finance (see "financialization of everything",
elsewhere) employees, customers, clients and also product, tangible or
otherwise, are externalities.

> I wonder what happens in the limiting case.

The ultimate promise of the computer, from the earliest days that its
development attracted corporate money, was, "Turn it on; money comes
out". Cryptocurrency is the closest we've come to this ideal but it's
not without problems. Morphing everything that everybody does into a
digital transaction, to the internal mechanisms of which no one [1] has
access, gradually expunging other routines for "what everybody does",
appears to be the leading candidate.

[1] Except for the digital priesthood within any given corporation.
Contemporary AI is offering some promise that systems for
extracting money from the biomass will soon be impenetrable
even to them.


--
Mike Spencer Nova Scotia, Canada

Bob Eager

Jan 30, 2024, 7:10:35 PM
On Tue, 30 Jan 2024 23:39:09 +0000, Rich wrote:

> Sylvia Else <syl...@email.invalid> wrote:
>> Just as an aside, when I created my online account for the bank, it
>> told me my user id, expressed as two four digit groups separated by a
>> space.
>>
>> But will it accept the user id in that format? No, of course not.
>
> This is far too common.
>
> What it means is developer team 1, possibly at time 1, created the
> "onboard a new user account" web pages, while developer team 2, likely
> at different time 2, created the actual "log an existing user on" web
> pages,
> and neither team talked or interacted with each other to learn what the
> other team had done.

I had a lot of trouble initially with the NHS app. It turned out that the
password I was using was too long. I think it stored the long version, but
truncated the one I typed in when logging in.




--
Using UNIX since v6 (1975)...

Use the BIG mirror service in the UK:
http://www.mirrorservice.org

Julieta Shem

Jan 30, 2024, 8:30:26 PM
Rich <ri...@example.invalid> writes:

> Sylvia Else <syl...@email.invalid> wrote:
>> Just as an aside, when I created my online account for the bank, it
>> told me my user id, expressed as two four digit groups separated by a
>> space.
>>
>> But will it accept the user id in that format? No, of course not.
>
> This is far too common.

[...]

Interesting that the richest industry is not actually able to hire a
competent professional.

Scott Dorsey

Jan 30, 2024, 8:41:45 PM
In article <87o7d2s...@yaxenu.org>, Julieta Shem <js...@yaxenu.org> wrote:
>
>Interesting that the richest industry is not actually able to hire a
>competent professional.

"Rich people did not get rich by spending money."
-- my uncle Paul
--
"It's a Nagra. It's Swiss, and very, very precise."

Julieta Shem

Jan 30, 2024, 9:10:00 PM
klu...@panix.com (Scott Dorsey) writes:

> In article <87o7d2s...@yaxenu.org>, Julieta Shem <js...@yaxenu.org> wrote:
>>
>>Interesting that the richest industry is not actually able to hire a
>>competent professional.
>
> "Rich people did not get rich by spending money."
> -- my uncle Paul

I think it's more profound than that. I think (1) the craft is a lot
more difficult than the average professional is able to understand; (2)
not to mention the average entrepreneur who hired the professional; (3) a
rich industry that targets poor people doesn't care: they have numbers
that say that they won't make more money by having some respect.

Sylvia Else

Jan 30, 2024, 9:32:28 PM
On 31-Jan-24 10:39 am, Rich wrote:
> Sylvia Else <syl...@email.invalid> wrote:

> This is the same symptom that gives "password" fields that (if a
> description is even privided) says "use any characters except $ and %
> for your password" [1] yet when you actually try to use a password with
> ^ or # you mysteriously discover that # or ^ is also on the "you can't
> use that" list, but not mentioned in the visible documentation. And
> sometimes discover that the documented $ or % is actually acceptable.
>

I once came across a site that validated the password against a set of
permitted characters at the time of login (why on Earth would it do
that?), and the set of characters was different from the set used to
validate the password when setting it.

So, of course, I'd set a password, and then found it rejected at login
because it contained an unacceptable character.

Sylvia.
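The three registration/login mismatches described above (Rich's forbidden-character list that differs from what is documented, Bob Eager's login field that truncated what he typed while the long version was stored, and Sylvia's login-time character check with a different character set) modelled side by side with a version in which both paths share one policy function. This is an added example, not code from any poster or from the sites they describe; the character sets, the 20-character field limit, the length bounds and the account names are constructed.

```python
import hashlib
import hmac
import os
import unicodedata

# Two ways a registration page and a login page can disagree, as described
# in the thread: a forbidden-character list that differs between the two
# forms, and a login field that silently truncates what was typed while
# registration hashed the full string. The constants below are constructed
# for the illustration, not taken from any real site.
SIGNUP_FORBIDDEN = set("$%")      # what the sign-up page documents
LOGIN_FORBIDDEN = set("$%^#")     # what a second team's login page enforces
LOGIN_FIELD_LIMIT = 20            # the login form cuts input here, silently


def _kdf(password: str, salt: bytes) -> bytes:
    """Slow password hash; the mismatches are independent of the KDF chosen."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class MismatchedAuth:
    """Two teams, two rule sets: a password that registers can fail to log in."""

    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes]] = {}

    def register(self, user: str, password: str) -> str:
        if SIGNUP_FORBIDDEN & set(password):
            return "rejected: forbidden character"
        salt = os.urandom(16)
        self._users[user] = (salt, _kdf(password, salt))   # full string hashed
        return "ok"

    def login(self, user: str, password: str) -> str:
        password = password[:LOGIN_FIELD_LIMIT]            # silent truncation
        if LOGIN_FORBIDDEN & set(password):                # drifted character rules
            return "rejected: forbidden character"
        salt, stored = self._users[user]                   # (no unknown-user handling)
        if hmac.compare_digest(_kdf(password, salt), stored):
            return "ok"
        return "rejected: bad password"


# Hardened form: one policy function, applied identically on both paths.
MIN_LEN, MAX_LEN = 12, 128


def password_policy(password: str) -> tuple[str, str]:
    """Return (normalised password, "") on success or ("", reason) on failure.

    Length is checked, never trimmed, and no printable character is banned:
    the hash accepts any input, so a denylist only creates drift between forms.
    """
    normalised = unicodedata.normalize("NFC", password)
    if not MIN_LEN <= len(normalised) <= MAX_LEN:
        return "", f"length must be between {MIN_LEN} and {MAX_LEN} characters"
    if any(unicodedata.category(c).startswith("C") for c in normalised):
        return "", "control characters are not allowed"
    return normalised, ""


class ConsistentAuth:
    """Registration and login share password_policy(), so whatever was
    accepted once is accepted again."""

    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes]] = {}
        self._dummy_salt = os.urandom(16)

    def register(self, user: str, password: str) -> str:
        normalised, reason = password_policy(password)
        if reason:
            return "rejected: " + reason
        salt = os.urandom(16)
        self._users[user] = (salt, _kdf(normalised, salt))
        return "ok"

    def login(self, user: str, password: str) -> str:
        normalised, reason = password_policy(password)
        if reason:
            return "rejected: " + reason
        # Unknown users still pay for one KDF call so timing does not reveal
        # whether the account exists.
        salt, stored = self._users.get(user, (self._dummy_salt, b""))
        candidate = _kdf(normalised, salt)
        if not stored or not hmac.compare_digest(candidate, stored):
            return "rejected: bad password"
        return "ok"
```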

D

Jan 31, 2024, 4:58:38 AM
It's actually easily explained. There is no market or regulatory pressure.
As long as that does not exist they won't do it.

Also remember that banks are an extension of the government, and therefore
have a massive say in the rules that will govern them. So what they do is
to develop rules and laws that are expensive for newcomers to follow but
easy for them.

Newcomers who design their solutions from scratch will have higher
security. Therefore there is no law that demands this since it would be
very costly for legacy banks.


Dan Purgert

Jan 31, 2024, 6:10:36 AM
On 2024-01-30, Spiros Bousbouras wrote:
> On Tue, 30 Jan 2024 10:39:28 -0000 (UTC)
> Dan Purgert <d...@djph.net> wrote:
>> On 2024-01-30, Sylvia Else wrote:
>> > This is really a rant - venting to release some of the frustration.
>> >
>> > I'm in the process of selling my house, and I need somewhere secure to
>> > hold the proceeds. I decided I'd create an account with a bank I don't
>> > otherwise bank with, and interact online with it using a live-DVD on a
>> > system that has no storage. So no risk of key loggers or other hacks.
>> > I'd remember the strong password, and not have it written down anywhere.
>>
>> Until you don't remember it, then what?
>>
>> Because let's face it, eventually we all forget the password.
>
> That's a very presumptuous thing to say. I have my own ways of storing and
> retrieving passwords (which may include just my memory) and I'm confident
> they are secure and reliable enough. So don't include me in your "we".

So if I was to sit you down at any freshly installed PC of your choice,
you could log in to *any* random service to which you have a
username/password combination *from memory* ?

Because if there is even a single service to which the truthful answer
(which, admittedly I will never know; because this is Usenet, and you
can vehemently deny it to your last post) is "well, actually, I'd
have to use [password-tool-of-choice] for that site"; then you are
solidly in the group of "people who have forgotten the password".

Sylvia Else

Jan 31, 2024, 6:35:00 AM
Just need to remember the one username and password for the site where the
backup copy of the encrypted password database is stored, and the
passphrase to decrypt that database. Not that hard.

Sylvia.




Spiros Bousbouras

Jan 31, 2024, 7:06:12 AM
On Wed, 31 Jan 2024 11:10:34 -0000 (UTC)
Dan Purgert <d...@djph.net> wrote:
> On 2024-01-30, Spiros Bousbouras wrote:
> > On Tue, 30 Jan 2024 10:39:28 -0000 (UTC)
> > Dan Purgert <d...@djph.net> wrote:
> >> On 2024-01-30, Sylvia Else wrote:
> >> > This is really a rant - venting to release some of the frustration.
> >> >
> >> > I'm in the process of selling my house, and I need somewhere secure to
> >> > hold the proceeds. I decided I'd create an account with a bank I don't
> >> > otherwise bank with, and interact online with it using a live-DVD on a
> >> > system that has no storage. So no risk of key loggers or other hacks.
> >> > I'd remember the strong password, and not have it written down anywhere.
> >>
> >> Until you don't remember it, then what?
> >>
> >> Because let's face it, eventually we all forget the password.
> >
> > That's a very presumptuous thing to say. I have my own ways of storing and
> > retrieving passwords (which may include just my memory) and I'm confident
> > they are secure and reliable enough. So don't include me in your "we".
>
> So if I was to sit you down at any freshly installed PC of your choice,
> you could log-in to *any* random service to which you have a
> username/password combination *from memory* ?

No. I will note in passing that even a yes answer would not necessarily
be unrealistic. It depends on how many online accounts one has. Someone
may only have an email online account and nothing more so would only
need to remember one password.

> Because if there is even a single service to which the truthful answer
> (which, admittedly I will never know; because this is Usenet, and you
> can vehemently deny it to your last post) is "well, actually, I'd
> have to use [password-tool-of-choice] for that site"; then you are
> solidly in the group of "people who have forgotten the password".

No, I am in the group of people who never memorised the password. I have
sites for which I have memorised a password and for those I don't worry
about forgetting it (unless I go senile but then I may forget many more
things so it becomes a more general problem). And I have sites for which
I made no effort to memorise the password and I have other ways of retrieving
it. And I also have sites for which I made a decision that I wasn't going to
use them again and eventually forgot the password. But I considered those
examples irrelevant to the discussion.

But my main point was that I do not want any help from the site in retrieving
forgotten or lost passwords because I often find that the method offered
reduces security and I resent the fact that sites do not offer the
possibility to turn off such methods.

In any case, I see now that I read in your post more than what you intended.
You said "then what?" and I interpreted that as suggesting that we all need
help from the website in retrieving passwords and that's what I found
especially presumptuous.

--
I am writing this mail to you with serious tears in my eyes and great
sorrow in my heart
An email offering me 30% of $7,200,200

Julieta Shem

Jan 31, 2024, 3:57:12 PM
That's a paragraph to the expert. I had to read on "financialization
of everything" and get a definition of externality. But, okay, I
understand the connection now. If customers and products are
externalities, then I think we are in agreement - businesses are not
really interested in what they're doing, which explains why so many of
them try various things until they finally "succeed". It doesn't
really matter how they get there.

>> I wonder what happens in the limiting case.
>
> The ultimate promise of the computer, from the earliest days that its
> development attracted corporate money, was, "Turn it on; money comes
> out". Cryptocurrency is the closest we've come to this ideal but it's
> not without problems. Morphing everything that everybody does into a
> digital transaction, to the internal mechanisms of which no one [1] has
> access, gradually expunging other routines for "what everybody does",
> appears to be the leading candidate.

You might be quite right.

Dan Purgert

Feb 1, 2024, 10:16:21 AM
You might want to re-read what was written.

Dan Purgert

Feb 1, 2024, 10:48:45 AM
> [...]
> In any case , I see now that I read in your post more than what you
> intended. You said "then what?" and I interpreted that as suggesting
> that we all need help from the website in retrieving passwords and
> that's what I found especially presumptuous.

I actually figured you were taking issue with the second line; since
it's the more explicit/direct statement that "everyone forgets the
password".

For a bank or other "very public institution that is generally very easy
to access", I can completely agree that "look, if/when you forget your
web-access password, come to the nearest branch" is (probably) a better
solution than a "forgot password" link and answering a couple of
questions about my dog.

But then, what about services that aren't "very public institutions that
are generally very easy to access" (Netflix / Amazon / Google / CC
Company / etc.)?

What would a viable "general" solution be? Call them? Email? Too bad,
create a new account?

Spiros Bousbouras

Feb 1, 2024, 12:57:20 PM
On Thu, 1 Feb 2024 15:48:43 -0000 (UTC)
Dan Purgert <d...@djph.net> wrote:
> On 2024-01-31, Spiros Bousbouras wrote:
> > No , I am in the group of people who never memorised the password.
> > [...]
> > In any case , I see now that I read in your post more than what you
> > intended. You said "then what?" and I interpreted that as suggesting
> > that we all need help from the website in retrieving passwords and
> > that's what I found especially presumptuous.
>
> I actually figured you were taking issue with the second line; since
> it's the more explicit/direct statement that "everyone forgets the
> password".
>
> For a bank or other "very public institution that is generally very easy
> to access", I can completely agree that "look, if/when you forget your
> web-access password, come to the nearest branch" is (probably) a better
> solution than a "forgot password" link and answering a couple of
> questions about my dog.

Yes, as long as the reminder option is safe enough (like personally going to
a building with ID), I have no problem with it.

> But then, what about services that aren't "very public institutions that
> are generally very easy to access" (Netflix / Amazon / Google / CC
> Company / etc.)?
>
> What would a viable "general" solution be? Call them? Email? Too bad,
> create a new account?

I have already indicated that in <L2PlxvxS...@bongo-ra.co>: "Very
often I have wished for sites to offer the option when creating an account to
disable any password reminders". So when logged in, one would have access to
an account boolean setting which would enable or disable password reminders.
If the user chooses "disable" and then forgets (or loses or whatever) their
password then that's it, they are locked out of their account forever and
ever. The site would offer appropriate warnings to that effect but ultimately
the user should have the option to disable reminders. If the user decides to
enable them, I don't have a view which would be the best method and I
haven't given it much thought because I would always choose to disable them.
(In a similar vein, I always choose for the site *not* to store credit card
information. How faithfully they implement this, I have no way of knowing.)

--
Every theatre is an insane asylum, but an opera theatre is the
ward for the incurables.
Franz Schalk
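An added example (not from any poster or any bank) that combines two points from this thread: Sylvia's, that an SMS reset code is only as strong as the telco's controls on moving a mobile number, and Spiros's proposal above of an account-level switch that disables remote password reset entirely. It is a reset-request decision function that honours the opt-out, refuses to trust an SMS code sent to a number changed within a cooldown window, and emits one audit line per request; the account fields, channel names, the 14-day window and the sample scenario are assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed policy model. Field names, channel names and the cooldown are
# assumptions for the example, not any bank's actual reset rules.
PORT_COOLDOWN = timedelta(days=14)   # assumed quarantine after a number change


@dataclass
class Account:
    user: str
    remote_reset_enabled: bool              # the opt-out Spiros asks for
    mobile_changed_at: Optional[datetime]   # last change/port of the SMS number


@dataclass
class ResetRequest:
    user: str
    channel: str             # "sms", "hardware_token" or "in_branch"
    requested_at: datetime
    factor_ok: bool = False  # the SMS code or token response matched


@dataclass(frozen=True)
class Decision:
    outcome: str             # "allow", "deny" or "step_up"
    reason: str


def decide_reset(account: Account, req: ResetRequest) -> Decision:
    """Return the outcome for one reset request.

    Order matters: in-branch identity checks bypass the remote machinery,
    the owner's opt-out is honoured before any factor is even looked at,
    and an SMS code sent to a freshly moved number is not trusted on its own."""
    if req.channel == "in_branch":
        return Decision("allow", "identity verified in person with documents")
    if not account.remote_reset_enabled:
        return Decision("deny", "owner disabled remote password reset")
    if not req.factor_ok:
        return Decision("deny", f"{req.channel} verification failed")
    if req.channel == "sms":
        changed = account.mobile_changed_at
        if changed is not None and req.requested_at - changed < PORT_COOLDOWN:
            return Decision("step_up",
                            "mobile number changed within cooldown; "
                            "require in-branch or hardware-token verification")
        return Decision("allow", "sms code accepted")
    if req.channel == "hardware_token":
        return Decision("allow", "hardware token response accepted")
    return Decision("deny", f"unknown reset channel {req.channel!r}")


def audit_line(account: Account, req: ResetRequest, d: Decision) -> str:
    """One log line per request; reset decisions should be reviewable later."""
    return (f"{req.requested_at.isoformat()} user={account.user} "
            f"channel={req.channel} outcome={d.outcome} reason={d.reason!r}")


def run_constructed_scenario() -> list[Decision]:
    """Constructed sample: one account whose number moved two days ago, hit by
    three SMS requests, plus an opted-out account trying SMS and then in-branch."""
    t0 = datetime(2024, 1, 30, 9, 0)
    alice = Account("alice", remote_reset_enabled=True,
                    mobile_changed_at=t0 - timedelta(days=2))
    locked = Account("sylvia", remote_reset_enabled=False, mobile_changed_at=None)
    requests = [
        (alice, ResetRequest("alice", "sms", t0, factor_ok=True)),             # step_up
        (alice, ResetRequest("alice", "sms", t0 + timedelta(days=15), True)),  # allow
        (alice, ResetRequest("alice", "sms", t0, factor_ok=False)),            # deny
        (locked, ResetRequest("sylvia", "sms", t0, factor_ok=True)),           # deny
        (locked, ResetRequest("sylvia", "in_branch", t0)),                     # allow
    ]
    decisions = []
    for account, req in requests:
        d = decide_reset(account, req)
        print(audit_line(account, req, d))
        decisions.append(d)
    return decisions


if __name__ == "__main__":
    run_constructed_scenario()
```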

Bruce Horrocks

Feb 6, 2024, 6:47:38 PM
On 30/01/2024 10:57, Sylvia Else wrote:
> On 30-Jan-24 9:39 pm, Dan Purgert wrote:
>> On 2024-01-30, Sylvia Else wrote:
>>> This is really a rant - venting to release some of the frustration.
>>>
>>> I'm in the process of selling my house, and I need somewhere secure to
>>> hold the proceeds. I decided I'd create an account with a bank I don't
>>> otherwise bank with, and interact online with it using a live-DVD on a
>>> system that has no storage. So no risk of key loggers or other hacks.
>>> I'd remember the strong password, and not have it written down anywhere.
>>
>> Until you don't remember it, then what?
>>
>> Because let's face it, eventually we all forget the password.
>>
>
> If I say I won't forget, you've no real reason to doubt me. There are
> many things that I've remembered for decades.

I don't doubt you, but your ability to remember a password that isn't
easily guessable and isn't re-used on multiple sites puts you in the top
0.1% of the population. Banks, however, have to deal with the remaining
99.9% as well.

> In the event that I really did forget, then I'd have to show up at one
> of the bank's offices with physical identity documents.

That's the last thing they want people doing. Imagine going into the
bank to find that there are 15 people ahead of you in the queue, all
waiting to go through a 5 minute process of showing documents to prove
their identity to get their password changed.

The banks don't want to pay their staff to change passwords, they want
to pay them to sell you a new savings account or to take out a loan.

FWIW my bank in the UK gives out a free card reader device, a bit like a
pocket calculator, for their 2FA system. To use it you insert your bank
card, enter your card PIN, which it validates using the chip in the chip
& PIN card, and then displays an 8-digit number to enter into the website.

You use this to log in initially (so no password to remember) and then
to re-authenticate prior to carrying out any sensitive actions such as
making a payment or changing personal details.

--
Bruce Horrocks
Surrey, England

Kerr-Mudd, John

Feb 7, 2024, 5:36:09 AM
These are being deprecated by my bank; they much prefer to SMS a
code to your phone.

--
Bah, and indeed Humbug.

Ian

Feb 7, 2024, 6:03:27 PM
Would that be the same bank that asks you for, e.g., the 3rd character of
your PIN and the 5th character of your password? This seems to mean
that they must have the plaintext of your PIN and password online. Doesn't
seem very secure...
--
*********** To reply by e-mail, make w single in address **************