Posted by drow on the 6th of September, 2006 at 4:30 pm under security.

I almost submitted this to the excellent Crypto-Gram newsletter, but I think it’s not actually all that evil. It’s still pretty depressing for what I considered a security-competent online bank, though.

The First Internet Bank of Indiana has announced that they will be enabling a new feature next week: First IB Security+.

You have to answer additional questions about yourself to gain access to your account. But the questions, or at least the answers, are selected by the user, from what I can tell, which means it's probably not hard for a determined adversary to acquire the answers, especially given that they must already have your online banking password. And sometimes you won't be asked the questions at all: if your account is configured to store a cookie on a particular computer, and the cookie is present, the questions are skipped.

They’re increasing the security of my online banking experience using _cookies_? Which, if your computer were hacked (one of the most likely ways for someone to get hold of your password), the hacker could already have copied, along with the question answers, probably? They can’t be IP-bound cookies either, not with the web proxy farms a number of ISPs now use and dynamic IPs still in use.
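To make the two paragraphs above concrete, here is an added simulation (my own code, not the bank's, and the account values are constructed) of the flow described: password, then security questions unless a remember-this-computer cookie is present. The first login function shows that a copied cookie is indistinguishable from the original; the second is a hardening I'm assuming, not something the bank announced, where the cookie is a single-use server-side token that is rotated on every login, so a copied cookie is still accepted once but the second presentation is flagged as a replay instead of silently succeeding.

```python
import hashlib
import secrets


def new_account():
    """Constructed sample account: one password, one security question."""
    return {"password": "correct-horse", "answer": "fluffy", "device_tokens": {}}


def _h(value):
    # Store only a hash of the token server-side, like a password hash.
    return hashlib.sha256(value.encode()).hexdigest()


def issue_device_cookie(account):
    """After a full login, hand this browser a random remember-me token."""
    token = secrets.token_urlsafe(32)
    account["device_tokens"][_h(token)] = "valid"
    return token


def login_as_deployed(account, password, cookie=None, answer=None):
    """The flow the post describes: if the cookie is present, skip the questions."""
    if password != account["password"]:
        return "denied"
    if cookie is not None and _h(cookie) in account["device_tokens"]:
        return "ok"  # cookie alone suffices; a copy from a hacked PC works too
    if answer == account["answer"]:
        return "ok"
    return "ask_questions"


def login_with_rotation(account, password, cookie=None, answer=None):
    """Assumed hardening: the token is single-use and rotated on each login.
    Whoever presents a token the second time (stolen copy or real user) is
    flagged, and every remembered device is dropped so the questions return."""
    if password != account["password"]:
        return "denied", None
    if cookie is not None:
        state = account["device_tokens"].get(_h(cookie))
        if state == "valid":
            account["device_tokens"][_h(cookie)] = "used"
            return "ok", issue_device_cookie(account)
        if state == "used":
            account["device_tokens"].clear()  # revoke all; require questions
            return "replay_detected", None
    if answer == account["answer"]:
        return "ok", issue_device_cookie(account)
    return "ask_questions", None
```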

I think that what they’re trying to accomplish is an anti-phishing technique: if you don’t expect to be asked questions, but you are, then there must be a man-in-the-middle attack in progress or something similar. So it’s an extension of making sure that you’re looking at an SSL-protected web page and that the certificate really is the one you think it is. There really must be a better way to do this - in fact, I think upcoming web browsers (both IE and Firefox) are supposed to have related features.

At least they’re not making anything worse. You still need the password, of course. So I think this is mostly a benign version of what Bruce Schneier calls “security theater”, neither harmful nor especially helpful.