Barclay doing away w/ the 2 screen login process

Topic Author
batpot
Posts: 1217
Joined: Thu Jul 11, 2013 8:48 pm

Barclay doing away w/ the 2 screen login process

Post by batpot »

Just got an email:
We're simplifying the log in process for Barclays Online Banking.
This month, we will be removing the log in step that asks you to verify your SafeKeys® image and phrase. Once these are removed, you'll simply enter your user name and password for account access. You don't need to make any updates or changes to your log in information. Please note, if we don't recognize the device you are logging in from, we will ask you to verify it by answering the challenge questions you selected when you set up your account.
This simplified log in process will be quicker and easier without sacrificing any account security.

We hope you'll enjoy this enhancement to your online banking experience.
I always assumed the 2 screen process was more secure, but didn't understand why it wasn't more widely used.

Maybe Vanguard will do away with it, too.
abuss368
Posts: 23772
Joined: Mon Aug 03, 2009 2:33 pm
Location: Where the water is warm, the drinks are cold, and I don't know the names of the players!

Re: Barclay doing away w/ the 2 screen login process

Post by abuss368 »

Thank you for the update.
John C. Bogle: “Simplicity is the master key to financial success.”
dolphinsaremammals
Posts: 2094
Joined: Tue Jul 22, 2014 4:18 pm

Re: Barclay doing away w/ the 2 screen login process

Post by dolphinsaremammals »

I always assumed the two screen thing was more secure. Otherwise it doesn't seem to make much sense.
gkaplan
Posts: 7034
Joined: Sat Mar 03, 2007 8:34 pm
Location: Portland, Oregon

Re: Barclay doing away w/ the 2 screen login process

Post by gkaplan »

My Bank of America credit card log-in is doing away with the two-screen log-in, as well.
Gordon
Mudpuppy
Posts: 6666
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Barclay doing away w/ the 2 screen login process

Post by Mudpuppy »

The two-screen login is more security theater than actual security. The idea was that it let you detect a phishing attack because attackers "won't be able" to replicate the picture and caption. The problem is, it's really rather easy for attackers to replicate the picture and caption. All the attacker has to do is to set up the phishing website to act as a pass-through (e.g. man-in-the-middle) and just send your username on to the server, get your picture and caption back, and display it to you.

Since it really doesn't provide any security, and I'm sure it costs them a pretty penny, I'm not surprised they're moving away from it. Hopefully, they are moving towards other methods that actually provide security, like improving their encryption ciphers and offering two-factor authentication.
abuss368
Posts: 23772
Joined: Mon Aug 03, 2009 2:33 pm
Location: Where the water is warm, the drinks are cold, and I don't know the names of the players!

Re: Barclay doing away w/ the 2 screen login process

Post by abuss368 »

What is the point of the two screen sign on to begin with? Was the additional "security" a log on "picture" that the user selected?
John C. Bogle: “Simplicity is the master key to financial success.”
nordlead
Posts: 739
Joined: Thu Sep 12, 2013 9:09 am

Re: Barclay doing away w/ the 2 screen login process

Post by nordlead »

abuss368 wrote: What is the point of the two screen sign on to begin with? Was the additional "security" a log on "picture" that the user selected?
Typically (but not always) the second login was a picture and maybe a quote.

The idea is that it prevents phishing, as when you enter your username it would display that, and if you didn't see it you knew it wasn't the official website. But, as Mudpuppy pointed out, it is easy to defeat. The fake website just requests the page for the username you entered and forwards the image and quote, and now it is a useless tool.
abuss368
Posts: 23772
Joined: Mon Aug 03, 2009 2:33 pm
Location: Where the water is warm, the drinks are cold, and I don't know the names of the players!

Re: Barclay doing away w/ the 2 screen login process

Post by abuss368 »

nordlead wrote:
abuss368 wrote: What is the point of the two screen sign on to begin with? Was the additional "security" a log on "picture" that the user selected?
Typically (but not always) the second login was a picture and maybe a quote.

The idea is that it prevents phishing, as when you enter your username it would display that, and if you didn't see it you knew it wasn't the official website. But, as Mudpuppy pointed out, it is easy to defeat. The fake website just requests the page for the username you entered and forwards the image and quote, and now it is a useless tool.
Hi nordlead,

Now I understand better.

Thank you!
John C. Bogle: “Simplicity is the master key to financial success.”
BackOfTheNet
Posts: 248
Joined: Mon Nov 30, 2009 9:24 pm

Re: Barclay doing away w/ the 2 screen login process

Post by BackOfTheNet »

Barclays "two screen" is actually worse than one. Try this.

1.) juniper.com: Type your username and hit login. Notice you get a screen with your security image and phrase.

2.) juniper.com: Type a fake username and hit login. Notice you are immediately asked for a password (no security image and no phrase).

With this difference, a hacker can differentiate between a valid and invalid username. I worked on a web application about 10 years ago that defended against this attack by presenting a fake image and a fake phrase.
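The mitigation BackOfTheNet describes, returning a decoy image and phrase for unknown usernames so the first login step looks the same whether or not the account exists, as an added example in Python. This is illustrative code written for this thread, not Barclays' or any bank's implementation; the catalogue entries, enrolled users, `SERVER_SECRET` and the function names are constructed for the example. The decoy is derived with an HMAC over the username so a repeated lookup of the same fake username is consistent (a freshly randomized decoy would change between requests, which is itself a tell), and the leaky variant that answers differently for unknown users is shown beside it for contrast.

```python
"""Added example (not from the forum thread): a first-step login handler that
returns a security image and phrase for *every* username, so the response
shape does not reveal whether the account exists."""
import hmac
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample data for the example. A real deployment would load the
# secret from a key store and the enrolled choices from the user database.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"
IMAGE_CATALOGUE = ["img_0042", "img_0107", "img_0311", "img_0520"]
PHRASE_CATALOGUE = ["blue kettle", "quiet harbour", "paper lantern", "tin whistle"]
ENROLLED = {
    "alice": ("img_0107", "quiet harbour"),
    "bob": ("img_0311", "tin whistle"),
}


@dataclass(frozen=True)
class StepOneResponse:
    image_id: str
    phrase: str
    # Opaque token the client sends back with the password in step two.
    # It carries no information about whether the account exists.
    challenge_token: str


def _decoy_for(username: str) -> tuple:
    """Deterministic decoy for unknown usernames: HMAC(secret, username)
    picks an image and a phrase, so repeated lookups stay consistent."""
    mac = hmac.new(SERVER_SECRET, username.encode("utf-8"), hashlib.sha256).digest()
    image_id = IMAGE_CATALOGUE[mac[0] % len(IMAGE_CATALOGUE)]
    phrase = PHRASE_CATALOGUE[mac[1] % len(PHRASE_CATALOGUE)]
    return image_id, phrase


def step_one_leaky(username: str) -> Optional[StepOneResponse]:
    """The behaviour described in the post above: unknown usernames get no
    image/phrase screen at all, so the response reveals account existence."""
    real = ENROLLED.get(username.strip().lower())
    if real is None:
        return None  # caller falls straight through to the password prompt
    return StepOneResponse(real[0], real[1], secrets.token_urlsafe(16))


def step_one(username: str) -> StepOneResponse:
    """Hardened variant: identical response shape for known and unknown users.
    The decoy is computed on every request, not only on the miss path, so the
    amount of work (and roughly the timing) does not depend on the branch."""
    normalized = username.strip().lower()
    decoy_image, decoy_phrase = _decoy_for(normalized)
    real = ENROLLED.get(normalized)
    image_id, phrase = real if real is not None else (decoy_image, decoy_phrase)
    return StepOneResponse(image_id, phrase, secrets.token_urlsafe(16))


def responses_indistinguishable(a: StepOneResponse, b: StepOneResponse) -> bool:
    """Structural check a reviewer can run: both responses draw from the same
    catalogues and carry a token of the same length."""
    return (a.image_id in IMAGE_CATALOGUE and b.image_id in IMAGE_CATALOGUE
            and a.phrase in PHRASE_CATALOGUE and b.phrase in PHRASE_CATALOGUE
            and len(a.challenge_token) == len(b.challenge_token))


if __name__ == "__main__":
    print("leaky, unknown user:", step_one_leaky("nobody-here"))
    print("hardened, unknown user:", step_one("nobody-here"))
    print("hardened, enrolled user:", step_one("alice"))
```

Note that the decoy only closes the enumeration gap in the first step; the second step (password check) still has to respond identically for unknown users and wrong passwords, and, as the earlier posts explain, none of this stops a pass-through phishing site from relaying the real image.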
agent13x
Posts: 90
Joined: Sat Mar 22, 2014 1:35 pm
Location: Nebraska

Re: Barclay doing away w/ the 2 screen login process

Post by agent13x »

There are two pieces to website login security.

1) The website authenticates *you*. This is your login and password.

2) The purpose of the second page with a picture or phrase is *you* authenticating that you are on the right website.

The previous comment was right, in that this extra step can be dealt with easily by a dedicated attacker. Companies would be better off implementing a two factor authentication scheme instead.

But really, in my opinion as an information security engineer, the user of a website should be much more concerned with how their information is handled by the company in the background, not necessarily how the login process works. All of the big hacks you see on the news are from hackers dumping entire databases of information, not hackers targeting a couple of users' login info.