Improving Netelller security measures

JAque · #1 10-16-2006, 01:11 AM

A I understand it, German banks require a validation code in additon to userid and password. For ever transaction , there is a transaction code (provided by the bank) that needs to be cross checked against a validation list provided to the customer when the account was created ( a list of 300) Therefore, if a hacker were to get your user id and password, he will still need the list to enter the next validation code (this list could be kept on paper,USB stick , etc so it can't be stolen from your PC). A keylogger will get your userid and password but it will not have the next validation code for the next transaction.
For example, for a single transaction you need your userid, password , transaction number (provided by bank at the time of the transaction ) and the validation code (provided by the user at the time of the transaction). All this information has to match for a transaction to go though.

In the case of Neteller, we may need a validation code for depositing. withdrawing and peer to peer transfers.
Ofcourse , the transaction codes are random and the validation codes will not be used in sequence. At one point the the codes have to be recycled or you will need to request more from Neteller.

I am sure there are holes using this approach but it makes it really hard for keyloggers and hackers that get into your PC unless they get a hold of your validation list.

thoughts ??

JAque

ubercuber · #2 10-16-2006, 01:37 AM

That sounds pretty damn slick to me. Now how do I open a bank account in Germany? (kidding. sort of.)

RikaKazak · #3 10-16-2006, 02:36 AM

sounds like a good idea, I hope they do it.

AcesFull · #4 10-16-2006, 05:56 AM

Neteller should use the RSA SecurID Authentication system. I've seen this security system used in some of the financial accounting systems of the big entertainment companies.

I have absolutely nothing to do with this company or a financial interest in it. I've just seen it in action before at two companies that I've done work for (in a unrelated to security issues).

In addition to the normal username and password, the login user has a physical SecurID card that continuously generates special authentication codes (it changes about every 40 seconds or so). The user must also input that special continously changing code after the password. The SecurID card is the size of a credit card, but about four times thicker. It's a solid plastic with no openings and the IC's contained within are destroyed if it's tampered with any opening attempt.

Here's a cut & paste from their website:

RSA SecurID Authentication
Securing your Future with Two-Factor Authentication

Do you really know who's accessing your most sensitive networked information assets? Unfortunately, security built on static, reusable passwords has proven easy for hackers to beat. A recent recommendation by the Federal Deposit Insurance Corporation (FDIC) makes this very clear-two-factor authentication is recommended to minimize identity theft.

RSA SecurID® two-factor authentication is based on something you know (a password or PIN) and something you have (an authenticator)—providing a much more reliable level of user authentication than reusable passwords. Organizations looking to validate specific financial transactions via transaction signing can also leverage the recent addition to the RSA SecurID hardware authenticator family. The RSA SecurID solution is the world's leading two-factor user authentication system, relied on by over 20,000 of organizations worldwide to protect valuable network resources.

JAque · #5 10-16-2006, 07:49 AM

Yes, it sounds exactly as I described except the validation code is created by the card with memory chip instead of a fix list of codes.

thanks

Antti · #6 10-16-2006, 08:33 AM

Both of my banks use this system too, and I really love it. My lists are also both one use only, you cross over the codes you've spent and when you've used all of your codes, you have to get a new code list. Without access to the list, you can't make a transaction. [img]/images/graemlins/heart.gif[/img]

kslghost · #7 10-16-2006, 08:58 AM

I've heard of this RSA card thing, but I'm sure it's too expensive. [img]/images/graemlins/frown.gif[/img]

AA Suited · #8 10-16-2006, 09:32 AM

[ QUOTE ]
I've heard of this RSA card thing, but I'm sure it's too expensive. [img]/images/graemlins/frown.gif[/img]

[/ QUOTE ]

5yrs ago, it was $80 per card

dont know how much it is now.

CybrPunk · #9 10-16-2006, 09:50 AM

[ QUOTE ]
I've heard of this RSA card thing, but I'm sure it's too expensive. [img]/images/graemlins/frown.gif[/img]

[/ QUOTE ]

I used to support a hospital network and our outside clients used these devices to login to our network and retrieve patient info. They were excellent and rarely had any complications. We charged doctors $65 per device and even they refused to pay for more than one in many cases, even when their daily operations required more than one person had access to the records. There were some doctors I know of that changed their daily operations to avoid the one time $65 fee. These are the same doctors whose homes I would visit to setup software on their home PCs and had furniture, artwork and other trinkets worth more than my car.

The truth is that most people don't see this level of security as a benefit because it costs them something to establish that security level. I don't believe many people will be willing to pay $65 for a device to secure their money, especially when many of the recreational players only deposit small amounts of money at any one time.

George Rice · #10 10-16-2006, 11:29 AM

Is there a problem with Neteller Security?

Even if you had my account number, password and secure ID number, I would be notified if you tried to change my bank account info or email address. So you would need a few days to actually get any of my money, and hope I didn't read my email for that amount of time.

I sure don't need even more of a hassle cashing out without a good reason.

As anyone experienced any problems?