Friday, February 6, 2009

NBK: Sticky-note Security

The National Bank of Kuwait has just introduced a new so-called security measure to its online banking portal, Watani Online.

Previously, you would just put in your card number and Watani Online password and click login, but it seems some security fanatics thought they should introduce extra steps to ensure the security and safety of clients' accounts.

In my opinion it's a bad move that will only inconvenience both clients and the help desk. Let's take a look at what has been done, and then I'll explain why.

(1) The first step was to select 5 questions out of many, and then provide answers for them.

(2) The second step was to choose a picture and a password phrase, which will be displayed as part of the login process.

(3) Then you enter your account password and log in (yes, you still have to do that).

(4) These are the options available to you once you have created the Watani Online Security Key, and how you can "manage" it.

So now that you've seen the steps and screens of the security measure, why is this not secure?
  • Answering those questions truthfully, with answers that really relate to you, makes them predictable and easy to guess.

  • Answering with random answers that have nothing to do with the questions is good practice; unfortunately, you'll most likely have forgotten them by the time you next log in (end of next month?).

  • Since you'll forget them, you'll write the questions and answers down on some paper, a sticky note, or in your mobile.
    So what good is this? It's no different from writing the account password on a sticky note.

  • After answering a random question correctly, you'll see the second screen, which says: If you recognize the picture, click proceed. (And it always shows the correct picture and password phrase!)
    Does this step make any sense to anyone?

  • After clearing two obstacles you come to the final one: entering your account's password. AT LAST! (Assuming you still remember it after all these questions, pictures and password phrases.)

  • One of the management features is to "register" your PC. I read the PDF NBK linked me to and it didn't provide any info on how this mechanism works, so I'm assuming it's a simple cookie.
    Cookies, anyone?
    Hotmail users used to be tricked into visiting malicious websites and had their accounts stolen through hijacked cookies. How is this any different? You could have an up-to-date antivirus, a firewall, and all Windows and browser patches and updates, but none of those can prevent a well-hidden piece of JavaScript from hijacking your delicious cookie(s).
    If your computer is secure, register it.
    NBK has thrown the ball into the client's court and assumed that clients (point-and-click users) can tell whether their computer is "secure" enough to use that feature, which most people will use because it skips the random question step!

  • The last option provided to "manage" the Security Key is that if you wish to change the questions, you call their support line. This is both good and bad.
    Calling the support line requires knowing your PIN code and card number, and since you forget a lot, you wrote these down on your sticky note along with the 5 questions. I'm guessing that if you call, they'd ask you for your civil ID number. But can't they ask for that online, too? Why bother with the support line? They already ask for parts of the civil ID when adding beneficiaries to transfer money to!
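The bullets above argue that the five questions are either guessable (truthful answers) or forgotten (random answers), and the comments below report an account being locked after a few wrong answers. What the server side of such a scheme should at least do is never store the answers in the clear, match them case-insensitively (as NBK's answers are), and lock the account after a small number of failures. The following is an added example written for this post, not NBK's code or any vendor's; the five questions, the answers and the lockout threshold of 3 are constructed sample values, and the function and class names are my own.

```python
import hashlib
import hmac
import os
import random
import unicodedata
from typing import Dict, Optional, Tuple

# Constructed sample enrolment data for the demo; not NBK's questions or anyone's real answers.
SAMPLE_QA = {
    "What is your favourite country?": "Kuwait",
    "What is your favourite movie?": "Tropic Thunder",
    "What was the name of your first school?": "Al-Noor Primary",
    "What is your mother's maiden name?": "Al-Salem",
    "What was your first car?": "Corolla 1998",
}


def normalize(answer: str) -> str:
    """Fold case, Unicode form and inner whitespace so 'Tropic  THUNDER ' matches 'tropic thunder'."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Slow, salted hash of the normalized answer, so a leaked database does not yield the answers."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"), salt, 100_000)
    return salt, digest


class ChallengeStore:
    """One user's enrolled questions, with a lockout after repeated wrong answers."""

    def __init__(self, qa: Dict[str, str], max_failures: int = 3) -> None:
        # Only salt + hash are kept; the plaintext answers are discarded after enrolment.
        self.records = {q: hash_answer(a) for q, a in qa.items()}
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False

    def pick_question(self, rng: Optional[random.Random] = None) -> str:
        """Choose one of the enrolled questions at random for this login attempt."""
        return (rng or random).choice(list(self.records))

    def check(self, question: str, answer: str) -> bool:
        """Constant-time comparison against the stored hash; counts failures and locks the account."""
        if self.locked or question not in self.records:
            return False
        salt, expected = self.records[question]
        _, got = hash_answer(answer, salt)
        if hmac.compare_digest(got, expected):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True  # from here on only an out-of-band reset (e.g. the phone line) helps
        return False


def demo() -> bool:
    """Enrol the sample answers, ask one random question, answer it in a different case."""
    store = ChallengeStore(SAMPLE_QA)
    question = store.pick_question(random.Random(1))
    return store.check(question, SAMPLE_QA[question].upper())
```

Normalizing before hashing is what makes the case-insensitive match possible without storing anything reversible; the lockout counter is what turns "easy to guess" into "three guesses, then a phone call", which is the behaviour one commenter below ran into.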

I contacted NBK through the messaging feature in Watani Online and received a dull answer. Below is my message:
Hello,

I have just gone through the WOL Security Key process and I believe that it's completely pointless. But before I continue, I'd like to note that I'm a computer engineer and have a healthy knowledge of security, so I'm not commenting just because I can!

The reason I think it's pointless is that, even though it provides great measurements against brute-force attacks, it fails at social engineering attempts and, even worse, it fails because people will forget whatever they filled in, if they chose to write answers that aren't related to the questions to avoid social engineering hacking attempts!

If your advice to the latter is to write the answers down, then your new "secure" measurement has proved just as secure as a sticky note with my password on it, stuck to my monitor.

I hope you see this as a constructive comment and I hope you find an alternative method to improve the security of your portal, and our accounts.

Thank you

And this is the reply I received:
Dear Mr. XXX,

We appreciate your valuable feedback, and would like to clarify that we have chosen the "WOL Security Key" since it is a proven security solution that has been implemented to ensure a safer online banking experience and protect your personal information.

Thank you for using Watani Online, if you require further assistance please do contact us.<?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" />

Kind regards,

XXX XXX

(yes, including the gibberish part!)

If I'm mistaken, please correct me. If, like me, you're inconvenienced by their measure, contact them and complain.

This reminds me of the time I called them to ask that Firefox be allowed to access their site (restricted to IE only) and said that I had circumvented their browser check and it worked fine with Firefox, only to be called a malicious hacker, introducing insecure software and not using the secure standard: IE 6. I didn't know whether to laugh or get upset.

12 comments:

Anonymous said...

Thanks for this detailed review. Whether it's good or bad, it will definitely create a large headache for clients and the help desk. An extra step needed to be taken by all banks, however, after the increased fraud.

Your point about questions: I have the absolute same concern. Right is too trivial, and fake will make me forget.

For the picture and phrase, I think its purpose is to fight malicious fake sites, which try to capture the same NBK look & feel with a similar URL. Now lots of people might miss it, but the fake site will have difficulty knowing the picture and phrase for all or a great number of cards. They have to do some work to get it. So if you happen to arrive at a fake site and get a wrong picture or phrase, you can easily tell there is something wrong. They should explain this piece of information further though.

However, I think it's still easy for a fake site, with little effort, to fake a request with your submitted NBK card number, get your photo and phrase from NBK, and then deliver it to you on their site. Is there a counter-measure here? I don't know.

Add a PC: Yeah, this made me curious also.
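The comment above asks whether anything stops a look-alike site from relaying the card number to the bank and fetching the picture and phrase, and the post itself guesses that "register this PC" is a simple cookie that page scripts could steal. Both concerns point at the same piece of server logic: the picture must only be revealed after a second factor (a valid device token, or a correct challenge answer), and the device token must be a signed, expiring value bound to one account, sent with HttpOnly and Secure so that injected JavaScript and plain-HTTP requests cannot read it. The following is an added example for this discussion, not NBK's implementation or any vendor's; the secret, the two card numbers, the image names and phrases, the cookie name and the 90-day lifetime are constructed values, and the function names are my own.

```python
import base64
import hashlib
import hmac
import json
import time
from http.cookies import SimpleCookie
from typing import Optional, Tuple

# Constructed secret and sample data for the demo; not NBK's keys, images or phrases.
SERVER_SECRET = b"demo-secret-rotate-and-keep-out-of-source-in-production"
SITE_KEYS = {
    "4000000000000001": ("falcon.png", "desert sunrise"),
    "4000000000000002": ("dhow.png", "blue lagoon"),
}
COOKIE_NAME = "wol_device"
DEFAULT_TTL = 90 * 86400  # 90 days, a constructed choice


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _subject(card_number: str) -> str:
    # Never put the card number itself in the cookie; a keyed hash is enough to bind the token to it.
    return hmac.new(SERVER_SECRET, card_number.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def issue_device_token(card_number: str, ttl_seconds: int = DEFAULT_TTL, now: Optional[int] = None) -> str:
    """Mint a signed, expiring token bound to one account ("register this PC")."""
    issued = int(time.time()) if now is None else int(now)
    claims = {"sub": _subject(card_number), "exp": issued + ttl_seconds}
    payload = json.dumps(claims, separators=(",", ":")).encode("utf-8")
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_device_token(token: str, card_number: str, now: Optional[int] = None) -> bool:
    """Accept only if the signature is intact, the token has not expired, and it belongs to this account."""
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig_b64), expected):
            return False
        claims = json.loads(payload)
    except (ValueError, TypeError):
        return False
    current = int(time.time()) if now is None else int(now)
    return claims.get("exp", 0) > current and hmac.compare_digest(str(claims.get("sub", "")), _subject(card_number))


def device_cookie_header(token: str, ttl_seconds: int = DEFAULT_TTL) -> str:
    """Set-Cookie line: HttpOnly keeps the token away from page scripts, Secure keeps it off plain HTTP."""
    jar = SimpleCookie()
    jar[COOKIE_NAME] = token
    jar[COOKIE_NAME]["httponly"] = True
    jar[COOKIE_NAME]["secure"] = True
    jar[COOKIE_NAME]["samesite"] = "Strict"
    jar[COOKIE_NAME]["max-age"] = ttl_seconds
    jar[COOKIE_NAME]["path"] = "/"
    return jar.output(header="Set-Cookie:")


def site_key_for(card_number: str, device_token: Optional[str] = None,
                 challenge_passed: bool = False, now: Optional[int] = None) -> Optional[Tuple[str, str]]:
    """Reveal picture and phrase only after a second factor: a valid device token or a correct challenge answer.
    A request carrying the card number alone gets nothing, so a look-alike site cannot simply relay it."""
    if card_number not in SITE_KEYS:
        return None
    if challenge_passed or (device_token and verify_device_token(device_token, card_number, now)):
        return SITE_KEYS[card_number]
    return None
```

The gate in `site_key_for` is the counter-measure the comment asks about: the card number is public-ish information, so it must never be sufficient on its own to fetch the image. The token binding and the HttpOnly/Secure attributes address the post's cookie worry; they do not make a compromised PC safe, but they do stop a token copied from one account being replayed for another, and keep it out of reach of a script injected into the page.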

MBH said...

They already have my full name and civil ID, why not use those?

Any phishing site won't have them!

As I mentioned, they request me to enter parts of my civil ID to confirm my identity when adding beneficiaries.

Nemo said...

I didn't like it :S:S:S

I did that a few days ago .. and today I wanted to check my account

question 1: what's your fav country?
I forgot

question 2: what's your fav movie?
I forgot

question 1 again: forgot ...

account locked .. call 801801
I didn't call (lazy)
I'll call when I need to :p

MBH said...

Nemo, LOL!
POINT PROVED!

I have to admit that I wrote them down because I didn't want to go through the inconvenience of having to call when I need to access my account (usually I'm in a hurry and it's urgent)

Anonymous said...

wait wait! I think I'm gonna cry here.

Nemo: First, how could you forget your favorite movie? Just curious :)

Second, are they gonna ask these 5 questions every time I log in? I logged in just today and didn't get them. Is it because I added my PC, which I already have some doubts about?

Heck, I really need the online for serious work :/ I can't tolerate any 1-day delays

Anonymous said...

MBH: Sorry, I just realized your first comment is for me. I was blindly looking for "Bashar:" to know it's for me :)

Civil ID: You have a point. General sites like Yahoo don't have this civil ID luxury. I think it's less convenient for some people though since they don't recall their civil ID, and may not have it. I'm guessing here they do remember the photo and phrase however :)

MBH said...

Bashar, if you added/registered your PC, you don't get a random question out of the five.

Seriously? You're not willing to memorize your civil ID, but willing to memorize 5 different questions & their answers (assuming non-relative answers)??? :/

Who cares about general sites? This is specific to MY BANK! They should utilize what info they have instead of flooding their database with more info.

I think they just got this as a ready-made package and deployed it as is.

Nosayba El-Sayed said...

All hail KFH :P

@NBK
This measure sounds very impractical. The questions can easily be answered by relatives and friends.

@Favorite Movies
I would normally have different answers when I'm asked what's my favorite movie too, since I have several ones; depends on one's mood really.

@Favorite Countries
No, come on, that one's too much :D

Nemo said...

favorite movie: I don't know, I thought it was Tropic Thunder but maybe I chose something else!

favorite country: I thought it was Kuwait but it turned out wrong!! I still have no idea what country I would have put instead!

Are the answers case-sensitive??

Once I call them to unlock my account I will write all the answers down and save them in my email :p

MBH said...

Nemo, I do NOT recommend that you save it in your email AT ALL!

In any case where your account is hacked, you will very much regret that!

The answers to the questions are NOT case sensitive.

Mahbob said...

I don't like the picture part, because they are forcing me to choose from a collection I don't like. Also, all hackers know what pictures it can be, so they can save all the pictures and randomly bring one, and because I'm the victim and don't remember what I don't like, I will accept it. So I think it is better to upload my own picture, so I'm the only one who knows what picture; otherwise it sucks. You can see my review:

http://dr-mahbob.com/blog/2009/02/03/wol-security-key-vs-yahoo-sign-in-seal/

MBH said...

Mahbob,
I think the variety of pictures that NBK has should contain at least one point of interest for every person out there.

I agree with you that selecting your own picture would make it stick more in your memory, but so would choosing a cute kitten picture if you're a cat fan! Overloading the servers with images uploaded by users isn't needed.

Also, if you let users upload their own images, as a bank you'd need to manage/restrict types of images, resize them, and even worse: store them!

I'm glad that you compared it to Yahoo. It shows multiple ways of implementing such solutions.