Loyalty fraud
#16
Original Poster
Join Date: Dec 2002
Location: MUC
Programs: LH SEN
Posts: 52,637
Ok, my question was more aimed at loyalty programmes, but banking-wise we are nicely covered in Germany: they have thrown every possible method at me so far:
- Transaction number (TAN) list: the bank asks you to enter number xx on the list of 200 or so
- mobile PIN: the bank sends me a text message to verify the transaction
- TAN generator: press a button on a device and get the TAN number, which is probably a function of time (similar to RSA, but with a twist)
- the latest is a device into which you stick your debit card (the one with a chip), hold it against the screen that shows a flickering barcode-like gif, and it reads back parts of the transaction and the TAN
With national IDs incorporating chips in Europe, devices have appeared on the market where you can log in to multiple sites using the national ID and a PIN. LH M&M has signed up with them, but I suppose that won't help a customer in Brazil...
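The TAN methods listed in the post above differ in one important respect: a time-based generator proves that the device is present, while the chip-card reader that "reads back parts of the transaction" also binds the code to the recipient and amount. The following is an added example, not code from the post or from any bank; the secret, IBANs and counter are constructed, and the MAC construction (HMAC-SHA256 with RFC 4226-style truncation) is an assumption about how such a token could be built, not a description of a real product.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed example secret. In a real TAN generator this key never leaves
# the card chip; here it is a fixed constant so the example runs offline.
CARD_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def _truncate(mac: bytes, digits: int = 6) -> str:
    """Dynamic truncation as in RFC 4226: take 4 bytes at an offset given by
    the last nibble of the MAC and reduce them to a decimal code."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def time_tan(secret: bytes, at: Optional[float] = None, step: int = 60) -> str:
    """Button-press token: the TAN depends only on the secret and the current
    time slice, so it proves possession of the device but says nothing about
    which transaction it authorises."""
    now = time.time() if at is None else at
    counter = int(now // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    return _truncate(mac)


def transaction_tan(secret: bytes, counter: int, iban: str, amount_cents: int) -> str:
    """chipTAN-style token: the recipient account and amount shown on the
    reader's own display are mixed into the MAC, so the TAN is only valid
    for the exact transaction the customer confirmed on the device."""
    msg = struct.pack(">Q", counter) + iban.encode("ascii") + struct.pack(">Q", amount_cents)
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return _truncate(mac)


def bank_verify(secret: bytes, counter: int, iban: str, amount_cents: int, tan: str) -> bool:
    """The bank recomputes the TAN from the transaction it actually received."""
    expected = transaction_tan(secret, counter, iban, amount_cents)
    return hmac.compare_digest(expected, tan)


def demo() -> dict:
    """The customer confirms a transfer on the reader; a banking trojan then
    rewrites the recipient in the browser before the order reaches the bank."""
    counter = 17                                      # per-card transaction counter
    intended = ("DE89370400440532013000", 12_050)     # constructed IBAN, 120.50 EUR
    tampered = ("DE02120300000000202051", 12_050)     # constructed attacker IBAN
    tan = transaction_tan(CARD_SECRET, counter, *intended)
    return {
        "tan": tan,
        "genuine_accepted": bank_verify(CARD_SECRET, counter, *intended, tan),
        "tampered_accepted": bank_verify(CARD_SECRET, counter, *tampered, tan),
        # a time-based TAN is the same for every order within one time slice
        "time_tan_stable": time_tan(CARD_SECRET, at=1_000) == time_tan(CARD_SECRET, at=1_019),
    }


if __name__ == "__main__":
    print(demo())
```

The point of `transaction_tan` is the failure mode it closes: a code from `time_tan` would be accepted for whatever order the browser submitted, whereas the transaction-bound TAN fails verification as soon as the IBAN the bank receives differs from the one the reader displayed.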
#17
Join Date: Oct 2012
Posts: 970
I use Roboform. If they crack that, I'd be in trouble. But thankfully, I visit most of my financial accounts on almost a daily basis, so would notice fraud fairly quickly. But it is good I don't have a slew of accounts. 2 Bank accounts, 4 brokerage accounts, 5 cc accounts - a manageable number. I have hundreds of non-financial accounts from over the years - quite astonishing to see how many I've had to sign up for. Clearly, no way of remembering all the passwords. I barely remember the ones I visit almost every day...
My safest account is Interactive Brokers. They have one of those one-time generated password fobs, plus require 2 additional passwords to login. I wouldn't mind that for every account, but then you'd need a separate fob for each institution. Simply not workable. And I remember a few months ago I saw a news report where one of the "one time super secure" fobs was hackable (if I recall correctly, apparently wasn't generating random numbers and with proper hacking tools, you could predict the "one time" password)
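The report the poster recalls describes a generic weakness rather than a property of one-time codes as such: if the code is a deterministic function of a small internal state, an attacker who sees a few codes can search the state space and print the next one. The example below is added here and models a hypothetical fob, not any real product; the 20-bit linear congruential generator, its constants and the seed are all constructed to make the search fast enough to run on a laptop.

```python
from typing import List, Set, Tuple

# Hypothetical fob design (not any real product): a linear congruential
# generator with a 20-bit internal state whose low decimal digits are shown
# as the "one-time" code. Real tokens keep a 128-bit or larger secret and
# derive codes with a keyed MAC; this toy is deliberately weak.
MOD = 1 << 20
A = 1_664_525
C = 1_013_904_223


def _step(state: int) -> int:
    """Advance the generator by one code."""
    return (A * state + C) % MOD


def _code(state: int) -> str:
    """Six-digit display of the current state."""
    return f"{state % 1_000_000:06d}"


class WeakFob:
    """Generates six-digit codes from the tiny LCG state."""

    def __init__(self, seed: int) -> None:
        self.state = seed % MOD

    def next_code(self) -> str:
        self.state = _step(self.state)
        return _code(self.state)


def predict_next(observed: List[str]) -> Set[str]:
    """Attacker's side: try every possible internal state, keep those that
    reproduce the observed codes in order, and return the code each survivor
    would show next. 2**20 candidates take well under a second."""
    targets = [int(c) for c in observed]
    predictions: Set[str] = set()
    for start in range(MOD):
        state = start
        for t in targets:
            state = _step(state)
            if state % 1_000_000 != t:
                break
        else:
            predictions.add(_code(_step(state)))
    return predictions


def demo() -> Tuple[str, Set[str]]:
    """Three codes leak (shoulder-surfing, phishing); the fourth is predicted."""
    fob = WeakFob(0xBEEF1)                          # constructed device seed
    observed = [fob.next_code() for _ in range(3)]
    predicted = predict_next(observed)
    actual = fob.next_code()
    return actual, predicted


if __name__ == "__main__":
    actual, predicted = demo()
    print("next code shown by the fob:", actual)
    print("attacker's prediction(s):", predicted)
```

The same search is what a properly built token has to defeat: with a 128-bit device secret and codes derived by a keyed MAC, enumerating the state is out of reach, and observed codes give the attacker nothing to replay because each one is consumed on use.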
#18
FlyerTalk Evangelist
Join Date: Aug 2001
Location: Finally back in Boston after escaping from New York
Posts: 13,684
#19
Join Date: Feb 2010
Location: US
Programs: (PM)AA SPG (Marriott), Hilton
Posts: 1,040
Making the internet, online payment systems, banking, loyalty programs, etc more and more difficult for busy and older people to use DOESN'T work.
Not to single out anyone's suggestion, but the idea of having 3 passwords to log into an airline loyalty program is just...ridiculous.
To avoid your concerns about it being too complex for you, it could always be opt-in or user set. You can set your first level to be 'all-access' and never use the additional security. Someone else can set their first level to read-only and their second to all-access.
American Express has optional fraud alert levels. Set it to alert you at $50 or $5000 depending on what you think a large transaction is, or turn it off and don't use it. Other security can be optional in the same way.
Multi-level access is already implemented in existing systems. Think of a retail outlet where the clerk needs to get a "Manager Override" to do something non-routine. Most of their transactions don't require this, and yes, the last words we want to hear are "I need to call a manager" but it also stops the clerk from 'refunding' their pal the entire contents of the cash drawer.
Point is, there are better ways we could be doing things with regard to all online systems.
#20
Join Date: Apr 2004
Programs: AA, UA, SQ, VA, QF, AF, BA
Posts: 2,885
I wish they would replace passwords with a question that you compose and designated answer. There are just so many possible formats for passwords these days. Some want 4 digits, some want 6 digits, some want alpha, some want alpha, numeric, upper and lower case.
There was one (can't remember which one) where you type in your own question and your own answer. Why can't they all do that?
#22
Join Date: Oct 2009
Location: Land of the parrots and parrotheads
Programs: Several dozen
Posts: 4,820
Ding, ding ding! The lack of standardization of account security measures (as well as the credit/debit card readers (do I need to sign, not sign, press this, press that?)) is an absolute mess. In a word the financial system is a disaster waiting to happen - not adequately hardened at all, IMHPO. Not a month goes by that I don't spot something broken that should not be broken.
All systems should allow you to create your own question, IMHPO. We need to ISO the financial system because banks just ain't too big to derail.
#23
In memoriam
Join Date: Jan 2006
Posts: 4,020
An interesting thread--and one, IMHO, which is pretty much completely mistaken. @:-)
The problem is not folks, young or old, who don't create, can't remember passwords.
Rather, the internet system is just plain not secure. Wasn't really designed to be secure and all the kludging in the world is not going to fix it.
Unfortunately, the financial world leapt onto the net to market and cut costs without looking forward. Now, there is no going back.
In other words, it's not your fault. It is the financial institutions which have failed to make the system secure--okay, Microsoft ain't helping much.
Secure passwords and hints are nice (and may help a bit). They are not going to solve the problem--not even your personal security problem.
Wish I had a solution that looked likely to be put into practice.
#24
Join Date: Oct 2009
Programs: UA LT 1K/DL Plat/Hilton LT ♦/Hyatt Carbonado/Wyndham ♦/Marriott PE .
Posts: 5,736
These are all absolutely terrible suggestions. No offense, guys. I realize they are the standard suggestions, and you mean every good thing by offering them. But there is lots of evidence that more and tougher passwords don't work, more and tougher security questions don't work, and so on. Why is that? Pretty simple. The human brain.
Nobody over the age of 23 or so can remember multiple passwords. Having a different password for every account is guaranteed hours lost out of your week every month -- if not every week. "Where do you go to high school? Corey Feldman." Like you're going to remember THAT eight years (or even 8 months later). I remember once chewing out my broker. "It won't let me log in because it wants to know my favorite movie. Hello, I'm an adult? I don't have a favorite movie." Later, when I realized what it was, I felt pretty foolish. I could have googled myself on the internet and found out what it was. Everybody in the world could have answered that question...except me. [Don't get excited, bad guys. I gave up on jumping through hoops every time I wanted to make a trade and closed the account.]
The more passwords, the more questions...the more your account is available only to the evil doer while you can't get into it yourself. You can't store all this garbage in retrievable form in the human brain so there must be some kind of storage system, on your computer, scribbled on a piece of paper, or whatever. Each of these systems leaves you vulnerable to being attacked, while providing an increasingly higher difficulty in you being able to use the program. Meanwhile, because you must have the information at your fingertips, the information is 1) very easy for family members, housekeepers, and other people who have access to your home to steal, and 2) the bank, CC company, etc. will NOT protect you --instead, they will threaten to prosecute you for fraud for giving the password to someone else and presumably splitting the proceeds.
I know a victim very well who is still paying off what her daughter stole from her and she'll be paying off this debt for the rest of her life. On a credit card that would have had zero liability if some stranger in eastern Europe had stolen the money. Making these passwords etc. more difficult does not help older and vulnerable people. It hurts them. Because the company comes back and says, "Well, you must have given her the information because nobody would just figure out, 'where did you go to high school' 'corey feldman.'" And older people don't have enough time left to go to court and hope justice is done...
I won't say I know all the answers. I will say that I know what DOESN'T work. Making the internet, online payment systems, banking, loyalty programs, etc more and more difficult for busy and older people to use DOESN'T work. That's why more and more people give up and give their passwords over to third party services. When you have someone else control your "wallet," you are responsible and you are out the money, miles, etc. any time you turn your password over to somebody else. I don't think there is any real legal debate about this. I could be wrong. But from what I've seen, all the business in question has to do is point out that you shared your password, and if your account is mis-used, it's YOUR problem. And if it's a family member who got the log in information, even if they stole it by snooping, because it was too much for you to remember so you had to record it SOMEWHERE...the company will CLAIM you shared it, and it will be a "he said, she said" situation.
Not to single out anyone's suggestion, but the idea of having 3 passwords to log into an airline loyalty program is just...ridiculous. Frustrating, time wasting, and, really, just not the way to treat older and busy customers who do have money to spend and shouldn't be forced to jump through endless hoops like trained seals.
Never, ever leave any passwords on your computer or PDA. It is just too easy to extract them if you lose control of your device.
Try this easy scheme instead:
Find a 10 letter word with no repeated letters e.g. "PATHFINDER". Then dream up a scheme for a word to be represented by each letter, such as P=pepper, A=amalgam, and so on. Now you have created your own password generator with possible combinations of 10 letters and 10 numbers (P=1, A=2, etc.).
For each account, create as complicated a password as you want and write down only the first letter of one of your ten secret words, which you have committed to memory, or the corresponding number from your 10-letter code. So "amalgampepper4587", your actual password, would be written as "aphfdn" in your password master key, which if compromised, would be useless to a hacker. You need to remember or develop another consistent way to remember which letters represent numbers and which represent words, such as passwords that begin with a vowel have a 4-digit number sequence at the end of the password. Anyway, there are numerous easy ways to develop a fool-proof system.
Good Luck!
Last edited by zombietooth; Dec 9, 2012 at 4:58 am
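The PATHFINDER scheme in the post above is a small encoding: each memorised word and each digit is replaced by one letter of the key word, and a convention (a password starting with a vowel ends in four digits) tells the reader which letters stand for digits. The code below is an added example that implements the post's scheme as described, not the poster's own code. Only P=pepper and A=amalgam come from the post; the other eight words are constructed stand-ins, and mapping R to 0 is an assumption, since the post says "10 numbers" without naming the last one.

```python
# The ten-letter key word from the post; every letter must be distinct.
KEY = "PATHFINDER"
assert len(set(KEY)) == 10

# Only P=pepper and A=amalgam appear in the post; the other eight are
# constructed stand-ins. Each word starts with its own key letter, as in the post.
WORDS = {
    "P": "pepper", "A": "amalgam", "T": "tiger", "H": "harbor", "F": "falcon",
    "I": "igloo", "N": "nectar", "D": "dolphin", "E": "ember", "R": "rocket",
}
# P=1, A=2, ... as in the post; R stands for 0 (assumption, see lead-in).
DIGIT_OF = {letter: str((i + 1) % 10) for i, letter in enumerate(KEY)}
LETTER_OF = {digit: letter for letter, digit in DIGIT_OF.items()}
WORD_TO_LETTER = {word: letter for letter, word in WORDS.items()}
VOWELS = set("aeiou")


def decode(note: str) -> str:
    """Note -> password. Needs only the ten memorised words and the convention:
    a note starting with a vowel has its last four letters standing for digits,
    all other letters stand for whole words."""
    letters = note.upper()
    digits = ""
    if note[0] in VOWELS:
        letters, digit_letters = letters[:-4], letters[-4:]
        digits = "".join(DIGIT_OF[l] for l in digit_letters)
    return "".join(WORDS[l] for l in letters) + digits


def encode(password: str) -> str:
    """Password -> note for the written master key. Each secret word becomes
    its key letter and each digit becomes the key letter with that number.
    Refuses passwords that the convention could not decode unambiguously."""
    note, rest = [], password
    while rest:
        if rest[0].isdigit():
            note.append(LETTER_OF[rest[0]].lower())
            rest = rest[1:]
            continue
        for word, letter in WORD_TO_LETTER.items():
            if rest.startswith(word):
                note.append(letter.lower())
                rest = rest[len(word):]
                break
        else:
            raise ValueError(f"not built from the secret words: {rest!r}")
    result = "".join(note)
    if decode(result) != password:
        raise ValueError("password does not follow the vowel/4-digit convention")
    return result


if __name__ == "__main__":
    for pw in ("amalgampepper4587", "pepperamalgam"):
        n = encode(pw)
        print(f"{pw!r} -> note {n!r} -> {decode(n)!r}")
```

Running it reproduces the post's own pair (`amalgampepper4587` is written down as `aphfdn`) and shows what the scheme rests on: `decode` takes nothing but the note, the ten words and the convention, so the written key is exactly as strong as the secrecy of those ten memorised words, and the convention has to be followed consistently or a note such as the one for `tigerharbor12` can no longer be read back.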
#26
Join Date: Oct 2009
Location: Land of the parrots and parrotheads
Programs: Several dozen
Posts: 4,820
#27
Original Poster
Join Date: Dec 2002
Location: MUC
Programs: LH SEN
Posts: 52,637
Try this easy scheme instead:
Find a 10 letter word with no repeated letters e.g. "PATHFINDER". Then dream up a scheme for a word to be represented by each letter, such as P=pepper, A=amalgam, and so on. Now you have created your own password generator with possible combinations of 10 letters and 10 numbers (P=1, A=2, etc.).
I still use a variation of my CompuServe and STN database password I got in 1992; the buggers forced me to remember a 9-digit complex code, and it stuck deep. Alternatively it's the first letters of a sentence that is easy to remember, like 'some months end on the 30th, some on the 31st' = smeot30sot31, and then add a two-letter code for the application, like smeot30sot31.fb for Facebook, smeot30sot31-tw for Twitter, etc.
#29
Join Date: Oct 2009
Location: Land of the parrots and parrotheads
Programs: Several dozen
Posts: 4,820
Use variants on a theme - a star special character can also be "star" when special characters are not allowed. "****" = "4star" and etc., for example.
Where we really need to be financial securitywise is passphrases IMHPO.