OT Bank relaxes security. Acceptable?

Is there a good newsgroup for internet security (not involving viruses
or malware)?


Until then, this is what I got when I logged into my bank account just
now to check my balance:


"We're simplifying the way you sign in

You'll soon be able to sign in with one step by entering your Online ID
and Passcode on the same page. SiteKey® — the image you used to see
before entering your Passcode — is no longer part of the way you sign in
to Online Banking.

This simpler sign-in will be introduced on our different sites before
the end of the year.

To help ensure you're on the real Bank of America website before you
sign in, check your browser address bar for:

www.bankofamerica.com
Green text/shading
Lock icon "


Of course that is the way it was originally, putting in the ID and
password on the first page. That was it for the first few years.

It was their idea to have a SiteKey in the first place, an image that
they chose that I would see on the screen that showed me I was actually
communicating with whom I thought I was, the bank**. Now they have 3
things, the list at the end above, but none of them are personalized for
me. Anyone with an account would get these same three things and could
duplicate them in a phony site (the existance of which, one which would
intercept my attempt to get to them, was a concern when they came up
with the SiteKey".

**Because no one else would know what they showed on my screen. Even if
there were a key-logger on my computer, it wouldn't read what came in,
iiuc, that is, the sitekey, the little sketch they showed me and maybe
1000th of their online customers. (That is, they had 1000 sketches,
and if I didn't get the one I expected, I should stop what I was doing
and not put in my password.)

Do you do online banking with other banks? Do they have something
like the SiteKey, a password or picture they send to you, instead of the
other way around, so that you know you're talking to them, in the same
way they want a password from you so they know they're talking to you?

On Monday, July 27, 2015 at 3:23:53 AM UTC-5, micky wrote:
OT Bank relaxes security. Acceptable?

Is there a good newsgroup for internet security (not involving viruses
or malware)?


Until then, this is what I got when I logged into my bank account just
now to check my balance:


"We're simplifying the way you sign in

You'll soon be able to sign in with one step by entering your Online ID
and Passcode on the same page. SiteKey(R) -- the image you used to see
before entering your Passcode -- is no longer part of the way you sign in
to Online Banking.

This simpler sign-in will be introduced on our different sites before
the end of the year.

To help ensure you're on the real Bank of America website before you
sign in, check your browser address bar for:

www.bankofamerica.com
Green text/shading
Lock icon "


Of course that is the way it was originally, putting in the ID and
password on the first page. That was it for the first few years.

It was their idea to have a SiteKey in the first place, an image that
they chose that I would see on the screen that showed me I was actually
communicating with whom I thought I was, the bank**. Now they have 3
things, the list at the end above, but none of them are personalized for
me. Anyone with an account would get these same three things and could
duplicate them in a phony site (the existance of which, one which would
intercept my attempt to get to them, was a concern when they came up
with the SiteKey".

**Because no one else would know what they showed on my screen. Even if
there were a key-logger on my computer, it wouldn't read what came in,
iiuc, that is, the sitekey, the little sketch they showed me and maybe
1000th of their online customers. (That is, they had 1000 sketches,
and if I didn't get the one I expected, I should stop what I was doing
and not put in my password.)

Do you do online banking with other banks? Do they have something
like the SiteKey, a password or picture they send to you, instead of the
other way around, so that you know you're talking to them, in the same
way they want a password from you so they know they're talking to you?

I use Wells Fargo and their security is very good. I'm using a VPN that indicates I'm in The Netherlands right now because of the server I've chosen. If I want to log in to my online banking, I must turn off the VPN because the site security notices that access is being attempted from an unusual location. I was contacted by the bank's security division last year when access to my credit/debit card was attempted from Pakistan. They had me change my login name, password and PIN. I assumed my card number had been harvested when I bought fuel at a convenience store owned by a Paki. The convenience stores and grocery store are the only places in the area I've ever used my card. Oh yea, I logon with a user name and separate password. ^_^

[8~{} Uncle Bank Monster

On Mon, 27 Jul 2015 04:23:43 -0400, micky
wrote:


OT Bank relaxes security. Acceptable?

Is there a good newsgroup for internet security (not involving viruses
or malware)?


Until then, this is what I got when I logged into my bank account just
now to check my balance:


"We're simplifying the way you sign in

You'll soon be able to sign in with one step by entering your Online ID
and Passcode on the same page. SiteKey® — the image you used to see
before entering your Passcode — is no longer part of the way you sign in
to Online Banking.

I use a bank and three CC accounts and only my wife's BofA has the
site key. Never had a problem with any of them.

Whatever changes are being made, I'm sure any bank is going to be as
secure as they can be and the new system is meant to be more, not
less, secure.

In alt.home.repair, on Mon, 27 Jul 2015 05:48:44 -0400, Ed Pawlowski
wrote:

On Mon, 27 Jul 2015 04:23:43 -0400, micky
wrote:


OT Bank relaxes security. Acceptable?

Is there a good newsgroup for internet security (not involving viruses
or malware)?


Until then, this is what I got when I logged into my bank account just
now to check my balance:


"We're simplifying the way you sign in

You'll soon be able to sign in with one step by entering your Online ID
and Passcode on the same page. SiteKey® — the image you used to see
before entering your Passcode — is no longer part of the way you sign in
to Online Banking.

I use a bank and three CC accounts and only my wife's BofA has the
site key. Never had a problem with any of them.

Whatever changes are being made, I'm sure any bank is going to be as
secure as they can be and the new system is meant to be more, not
less, secure.

Yes, that idea occurred to me. It makes sense. Especially when
they've thought of something, to abandon it would leave them open to
lawsuits if they hadn't somehow improved things. But stilll......

On Mon, 27 Jul 2015 06:30:07 -0400, micky
wrote:

In alt.home.repair, on Mon, 27 Jul 2015 05:48:44 -0400, Ed Pawlowski
wrote:

On Mon, 27 Jul 2015 04:23:43 -0400, micky
wrote:


OT Bank relaxes security. Acceptable?

Is there a good newsgroup for internet security (not involving viruses
or malware)?


Until then, this is what I got when I logged into my bank account just
now to check my balance:


"We're simplifying the way you sign in

You'll soon be able to sign in with one step by entering your Online ID
and Passcode on the same page. SiteKey® — the image you used to see
before entering your Passcode — is no longer part of the way you sign in
to Online Banking.

I use a bank and three CC accounts and only my wife's BofA has the
site key. Never had a problem with any of them.

Whatever changes are being made, I'm sure any bank is going to be as
secure as they can be and the new system is meant to be more, not
less, secure.

Yes, that idea occurred to me. It makes sense. Especially when
they've thought of something, to abandon it would leave them open to
lawsuits if they hadn't somehow improved things. But stilll......

My Bank of America sign-in still uses dual sign-in with the picture.
Are you sure the above message came from the real bank?

In micky writes:


OT Bank relaxes security. Acceptable?

Is there a good newsgroup for internet security (not involving viruses
or malware)?
[snip[

There are numerous ways for the bank to "fingerprint], so to speak,
your computer (or smartphone) to verify that it's yours. Note that
this would be a problem if someone grabbed it, but that's another story.

The simplest, of course, id looking at the IP address. That's comparable
to checking the "area code" on your phone if you call them as opposed
to the complete phone number, but it's a start.

Then there are lots and lots more.

For an example of this, check out the followng website
brought to you by the great golk at the EFF (electronig
freedom foundation)

http://panopticlick.eff.org/

Note that all of this is pretyt much invisble to the user...




--
__________________________________________________ ___
Knowledge may be power, but communications is the key

[to foil spammers, my address has been double rot-13 encoded]

On 07/27/2015 07:27 AM, Pat wrote:

OT Bank relaxes security. Acceptable?

Is there a good newsgroup for internet security (not involving viruses
or malware)?


Until then, this is what I got when I logged into my bank account just
now to check my balance:


"We're simplifying the way you sign in

You'll soon be able to sign in with one step by entering your Online ID
and Passcode on the same page. SiteKey® — the image you used to see
before entering your Passcode — is no longer part of the way you sign in
to Online Banking.

I use a bank and three CC accounts and only my wife's BofA has the
site key. Never had a problem with any of them.

Whatever changes are being made, I'm sure any bank is going to be as
secure as they can be and the new system is meant to be more, not
less, secure.

Yes, that idea occurred to me. It makes sense. Especially when
they've thought of something, to abandon it would leave them open to
lawsuits if they hadn't somehow improved things. But stilll......

My Bank of America sign-in still uses dual sign-in with the picture.
Are you sure the above message came from the real bank?

When I signed in to my BofA account this morning, I had to answer one of
my "challenge questions" before I got to the SiteKey picture, but then I
too saw the notice that SiteKey was to be discontinued before the end of
the year.

Perce

On 07/27/2015 05:44 AM, danny burstein wrote:
The simplest, of course, id looking at the IP address. That's comparable
to checking the "area code" on your phone if you call them as opposed
to the complete phone number, but it's a start.

My home computer goes through a wireless network so the IP isn't a
constant. The weather and ads I get are often for the Utah area since
that's one location where IP's are drawn from the pool. A couple of
times I've gotten a blacklisted IP and had to verify that I wasn't a
spammer.

On 07/27/2015 02:23 AM, micky wrote:
Do you do online banking with other banks? Do they have something
like the SiteKey, a password or picture they send to you, instead of the
other way around, so that you know you're talking to them, in the same
way they want a password from you so they know they're talking to you?

I haven't hit a bank that does it but we deal with one sit that has
implemented two factor authentication. The first step is a conventional
username/password. Then they text a one time passcode to your mobile phone.

The two factors may be something the user knows (password), something a
user has (phone, thumbdrive, card), or some physical characteristic
(thumbprint, retinal scan).

The site key doesn't make it for the second factor. You know your
password and that it's supposed to be a picture of a platypus.

On Monday, July 27, 2015 at 4:23:53 AM UTC-4, micky wrote:
OT Bank relaxes security. Acceptable?


Given that no other website that I deal with has the procedure
that BA currently has, apparently it's acceptable to the industry
and their customers. IDK why BA would want to change it.
Presenting you with an image you chose and recognize would certainly
help eliminate the skunks that pretend to be the bank, have you
try to log in, etc. But I don't know any other site that does
that.

"micky" wrote in message ...



To be frank, all of that **** is totally fuskin' meaningless to me since I'm
not liable for unauthorized accesses to any of my accounts.

On Mon, 27 Jul 2015 11:44:29 +0000 (UTC), danny burstein
wrote:

http://panopticlick.eff.org/

I got two results. One with scripts allowed and one without scripts.

"Edmund J. Burke" wrote in message
...
"micky" wrote in message
...



To be frank, all of that **** is totally fuskin' meaningless to me since
I'm not liable for unauthorized accesses to any of my accounts.

Do you really want to go through the hassle of getting things back to normal
after an unauthorized access to your account?

Do you really want to be in limbo in the meantime?

In alt.home.repair, on Mon, 27 Jul 2015 08:12:26 -0700 (PDT), trader_4
wrote:

On Monday, July 27, 2015 at 4:23:53 AM UTC-4, micky wrote:
OT Bank relaxes security. Acceptable?


Given that no other website that I deal with has the procedure
that BA currently has, apparently it's acceptable to the industry
and their customers. IDK why BA would want to change it.
Presenting you with an image you chose and recognize would certainly

For the record, as if it matters, I didn't choose it. They just gave it
to me, I presume from a large collection of possible small black & white
images. But that part seems okay. There certainly wasn't a spoof site
giving out images at the time (so that when I came back I would insist
on getting the same spoof site, when the real BoA wasn't even using
images) when all a spoof site would want to do was collect ids and
passwords.

Everything else you have here is right on.

help eliminate the skunks that pretend to be the bank, have you
try to log in, etc. But I don't know any other site that does
that.

In alt.home.repair, on Mon, 27 Jul 2015 11:44:29 +0000 (UTC), danny
burstein wrote:

In micky writes:


OT Bank relaxes security. Acceptable?

Is there a good newsgroup for internet security (not involving viruses
or malware)?
[snip[

There are numerous ways for the bank to "fingerprint], so to speak,
your computer (or smartphone) to verify that it's yours. Note that

As I said, the purpose of the SiteKey was not for them to verify that it
is me.

It was for me to verify that it is them.

this would be a problem if someone grabbed it, but that's another story.

The simplest, of course, id looking at the IP address. That's comparable
to checking the "area code" on your phone if you call them as opposed
to the complete phone number, but it's a start.

Then there are lots and lots more.

For an example of this, check out the followng website
brought to you by the great golk at the EFF (electronig
freedom foundation)

http://panopticlick.eff.org/

Note that all of this is pretyt much invisble to the user...

In alt.home.repair, on Mon, 27 Jul 2015 07:55:19 -0400, "Percival P.
Cassidy" wrote:

On 07/27/2015 07:27 AM, Pat wrote:

OT Bank relaxes security. Acceptable?

Is there a good newsgroup for internet security (not involving viruses
or malware)?


Until then, this is what I got when I logged into my bank account just
now to check my balance:


"We're simplifying the way you sign in

You'll soon be able to sign in with one step by entering your Online ID
and Passcode on the same page. SiteKey® — the image you used to see
before entering your Passcode — is no longer part of the way you sign in
to Online Banking.

I use a bank and three CC accounts and only my wife's BofA has the
site key. Never had a problem with any of them.

Whatever changes are being made, I'm sure any bank is going to be as
secure as they can be and the new system is meant to be more, not
less, secure.

Yes, that idea occurred to me. It makes sense. Especially when
they've thought of something, to abandon it would leave them open to
lawsuits if they hadn't somehow improved things. But stilll......

My Bank of America sign-in still uses dual sign-in with the picture.
Are you sure the above message came from the real bank?

When I signed in to my BofA account this morning, I had to answer one of
my "challenge questions" before I got to the SiteKey picture, but then I
too saw the notice that SiteKey was to be discontinued before the end of
the year.

I didn't see the SiteKey, so I must be in an early batch of those who
lose it. OTOH, I havent' logged in for weeks, so it might not be so
early.

As to IP addresses, I understand that even if one has a fixed one, as
with a high speed connection, they still get reset every few weeks or
months. I forget why and I forget the exact words the tech I talked to
used. .

Perce

Per Edmund J. Burke:
To be frank, all of that **** is totally fuskin' meaningless to me since I'm
not liable for unauthorized accesses to any of my accounts.

The problem I would see is that once somebody drained my account, it
would be on me to get the financial institution to put money back into
the account. May sound simple on the face of it, but I would expect a
major PITA and much pain.

Speaking as a long-term developer of computer applications, I would not
even consider online banking or any other online financial transactions
except for those against my VISA credit card.

That is not to claim any particular expertise in online development or
security... but I know in my heart that there are thousands, if not tens
or hundreds of thousands, really, *really*, REALLY smart people all over
the world trying to figure out how to separate me from what little money
I have.

It also seems like the first line of "defense" of most large
corporations where online fraud is concerned is stonewalling it -
denying that anything happened.
--
Pete Cresswell

"(PeteCresswell)" wrote:

once somebody drained my account, it
would be on me to get the financial institution to put money back into
the account. May sound simple on the face of it, but I would expect a
major PITA and much pain.

How big a PITA it is probably depends on the bank.

Speaking as a long-term developer of computer applications, I would not
even consider online banking or any other online financial transactions
except for those against my VISA credit card.

However paranoia is causing you a bigger PITA.

I haven't been to a branch in over a year. I do everything online,
most of it from my phone. I'd hate to have to go back to the bad old
days.

That is not to claim any particular expertise in online development or
security... but I know in my heart that there are thousands, if not tens
or hundreds of thousands, really, *really*, REALLY smart people all over
the world trying to figure out how to separate me from what little money
I have.

I can't lose anything from unauthorized transfers or debits from any
of my accounts. It's likely the same for you.

It also seems like the first line of "defense" of most large
corporations where online fraud is concerned is stonewalling it -
denying that anything happened.

I hate to add to your paranoia but you don't need an online bank
account to be a victim. Wasn't it around 50 million card numbers that
Target lost? Shop at Target? You say you use Visa... 8-O

In alt.home.repair, on Mon, 27 Jul 2015 07:27:38 -0400, Pat
wrote:

On Mon, 27 Jul 2015 06:30:07 -0400, micky
wrote:

In alt.home.repair, on Mon, 27 Jul 2015 05:48:44 -0400, Ed Pawlowski
wrote:

On Mon, 27 Jul 2015 04:23:43 -0400, micky
wrote:


OT Bank relaxes security. Acceptable?

Is there a good newsgroup for internet security (not involving viruses
or malware)?


Until then, this is what I got when I logged into my bank account just
now to check my balance:


"We're simplifying the way you sign in

You'll soon be able to sign in with one step by entering your Online ID
and Passcode on the same page. SiteKey® — the image you used to see
before entering your Passcode — is no longer part of the way you sign in
to Online Banking.

I use a bank and three CC accounts and only my wife's BofA has the
site key. Never had a problem with any of them.

Whatever changes are being made, I'm sure any bank is going to be as
secure as they can be and the new system is meant to be more, not
less, secure.

Yes, that idea occurred to me. It makes sense. Especially when
they've thought of something, to abandon it would leave them open to
lawsuits if they hadn't somehow improved things. But stilll......

My Bank of America sign-in still uses dual sign-in with the picture.
Are you sure the above message came from the real bank?

Well, no. That's exactly what concerns me.

Though if you read the OP, the message also said "This simpler sign-in
will be introduced on our different sites before the end of the year."

I guess I have to call them. Maybe I shoudl have changed my password
last night, or at least now. Okay. I just called them (and I didn't
have to wait on hold more than 5 seconds, though I did have to go
through their menu a little bit, and it asked the 3 digit code on the
back 3 times before I could find my code) and, assuming they didn't
intercept my phone call too, she said that Yes, they have gotten rid of
the siteey. She said, in different words, that it matters that the url
is at the root level, with no slash or anything "behind it" as if that
makes it harder to foist a phoney site on someone. Sometimes I
think the customer service people are taught to bluff, that is agree
that there is a problem even if they have no idea what I'm talking
about. OTOH she said that she herself had gotten other calls about
this very thing. No accent btw. Standard American English.

There was a short recording before she answered that said I had to let
them know if I went out of town. I told her my father told me to tell
anyone but friends that I was going out of town. She acknowledged the
problem! She said if I left the state, they might put my card on hold.
Or if I spent more money than usual, even if I stayed here.

Maybe I have heard something like that before. Anyone know?

In article ,
micky wrote:

OT Bank relaxes security. Acceptable?

Is there a good newsgroup for internet security (not involving viruses
or malware)?


Until then, this is what I got when I logged into my bank account just
now to check my balance:


"We're simplifying the way you sign in

You'll soon be able to sign in with one step by entering your Online ID
and Passcode on the same page. SiteKey® — the image you used to see
before entering your Passcode — is no longer part of the way you sign in
to Online Banking.

This simpler sign-in will be introduced on our different sites before
the end of the year.

To help ensure you're on the real Bank of America website before you
sign in, check your browser address bar for:

www.bankofamerica.com
Green text/shading
Lock icon "


Of course that is the way it was originally, putting in the ID and
password on the first page. That was it for the first few years.

It was their idea to have a SiteKey in the first place, an image that
they chose that I would see on the screen that showed me I was actually
communicating with whom I thought I was, the bank**. Now they have 3
things, the list at the end above, but none of them are personalized for
me. Anyone with an account would get these same three things and could
duplicate them in a phony site (the existance of which, one which would
intercept my attempt to get to them, was a concern when they came up
with the SiteKey".

**Because no one else would know what they showed on my screen. Even if
there were a key-logger on my computer, it wouldn't read what came in,
iiuc, that is, the sitekey, the little sketch they showed me and maybe
1000th of their online customers. (That is, they had 1000 sketches,
and if I didn't get the one I expected, I should stop what I was doing
and not put in my password.)

Do you do online banking with other banks? Do they have something
like the SiteKey, a password or picture they send to you, instead of the
other way around, so that you know you're talking to them, in the same
way they want a password from you so they know they're talking to you?

Ah, Blank of America...

I suspect they gave up on SiteKey because its was ans extra step AND it did not improve security. Several years ago an experiment (or an actual scam, IDR now) where subjects were served spoofed signOn pages which had the wrong SiteKey image and almost all of them logged in anyway.

SiteKey had another component. In addition to selecting an image from their catalog you also entered your own caption. If the experiment had showed the correct picture but wrong caption I bet virtually everyone would have ploughed ahead.

m

In alt.home.repair, on 28 Jul 2015 09:03:22 GMT, (Fake
ID) wrote:


Ah, Blank of America...

I suspect they gave up on SiteKey because its was ans extra step AND it did not improve security. Several years ago an experiment (or an actual scam, IDR now) where subjects were served spoofed signOn pages which had the wrong SiteKey image and almost all of them logged in anyway.

Yeah, I can imagine that happening, even with me. LIke, I intend to
by gas at the Gulf station on the corner and it's a Standard station
now, but I stop anyhow.

But if it was a worrthwhile precaution and the big problem is no one
uses it right, there should be some way to make people use it right.

SiteKey had another component. In addition to selecting an image from their catalog you also entered your own caption. If the experiment had showed the correct picture but wrong caption I bet virtually everyone would have ploughed ahead.

Sure, words are less important than pictures and take more time to
notice. We didnt' have words, and we didn't select our own image, and
already I'm starting to forget what it was. A clothes iron maybe.
If they showed me something else, I might think that was it.

m

On Tuesday, July 28, 2015 at 3:33:05 AM UTC-4, micky wrote:


There was a short recording before she answered that said I had to let
them know if I went out of town. I told her my father told me to tell
anyone but friends that I was going out of town. She acknowledged the
problem! She said if I left the state, they might put my card on hold.
Or if I spent more money than usual, even if I stayed here.

Maybe I have heard something like that before. Anyone know?

It depends on the CC issuer, their policies, algorithms,
and you. I've had a CC shut down only once in many years.
I have had them call me to alert me to what they thought was
unusual activity because I was using the card somewhere unusual.
If you rarely travel and suddenly go to Sudan, you're more
likely to have that occur than if you travel frequently on
business, go to a lot of the same or similar cities, etc.

Per J0HNS0N:
I hate to add to your paranoia but you don't need an online bank
account to be a victim. Wasn't it around 50 million card numbers that
Target lost? Shop at Target? You say you use Visa... 8-O

There is a legal firewall on the VISA card. $50 is the maximum amount
I can lose in the event of fraud or loss - and that is only if I delay
reporting a lost card for too long - otherwise it's zero.

And, if there is fraud, the card issuer is the one on the hook
until/unless I pay the VISA bill. I still have my money. That
contrasts with a debit card where somebody can clean out my account and
it's on me to get the money back. Ditto stock trading accounts and
whatever other online facilities are out there.

I would say there is a continuum from reasonable expectations to
paranoia - it's not a binary condition.
--
Pete Cresswell

"taxed and spent" wrote in message ...


"Edmund J. Burke" wrote in message
...
"micky" wrote in message
...



To be frank, all of that **** is totally fuskin' meaningless to me since
I'm not liable for unauthorized accesses to any of my accounts.

Do you really want to go through the hassle of getting things back to normal
after an unauthorized access to your account?

Do you really want to be in limbo in the meantime?

No, but I'm not gonna worry about it neither.

On 7/28/2015 3:33 AM, micky wrote:


There was a short recording before she answered that said I had to let
them know if I went out of town. I told her my father told me to tell
anyone but friends that I was going out of town. She acknowledged the
problem! She said if I left the state, they might put my card on hold.
Or if I spent more money than usual, even if I stayed here.

Maybe I have heard something like that before. Anyone know?




My credit card has a form on line where you can tell them where and when
you will be traveling. It really does help. I also tell them when I
will be out of the country.

I have a CC that I rarely use, but I often use it on vacation. One day
one first day of vacation we had breakfast, bought gas, went to a retail
store, three charges in about an hour. At the store, the clerk had to
call and they asked me a security question. No problem the rest of the
trip.

Another time I was on my way home from work and got a text from the CC
card company. They asked if I was buying something in France. Texted
back "no" and they stopped payment and sent me a new card.

In any case, you can be sure security is being increased, not decreased
when you sign in on line.

On 7/28/2015 7:34 AM, trader_4 wrote:


If you rarely travel and suddenly go to Sudan, you're more
likely to have that occur than if you travel frequently on
business, go to a lot of the same or similar cities, etc.



If you tell them you are going to Nigeria they will double your credit
limit and will even set up a meeting with local bankers and members of
royalty.

On Tue, 28 Jul 2015 09:16:17 -0400, "(PeteCresswell)"
wrote:

Per J0HNS0N:
I hate to add to your paranoia but you don't need an online bank
account to be a victim. Wasn't it around 50 million card numbers that
Target lost? Shop at Target? You say you use Visa... 8-O

There is a legal firewall on the VISA card. $50 is the maximum amount
I can lose in the event of fraud or loss - and that is only if I delay
reporting a lost card for too long - otherwise it's zero.
And, if there is fraud, the card issuer is the one on the hook
until/unless I pay the VISA bill. I still have my money.

Agreed. Further my cash back no-annual-fee AE card pays me around
$400/year just to use it.

BTW my CC allows online alerts. I get emails/texts when it's used out
of a certain area, over a certain limit, etc. Further even if you know
my online bank account user name and password you can't access it
unless you have my phone in your possession. (2 step verification.)

That contrasts with a debit card where somebody can clean out my account and
it's on me to get the money back.

I only use my debit card for ATM cash since it pays me nothing back.
But my bank gives me the same protection as my credit card. Likely
yours does too.

Ditto stock trading accounts and
whatever other online facilities are out there.

There is a $500K protection on stock accounts.

I would say there is a continuum from reasonable expectations to
paranoia - it's not a binary condition.

IMO you are in more danger giving your card to the waiter or stuffing
it in a gas machine than I am banking online. If you take reasonable
precautions you will lose nothing and your financial life will be much
easier.

In article ,
J0HNS0N wrote:


Ditto stock trading accounts and
whatever other online facilities are out there.

There is a $500K protection on stock accounts.
That is not for that. The $500K is in case the firm goes belly up and
is the rough equivalent of the FDIC.



--
"Statistics are like bikinis. What they reveal is suggestive,
but what they conceal is vital."
-- Aaron Levenstein

On Tue, 28 Jul 2015 13:00:21 -0400, Kurt Ullman
wrote:

In article ,
J0HNS0N wrote:


Ditto stock trading accounts and
whatever other online facilities are out there.

There is a $500K protection on stock accounts.
That is not for that. The $500K is in case the firm goes belly up and
is the rough equivalent of the FDIC.

"If you ever discover an error in a trade confirmation or brokerage
statement, you should immediately bring the error to the attention of
the brokerage firm in writing. Unless you complain in writing, your
eligibility for SIPC protection may be compromised."

http://www.sipc.org/for-investors/pr...-against-fraud

In alt.home.repair, on Tue, 28 Jul 2015 13:00:21 -0400, Kurt Ullman
wrote:

In article ,
J0HNS0N wrote:


Ditto stock trading accounts and
whatever other online facilities are out there.

There is a $500K protection on stock accounts.

That is not for that. The $500K is in case the firm goes belly up and
is the rough equivalent of the FDIC.

And also for theft by a broker or other employee, right?

Some member of the HOA one time thought it included stocks going down in
price and I couldn't talk him out of that.

He was a real pip.

Apparently there was a group home for mentally something** children in
the n'hood, only 10 townhouses away from me. They never caused any
problem, except once when I wasn't outside, one of the kids didn't want
to get on their bus, or didnt' want to get off. That lasted less than
5 minutes.

**childrhoold mental retardation or illness, I forget which.

These are 3 BR houses with a 450 ft2 room in the basement fwiw. And
there was a person in charge and only 4 or 5 kids.

Now the same company wanted to buy or rent a second house and someone
got wind of it and there was a meeting.

The pip's wife stood up to speak. She said, My brother had this
problem, and I spent years watching him suffer from it, and..... I
don't want to watch it anymore.

Silly me, halfway through I thought she loved her brother and had
learned compassion for such people from him. But she only learned to
avoid them, And so she didn't want them here. And they lived on the
next block, a parallel street, and would never see them anyhow.

IIRC I ended the meetng by saying something that should have embarrassed
anyone opposed to house, and the first house at least was there for
another year with no problem, until one day it was gone. Well, not the
house itself.

In article ,
J0HNS0N wrote:

On Tue, 28 Jul 2015 13:00:21 -0400, Kurt Ullman
wrote:

In article ,
J0HNS0N wrote:


Ditto stock trading accounts and
whatever other online facilities are out there.

There is a $500K protection on stock accounts.
That is not for that. The $500K is in case the firm goes belly up and
is the rough equivalent of the FDIC.

"If you ever discover an error in a trade confirmation or brokerage
statement, you should immediately bring the error to the attention of
the brokerage firm in writing. Unless you complain in writing, your
eligibility for SIPC protection may be compromised."

http://www.sipc.org/for-investors/pr...-against-fraud

Fraud on the part of the broker, not the kind of fraud where someone gets
the account and cleans it out.
--
"Statistics are like bikinis. What they reveal is suggestive,
but what they conceal is vital."
-- Aaron Levenstein

Kurt Ullman wrote:

Fraud on the part of the broker, not the kind of fraud where someone gets
the account and cleans it out.

Yes, we were talking about online fraud weren't we.

The two online brokers I deal with (ETrade and Vanguard) both say they
will cover ALL online fraud security losses. (Except those where the
client is negligent.) And they both keep broker account cash in their
respective FDIC insured banks.

Per J0HNS0N:
(Except those where the
client is negligent.)

Got to wonder if "negligent" includes the presupposition that if a third
party was able to get to the account the account holder is assumed to be
"negligent" because it is assumed that the only way the third party
could have gotten to the account was if the account holder was
"negligent" in keeping their ID/PW secret.
--
Pete Cresswell

In article ,
micky wrote:
In alt.home.repair, on 28 Jul 2015 09:03:22 GMT, (Fake
ID) wrote:


Ah, Blank of America...

I suspect they gave up on SiteKey because its was ans extra step AND
it did not improve security. Several years ago an experiment (or an
actual scam, IDR now) where subjects were served spoofed signOn pages
which had the wrong SiteKey image and almost all of them logged in
anyway.

Yeah, I can imagine that happening, even with me. LIke, I intend to
by gas at the Gulf station on the corner and it's a Standard station
now, but I stop anyhow.

But if it was a worrthwhile precaution and the big problem is no one
uses it right, there should be some way to make people use it right.

Maybe show you the wrong image then take $5 from your account if you sign in anyway. I can see the merits over insecure comms, but now the encryption scheme is supposed to verify that you're communicating with the correct party, although even that gets thwarted when the MITM can install their certificates in your browser (like an employer).

SiteKey had another component. In addition to selecting an image
from their catalog you also entered your own caption. If the
experiment had showed the correct picture but wrong caption I bet
virtually everyone would have ploughed ahead.

Sure, words are less important than pictures and take more time to
notice. We didnt' have words, and we didn't select our own image, and
already I'm starting to forget what it was. A clothes iron maybe.
If they showed me something else, I might think that was it.

Sounds like they tweaked the implementation over time.
I thought it a bit clever since the caption I create doesn't necessarily
have to be related to the image.

Going though old BofA paperwork a couple weeks ago I ran across a promo for their online banking...1980's vintage. Even had an order form for a dedicated terminal in case I didn't own a computer. In some ways I miss the simplicity of text based system.

m

On Tue, 28 Jul 2015 21:44:58 -0400, "(PeteCresswell)"
wrote:

Per J0HNS0N:
(Except those where the
client is negligent.)

Got to wonder if "negligent" includes the presupposition that if a third
party was able to get to the account the account holder is assumed to be
"negligent" because it is assumed that the only way the third party
could have gotten to the account was if the account holder was
"negligent" in keeping their ID/PW secret.

I guess that's what lawyers are for. IMO I am in much more danger of
losing money from bad investing than from online fraud. That said,
here is Vanguard's fine print. I agree there's lots of wiggle room.

"At a minimum, in order for this protection to apply, you must take
the following steps:
Review your accounts regularly.
Check your account frequently. Promptly and completely review all
information we send you.
Report any errors or discrepancies in your account and any suspected
unauthorized transactions or account changes to Vanguard immediately.
Protect your Vanguard.com user name, password, and other
account-related information.
Make sure your user name, password, and answers to your security
questions are unique and strong.
Never share your user name, password, or other account-related
information with anyone.
Never store your user name, password, or answers to security questions
in your browser.
Clear any temporarily stored copies of online information by closing
your browser after signing off. Do not leave your computer unattended
while logged on to Vanguard.com.
Protect your computer.
Make certain that any computer you use to access Vanguard.com has
up-to-date security and anti-spyware, antivirus, and firewall
software.
Do not reply to e-mail requests for personal or financial information.
Do not respond to, open an attachment in, or click on a link within an
e-mail if you suspect the message is fraudulent. Vanguard will not ask
for personal information such as your Social Security number, account
numbers, or passwords in an e-mail.
Cooperate with us and stay informed.
Cooperate fully with Vanguard in investigating and prosecuting any
unauthorized activity in your account, and follow our recommendations
about how to protect your account. We may require you to file a police
report, complete a notarized affidavit, or permit access to your
computer."

https://personal.vanguard.com/us/hel...dgeContent.jsp

On Tuesday, July 28, 2015 at 11:20:10 AM UTC-4, Ed Pawlowski wrote:


In any case, you can be sure security is being increased, not decreased
when you sign in on line.

Except in the case of what BA is doing, it clearly decreases
security. By presenting you with an image that you select and
know *before* you give them your password, you know that you're
actually engaging with the real BA website, not some hackers
that have duplicated BA to steal your logon credentials. If
you don't see the image, you know something is wrong. Without it,
hackers could and do present what looks like a real logon page.
So, you try to log on and now the hackers have your user name
and pwd.

On Wednesday, July 29, 2015 at 3:38:42 AM UTC-4, J0HNS0N wrote:
On Tue, 28 Jul 2015 21:44:58 -0400, "(PeteCresswell)"
wrote:

Per J0HNS0N:
(Except those where the
client is negligent.)

Got to wonder if "negligent" includes the presupposition that if a third
party was able to get to the account the account holder is assumed to be
"negligent" because it is assumed that the only way the third party
could have gotten to the account was if the account holder was
"negligent" in keeping their ID/PW secret.

I guess that's what lawyers are for. IMO I am in much more danger of
losing money from bad investing than from online fraud. That said,
here is Vanguard's fine print. I agree there's lots of wiggle room.

"At a minimum, in order for this protection to apply, you must take
the following steps:
Review your accounts regularly.
Check your account frequently. Promptly and completely review all
information we send you.
Report any errors or discrepancies in your account and any suspected
unauthorized transactions or account changes to Vanguard immediately.
Protect your Vanguard.com user name, password, and other
account-related information.
Make sure your user name, password, and answers to your security
questions are unique and strong.
Never share your user name, password, or other account-related
information with anyone.
Never store your user name, password, or answers to security questions
in your browser.
Clear any temporarily stored copies of online information by closing
your browser after signing off. Do not leave your computer unattended
while logged on to Vanguard.com.
Protect your computer.
Make certain that any computer you use to access Vanguard.com has
up-to-date security and anti-spyware, antivirus, and firewall
software.
Do not reply to e-mail requests for personal or financial information.
Do not respond to, open an attachment in, or click on a link within an
e-mail if you suspect the message is fraudulent. Vanguard will not ask
for personal information such as your Social Security number, account
numbers, or passwords in an e-mail.
Cooperate with us and stay informed.
Cooperate fully with Vanguard in investigating and prosecuting any
unauthorized activity in your account, and follow our recommendations
about how to protect your account. We may require you to file a police
report, complete a notarized affidavit, or permit access to your
computer."

https://personal.vanguard.com/us/hel...dgeContent.jsp

Kurt's point was that *SIPC* does not protect against online
fraud in a brokerage account. And he's correct:

From SIPC:

"Does SIPC protect me if my account is hacked and cash and/or securities are stolen?

SIPC's role and responsibilities are as defined under the Securities Investor Protection Act (SIPA). Under that law, SIPC only becomes involved when a SIPC member brokerage firm is eligible for liquidation under the Securities Investor Protection Act. If you discover that your account has been hacked or your securities or cash have been stolen, you should contact your brokerage firm, the SEC, FINRA, your state securities regulator, and/or law enforcement authorities."

So, there is no automatic $500K, universal, SIPC protection.
Apparently how a broker treats online fraud is typically up to
them and they set the rules.

In article ,
J0HNS0N wrote:

Kurt Ullman wrote:

Fraud on the part of the broker, not the kind of fraud where someone gets
the account and cleans it out.

Yes, we were talking about online fraud weren't we.

The two online brokers I deal with (ETrade and Vanguard) both say they
will cover ALL online fraud security losses. (Except those where the
client is negligent.) And they both keep broker account cash in their
respective FDIC insured banks.

That is different from suggesting the SIPC will. T
--
"Statistics are like bikinis. What they reveal is suggestive,
but what they conceal is vital."
-- Aaron Levenstein

"Make sure your user name, password, and answers to your security
questions are unique and...."

Usually lawyer talk makes a certain amount of sense once parsed - but
that one just doesn't make it.

To my (possibly overly-literal) mind it even implies that the user
somehow has access to the universe of Vanguard IDs and PWs so they can
check themselves....

I've got every dime I own in Vanguard funds and make a point of not
using their online access. OTOH, I probably do when I download their
version of Quicken at tax time.
--
Pete Cresswell

On 7/29/2015 4:12 AM, trader_4 wrote:
On Tuesday, July 28, 2015 at 11:20:10 AM UTC-4, Ed Pawlowski wrote:


In any case, you can be sure security is being increased, not decreased
when you sign in on line.

Except in the case of what BA is doing, it clearly decreases
security. By presenting you with an image that you select and
know *before* you give them your password, you know that you're
actually engaging with the real BA website, not some hackers
that have duplicated BA to steal your logon credentials. If
you don't see the image, you know something is wrong. Without it,
hackers could and do present what looks like a real logon page.
So, you try to log on and now the hackers have your user name
and pwd.


Considering the recent data breaches all over, do you really think BA
decided to shortcut and lessen security?

Perhaps they don't want to publicly give details,but I think they are
just doing new security in a different manner. There are probably
stronger methods employed that obsolete the site key. If the site key
was a great enhancement, they would all be doing it by now.