At one time I had a problem with the challenge questions; don't remember
what it was now. Not being nearly so computer savvy as most of you I
wound up dealing with my CU in trying to solve it. Eventually they
suggested that I give the same answer for all the security questions
[which would all be wrong except in one case at the most]. Somehow that
worked.
James
.
.
Message: 2
Date: Wed, 04 Nov 2009 17:11:11 -0800
From: "David E. Ross"<nob...@nowhere.invalid>
To:support-seamonkey@lists.mozilla.org
Subject: Re: Stes that have Security Questions
Message-ID:<eoydndw5syisu2_xnz2dnuvz_rgdn...@mozilla.org>
Content-Type: text/plain; charset=ISO-8859-1
On 11/4/2009 12:29 PM, John D Jacoby wrote:
> *Hi,
> For example, my Credit Union has a security feature and asks me for
> the answer when I log on. After doing this one time with Internet
> Explorer it no longer asks for an answer and all I need to do is enter
> the Account number and a password. With SeaMonkey, it asks every time!
> Is there a setting that I need to make so that I no longer need to keep
> giving a Security Answer in SeaMonkey?
> Thanks for any help,
> John
> *
These are sometimes called "challenge questions". When you answer the
question correctly, the site sets a cookie in your profile. The next
time you try to login, the site fetches the cookie and bypasses the
question if the cookie contains the correct information. Sometimes, the
cookie will be for the domain of the outside service that created the
software used by the financial institutions. Thus, you might not only
have to accept cookies "normally" (permanently and not merely for the
current session), but also you might have to enable all cookies and not
merely those for the originating Web site.
I have found that some sites restrict bypassing the challenge question
by sniffing for what browser you are using. Only "approved" browsers
will bypass the question. Of course (unfortunately), they sniff for
"Firefox" and not for "Gecko". Thus, with SeaMonkey, you will always be
asked a challenge question. (Sniffing also means that the question will
be asked if you change browsers.)
I stopped trying to convince two banks, two credit unions, and a mutual
fund group that sniffing for "Firefox" is wrong. Instead, I setup a
special profile for accessing financial institutions. In this profile,
I always spoof for Firefox with the following UA string:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.4)
Gecko/20091017 SeaMonkey/2.0 NOT Firefox/3.5.3
I also have set this profile to accept all cookies "normally". I never
use this profile unless I intend to logon to one of my financial
accounts. To get public information from any of the institutions'
sites, I use my normal profile.
A few sites assume everyone has broadband with a fixed IP address. This
is a very bad assumption. Approximately 10% of Internet users in the
U.S. still use dial-up with a new IP address each time they connect. On
top of that, you might get a new IP address when you reboot your
broadband modem. You might try viewing your cookies -- on the menu bar,
select [Tools> Cookie Manager> Manage Stored Cookies] -- and see if
you detect an IP address as the value of a cookie that has the domain of
your credit union's Web site. If so, the credit union has a real
problem that needs to be fixed.
By the way, a number of studies have concluded that challenge questions
and also security images provide no security. In place of the
questions, you need to have strong passwords that you don't write down
on a PostIt or save in an unencrypted file. In place of images, you
need (1) to check that the padlock icon appears in the lower-right
corner of your SeaMonkey browser window and (2) never access your
account from a link in an E-mail or newsgroup message.
-- David E. Ross
_______________________________________________
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey
