It’s Not Always Good to be Paranoid

With the banks and the general public getting serious about online security, it’s down to web programmers to keep access to an individual’s account strictly controlled. In general, it pays to be paranoid about security when it comes to finances and the Internet. Unfortunately, sometimes you wonder if the programmers ever actually used the system before deploying it to the poor customers. In all examples below, assume my password is “pasSw0rd” (you’d be surprised how many people this holds true for!).

I personally like HSBC’s system. You are issued with a 10-digit Internet Banking ID number (IBxxxxxxxxxx), which is used to perform the initial login. This ID number should be kept reasonably secure, but as you would expect, there’s more than just that to keep your bank account secure. From that screen, you are taken to a login screen, where you are prompted for some more information.

You are always prompted for your date of birth, plus a random choice of characters from your very secret password. I think this password is anywhere between 5 and 10 characters long, case sensitive. That’s a reasonable approach. Even if your machine is infected with a virus which captures keyboard input and sends it to someone (a “keylogger”) who wishes to get to your account, they only have part of your passcode. In the case above, I would enter my date of birth, followed by the characters “p”, “a”, and “S”. So a hacker using a keylogger could only get into my account if the system prompted for exactly the same set of characters (assuming the keylogger had some means of knowing which ones had been asked for – not very easy). A quick check of the mathematics shows that for my 8-character password there are 56 different sets of 3 characters. That’s before you get into the added small bit of security which means you are sometimes asked for your “last”, or “next to last”, characters. This is useful, because you need to know the length of the password to know whether “last” refers to position 6 or 10.

Next we look at the Marks & Spencer Money website. Firstly, you need to sign in to the website using a standard username and password combination. Then you’re presented with another login screen.

Again, we are being asked for a secret piece of information – in this case the name of your favourite city or country. I personally dislike these “what is your favourite [pet / country / teacher’s / place / singer’s] name?” type questions, but hey-ho. Next we’re again asked for three random characters from my password. In this case, “0”, “p”, and “w”. The key difference here, though, is that they aren’t in order.

With the HSBC system, the random characters are arranged into order. With the M&S site, they aren’t. This makes recalling the requested digit much harder. Try it yourself: what’s the fourth character of my password? Fairly quickly (after counting through the letters), you end up with “S”. Now what’s the fifth? Or the sixth? That’s dead easy – the sixth is just two after the fourth: “0”. But getting the third character after working out the sixth is so much harder.

It’s not that it’s difficult to program (and that should be no excuse for bad interface design). It’s one of the first things you do when learning to program – sort a list of numbers. Nor is sorting the requested characters any less secure. Remember above that we assumed the hacker had a program which could determine which character positions had been requested? Simply changing the order around doesn’t make things more secure, just less easy to use. Even if the order were important, there are only 336 ways to get three characters from eight – that’s not much of an improvement on the 56 above.
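To put numbers on the two prompt styles discussed above and in the HSBC section, here is an added Python example (not code from this post or from any of the banks) that models a “three random characters” prompt over the post’s sample password, checks an answer, and works out how much of a future prompt an observer could answer. The function names are mine, and the observer model assumes, as the post does, that the keylogger also learns which positions were asked for.

```python
import math
import random

# The post's example password; positions are counted from 1, as the banks do.
PASSWORD = "pasSw0rd"
PROMPT_SIZE = 3  # both banks ask for three characters


def challenge(password, ordered=True, k=PROMPT_SIZE, rng=random):
    """Pick k distinct positions to ask for. HSBC-style prompts are sorted
    into order; M&S-style prompts are left in the random order drawn."""
    positions = rng.sample(range(1, len(password) + 1), k)
    return sorted(positions) if ordered else positions


def verify(password, positions, answer):
    """Server-side check: the answer must be exactly the characters at the
    requested positions, in the order they were requested."""
    expected = "".join(password[p - 1] for p in positions)
    return answer == expected


def distinct_prompts(length, ordered=True, k=PROMPT_SIZE):
    """How many different prompts exist: C(8,3) = 56 sorted triples, or
    P(8,3) = 336 if the order asked for also varies."""
    return math.comb(length, k) if ordered else math.perm(length, k)


def answerable_fraction(length, known_positions, k=PROMPT_SIZE):
    """Share of future prompts someone can answer knowing only the characters
    at `known_positions`. The ratio is C(known, k) / C(length, k) whether
    or not the prompt is sorted, which is the post's point about ordering."""
    return math.comb(len(known_positions), k) / math.comb(length, k)


def positions_exposed(length, sessions, k=PROMPT_SIZE, seed=0):
    """Simulate `sessions` observed logins and return the set of positions
    whose characters have been revealed; once every position has been
    seen, asking for a subset no longer protects the password."""
    rng = random.Random(seed)
    seen = set()
    for _ in range(sessions):
        seen.update(rng.sample(range(1, length + 1), k))
    return seen


if __name__ == "__main__":
    print(distinct_prompts(8), distinct_prompts(8, ordered=False))  # 56 336
    print(verify(PASSWORD, [1, 2, 4], "paS"), verify(PASSWORD, [6, 1, 5], "0pw"))
    print(answerable_fraction(8, {1, 2, 4}))  # 1/56 after one observed login
    print(sorted(positions_exposed(8, 5)))
```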

And now we move on to the mess that is the ING Direct internet banking website.

Everything starts normal enough, with the requirement to enter your personal customer number (which isn’t really secure as the website allows you to save it for future use), along with your surname (again, not desperately secure). This takes you through to the following screen:

Again, like the M&S website, we struggle with having to remember our PIN in a random order. This is supplemented (as ever) by a reasonably secure piece of information (although such things are usually easy to guess – family birthdays and anniversaries are a good start). The real problem arises when you discover that you can’t enter the requested information via the keyboard – everything must be done through mouse-clicks on the keypad to the right. You may have noticed already that the keypad isn’t like either the one on your keyboard or the one on your phone. All the numbers are randomly arranged, and this arrangement changes every time you use it. As with most people who use computers as part of their day-job, I’m much more focused on using the keyboard than using the mouse – it’s far faster. So when we’re presented with a system which deliberately forces us off our natural method of input, we get annoyed. Add to this the fact that you need to hunt around for every digit, and things quickly become very frustrating.

My guess is they do this to avoid the very small number of cases where keyloggers are in place, but if you’re working with money on-line you should really have computer defences in place to stop such things from catching you. So yes, the ING Direct website is more secure because of this technology, but it’s far less usable. It’s not always good to be paranoid about security.