
Problems with composing security "best practices"

My local bank has been frustrating me with its current security “improvements”. I have not chosen my bank on the basis of its technological savvy, and if I didn’t have such inertia with this bank I would probably look for another bank.

Clearly, this bank has been chasing the security improvements made by the big boys. Unfortunately, blindly applying these changes, particularly when starting from a rather weak security underpinning, does not make for an attractive result. You get the worst of both worlds: a system with weak security plus intrusive security features that annoy the end user.

On the face of it, each security improvement sounds quite reasonable, but in total it just doesn’t work. I’ve seen all these errors on other sites, but my bank seems to have more than its fair share. First is the issue of password safety. The bank site implements a three-strikes-and-you’re-out policy. If you miss the password three times, your account is disabled and you must call a person during normal business hours. The security goal is admirable: you want to protect vulnerable accounts from a brute force attack. However, with the proliferation of passwords and the different requirements on passwords at different sites (alphanumeric only, must have a non-alphanumeric character, at most 8 characters, at least 12), you either must write down your passwords or will probably miss a few times as you enter the variants of your password families. If you could call a human 24×7 to reset, as you can with most credit card companies, this wouldn’t be so bad, but for me it is invariably Sunday night, as I’m trying to get the accounting done, that I lock myself out. An alternative to defeat the brute force attackers is a timed backoff: after one failure pause 1 second, after two failures pause 5 seconds, etc. Somewhat annoying to the legitimate user, but fatal to the brute force attacker.
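As an added illustration (this is not code from the original post or from the bank), here is a small Python model of the timed backoff described above, placed beside the three-strikes lockout it would replace. The post gives only the first two backoff steps (1 s, then 5 s); the later steps in the schedule, the account names, the fake clock and the password check are constructed assumptions.

```python
"""Timed backoff versus three-strikes lockout for failed logins.

Added example, not from the original post. The backoff schedule beyond the
first two steps, the usernames and the password check are constructed.
"""
from __future__ import annotations

import time
from dataclasses import dataclass

# Seconds an account must wait after its Nth consecutive failure.
# 1 s and 5 s come from the post; the remaining steps are assumed.
BACKOFF_SCHEDULE = (0, 1, 5, 30, 120, 600)


def required_delay(failures: int) -> int:
    """Delay after `failures` consecutive failures, capped at the last step."""
    return BACKOFF_SCHEDULE[min(failures, len(BACKOFF_SCHEDULE) - 1)]


def cumulative_wait(n_failures: int) -> int:
    """Total seconds a guesser must sit through to make n consecutive wrong guesses."""
    return sum(required_delay(k) for k in range(1, n_failures + 1))


@dataclass
class AccountState:
    failures: int = 0           # consecutive failures so far
    blocked_until: float = 0.0  # clock value before which attempts are refused


class FakeClock:
    """Constructed clock so the backoff can be exercised without sleeping."""

    def __init__(self, t: float = 0.0) -> None:
        self.t = t

    def __call__(self) -> float:
        return self.t


class BackoffThrottle:
    """Per-account throttle: refuses attempts inside the backoff window and widens
    the window on each failure. The account is never disabled, so a stranger
    guessing wrong cannot lock the real owner out for the weekend."""

    def __init__(self, check_password, clock=time.monotonic) -> None:
        self._check = check_password   # callable(username, password) -> bool
        self._clock = clock
        self._state: dict[str, AccountState] = {}

    def attempt(self, username: str, password: str) -> str:
        now = self._clock()
        st = self._state.setdefault(username, AccountState())
        if now < st.blocked_until:
            # The credential is not even checked while throttled; this is what
            # makes an online brute force attack slow.
            return "throttled"
        if self._check(username, password):
            self._state.pop(username, None)  # success clears the backoff
            return "ok"
        st.failures += 1
        st.blocked_until = now + required_delay(st.failures)
        return "denied"


class ThreeStrikesLockout:
    """The bank's policy, for comparison: three failures disable the account until
    a human re-enables it, so the right password is refused too."""

    MAX_FAILURES = 3

    def __init__(self, check_password) -> None:
        self._check = check_password
        self._failures: dict[str, int] = {}
        self.disabled: set[str] = set()

    def attempt(self, username: str, password: str) -> str:
        if username in self.disabled:
            return "disabled"
        if self._check(username, password):
            self._failures.pop(username, None)
            return "ok"
        n = self._failures[username] = self._failures.get(username, 0) + 1
        if n >= self.MAX_FAILURES:
            self.disabled.add(username)
        return "denied"


if __name__ == "__main__":
    # Constructed demo: one known-good password, a clock we advance by hand.
    check = lambda user, pw: pw == "correct-horse"
    clock = FakeClock(1000.0)
    throttle = BackoffThrottle(check, clock=clock)
    print(throttle.attempt("alice", "wrong"))          # denied
    print(throttle.attempt("alice", "correct-horse"))  # throttled (1 s window)
    clock.t += 1
    print(throttle.attempt("alice", "correct-horse"))  # ok
    print("seconds to make 10 wrong guesses:", cumulative_wait(10))
```

The comparison is the point: with the lockout, three wrong guesses by anyone (including an attacker who knows only the username) cost the legitimate owner a phone call during business hours, while with the backoff a wrong guess costs the guesser time and the owner at most a short wait. In a real deployment the per-account state would live in shared storage and you would also rate-limit by source address, which this toy omits.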

Of course, we all lose our passwords, and my bank has the recover-your-password option that emails a password to your previously registered email account. That is all pretty standard. As long as you reset your password immediately, your exposure is pretty low. However, most sites will reset your password and send you a new, randomly generated password. This way your password can be stored in a form that can never be retrieved in plaintext by bank employees (e.g. as a cryptographic hash), but my bank actually sends your previous password. Not only is my password being sent through insecure email, but presumably some bank employees can retrieve my password at will. If you tend to use families of passwords, this not only exposes your bank account security, but it also exposes all other accounts that have passwords in the same family.
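The reset flow the paragraph prefers, as an added Python example (not the bank's or the post's code): passwords are stored only as salted hashes, so a reset cannot mail back the old password and instead replaces it with a random single-use one. The store layout, the PBKDF2 work factor and the sample user are constructed assumptions.

```python
"""Password storage and reset without recoverable plaintext.

Added example, not from the original post. The store, the reset flow, the
work factor and the sample user are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

PBKDF2_ITERATIONS = 100_000  # assumed work factor; raise it for real deployments


@dataclass
class Credential:
    salt: bytes
    digest: bytes
    must_change: bool = False  # set after a reset so the emailed password is one-shot


def _derive(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash; the only thing the store ever keeps."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_credential(password: str, must_change: bool = False) -> Credential:
    salt = os.urandom(16)  # fresh salt per credential, so equal passwords differ at rest
    return Credential(salt=salt, digest=_derive(password, salt), must_change=must_change)


def verify(cred: Credential, password: str) -> bool:
    return hmac.compare_digest(cred.digest, _derive(password, cred.salt))


class CredentialStore:
    """Holds only salted hashes: an employee who can read it still cannot learn
    any customer's password, and nothing here can send the old one by email."""

    def __init__(self) -> None:
        self._creds: dict[str, Credential] = {}

    def register(self, user: str, password: str) -> None:
        self._creds[user] = make_credential(password)

    def login(self, user: str, password: str) -> str:
        cred = self._creds.get(user)
        if cred is None or not verify(cred, password):
            return "denied"
        return "must_change" if cred.must_change else "ok"

    def reset(self, user: str) -> str:
        """Replace the credential with a fresh random password and return it for
        delivery. The previous password is gone; the new one works exactly once."""
        temp = secrets.token_urlsafe(12)
        self._creds[user] = make_credential(temp, must_change=True)
        return temp  # this is what the email carries; the store keeps only its hash

    def change_password(self, user: str, current: str, new: str) -> bool:
        if self.login(user, current) == "denied":
            return False
        self._creds[user] = make_credential(new)  # clears must_change
        return True

    def stored_record(self, user: str) -> dict:
        """What an insider with database access would actually see."""
        cred = self._creds[user]
        return {"salt": cred.salt.hex(), "digest": cred.digest.hex(),
                "must_change": cred.must_change}


if __name__ == "__main__":
    # Constructed walk-through of register -> forget -> reset -> change.
    store = CredentialStore()
    store.register("alice", "original-pass")
    temp = store.reset("alice")
    print("login with old password:", store.login("alice", "original-pass"))  # denied
    print("login with emailed temp:", store.login("alice", temp))             # must_change
    store.change_password("alice", temp, "new-pass")
    print("at rest:", store.stored_record("alice"))
```

Mailing a temporary password is the 2007-era pattern the post describes; the same store works unchanged with a time-limited reset link instead, which avoids putting any password into email at all. Either way the property the paragraph asks for holds: the old password never leaves the hash, and whoever receives the email gets a credential that must be replaced on first use.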

Recently, the bank has added a ninety-day lockout. If you don’t use the bank web interface for ninety days, the interface is disabled. Again, it sounds like a great idea: closing unneeded holes can only improve security. But how is the account reactivated? You call the bank and give them the secret 4-digit number that was given to you on account creation. This magic number has a close correlation to your social security number. It isn’t infeasible for a random person to find an account number and 4 digits of the social security number (through dumpster diving or social engineering). Then the attacker enters the information on the web, picks a new password and away he goes.

Finally, the bank web interface has added the pictures to avoid phishing links, and the personal questions. I’m OK with the pictures. If I’m presented with a picture I’ll probably remember it is the one I selected (recognition vs recall), and if I’m not going to remember the picture it doesn’t deter me from getting to my account. I just don’t gain from the additional security. However, the personal questions are quite annoying. This is an outgrowth of the “Mother’s maiden name” question that we’ve had for years. Anyone who is somewhat paranoid will put in a fake name that only they recall. But in the last year, I’ve seen a number of web sites add more personal questions. Generally, you get to pick one or two that are meaningful for you. However, my bank site had an unusually large number of personal questions. Some questions are factual and easy enough to recall, e.g. what city were you born in. Others might have answers that are hard to spell, or variations that are hard to recall, e.g. what was your first car? Did I enter “Volkswagen”, “Beetle”, “Bug” or some combination? But the worst are the favorites. Who was your favorite teacher? What is your favorite movie, book, sports team? My favorite 2 years ago when I registered for the site may have changed or been forgotten. This is a classic issue of security vs usability. Either the user tries to play along and answer legitimately, or he might write down the answers and post them on sticky notes on his desk, or he just answers the same word for all questions. If the security is too annoying the user will seek ways to avoid it.

Hmm… As I’m writing all of this down, I think it might be time to reconsider my bank selection, inertia or no inertia.



Comments (2)

Dan Hogan:

The problem is that audit trails, security cameras, a vault and armored cars used to be sufficient for bank security. There were a limited number of employees who could embezzle, so if you found money disappearing, you could audit your records and find out where it was. If someone was forging a depositor’s checks, it was typically a relative or acquaintance who stole the depositor’s checkbook, and would continue to forge checks in the same town till they were caught.

Now it’s like the story about Denny’s restaurants that were built with no locks on the doors because they were supposed to be open 24/7. Then one year management decided to give every employee a day off on Christmas. Guess what: It’s a lot more costly and troublesome to put locks onto doors and doorframes that weren’t designed to accommodate them.

At the end of the story, the locks on Denny’s are as good as those on any other restaurant. Most banks aren’t to that point yet.

One bank in town told me they couldn’t activate my bankcard unless I gave the teller the PIN I wanted to use. At another bank, I tried to buy a laptop online but it was above the maximum purchase limit on the card. After mailing a written request to have the limit raised for long enough to buy the laptop, the bank told me that their software wouldn’t allow them to raise it.

At yet another bank I called to have my password reset and their security question was: “What year and month did you open the account?” After that I had to go to the branch to do it in person. They offered to help me configure my online banking account using the new password, but warned me that I might want to do it at home, because I would only be allowed to login from a total of three different computers, and if I used the one in the branch office, that would count as one of the three. When I called the number they gave me to complain, it had been disconnected.

To go back to the Denny’s analogy, it’s like the pointy haired bosses at the banks decided that a proverbial locksmith’s estimate was too high, and they’d be better off having a second grader to build lots of booby traps. What their security lacks in effectiveness, it makes up for in annoyance.

It’s not just individual banks. The whole system needs to be revamped. For example, the three digit security codes are nice, but the fact that they are ingeniously printed on the back of the card, means that my waitress can still use my card to buy a new wardrobe after I pay for dinner.

We need a system that:

1. Requires only a single account number and password for transactions, but requires them for every transaction.
2. Provides you with phishing filters during all sessions.
3. Always transmits your password with strong encryption, and only stores its hash on the bank’s central computer system.
4. Checks passwords for strength, and never allows weak passwords.
5. Uses timed backoffs.
6. Is subject to regular audits.

If those things were in place, most if not all of the annoying security “improvements” could be eliminated.

Dr. H:

Yes, definitely security is still in the retrofit mode for banking. Internal finance IT folks get it. But the customer-facing security is definitely patch-based, short-term, and follow-what-the-competitors-do.



This page contains a single entry from the blog posted on April 2, 2007 10:32 AM.
