For years now I’ve been… less than impressed with the ANZ bank’s concept of how a secure banking website should work. Finally they’ve taken steps to harden their site. They’ve introduced “secret questions”, like “who was your best friend in high school”, “what’s your partner’s nickname” and “what’s your nickname for your youngest child”. At last, my money is now safe from thieves who will never guess that my my partner’s nickname is Cathy, my best friend in High School was Robert, and my youngest’s nickname is Marky. Oh, darn! I accidentally disclosed the answers to those secret questions! It’s as if that information would be widely available to any thief who took the time to look me up on Facebook (don’t bother, I’m not on Facebook).
Because in providing answers to these questions the security on my account was going up, not down, I couldn’t possibly be allowed to opt-out, with dire warnings about being liable for losses if someone found out the answers. To these most basic of questions.
Most other banks have implemented two-factor authentication. Even G-mail has two-factor authentication. But not the ANZ, they’ve stepped things up a notch. They’ve eschewed two-factor, and gone for “You’ll never guess the name of my pet, which I post on Facebook all day long”.
So I took my standard defensive action: attack surface reduction and target-value minimisation. To reduce the attack surface, for each answer I mashed the keyboard – so thieves, remember my first Primary School was in the suburb of pwofkmvosffslkdflsifcmmsmclsefscdsfpsdfpefsdflsd, or something. To minimise the value of the target, I swept all the funds out of the account. What’s wrong the the technique of establishing identity by the production and examination of 100 points of identifying documents? Why do I need to have a favourite colour?
Cathy worked for the ANZ until recently, and the day she received her final paypacket she shut the account. Hated their account with a passion, but the ANZ is incapable of paying their employees through anything other than an ANZ account. Because, you know, banking is hard.
Atwood: Yeah, I was going through my blog…
Spolsky: It seems like half of all sites would be broken.
Anyway, here’s the base configuration for my browsers these days:
Australian consumers can now use their Visa cards to pay for small value transactions of $35 or less without entering a PIN or signing a receipt, Visa announced today.
This requires the retailer to actively persue this strategy, but the payment network no longer demands identification for these “low value” transactions. They claim that security isn’t compromised by this. Their logic goes like this:
$35 isn’t much.
If someone steals your card, they can only obtain $35 worth of goods and services per transaction until the card is shut down.
Your card issuer will eventually notice all of these transactions and phone you to make sure everything is okay.
The retailer wears the risk of these unauthorised transactions
So what’s to stop your teenager borrowing your card to go buy snacks at McDonalds (one of the early adoptors of this security-flexibility) whenever they’re hungry? The card company’s logic goes like this:
$35 isn’t much.
If someone borrows your card without your knowledge, they can only obtain $35 worth of goods and services per transaction.
The retailer wears the risk of these unauthorised transactions
So why would a retailer run the risk of a month’s worth of Coles supermarket purchases (another early adopter) – which could easily exceed $1000 with one or two purchases a day – being fraudently run up? Because when you compain to your card issuer, they require a police report. The police, being a diligent lot, will follow up these $35 thefts, go to the stores, look at the video footage, realise they don’t know what you look like, come around to your house and compare the picture against you and decide it’s not you. Then they’ll think “How did this person who isn’t the cardholder get hold of the card and the cardholder didn’t notice until they got the bill?” and they’ll suspect an inside job, and ask you if you recognise the person in the video footage. If you want your teenager to have a crimal record with 30+ theft convictions you’ll scream “Sarah! Come here!” and that will be that; otherwise you might stay quiet.
Of course, it might not be your teenage daughter with the munchies; somebody at work might borrow the card from the wallet on your desk to buy lunch when they’ve run out of cash, or friends when you’re out “dining” at McDonalds.
Worse yet is the organised criminals who can easily prove their expenditure is not their own – it was in another state! Because there’s no motivation to Express Post your card to an interstate confederate for them to have a quick run around with it before Express Posting it back. In short order it can become quite a bill too – at Apple Stores it’s up to $150 without a signature being needed. These expenditures can be book-ended by legit local purchases, leading the card holder to say “well, I never authorized that, I’ve still got the card, so you figure it out”. The costs of these thefts, which all the video footage in the world isn’t going to connect to the cardholder, and with some precautions the confederate either, goes onto the general costs of running the retail operation, pushing up prices.
Retailers always had the option of skipping the need to sign for a transaction – be it on their own heads. So presumably they think that the video footage will reduce the level of experienced loss.
Now, presumably this fraud will cost less than the expenditure saved – assuming a check-out chick costs $25/hour to employ it implies at least 1.4 person-hours are saved per fraud, and assuming a saving of four seconds per transaction, they’re expecting no more than 1 fraud in 1280 transactions. But I ask: isn’t it better to pay $35 to Aussie Battlers… working Aussie families… our most valuable assets rather than hand over, say $30, to criminals through lax security?
With contactless payments finally with us, there’s even more reason to fear unauthorized transactions, per this video of a guy stealing the identifying information off a smart card:
It appears that in addition to annual fees, international conversion fees, interest charges and so forth, the price of a credit card is the same as freedom: eternal vigilance.
All of this is lovely and academic, but the activity by retailers and card issuers has the effect of turning every card in my wallet into many unchallenged $35 purchases. This acts as a motivator to steal my cards from me. If my wallet is stolen, I can immediately cancel the cards, so no risk there. So to get at the lovely $35 goodness, the thief needs to stop me doing that – clonking the victim on the head is a good way of preventing reporting. I like my head. I don’t mind spending 4 seconds a transaction to prevent a increase in people getting brained.
The worst part is there’s no way to opt out of this reduced security; I can’t say to Visa: “No, for my card, only pay money when a PIN is supplied.” It’s forced on everyone. I remember when these PIN things came out, and I was repeatedly assured that they were more secure than a signature, and I could assure them that it wasn’t – the damn PIN is encoded on the mag strip of the card (precisely copied in seconds!), and any fool can see you keying your PIN in. Now another layer of security has been whittled away, leaving… video investigation.
See the protocol on the front? On the page, net to the big verisign logo:
We guarantee that every transaction you make on our website will be safe. Our secure server software (SSL) is the best software available today for secure commerce transactions. It encrypts all of your personal information, including credit card number, name, and address, so that it cannot be read as the information travels over the Internet. When an order is received, SSL is again used to unscramble the message, check that it came from the correct sender, and verify that it has
Do not open or save Word files that you receive from untrusted sources or that you receive unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a specially crafted Word file.
Don’t open Word files, not even in the Word viewer.
Dictionary based searching works – if you aren’t going through something that monitors that sort of thing. Ophcrack will break into a Windows system, by running through very large dictionaries, some of which are available only by purchase.
Perhaps to read the advice on Choosing a Pretty Good Password. Myself, most of my passwords are highly insecure. But that’s only because they’re on systems I don’t give a tinker’s cuss about. The ones I do are pretty tight.
Does anyone out there use multiple, changing, strong passwords? If so, how do you keep them straight? If not, why are you toying with your security like that?