Whine and Dime #0005


Continuing last week's theme of security theatre, a UK bank asked me this week to set a PIN for online banking. One of the rules they have for the PIN format is "no pairs of repeating numbers", amongst a few others. The result of this policy is not that PINs are any more secure, but rather that the search space of possible PINs has been reduced, making it marginally easier for a hacker to guess a PIN.

This misguided security strategy then gets even worse. When logging in to online banking, instead of asking for the PIN as a 4-digit number, they ask for a random 3 digits out of the four. And if that wasn't enough, to make the user experience even more diabolical, they then ask for a random 3 digits for the login password as well.

As a diligent online banking user with a complex, site-specific password managed via 1Password, I am now forced to look up my password on each login and determine the nth, kth and jth letters to type in. This approach is no more secure than simply entering my full password because any attacker with my password can also just work out the nth, kth and jth letters.

These strategies end up having the opposite effect of what was intended. Because this login process is such a UX nightmare, it encourages users to have simpler passwords from which they can easily remember the nth characters, or worse, forces them to write their password down.

This is the same misguided thinking that has organisations come up with increasingly baroque password policies. Forcing a difficult to remember password onto people encourages them to use some kind of generative approach like including the date, or worse, to write the password down or store it in a file on their computer somewhere. Both outcomes end up reducing security rather than improving it.

The best approach for any service beyond specifying a minimum password length (and not a maximum!) is to proactively try to crack every customer's password offline. If a customer password is ever cracked, the system automatically resets the password, informs the customer that their password was not secure, and forces them to choose a new one. This approach will weed out passwords of the "password1234" and "p455w05d" variety, and over time, create a very robust set of passwords reinforced against common dictionary attacks. It also allows people to select cryptographically complex passwords that are easy to remember, but also high in entropy, such as three or four word phrases separated by spaces.

Bonus whine: porting mobile phone numbers here in the UK is also slow and error prone. In Australia, the ports happen straight away, give or take an hour. That will probably be the first time an Australian telco gets a rap from me for service.

Industry News

Here are some thoughts on what law firms can do with the blockchain. The cross-over between the Law and programming is an interesting one. Computer programming languages are about telling computer hardware what to do, and the Law is (loosely) about telling people what to do, or at the very least, facilitating judgements about behavior when it does not meet community expectations. Can blockchain technologies, (particularly 'smart contracts') have an impact on the way laws work? For example, if you can algorithmically specify the terms of an agreement and encode it into the blockchain in advance, then will we end up with a situation where programmers replace lawyers?

Apple Pay Will Soon Work at Starbucks, KFC and Chili’s (Video). Unlike Australia where contactless/NFC terminals are almost ubiquitous, rollout in the UK and US is somewhat slower. Putting them in big name chain venues like Starbucks will have an increasingly large impact on uptake.

Interledger is Ripple's new spin for integrating traditional (private) and emerging (distributed, blockchain) ledgers. It's a bid to offer Ripple's enterprise customers a solution that they argue maintains customer privacy, allowing users to keep aggregate transaction data off the public blockchain by using a connector to move funds between private versions of the Ripple network. Early days, but it sounds interesting.

SWIFT is looking to deliver a 57% price reduction by the end of 2015http://www.swift.com/about_swift/shownews?param_dcr=news.data/en/swift_com/2015/PR_sibos_pricing.xml. This is unlikely to be because of any actual disruption to the international payments business by cryptocurrencies, but it could well be because of a fear of what is coming next. Curiously, the big costs to the end-customer from international payments are not because of the wholesale costs of making a SWIFT payment, but rather because of all of the kick-back and uplift fees that banks pay each other on top of the underlying SWIFT payment.

"Big banks are far too complicated.", says Anne Boden of Starling Bank. Yep.

The US's $40 trillion (with a 't') ACH payments system is 40 years old an starting to creak under the weight of payments innovation. HBR asks why the way Americans pay for things is so woefully out of date. Perhaps the author of the article (Jordan Lampe, Director of Policy at Dwolla) has a solution to the problem?

And finally, if this week's whine has you worried about security, then JCB is about to pilot palm vein payments in Japan. What could possibly go wrong? There's got to be a pun in there somewhere about 'armed bandits'.

Blog Posts

Worth Following

Nerding Out