{"id":560,"date":"2008-06-24T13:36:35","date_gmt":"2008-06-24T03:36:35","guid":{"rendered":"http:\/\/www.somethinkodd.com\/oddthinking\/?p=560"},"modified":"2008-06-24T13:36:35","modified_gmt":"2008-06-24T03:36:35","slug":"web-security-and-ing-direct","status":"publish","type":"post","link":"https:\/\/www.somethinkodd.com\/oddthinking\/2008\/06\/24\/web-security-and-ing-direct\/","title":{"rendered":"Web Security and ING Direct"},"content":{"rendered":"<p>Someone is being a fool and not understanding some of the basics of computer security. That person is either (a) the head of security at <a href=\"http:\/\/www.ingdirect.com.au\/\">ING Direct<\/a> or (b) it is me.<\/p>\n<p>Now, your default stance should certainly be &#8220;I&#8217;ll take option (b).&#8221; Let&#8217;s face it; the former managed to achieve a primo position of responsibility in charge of $20 billion, whereas the latter has a long history of being foolish.<\/p>\n<p>Let me see if I can persuade you otherwise.<\/p>\n<h4>About ING<\/h4>\n<p>ING Direct is a bank subsidiary that offers <em>only<\/em> online and phone access to your bank account. Money can be transferred into and out of the account only from a single linked bank account. They pay a reasonably high rate of interest and have lower fees compared to most banks, presumably because their real-estate and transaction costs are so low.<\/p>\n<p>Web security is an important issue for such an organisation, and for its customers.<\/p>\n<h4>Why do I trust a web-site like ING Direct&#8217;s with my money?<\/h4>\n<p>I am reasonably concerned about web-security. 
I am prepared to use ING Direct because the downside of having my account password compromised is relatively low.<\/p>\n<p>I believe that if someone were to successfully get my password, all they could do would be:<\/p>\n<ol>\n<li>see my balance, which would be an invasion of privacy, but not a benefit to the hacker.<\/li>\n<li>change my password, which would inconvenience me until I managed to prove I was who I said I was and have it reset. Again, not a benefit to the hacker.<\/li>\n<li>transfer money to or from my linked account. This might cost me in transaction fees, overdraft fees and lost interest, but would not benefit a hacker.<\/li>\n<li>attempt to change the linked account, and then transfer money to it. This is protected by ensuring that the linked bank account has the same account name as the ING Direct account (or at least the same surname and first initial). It also requires a form to be filled in and signed, with all of the inherent security protection that an unwitnessed signature on a self-printed form can offer.<\/li>\n<\/ol>\n<p>Given that there is little incentive to a hacker to crack my account, beyond simple denial of service, I see it as a relatively low risk to manage my money through their web-site.<\/p>\n<h4>False Security?<\/h4>\n<p>So, while the stakes here are low, it offends my sensibilities when I see artificial security practices in place that inconvenience me, but only provide a facade of additional security. 
I believe ING Direct gives a false sense of security in two such places: their anti-sniffing keypad entry for their pin, and their random deposit confirmation.<\/p>\n<h4>Anti-Sniffing Keypad<\/h4>\n<p>If you visit the ING Direct <a href=\"https:\/\/www.ingdirect.com.au\/client\/\">Online Banking client<\/a>, you will notice that rather than typing in your <strike>password<\/strike> Access Code, you must enter it by clicking on numbers on a randomly laid-out keypad on the screen.<\/p>\n<p>This technique is (presumably) to foil naive keyboard sniffing software from being able to successfully read your password.<\/p>\n<p>Your <strike>user id<\/strike> Client Number is typed in though.<\/p>\n<p>The downside of this system is it makes it slower to enter and less accessible.<\/p>\n<p>Does it successfully protect the password though? Not really! Because the password strength itself is worthless. It is limited to a four-digit number. <\/p>\n<p>Four-digit PIN numbers might be sufficient to protect a credit card, which requires you to physically have access to the card &#8211; especially if it can be captured if you enter the wrong PIN number too many times &#8211; but for a web site with no other factor of authentication, where 10000 guessing attempts could be made in a few minutes, it is nigh on worthless.<\/p>\n<p>(I actually attempted to change my Access Code to something more secure. The keypad will let you propose a six-digit PIN number, but will reject it when you hit Submit.)<\/p>\n<p>Having anti-sniffer protection on a four-digit number is like putting an awfully big padlock on a paper bag.<\/p>\n<h4>Random Deposit Confirmation<\/h4>\n<p>Recently, I changed the linked account associated with my ING Direct account. ING Direct use an interesting authentication technique that I first saw used by Google AdSense.<\/p>\n<p>When I opened a Google account, it was very easy to make a mistake in typing in the account number. 
A wrong account number would lead to all sorts of issues. Google solved this by depositing a random number of cents over two transactions into the account that I proposed to link with their account. They then asked me to test that it worked by confirming the number of cents. For the cost of a few cents and a couple of transactions, Google were able to circumvent major hassles later.<\/p>\n<div class=\"aside\">I recently unreliably heard that two men were arrested for hacking such a system; they automatically opened hundreds of accounts and simply skimmed the money randomly deposited until it added up to enough to be worthwhile.<\/div>\n<p>So, when ING Direct used a similar system, I was more than happy to comply. After all, if I typed in my account details wrong <em>and<\/em> the banks involved failed to notice that the account names mismatched, I could feasibly transfer a large amount of money into someone else&#8217;s account, and I might never see it again.<\/p>\n<p>I initiated the process, and watched my new bank account over the next few days. No money appeared. The time period ran out. I scratched my head. Did I enter the account number wrongly? I had taken great care not to.<\/p>\n<p>No! It turns out they deposited the money in the <em>old<\/em> linked account; the one I was about to close.<\/p>\n<p>What does that prove? They knew I had access to my old account; I had been using it for years.<\/p>\n<p>I still can&#8217;t work out why they might think this is a good idea.<\/p>\n<p>Clearly, somebody is being a fool about computer security. I hope you agree it isn&#8217;t me.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Someone is being a fool and not understanding some of the basics of computer security. 
That person is either (a) the head of security at <a href=\"http:\/\/www.ingdirect.com.au\/\">ING Direct<\/a> or (b) it is me.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_s2mail":"","footnotes":""},"categories":[25,47],"tags":[287,90,95],"class_list":["post-560","post","type-post","status-publish","format-standard","hentry","category-insufficiently-advanced-technology","category-review","tag-banking","tag-security","tag-web"],"_links":{"self":[{"href":"https:\/\/www.somethinkodd.com\/oddthinking\/wp-json\/wp\/v2\/posts\/560","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.somethinkodd.com\/oddthinking\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.somethinkodd.com\/oddthinking\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.somethinkodd.com\/oddthinking\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.somethinkodd.com\/oddthinking\/wp-json\/wp\/v2\/comments?post=560"}],"version-history":[{"count":0,"href":"https:\/\/www.somethinkodd.com\/oddthinking\/wp-json\/wp\/v2\/posts\/560\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.somethinkodd.com\/oddthinking\/wp-json\/wp\/v2\/media?parent=560"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.somethinkodd.com\/oddthinking\/wp-json\/wp\/v2\/categories?post=560"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.somethinkodd.com\/oddthinking\/wp-json\/wp\/v2\/tags?post=560"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}