Some may find it amusing that, as an IT professional, I only started using my
bank's online services a few months back. Online banking allows you to monitor
transactions, pay bills and make fund transfers, but a compromised account will
also allow someone else to do that on your behalf. Since moving to the province,
however, access to online services has become a necessity for me.
Online data security is a responsibility of both the website and the user
The cost required to secure a website is directly proportional to the value of
the data it protects. It is safe to presume that hackers are always a step ahead
of the IT department. Fortunately, there are technologies and best practices
available for companies who want to keep up with security. To the end user,
however, there are only two things to secure: the username and the password.
Passwords must be easy for the user to remember but hard for others to guess
You know a password is easy to remember if you do not need to write it down. A
website that makes it hard to create a password encourages people to write them
down.
I have a simple algorithm that allows me to create unique usernames and
passwords for each website. This protects my other accounts in case one website
is hacked. Sounds easy, but there were sites that caught me off-guard and broke
my algorithm, requiring me to write down what I used to register until I devised
a new way of remembering them.
Here are some security rules I encountered along the way.
1. All sites require passwords with a minimum of six characters that must be a
combination of letters, numbers or symbols. This is a basic requirement.
2. One site requires a secondary password with a specific length, subject to the
conditions listed above. I did not prepare for this and was not able to log in
because I could not recall the secondary password.
3. Some sites do not allow characters to be repeated and adjacent to each other.
This makes sense.
4. Other sites employ two-factor authentication by sending a unique code to your
mobile phone. You need to enter the code before you can log in. This can be a
hassle for prepaid SIMs, since losing your phone will require that you also
update all your accounts. Those with postpaid SIMs can just call to deactivate
the stolen SIM and then get a new one with the same number.
5. Some banks require that you call support to validate your registration
details or to request changes. This is what I hated most. It is both challenging
and frustrating to call most banks. To date, there are still online accounts
that I have not successfully registered because of this requirement. These banks
should ensure that they are easily reachable before employing this security
measure. I also wonder why there are no mobile toll-free numbers when banks are
encouraging mobile banking.
6. One site requires that the username include a number. This broke my username
algorithm and I had to look at my notebook whenever I had to log in, because I
often forgot that the username has a number.
7. Many websites allow you to specify security questions. However, I would
prefer to let the user enter the security question as well, instead of just the
answer.
On a side note, never give personal details to someone who
called you, even if they claim that they are from your bank. Call the bank if
you need to update your records.
Securing your email account
I strongly suggest that one should have a separate email account exclusively for
use with financial institutions. You should not use this email account to
register on other sites, especially social media websites. Do not use it to
subscribe to anything. Nobody should even know of its existence. Someone who
knows your email address only has your password to crack, but not knowing both
makes it twice as hard.
Most websites allow you to change passwords using your email account. If I know
your email password, I can change the password on every site where you used this
email address in order to gain access. That makes your email account the single
point of failure in securing your online data. It means you should never save
the password in your email app, not even on your personal laptop. More
importantly, never save it on your mobile phone or tablet.
This leads us to phishing. Never click on an email link that requires you to
enter your account credentials. If you need to, open a separate tab and log in
to that website before you click on the email link. If the email link is valid,
you will not have to log in again. A phishing site will still ask you for your
login details.
A note on passwords
While I acknowledge the banks' requirement for secure passwords, I do not agree
with how they have made it harder for people to remember them. Someone who
attempts to break your password by logging in to your account has little chance
of guessing a combination of letters, numbers and symbols. Even a short phrase
is hard to guess. I believe that those are enough. I also do not agree with the
use of a secondary password unless it comes from a different device, e.g., a
one-time password from your mobile phone.
Brute force using special applications can crack most passwords. It does not
matter what combination of characters you use or how long your password is.
This means that, in my opinion, banks should invest in the best data security
protection to prevent physical access to the password file, but must avoid
making it so hard for users to create login details that you force them to write
them down. A compromised user password can make the most expensive data security
appliance useless. Trying to make passwords more complex will only make them
difficult to remember, not harder to crack.
/royc