Wednesday, September 4, 2013

Online Data Security for End Users

As an IT professional, some may find it amusing that I only started using my bank’s online services a few months back. Online banking allows you to monitor transactions, pay bills and make fund transfers, but a compromised account will also allow someone else to do that on your behalf. Since moving to the province, however, access to online services has become a necessity for me.

Online data security is a responsibility of both the website and the user

The cost required to secure a website is directly proportional to the value of the data to protect. It is safe to presume that hackers are always a step ahead of the IT department. Fortunately, there are technologies and best practices available for companies who want to keep up with security. To the end user, however, there are only two things to secure: username and password.

Passwords must be easy for the user to remember but hard for others to guess

You know a password is easy to remember if you do not need to write it down. A website that makes it hard to create a password encourages people to write their passwords down.

I have a simple algorithm that allows me to create unique usernames and passwords for each website. This will secure my other accounts in case one website is hacked. Sounds easy, but there were sites that caught me off guard and broke my algorithm, requiring me to write down what I used to register until I had devised a new way of remembering them.

Here are some security rules I encountered along the way.

1. All sites require passwords with a minimum of six characters that must be a combination of letters, numbers or symbols. This is a basic requirement.

2. One site requires a secondary password with a specific length, subject to the conditions listed above. I did not prepare for this and was not able to log in because I could not recall the secondary password.

3. Some sites do not allow the same character to be repeated in adjacent positions. This makes sense.

4. Other sites employ two-factor authentication by sending a unique code to your mobile phone. You need to enter the code before you can log in. This can be a hassle for prepaid SIMs, since losing your phone will require that you also update all your accounts. Those with postpaid SIMs can just call to deactivate the stolen SIM and get a new one with the same number.

5. Some banks require that you call support to validate your registration details or request changes. This is what I hated most. It is both challenging and frustrating to call most banks. To date, there are still online accounts that I have not successfully registered because of this requirement. These banks should ensure that they are easily reachable before employing this security measure. I also wonder why there are no mobile toll-free numbers when banks are encouraging mobile banking.

6. One site requires that the username include a number. This broke my username algorithm, and I had to look at my notebook whenever I had to log in because I often forgot that the username has a number.

7. Many websites allow you to specify security questions. However, I prefer that the user enter the security question instead of only the answer.
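The rules from items 1, 3 and 6 above, written as a small checker so you can see exactly which rule a candidate username or password trips before a site rejects it. This is an added example, not code from the original post; the rule names, the "at least two character classes" reading of "a combination of letters, numbers or symbols", and the return format are my assumptions.

```python
import re
import string

# Minimum password length from rule 1 (assumed as a named constant).
MIN_PASSWORD_LENGTH = 6


def password_rule_failures(password: str) -> list[str]:
    """Return the names of the rules the password violates (empty = accepted)."""
    failures = []
    # Rule 1a: at least six characters.
    if len(password) < MIN_PASSWORD_LENGTH:
        failures.append("too_short")
    # Rule 1b: a combination of letters, numbers or symbols; assumed here to
    # mean at least two of the three character classes are present.
    classes = {
        "letter": any(c.isalpha() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    if sum(classes.values()) < 2:
        failures.append("single_character_class")
    # Rule 3: no character may be repeated immediately after itself ("aa", "11").
    if any(a == b for a, b in zip(password, password[1:])):
        failures.append("adjacent_repeat")
    return failures


def username_rule_failures(username: str) -> list[str]:
    """Rule 6: some sites insist that the username contains a number."""
    return [] if re.search(r"\d", username) else ["missing_digit"]


if __name__ == "__main__":
    # Constructed sample inputs, one per rule.
    for candidate in ["Tr4in-Boat", "ab1!", "abcdefg", "pass11word"]:
        print(candidate, password_rule_failures(candidate) or "accepted")
    for name in ["jdoe", "jdoe7"]:
        print(name, username_rule_failures(name) or "accepted")
```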

On a side note, never give personal details to someone who called you, even if they claim that they are from your bank. Call the bank if you need to update your records.

Securing your email account

I strongly suggest that one should have a separate email account exclusively for use with financial institutions. You should not use this email account to register on other sites, especially social media websites. Do not use it to subscribe to anything. Nobody should even know of its existence. Someone who knows your email address only has your password to crack, but not knowing both makes it twice as hard.

Most websites allow you to change passwords using your email account. If I know your email password, I can change the password in all sites where you used this email address in order to gain access. That makes your email account the single point of failure in securing your online data. That means you should never save the password in your email app. Not even on your personal laptop. More importantly, never save it on your mobile phone or tablet.

This leads us to phishing. Never click on an email link that requires you to enter your account credentials. If you need to, open a separate tab and log in to that website before you click on the email link. If the email link is valid, then you do not have to log in again. A phishing site will still ask you for your login details.

A note on passwords

While I acknowledge the banks’ requirement on secure passwords, I do not agree with how they made it harder for people to remember them. Someone who attempts to break your password by logging in to your account has little chance of guessing a combination of letters, numbers and symbols. Even a short phrase is hard to guess. I believe that those are enough. I also do not agree with the use of a secondary password unless it comes from a different device, e.g., a one-time password from your mobile phone.

Brute force using special applications can crack most passwords. It does not matter what combination of characters you use or how long your password is. This means that, in my opinion, banks should invest in the best data security protection to prevent physical access to the password file, but must avoid making it so hard for users to create login details that they are forced to write them down. A compromised user password can make the most expensive data security appliance useless. Trying to make passwords more complex will only make them difficult to remember, but not harder to crack.

