Security without a smile
Posted on 8 Jul 2008 at 14:20
This month, Davey Winder isn't smiling about transactional security and gets his knickers in a twist over spam-address spoofing.
PC Pro recently published a group review of online banking services, and I was responsible for the part of that feature that looked at security. I spoke to Ken Munro, managing director at independent penetration testing company SecureTest, who told me: "If your bank wants answers to memorable questions, don't choose questions that could be easily answered through researching you on social-networking sites. You could even choose fake answers, so long as you can remember them!" Excellent advice, as you'd expect from someone with plenty of hands-on experience at the coalface of penetration testing, but I doubt that even Ken would have been prepared for the sheer naïvety displayed by one bank that has come to light courtesy of PC Pro reader Matthew Cunliffe.
Like so many of our readers (the clue is in the title of the magazine) Matthew is an IT professional: in fact, he has himself worked on bank accreditation for the 3DSecure system that's used by the "Verified by Visa" (VbV) and "MasterCard SecureCode" schemes that add an extra layer of security to online transactions. I'm actually something of a fan of this system, even though it does slow online buying down a little and introduces yet another password into the mix. What happens is that when you want to buy something using a credit card that's registered under the scheme, despite the fact that you've already input the correct data for card number, expiry, name shown and importantly the CCV (credit card verification) number that's used primarily for CNP (cardholder not present) transactions, you then have to complete another separate login replete with unique password. The idea is that while it's possible someone has stolen your credit card, or you could have been somehow coerced into revealing the required information, it's hugely unlikely in security-risk analysis terms that the same fraudster would also have access to whatever your password is for the 3DSecure system. Fail that part of the transaction and the whole thing goes pear-shaped.
That's why the email from Matthew was so alarming. Indeed, not only did I get one email from Matthew, but I got a copy of his entire email correspondence with Smile, part of the Co-operative Bank, concerning the small matter of how it was choosing to implement the introduction of a VbV system for his Smile credit card. "I was surprised when they told me they were going to register me for Verified by Visa, and that my password would be my 'memorable name' from my online account," Matthew told me, adding: "So not only is my VbV password rather insecure, it's also linked to my online account: guess one, get the other!"
In all his time working on 3DSecure from the banking side of the fence, Matthew has never seen it done this way, and I have to admit that neither have I. All my credit cards that are registered under the scheme let me choose my own password, unique and created with the usual care to be as secure as possible. In fact, all the card providers I've had experience with insist on it. Not so Smile, whose responses from customer care really do have to be read to be believed.
Matthew, not surprisingly, contacted them saying: "I have just received the email about Verified by Visa for my credit card. I am shocked that you think using my memorable name for VbV is secure! It is memorable and therefore easy for someone else to find out. Linking my VbV password to my online account only serves to make both more insecure. I have been asked to ring you and change my memorable name. This does not improve security if it remains linked to both my account and credit card. I wish to be able to choose my own VbV password and for it to be separate from my online account. Your current method is unacceptable and I refuse to accept any responsibility for any web transactions until you change this process. PC Pro has already given the Smile website a damning review on security. This only makes it worse."
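The whole point of the second login described above is that the 3DSecure secret is independent of anything the fraudster might already hold. As an added illustration (not code from the column, Smile, or the card schemes), here is what an enrolment check that enforces that independence could look like: it refuses a VbV password that is, or contains, the online-banking "memorable name", and stores the two secrets under separate salts so neither can be derived from the other. The function names, the normalisation rules and the sample secrets are all assumptions constructed for this example.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed example: a bank's 3DSecure / Verified by Visa enrolment step.
# The column's complaint is that the VbV password was simply the online
# account's "memorable name"; this check rejects exactly that kind of reuse.

class CredentialReuseError(ValueError):
    """Raised when the proposed 3DS password is tied to the banking secret."""

def _normalise(secret: str) -> str:
    # Compare case-insensitively, ignoring accents and whitespace, so that
    # "Fluffy " and "fluffy" are treated as the same secret.
    folded = unicodedata.normalize("NFKD", secret).casefold()
    return "".join(ch for ch in folded
                   if not ch.isspace() and not unicodedata.combining(ch))

def _hash(secret: str, salt: bytes) -> bytes:
    # Slow, salted hash; each credential store gets its own salt.
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, 100_000)

def is_independent(proposed_3ds: str, memorable_name: str, min_len: int = 8) -> bool:
    """True only if the proposed 3DS password is unrelated to the banking secret."""
    p, m = _normalise(proposed_3ds), _normalise(memorable_name)
    if len(p) < min_len:
        return False
    # Equal, or one embedded in the other ("fluffy" vs "myfluffycat1"): reject.
    if p == m or p in m or m in p:
        return False
    return True

def enrol_3ds(memorable_name: str, proposed_3ds: str) -> dict:
    """Store the 3DS secret under its own salt, never derived from the banking one."""
    if not is_independent(proposed_3ds, memorable_name):
        raise CredentialReuseError(
            "3DS password must not be the online-banking memorable name")
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(proposed_3ds, salt)}

def verify_3ds(record: dict, attempt: str) -> bool:
    """Constant-time comparison of a login attempt against the stored record."""
    return hmac.compare_digest(record["hash"], _hash(attempt, record["salt"]))
```

With this check in place, "guess one, get the other" no longer holds: knowing the memorable name tells the attacker nothing about the 3DS secret, and the separate salt means a leak of one credential store does not expose the other.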