Security without a smile
Posted on 8 Jul 2008 at 14:20
This month, Davey Winder isn't smiling about transactional security and gets his knickers in a twist over spam-address spoofing.
PC Pro recently published a group review of online banking services, and I was responsible for the part of that feature that looked at security. I spoke to Ken Munro, managing director at independent penetration testing company SecureTest, who told me: "If your bank wants answers to memorable questions, don't choose questions that could be easily answered through researching you on social-networking sites. You could even choose fake answers, so long as you can remember them!" Excellent advice, as you'd expect from someone with plenty of hands-on experience at the coalface of penetration testing, but I doubt that even Ken would have been prepared for the sheer naïvety displayed by one bank that has come to light courtesy of PC Pro reader Matthew Cunliffe.
Like so many of our readers (the clue is in the title of the magazine) Matthew is an IT professional: in fact, he has himself worked on bank accreditation for the 3DSecure system that's used by the "Verified by Visa" (VbV) and "MasterCard SecureCode" schemes that add an extra layer of security to online transactions. I'm actually something of a fan of this system, even though it does slow online buying down a little and introduces yet another password into the mix. What happens is this: when you want to buy something using a credit card that's registered under the scheme, you first input the usual data (card number, expiry, name shown and, importantly, the CCV (credit card verification) number that's used primarily for CNP (cardholder not present) transactions), and you then have to complete another, separate login with its own unique password. The idea is that while it's possible someone has stolen your credit card, or you could have been somehow coerced into revealing the required information, it's hugely unlikely in security-risk analysis terms that the same fraudster would also have access to whatever your password is for the 3DSecure system. Fail that part of the transaction and the whole thing goes pear-shaped.
That's why the email from Matthew was so alarming. Indeed, not only did I get one email from Matthew, but I got a copy of his entire email correspondence with Smile, part of the Co-operative Bank, concerning the small matter of how it was choosing to implement the introduction of a VbV system for his Smile credit card. "I was surprised when they told me they were going to register me for Verified by Visa, and that my password would be my 'memorable name' from my online account," Matthew told me, adding: "So not only is my VbV password rather insecure, it's also linked to my online account: guess one, get the other!"
In all his time working on 3DSecure from the banking side of the fence, Matthew has never seen it done in this way, and I have to admit that neither have I. All my credit cards that are registered under the scheme let me choose my own password, unique and created with the usual care to be as secure as possible. In fact, all the card providers I've had experience with insist on it. Not so Smile, whose responses from customer care really do have to be read to be believed.
Matthew, not surprisingly, contacted them saying: "I have just received the email about Verified by Visa for my credit card. I am shocked that you think using my memorable name for VbV is secure! It is memorable and therefore easy for someone else to find out. Linking my VbV password to my online account only serves to make both more insecure. I have been asked to ring you and change my memorable name. This does not improve security if it remains linked to both my account and credit card. I wish to be able to choose my own VbV password and for it to be separate from my online account. Your current method is unacceptable and I refuse to accept any responsibility for any web transactions until you change this process. PC Pro has already given the Smile website a damning review on security. This only makes it worse."