
As safe as ATMs

Oct 28, 2012, The New York Times:

To make hacking more difficult, web sites should use multiple levels of security, says Randall Stross.

The two-step verification followed by bank ATMs is inconvenient, but more secure. (Photo: NYT)

Bank ATMs embody decades-old technology. A four-digit PIN? What a seemingly crude security system. Where are the uppercase and lowercase letters and the random punctuation that we are continually told are crucial to hacker-resistant passwords?

In fact, though, the four-digit numbers required to use cash machines are one element of an extremely strong security model that most of today’s websites fall well short of matching.

Think about it: An ATM requires the presentation of both a physical card and a correct PIN. Websites can and should follow this general principle of requiring two dissimilar things before access is granted.

After supplying the password, that second thing could be a code that arrives as a text message on one’s phone. A thief would find that stealing your password for a website was useless without also having your phone in hand.

The technical term for requiring something you know and something you have when trying to log into an online account is “two-factor authentication.” It’s also known as two-step verification.

If this system, using passwords and smartphones, were used on all limited-access websites, the passwords wouldn’t have to be long and complex. But many Web users rely on easy-to-guess passwords with only one-step verification, which is highly imprudent.

Nick Berry, president of DataGenetics, a consulting firm in Seattle, has analysed the large password databases that hackers who have broken into various websites have publicly released.

Among 30.3 million passwords he has found 3.4 million consisting of nothing but four digits. (It’s astounding that there are still websites that permit these. I always encounter password requirements that force me to choose ever longer, more complex strings of characters, numbers and punctuation marks.)

Some four-digit passwords are far more popular than others: “1234” alone accounts for almost 11 percent of these passwords; “1111,” an additional 6 percent. Repetitive patterns occupy many of the other spots among the 20 most frequent numbers. Lower on the list are numbers that are likely to be a year of birth or the four-digit rendering of the month and day of a birthday.

We can speculate that some of the four-digit passwords found in websites’ databases were first conceived as PINs for ATMs. They may also be serving as the users’ PINs for unlocking smartphones. Berry says he also saw a number of instances of what he calls “finger walking” on a keypad, in which the sequence comes from a geometric pattern, like “2580” – moving from top to bottom in the keypad’s center.
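The weak classes of four-digit PIN that Berry's analysis turns up (repeated digits, straight sequences, years of birth, MMDD birthdays and keypad "finger walks" such as "2580") can be screened for when a user picks a PIN. The following is an added example, not code from the article or from DataGenetics; the keypad geometry, the year range and the choice of which patterns count as weak are assumptions made here.

```python
"""Heuristic screen for the weak four-digit PIN classes described in the article.

Added example: the pattern classes come from the article, the thresholds and
the keypad layout are assumptions of this example.
"""
import re
from datetime import date

# Phone/ATM keypad layout used for the "finger walking" check
# (assumption: the common 3x3 grid with 0 centred beneath the 8).
KEYPAD = [["1", "2", "3"],
          ["4", "5", "6"],
          ["7", "8", "9"],
          [None, "0", None]]
KEY_POS = {key: (row, col)
           for row, keys in enumerate(KEYPAD)
           for col, key in enumerate(keys) if key is not None}


def is_repetitive(pin):
    """'1111' or '1212': the PIN uses at most two distinct digits."""
    return len(set(pin)) <= 2


def is_sequence(pin):
    """Ascending or descending runs such as '1234' or '9876'."""
    digits = [int(ch) for ch in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps == {1} or steps == {-1}


def is_year(pin, first=1900, last=None):
    """Plausible year of birth (upper bound defaults to the current year)."""
    last = date.today().year if last is None else last
    return first <= int(pin) <= last


def is_date(pin):
    """MMDD or DDMM rendering of a birthday."""
    a, b = int(pin[:2]), int(pin[2:])
    return (1 <= a <= 12 and 1 <= b <= 31) or (1 <= b <= 12 and 1 <= a <= 31)


def is_finger_walk(pin):
    """Each step lands on a neighbouring key (diagonals included) and no key
    repeats, e.g. '2580' straight down the middle column."""
    if len(set(pin)) != len(pin):
        return False
    pos = [KEY_POS[ch] for ch in pin]
    return all(max(abs(r2 - r1), abs(c2 - c1)) == 1
               for (r1, c1), (r2, c2) in zip(pos, pos[1:]))


CHECKS = [("repetitive", is_repetitive), ("sequence", is_sequence),
          ("year", is_year), ("date", is_date), ("finger_walk", is_finger_walk)]


def weak_pin_reasons(pin):
    """Return the weak-PIN classes `pin` falls into (empty list = none matched)."""
    if not re.fullmatch(r"[0-9]{4}", pin):
        raise ValueError("expected exactly four digits")
    return [name for name, check in CHECKS if check(pin)]


if __name__ == "__main__":
    # Constructed sample PINs, including the two the article singles out.
    for candidate in ["1234", "1111", "2580", "1984", "0314", "7391"]:
        print(candidate, weak_pin_reasons(candidate) or "no known weak pattern")
```

A screen like this only narrows the popular end of a 10,000-value space; it does not make a four-digit secret strong, which is why the article's real point is the second factor and the attempt limit rather than the PIN itself.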

The bank customer who chooses the year of her birth as her cash-machine PIN isn’t putting her savings in great jeopardy. The thief who picks up a lost wallet with an ATM card in it would have to guess the PIN correctly in just the first few tries, or the system would shut down the account. Even if successful, the thief would be limited by the ceiling on daily ATM withdrawals. And, in cases of theft, the customer would be made whole by the bank for the loss.

When that short PIN is used as a password on the Web, however, without a second form of verification, it is just about the worst possible choice, almost as bad as choosing “password” as one’s password.

“Using an ATM PIN in the context of the online world is unwise,” says Marty Jost, a product marketing manager at Symantec, the computer security company. “Using an easy-to-remember PIN is even more unwise because it’s easy to guess.”

Jost says websites should use multiple layers of security so that “the password is not the only authentication mechanism.”

Users of Gmail and other Google services, for example, can elect to have a two-step verification system to protect their accounts. When the system is activated, the user fills in the boxes for user name and password, as usual, but then is sent to another page where a verification code must be typed in.

Users may choose to have this arrive as a text message, or they can obtain it by using an app on their smartphone. There’s a backup method, too, in case their smartphone is lost or stolen.
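Two mechanisms in the article carry the security: the ATM's lockout after a few wrong PIN guesses, and the one-time code that an authenticator app shows and the site checks. The block below is an added example, not Google's, Symantec's or any bank's code: it implements the time-based one-time password algorithm that authenticator apps use (RFC 6238 TOTP over RFC 4226 HOTP, HMAC-SHA1, 30-second steps, six digits) and a server-side check that rejects replayed codes and locks the account after a fixed number of failures. The shared secret, the one-step drift window and the three-failure limit are assumptions of this example, not any provider's actual parameters.

```python
"""Server-side second-factor check: TOTP code verification plus an attempt limit.

Added example, standard library only. The RFC 6238 reference secret is used so
the codes can be checked against the RFC's published test vectors.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # authenticator apps rotate the code every 30 s (RFC 6238 default)
DIGITS = 6          # six-digit codes, as shown by common authenticator apps
WINDOW = 1          # also accept the previous and next step to absorb clock drift (assumption)
MAX_FAILURES = 3    # lock after this many wrong codes, in the spirit of the ATM (assumption)


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a 31-bit integer, then reduction to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at, step=STEP_SECONDS):
    """The code an authenticator app displays at Unix time `at`."""
    return hotp(secret, at // step)


class SecondFactor:
    """Per-account state for the second step: shared secret, failure counter
    and the last time step whose code was accepted (to refuse replays)."""

    def __init__(self, secret, max_failures=MAX_FAILURES):
        self.secret = secret
        self.max_failures = max_failures
        self.failures = 0
        self.last_step = -1

    def verify(self, code, now):
        """Return 'ok', 'wrong' or 'locked' for a code submitted at Unix time `now`."""
        if self.failures >= self.max_failures:
            return "locked"            # even the right code is refused once locked
        current = now // STEP_SECONDS
        for step in range(current - WINDOW, current + WINDOW + 1):
            if step <= self.last_step:
                continue               # a code for this step was already used
            # constant-time comparison so response timing leaks nothing about the digits
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.failures = 0
                self.last_step = step
                return "ok"
        self.failures += 1
        return "wrong"


if __name__ == "__main__":
    # RFC 6238 reference secret (ASCII "12345678901234567890"); a real
    # deployment generates a random per-user secret at enrolment.
    secret = b"12345678901234567890"
    account = SecondFactor(secret)
    print("code at T=59:", totp(secret, 59))                 # 287082 per RFC 6238
    print(account.verify("000000", 59))                       # wrong
    print(account.verify(totp(secret, 59), 59))               # ok
    print(account.verify(totp(secret, 59), 59))               # wrong: replay refused
```

The lockout is what turns a short code into an acceptable secret: with three attempts against one million possible six-digit codes, a guesser's chance is on the order of three in a million per lockout period, and the counter only resets on a correct code. In production the failure counter and `last_step` belong in persistent per-user storage, and a lockout should raise an alert rather than silently fail, since repeated second-step failures usually mean the first factor (the password) has already been compromised.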

PayPal and Dropbox also offer their users the option of requiring two-step verification for added peace of mind. Many corporate networks have long used this security model, too.

Yes, it’s a bit cumbersome. Jeff Atwood, a software developer, author, and co-founder of the programming question-and-answer site Stack Overflow, acknowledged this when he urged readers of his blog in April to use Gmail’s two-step verification option.

But, he wrote, this process “is inconvenient in the same way that bank vaults and door locks are. The upside is that once you enable this, your email becomes extremely secure.”

That feeling of security originates not with a long master password, which may fall into the hands of a bad actor, but with the elegantly simple two-step verification. The designers of ATMs were on to something.

Two-step verification for Gmail or other Web services can’t work for us, however, unless we set it up. And there’s no better time than the present to do so.

“Not tomorrow. Not next week,” Atwood wrote. Now.

Copyright 2014, The Printers (Mysore) Private Ltd., 75, M.G Road, Post Box 5331, Bengaluru - 560001