Press Esc to close
Saturday 23 August 2014
News updated at 6:46 PM IST
Weather
Max: 30°C
Min : 20°C
In Bangalore
Cloudy sky

As safe as ATMs

Oct 28, 2012, The New York times :

To make hacking more difficult, web sites should use multiple levels ofsecurity, says Randall Stross .

The two-step verification followed by bank ATMs is inconvenient, but more secure. NYTBank ATMs embody decades-old technology. A four-digit PIN? What a seemingly crude security system. Where are the uppercase and lowercase letters and the random punctuation that we are continually told are crucial to hacker-resistant passwords?

In fact, though, the four-digit numbers required to use cash machines are one element of an extremely strong security model that most of today’s websites fall well short of matching.


Think about it: An ATM requires the presentation of both a physical card and a correct PIN. Websites can and should follow this general principle of requiring two dissimilar things before access is granted.

After supplying the password, that second thing could be a code that arrives as a text message on one’s phone. A thief would find that stealing your password for a website was useless without also having your phone in hand.

The technical term for requiring something you know and something you have when trying to log into an online account is “two-factor authentication.” It’s also known as two-step verification.

If this system, using passwords and smartphones, were used on all limited-access websites, the passwords wouldn’t have to be long and complex. But many Web users have easy-to-guess passwords in just one-step verification, which is highly imprudent.

Nick Berry, president of DataGenetics, a consulting firm in Seattle, has analysed the large password databases that hackers who have broken into various websites have publicly released.

Among 30.3 million passwords he has found 3.4 million consisting of nothing but four digits. (It’s astounding that there are still websites that permit these. I always encounter password requirements that force me to choose ever longer, more complex strings of characters, numbers and punctuation marks.)

Some four-digit passwords are far more popular than others: “1234” alone accounts for almost 11 percent of these passwords; “1111,” an additional 6 percent. Repetitive patterns occupy many of the other spots among the 20 most frequent numbers. Lower on the list are numbers that are likely to be a year of birth or the four-digit rendering of the month and day of a birthday.

We can speculate that some of the four-digit passwords found in websites’ databases were first conceived as PINs for ATMs. They may also be serving as the users’ PINs for unlocking smartphones. Berry says he also saw a number of instances of what he calls “finger walking” on a keypad, in which the sequence comes from a geometric pattern, like “2580” – moving from top to bottom in the keypad’s center.

The bank customer who chooses the year of her birth as her cash-machine PIN isn’t putting her savings in great jeopardy. The thief who picks up a lost wallet with an ATM card in it would have to guess the PIN correctly in just the first few tries, or the system would shut down the account. Even if successful, the thief would be limited by the ceiling on daily ATM withdrawals. And, in cases of theft, the customer would be made whole by the bank for the loss.

When that short PIN is used as a password on the Web, however, without a second form of verification, it is just about the worst possible choice, almost as bad as choosing “password” as one’s password.

“Using an ATM PIN in the context of the online world is unwise,” says Marty Jost, a product marketing manager at Symantec, the computer security company. “Using an easy-to-remember PIN is even more unwise because it’s easy to guess.”

Jost says websites should use multiple layers of security so that “the password is not the only authentication mechanism.”

Users of Gmail and other Google services, for example, can elect to have a two-step verification system to protect their accounts. When the system is activated, the user fills in the boxes for user name and password, as usual, but then is sent to another page where a verification code must be typed in.

Users may choose to have this arrive as a text message, or they can obtain it by using an app on their smartphone. There’s a backup method, too, in case their smartphone is lost or stolen.

PayPal and Dropbox also offer their users the option of requiring two-step verification for added peace of mind. Many corporate networks have long used this security model, too.
Yes, it’s a bit cumbersome. Jeff Atwood, a software developer, author, and co-founder of the programming question-and-answer site Stack Overflow, acknowledged this when he urged readers of his blog in April to use Gmail’s two-step verification option.

But, he wrote, this process “is inconvenient in the same way that bank vaults and door locks are. The upside is that once you enable this, your email becomes extremely secure.”
That feeling of security originates not with a long master password, which may fall into the hands of a bad actor, but with the elegantly simple two-step verification. The designers of ATMs were on to something.

Two-step verification for Gmail or other Web services can’t work for us, however, unless we set it up. And there’s no better time than the present to do so.
“Not tomorrow. Not next week,” Atwood wrote. Now.

Go to Top

Photo Gallery
Tourists stand in line outside Notre Dame Cathedral in Paris ...

Tourists stand in line outside Notre Dame Cathedral in Paris ...

A brave-heart woman takes on a group of attackers as they assault her husband in Meerut ...

A brave-heart woman takes on a group of attackers as they assault her husband in Meerut ...

Indian Men’s Hockey team accepting the “ ALS Ice Bucket Challenge” in New Delhi ...

Indian Men’s Hockey team accepting the “ ALS Ice Bucket Challenge” in New Delhi ...

Bengal Warriors and Telugu Titans in action during the Pro Kabaddi league match in Jaipur ...

Bengal Warriors and Telugu Titans in action during the Pro Kabaddi league match in Jaipur ...

Irom Sharmila who is on an indefinite fast  being re-arrested in Imphal ...

Irom Sharmila who is on an indefinite fast being re-arrested in Imphal ...

Bhojpuri actors Ravi Kishan, Madhu Sharma and Pawan Singh at a music launch in Patna ...

Bhojpuri actors Ravi Kishan, Madhu Sharma and Pawan Singh at a music launch in Patna ...

Sculptors giving final touches to the idols of Ganesh ahead of the Ganesh Chaturthi festival ,Agra .

Sculptors giving final touches to the idols of Ganesh ahead of the Ganesh Chaturthi festival ,Agra .

Singaporean Prime Minister Lee Hsien Loong with Chief Minister of Telangana K Chandrasekar Rao ...

Singaporean Prime Minister Lee Hsien Loong with Chief Minister of Telangana K Chandrasekar Rao ...

Women during the  inaugural ceremony of the Three-day North East Film Festival ...

Women during the inaugural ceremony of the Three-day North East Film Festival ...

Indian Men’s Hockey team Captain Sardar Singh ccepting the “ ALS Ice Bucket Challenge” ...

Indian Men’s Hockey team Captain Sardar Singh ccepting the “ ALS Ice Bucket Challenge” ...

Copyright 2014, The Printers (Mysore) Private Ltd., 75, M.G Road, Post Box 5331, Bangalore - 560001
Tel: +91 (80) 25880000 Fax No. +91 (80) 25880523