Politics, Technology, and Language

If thought corrupts language, language can also corrupt thought — George Orwell

How well do you and your bank know each other?

Posted by metaphorical on 2 January 2007

On-line banks now have to require more than a user-name and password. With the new year, federal banking regulations require “‘multi factor’ authentication systems,” according to an article in last week’s Boston Globe. One acceptable addition is our old friend, the low-tech cookie (which the Globe calls a “fingerprint”): the bank plants it in your browser, and its presence on a later visit counts as the second factor. When you log in from a different machine, the bank doesn’t see the cookie, and falls back to e-mail:

If someone tries to log in from a machine that isn’t fingerprinted, the bank will send a confirmation message to the customer’s e-mail address. A crook who’s stolen somebody’s user name and password probably won’t have access to the victim’s e-mail account, so he can’t reply to the message, and won’t be allowed to log in.

That’s fine until your identity is stolen in the most literal way: your laptop is stolen. The laptop carries the fingerprint cookie, so a login from it never triggers the e-mail check at all, and if the thief logs in from some other machine, the laptop still gives him the mail. If you have Gmail or some other web-based mail, it is probably already logged in, in an already-open window. If you use something like Eudora, it probably already has the password stored; all the thief has to do is open it and click “check mail.” All of this also assumes that your e-mail program doesn’t dump the bank’s message into the spam bin. We won’t even go into all the legitimate reasons to set your browser to reject cookies.

Software designers call this “overloading”: giving e-mail (and the browser) a job they were never designed for, in this case proving who is sitting at the keyboard. Fortunately, some banks are using more sophisticated systems. Unfortunately, some of them might be a bit too sophisticated.
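A toy version of that cookie-plus-e-mail flow, added here as an example (it is not code from the Globe article or from any bank): the cookie is the “fingerprint”, a missing cookie triggers a mailed one-time code, and whoever can present the code gets a fresh cookie. The user name, password, address, in-memory “mailbox” and the ten-minute code lifetime are all made up for the example. The last function walks through the stolen-laptop case from the paragraph above.

```python
import secrets
import time

# Constructed toy state for the example; nothing here comes from the article.
USERS = {"alice": {"password": "correct horse battery", "email": "alice@example.org"}}
DEVICES = {}          # device cookie value -> user-name ("fingerprinted" machines)
MAILBOX = {}          # e-mail address -> list of confirmation codes (stands in for SMTP)
PENDING = {}          # confirmation code -> (user-name, expiry time)
CODE_TTL = 600        # seconds a mailed code stays valid (assumption)


def login(username, password, device_cookie=None):
    """First factor is the password; the cookie decides whether the e-mail step runs."""
    user = USERS.get(username)
    if user is None or not secrets.compare_digest(user["password"], password):
        return {"status": "denied"}
    if DEVICES.get(device_cookie) == username:
        return {"status": "ok", "cookie": device_cookie}   # known machine: no e-mail step
    code = secrets.token_urlsafe(16)
    PENDING[code] = (username, time.time() + CODE_TTL)
    MAILBOX.setdefault(user["email"], []).append(code)     # "the bank will send a confirmation message"
    return {"status": "confirm_by_email"}


def confirm(code):
    """Second factor: whoever can read the mailbox presents the code and gets a cookie."""
    entry = PENDING.pop(code, None)                      # single use
    if entry is None:
        return {"status": "denied"}
    username, expires = entry
    if time.time() > expires:
        return {"status": "expired"}
    cookie = secrets.token_urlsafe(32)
    DEVICES[cookie] = username
    return {"status": "ok", "cookie": cookie}


def crook_with_password_only():
    """The article's scenario: stolen user-name and password, no access to the mailbox."""
    r = login("alice", "correct horse battery")           # unknown machine: code goes to Alice
    return r["status"]                                    # 'confirm_by_email', and he is stuck


def crook_with_stolen_laptop():
    """The post's scenario: the laptop carries both the cookie and the open mail client."""
    # Alice enrolled her laptop earlier by answering the mailed code.
    login("alice", "correct horse battery")
    laptop_cookie = confirm(MAILBOX["alice@example.org"][-1])["cookie"]
    # 1) From the laptop itself the cookie is present, so the e-mail step never fires.
    from_laptop = login("alice", "correct horse battery", laptop_cookie)["status"]
    # 2) From another machine there is no cookie, but the laptop's mail client still gets the code.
    login("alice", "correct horse battery")
    from_elsewhere = confirm(MAILBOX["alice@example.org"][-1])["status"]
    return from_laptop, from_elsewhere                    # ('ok', 'ok')
```

The two scenario functions are the whole point: the same code that stops a crook holding only the password lets a crook holding the laptop straight in, by either route, because the cookie and the mailbox are both bearer tokens that live on the machine.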

Passfaces Inc. of Washington, D.C., has signed up a number of Midwestern banks with a photo-based authentication system. During sign-up users are asked to memorize several photos of human faces. When logging in to do banking, some of these photos are displayed, along with other photos that the customer hasn’t seen before. The user logs in by clicking on the familiar faces, but a would-be scammer has no way of knowing which photos to click. Lennie Myers, vice president of sales at Passfaces, said the system is far more versatile than EMC’s SiteKey technology. “It can either augment or replace the password altogether,” Myers said.

Is this a good idea? Whenever I try to drive somewhere I rarely go, relying only on whether things “look familiar,” I get lost. And once you are lost somewhere, it starts to “look familiar.” Won’t this system suffer from the same problem, with the customer either failing to pick out her own faces or confidently clicking on strangers? There is also the opposite worry: the faces to be recognized are put on the screen, and clicked, at every login, so anyone who can see the screen during a single login learns them.
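To make the guessing question concrete, here is an added, simplified model of a recognition-based login (example code, not Passfaces’ own; the pool size, the three memorized faces and the nine-picture grid per round are assumptions, since the article gives none of these numbers). It shows the challenge, the odds for a crook guessing blind, and the check a practitioner would want: what happens once somebody has watched a single login.

```python
import random

# Constructed toy data; faces are just identifiers here.
FACE_POOL = [f"face{i:03d}" for i in range(200)]
K_FACES = 3      # faces the customer memorises at sign-up (assumption)
GRID = 9         # pictures shown per round: one familiar face plus decoys (assumption)


def enrol(rng):
    """Sign-up: the customer is given K_FACES faces to memorise."""
    return set(rng.sample(FACE_POOL, K_FACES))


def make_challenge(familiar, rng):
    """Login: one round per familiar face, each shown among GRID-1 never-seen decoys."""
    decoys = [f for f in FACE_POOL if f not in familiar]
    rounds = []
    for face in rng.sample(sorted(familiar), K_FACES):   # rounds in random order
        grid = [face] + rng.sample(decoys, GRID - 1)
        rng.shuffle(grid)
        rounds.append(grid)
    return rounds


def verify(familiar, rounds, clicks):
    """Accept only if each round's click is a familiar face taken from that round's grid."""
    if len(clicks) != len(rounds):
        return False
    return all(c in grid and c in familiar for c, grid in zip(clicks, rounds))


def click_familiar(familiar, rounds):
    """What the legitimate customer does: pick the face she recognises in each grid."""
    return [next(f for f in grid if f in familiar) for grid in rounds]


def legitimate_login(seed=3):
    rng = random.Random(seed)
    familiar = enrol(rng)
    rounds = make_challenge(familiar, rng)
    return verify(familiar, rounds, click_familiar(familiar, rounds))


def random_guess_probability():
    """A crook who has never seen the faces guesses one picture per round."""
    return (1 / GRID) ** K_FACES          # 1/729 for the sizes above


def simulate_random_guesses(trials, seed=1):
    """Monte-Carlo check of the figure above; returns the observed success rate."""
    rng = random.Random(seed)
    familiar = enrol(rng)
    hits = 0
    for _ in range(trials):
        rounds = make_challenge(familiar, rng)
        guess = [rng.choice(grid) for grid in rounds]
        hits += verify(familiar, rounds, guess)
    return hits / trials


def replay_after_one_observation(seed=2):
    """The catch: the faces are on screen and clicked at every login. A crook who watched
    one session over the customer's shoulder knows them all and passes the next,
    differently shuffled, challenge."""
    rng = random.Random(seed)
    familiar = enrol(rng)
    observed = set(click_familiar(familiar, make_challenge(familiar, rng)))
    fresh = make_challenge(familiar, rng)
    crook_clicks = [next(f for f in grid if f in observed) for grid in fresh]
    return verify(familiar, fresh, crook_clicks)
```

Against a blind guesser the odds are about one in seven hundred per attempt, which a lockout after a few failures makes adequate; the scheme’s real weakness in this model is that one observed login is a complete compromise, which is exactly the property a password with a shoulder-surfer has, only now the secret cannot be typed discreetly.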

The article also mentions a system that goes the other way: besides making sure the bank recognizes you properly, it makes sure you recognize the bank properly:

SiteKey prevents this by letting the user select an image – say, that of a typewriter – which appears on his screen whenever he logs into the real Bank of America site. Phony websites are easy to spot because they don’t display the user’s chosen image.

Phishing sites are getting better and better at looking like real ones, so this seems like a genuinely good idea. Personally, I like PayPal a lot, but there is now almost no way for it to send me e-mail that I will take seriously: so much phishing mail claims to come from PayPal that any message from it looks like one more fake. A number of banks, including Bank of America, must have the same problem. Spam and phishing get better every year. That’s a bad trend, and we’d better start countering it.
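The exchange described above, written out as an added example with both sides’ messages (this is not Bank of America’s or SiteKey’s code). The order of messages follows the article: user-name first, image back, password only afterwards. How the real bank decides that it recognizes the browser before revealing the image is not in the article; tying it to the same kind of device cookie discussed earlier in the post is an assumption, as are the names, password and images.

```python
import secrets


class Bank:
    """Toy server: the chosen image is shown only to a browser the bank already recognises."""

    def __init__(self):
        # Constructed toy data.
        self.users = {"alice": {"password": "hunter2", "image": "typewriter"}}
        self.devices = {}                     # device cookie -> user-name (assumption)

    def enrol_device(self, username):
        cookie = secrets.token_urlsafe(16)
        self.devices[cookie] = username
        return cookie

    def step1_identify(self, username, cookie):
        """Message 1 and 2: browser sends the user-name; bank answers with the chosen image,
        but only to a browser it recognises, otherwise the image would leak to anyone
        who knows the user-name."""
        if self.devices.get(cookie) == username:
            return {"image": self.users[username]["image"]}
        return {"image": None}                # unknown machine: no image (fallback not modelled)

    def step2_password(self, username, password):
        """Message 3 and 4: the password travels only after the right image was seen."""
        user = self.users.get(username)
        return user is not None and secrets.compare_digest(user["password"], password)


class PhishingSite:
    """A look-alike: it can copy the page, not the per-customer image table."""

    def __init__(self):
        self.captured = []

    def step1_identify(self, username, cookie):
        return {"image": "padlock"}           # its best guess

    def step2_password(self, username, password):
        self.captured.append((username, password))
        return True


def browser_login(site, username, password, cookie, expected_image):
    """The rule the whole scheme rests on: wrong or missing image, and the password is never sent."""
    shown = site.step1_identify(username, cookie)["image"]
    if shown != expected_image:
        return "aborted"
    return "ok" if site.step2_password(username, password) else "denied"


def alice_at_her_bank():
    bank = Bank()
    cookie = bank.enrol_device("alice")
    return browser_login(bank, "alice", "hunter2", cookie, "typewriter")      # 'ok'


def alice_at_a_phishing_site():
    phish = PhishingSite()
    outcome = browser_login(phish, "alice", "hunter2", "any-cookie", "typewriter")
    return outcome, phish.captured                                            # ('aborted', [])


def alice_from_a_new_machine():
    """No cookie, so even the real bank shows no image: the scheme inherits the cookie problem."""
    bank = Bank()
    return browser_login(bank, "alice", "hunter2", None, "typewriter")        # 'aborted'
```

The third function is the caveat worth noticing: the image can only be shown to a browser the bank already trusts, so from a machine without the cookie the customer sees no image and must fall back on whatever the bank uses instead, and a look-alike site can simply imitate that fallback page. The protection is only as good as the customer’s habit of refusing to type a password when the picture is missing.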
