Blogs

RedMonk

Skip to content

Online Banking Security is still a Pain and Friend Data Breaches

Horror scenario: Plaxo using Scoble’s address book to harvest data from Facebook. Simon Phipps in Twitter

Before we get to that, allow me to pad a brief idea with some lard:

Whatever Happened to a Good Old Username and Password?

My first job was working on online banking, at what became and then was FundsXpress (check out all the fun we used to have there!). I was lucky, in hind-sight to have been force drowned into the world of security paranoia, chiefly due to our colleague Sam Hartman (who’d been self- and then MIT-trained on the topic), and then all of his quick converts to security paranoia, including myself.

I mean, it took me years to be “OK” with telling my wife my passwords for things, like bill pay, credit cards, and even email. Those were passwords for God’s sake! Not even root knew more than a weird goobly-gooked hash of them, and this lady suddenly wants my plain-text passwords!

Thus, it’s with some “don’t tell me what their intentions are” uppityness that I constantly complain about the ever growing tediousness of online banking security schemes. Why I have to look at a picture of finely crafted beer stein every time or occasionally answer the question “What was the first name of your brother’s best friend’s third grade teachers’ 2nd husband?” to log in to my online banking is absurd to me.

Multiple times a month, I’m locked out of my own account. Now, with my one of my new financial institutions, I have to wait for a piece of US mail to reset my password. WTF, on that? The ‘net’s gone back to paper and pencil.

Sure, I realize all of this sort of keeps up with the low hanging fruit of stupidity when it comes to people stealing my money. But it’s getting more different each year for me to steal my own money, if you know what I mean. While in Spain, on vacation I had some ING folks basically tell me I was screwed because (a.) I couldn’t call them on my cellphone (no Verizon in Spain, bro’!), and, (b.) they had to snail mail me a new password.

What is that all about? Here they are with their crazy security questions and beer steins, and they consider caller ID a security factor? And the US mail? Wow.

My point in my constant online banking security ranting is that they’re just doing annoying things instead of effective things. Whatever happened to just a good password? I can come up with dozens of them, but instead I’m left trying to pick a security question who’s answer I’ll barley be able to remember.

I Hate You

Case in point: “what’s your favorite author?” What, you mean, right now, last year, when I was a kid, or just what I think I’d answer if confronted with this question? I have no idea who my favorite author is. I could list of Hemingway, HST, and about a dozen other people, but to call one of them “my favorite” is sort of insulting: they’re all good. But, between that and the no-op that is “Who was your roommate in collage” (Answer: “I didn’t have one?”), I have to choose the damn book one.

If you typed it on a keyboard, it’s public

Long ago, we had this rule about email: there is no private email. All it takes is someone clicking “Forward” or CC’ing someone to make it public. Hell, they could cut-n-paste it and post it to USEnet!

Thankfully, most of the stupid stuff I did to learn my lessons of online data protection were done back in BBSes whose hard drives are, no doubt, long gone to the fingers of some tragic youths’ recycling-torn fingers now. Now, along with sort of loose personal morals when it comes to privacy, I put a whole lot of crap online and don’t mind the consequences too much – damn the Spam filters, and put that email in plain text everywhere!

My assumption is never that something I make as “private” will stay that way. I have a certain trust that Google won’t betray my email, but I’m pretty sure most every other entity holding my data out there would sell me out in a heart-beat. Just look in your mail box at the pile of junk mail you get everyday for proof of that. I often consider just hammering up my recycling box in place of my mail box, cause that’s where all of it goes anyhow.

Online, No One Can Tell You’re Brutus, Not Even Yourself

Thus, it was with some interest that I scanned Simon’s Tweat above. That’s a shrewd little observation there. For all the beer steins and corny questions that are now foisted on me to simply pay my water bill, it’s going to be my friends who betray me next and most frequently. Never mind those backup tapes left in the back of some schlub’s Taurus. 2008 is going to be the year where my online buddies end up breaching what little data protection I have.

I can imagine that burglars would love the data in dopplr, right? Just splice that up with Travis Country, public tax records, and you’ve got yourself a cat-burglers Christmas list. Better get an alarm system, I guess.

Hell, I’m as bad as the next guy. I’m sure I’ve already breached someone’s info both knowingly and unknowingly. More importantly, I love all this stuff: dopplr, Facebook, Twitter, all that. The point is, the problem here isn’t the people hacking into your info, it’s the people who have access to your info doing stupid things: giving Plaxo your social-graph who sells access to that to Tide-hawkers, or whatever boring spam scenario you can think of.

The Roach Motel Windmill

I personally believe that the list of 20 or so Social Network Aggregators on Mashable are all companies that would cease to exist if the industry got off it’s behind and worked towards actual interoperability between social networking sites. Dare Obasanjo

What’s really annoying here, is that I’d love something that would synch up all my social networking sites, address books, and gunk. My online life is full of struggles to just get simple import/export functionality to work despite the roach-motel antics of online services. Most online services could give a crap about exporting and interop. As Dare points out, the locking you in is how URL-based companies build up their value, however mystical or in the future those pay-offs may be for the company. Seems like there’s good trade in individuals getting paid off early in now-a-days’ .com’s, which is maybe what it’s always been anyhow, right?

Everyone’s always like, “if you don’t like it, don’t use it!” Yeah, right. That’s sort of like, “if you don’t like annoying people, just don’t leave the house.” That whole “don’t turn on the TV” spit-back is just a polite way of saying, “get over it, freak.”

And sure, there’s about one or two darling identity schemes a year, now, to address this problem. I’m typically a big fan of all of them. But they never really replace good old email addresses and screen-scraping to synch up roach-motels.

The funny thing about the Scoble/Facebook mix-up, and the two sides of the argument, is that if it was just all on “the web” instead of the walled-web of Facebook, it’d be that old Wild Web mentality: “well, those 5,000 people put it up on a web page. What were they expecting?” But throw in a corporate entity or two, and suddenly it’s corporate espionage! Golly!

From the whole Scoble/Facebook mix-up, it sounds like it’s not only the roach-motels who don’t want that – those poor souls gotta have something locked-up to get cash on the books – but my friends and contacts wouldn’t be so keen on the idea either. You bet. Who wants to be told how great Tide is after reading about the recent gaggle of profile picture updates? Not me.

The new motto is “do no evil (see our definition of ‘evil,’ including important exclusions, on page 328 of your Customer Statement of Rights sent to you in a separate mailing.)” I mean, come on, everyone reads the fine-print right? Now go buy some Tide and contribute your part of the long-tail to the margins for our fat-head.

Oops! Gotta go update everyone on the crazy antics of my cat. brb. (Kisses!)

Technorati Tags: , , , , ,

Categories: Community, Identity, Open Source.

Comment Feed

6 Responses

  1. The whole Scoble-FB brouhaha has really got me in the mood to get off my ass and get moving with the Universe Combobulator!

  2. It's hard to argue that some sync'ing of the identity world would be great, but I struggle to comprehend these statements around your online banking. I log into no less than half a dozen online financial sites every week and rarely (once every 2 years – maybe) experience this kind of pain. What are we doing differently?

    >> Multiple times a month, I’m locked out of my own account.

  3. Lunt: I was throwing in all the other logins I have, like for my phone, car insurance, etc. Also credit cards. The problem becomes when I type in a password wrong and then have to come up with a new password. Then I'm remembering all these different passwords, and as I try each one, I end up locking myself out of my account again. I've gotten better at it, but it's still tedious.



Some HTML is OK

or, reply to this post via trackback.

Continuing the Discussion

  1. [...] or otherwise abused – its perhaps surprising that incidents such as Goo-do-no-evil-gle and the Scoble Facebook hack have taken so long to materialise. While none of these examples are particularly relevant to the [...]

  2. [...] Online Banking Security is still a Pain and Friend Data Breaches – Cote’s take is interesting coming as it does from someone who has direct experience of dealing with banking security. [...]

  3. [...] As the TechMeme junkies have chewed over to no end thanks to you know who, once All the Data in the World is in one place – the World Wide Computer – it’s easier to steal that data and do nasty things. [...]