An opposite of security

At first glance, this article is funny.

But the deeper lesson is: that bank’s computer system is a disaster waiting to happen.

How many times have we heard about laptop stolen out of backseats, and hundreds or thousands of customers’ details vanishing with them? It’s bad enough when it’s our purchasing records or credit card details that fall out the back of the truck. It’s bad enough the best case is that the new owner of the disappeared laptop may not know the value of the data, and either erase it or ignore it.

But this bank’s system is like losing the laptop every minute of every day. Good practice in computer security has long said: don’t store passwords in plain text. No sensible secure system keeps passwords in a form where they can be read. It has long, long been possible to securely store passwords using a one-way cypher – a function which is very easy to run, but very hard to reverse. Only the obscured password is stored. The computer checks your password by applying the cypher, and comparing the encrypted texts: no two originals generate the same encryption, so only the correct password generates the stored cypher. And no other human ever sees the original password.

Some systems don’t need to truly secure password system. I run a website which doesn’t use encrypted passwords, but it’s not keeping anyone’s life savings. That other site doesn’t even ask for real names, much less for credit cards. That other site is fun but isn’t that important in the big picture. That other site doesn’t take care of anyone’s life saving.

Anyone remember offhand what banks do? They keep track of people’s life savings. And this bank, clearly, doesn’t always hire people with the best judgment or character, but these people know your password. That’s not security; that’s its opposite.

And low marks to the BBC for whistling right past this huge security hole.

Written Wednesday, August 27th, 2008. Back to the main page, or onward to similar pages. Trackback.