When I was an undergraduate student at the University of Idaho, I took a 400/500 level network security class from Deb Frinke. Deb was a great instructor; I’d had her before for Object Oriented Design, so I knew what her style was like and I really enjoyed her lecture ability (even though listening to anyone lecture is absolutely the worst way for me to learn).

The network security class was interesting because it opened my eyes to the world of risk management. What I learned from Deb was that basically no computer is secure, even if it’s not hooked up to a network, because as long as it contains data that can be used to compromise a system somewhere else, or a person, then it’s never really “secure”. Sensitive data is a risk. And security is about risk management. It’s a balancing act between exposing sensitive data and intruding on the user experience. You can add layers of security to a system, but each one of those layers compromises the user experience. And users are, after all, the whole reason the “system” exists in the first place. Add too many layers and users will become fed up, even to the point of actively bypassing your security measures.

At the time I took Deb’s class, wireless technology was just getting started. We spent a healthy amount of time debating the merits and risks of wireless technology since it involved sending data over the air, which was much more susceptible to interception than a wire protocol. Now look at us here in 2007: Wireless is everywhere. It is a truly ubiquitous technology, risk be damned. But I think if you ask most users they’ll tell you: they love wireless. They love being able to take their technology with them wherever they go, and do all sorts of things, like buy books off Amazon.com while taking a carpool to work, or pay their bills online while waiting in line at Starbucks.

Because of Deb, I always think about her class whenever I engage in any computer-related transactions that involve sensitive data. I’m particularly wary of web sites where the developers don’t seem to know what they’re doing about security; where the designers throw up roadblocks just because they want to give naive users the illusion of security. I tend to avoid making transactions from web sites that look like they were designed by novice webmasters, because if they don’t have command of HTML then they probably have less command over security principles and concepts.

Thus, I was shocked and horrified when my coworkers showed me the website that they use for online banking.

Now, I don’t want to knock a small, hometown bank. Hometown banks are important to a lot of people. The bank in question, Potlatch Federal Credit Union, actually has some pretty creative radio advertisements that focus strongly on the fact that they are a hometown bank. That said, the following image should worry a lot of people:

[Image: Potlatch Federal Credit Union]

What do you see? I see a big frickin’ keyboard on the screen.

Let’s think about what makes a password secure. For starters, complexity helps make a password secure, because the more complex a password is, the less chance a hacker has of breaking it with a simple dictionary attack. Then we have length. The longer a password is (for instance, a passphrase), the less likely a hacker is to be able to break it with a brute force attack.

But the single most important component of a secure password is the fact that nobody knows it but you.

However, if you were to log in to Potlatch’s website, you don’t get to type your password. You have to use a mouse and click the keyboard on the screen – on the BIG FAT SCREEN WHERE ANYONE CAN SEE IT!

It’s possible that the developers of Potlatch’s website elected to put a copy of the keyboard on the screen to deter customers from doing online banking while at work, or in other public places, or on their Blackberry, or wherever it might actually be convenient. I mean, with a keyboard on the screen the only place you’ll be safe to do your online banking will be in the privacy of your own home, with the doors locked, and the curtains closed.

Of course, it’s not all bad (well, maybe). There is a three-step authentication process on Potlatch’s website.

The first step involves entering your username along with Image Verification. Image Verification is typically used to ensure a human is entering data, as opposed to web scripts. I’ve never seen it on a login page before simply because username + password is the accepted way of authenticating a user. Username + Image Verification doesn’t really authenticate anything; it just adds a layer to the illusion of security. At this point Potlatch’s website has your username and thinks you are human, but nothing has been authenticated yet.

The second step involves entering the answer to a secret phrase. Most websites use this method as a way of partially authenticating a user when they can’t remember their password, so a new password can be sent to them. But not Potlatch. They use it to … authenticate you. Apparently. In lieu of a password, they use your favorite cartoon character, or your favorite pet’s name, or something easy for people who know you to guess.

Then you reach step 3, where you get to enter your actual password on a big, incredibly visible keyboard displayed prominently on your screen, where anyone within 20 feet can see you clicking away sequentially at your password characters. Image verification is used again on this page because apparently between the time you entered your username at step 1, answered a silly question at step 2, and entered your password at step 3, you might have changed form from a human being into a malicious web script.

The whole process makes one feel like a parent on a long road trip with small children.

“Are we there yet?”

All of this brings me back to this point: Just because a lot of websites seem secure doesn’t mean that they all are. The people who developed Amazon.com are not the same people who developed the website for your hometown bank.

You don’t have to be paranoid to be happy on the web, or in a wireless world. But you do have to be mindful.

One Comment

  1. BankingMan says:

    “I mean, with a keyboard on the screen the only place you’ll be safe to do your online banking will be in the privacy of your own home, with the doors locked, and the curtains closed.”

    I wouldn’t do my internet banking anywhere else! I don’t know who would.
    That part of your concern doesn’t make sense to me. If anyone within 20 feet can see you type in your password, even if this screen is fixed, they’ll still be able to see your bank account number, name, balance and everything else that comes up on the screen.

    They are using a keyboard (as many do) to prevent keylogging viruses from stealing your password – you don’t seem to be aware of this… ?