« New UK regulations re foreign students and workers | Main | The search of Damian Green MP's computer: he was given a list of which words were searched for »
April 15, 2009
Poor security trade-off from Alliance and Leicester bank: accounts so secure that customers can't access them
UPDATE: Following a discussion with Alliance and Leicester, it looks like this is an issue affecting Firefox but not Internet Explorer. Alliance & Leicester have also informed me that dates do not need to be entered in long format (despite what their staff initially stated)
I find security - in the broad sense - fascinating, and have noticed a striking issue with the web security of Alliance and Leicester (part of the huge Santander banking group). Clearly, online banking is a very useful service, but also carries certain risks: everything from high-tech problems like keyloggers, to much more mundane issues like people writing down their log-in details and sticking them to their computer. As Bruce Schneier argues
Security is a trade-off...There's no such thing as absolute security, and any gain in security always involves some sort of trade-off...It makes no sense to just look at security in terms of effectiveness. "Is this effective against the threat?" is the wrong question to ask. You need to ask: "Is it a good trade-off?"
Alliance and Leicester have tried to enhance the security of their online banking through an interesting technique: if a user tries logging in from what their system views as "a different computer" (they seem to be working on the basis of cookies, rather than IP address) they ask them to enter "Memorable details". These 'details' comprise of four pieces of information users gave the bank when signing up: mother's maiden name, that type of thing. This system might, in itself, be a sensible enough security trade-off.
However, the implementation is problematic. The bank's system needs a specific one of these four pieces of memorable information to be entered before the account can be accessed, and users are not told which one: they have to guess. After three incorrect attempts, online access to the account will be blocked. This means that, even if a user knows exactly how the system works (the website does not tell them) and does not make any typos, they stand a 1/4 chance of being locked out of their account on any given access attempt. There are also additional issues: for example, dates must be entered in a specific long format (e.g. '6 September 1994') rather than a standard UK format like dd/mm/yy. When enhancing security means that legitimate users will likely be locked out on more than 1/4 occasions, this is not a good trade-off.
The poor implementation also, in itself, raises additional security risks. For example, if a keylogger has been surreptitiously installed, this will give hackers access to additional personal data. Also, if users get used to entering multiple different pieces of their memorable information on any given access attempt, they may be more ready to do this if they are tricked into going to a phishing site. This is therefore a poor security trade-off for numerous reasons.
I have mentioned this issue to Alliance and Leicester on the phone, and will e-mail them a link to this post to make sure that things are clear to them and to give them the opportunity to comment. It will be interesting to see whether they act to fix this problem.
Posted by jon_mendel at April 15, 2009 01:30 PM
Trackback Pings
TrackBack URL for this entry:
http://www.watsonblogs.org/cgi-bin/mt/mt-tb.cgi/1665
