Security through obscurity

I can’t see it anywhere.

On Monday (the 21st) I had a haircut (decision: look like a warm tramp vs. be cold and fooling nobody?), went to the gym, and signed up for the Co-Op’s online banking.

You do this by calling up some guy and telling him five bits of secret information that let you log in.

I thought that, if you suspected anyone might know any login information, you had to change it immediately? When did they cancel that?

Secret’s stretching it, though; if I had a Bio page it could quite possibly contain three of them. The fourth was pulled off the top of my head, and the final one is a four-digit PIN. Really, is that the best they can manage? Something with 10,000 combinations (and probably fewer once they’ve disallowed numbers that look like birthdays, obvious patterns and so on)? It can’t even be stored hashed, because the site asks you for individual digits when you log in, so the bank has to keep the whole PIN in a form it can read back (and I doubt anyone watching a keylogger will be long fooled by a four-digit number). Bravo, chaps.
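To put a number on the "probably fewer" remark, here is an added example (my own code, not anything from the post or from the Co-Op) that counts how many four-digit PINs survive a typical "no obvious PINs" policy. The exclusion rules (date-like, year-like, repeated digits, ascending or descending runs) and the 1900–2016 birth-year range are assumptions for illustration, not the bank's actual rules; the point is that every rejected PIN shrinks an already tiny key space further, and the report shows by how much.

```python
"""Added example: how much of a four-digit PIN's key space survives a
'no obvious PINs' policy. The rules below (date-like, year-like, repeated,
sequential) are assumed for illustration, not any bank's actual policy."""
import math

ALL_PINS = [f"{n:04d}" for n in range(10_000)]  # the full 10,000-PIN space

# Days per month, with 29 allowed for February so leap-day birthdays count.
DAYS_IN_MONTH = {1: 31, 2: 29, 3: 31, 4: 30, 5: 31, 6: 30,
                 7: 31, 8: 31, 9: 30, 10: 31, 11: 30, 12: 31}


def looks_like_date(pin):
    """True if the PIN reads as a valid MMDD or DDMM calendar date."""
    a, b = int(pin[:2]), int(pin[2:])
    mmdd = a in DAYS_IN_MONTH and 1 <= b <= DAYS_IN_MONTH[a]
    ddmm = b in DAYS_IN_MONTH and 1 <= a <= DAYS_IN_MONTH[b]
    return mmdd or ddmm


def looks_like_year(pin, first=1900, last=2016):
    """True if the PIN is a plausible birth year (range is an assumption)."""
    return first <= int(pin) <= last


def is_repeated(pin):
    """0000, 1111, ... 9999."""
    return len(set(pin)) == 1


def is_sequence(pin):
    """Strictly ascending or descending runs such as 1234 or 8765."""
    d = [int(c) for c in pin]
    steps = {d[i + 1] - d[i] for i in range(3)}
    return steps == {1} or steps == {-1}


DEFAULT_RULES = (looks_like_date, looks_like_year, is_repeated, is_sequence)


def allowed_pins(rules=DEFAULT_RULES):
    """PINs that none of the exclusion rules reject."""
    return [p for p in ALL_PINS if not any(rule(p) for rule in rules)]


def entropy_bits(space_size):
    """Key-space size expressed as bits of entropy, assuming uniform choice."""
    return math.log2(space_size)


def policy_report(rules=DEFAULT_RULES):
    """Summarise the effect of the policy on the PIN space."""
    allowed = allowed_pins(rules)
    return {
        "total": len(ALL_PINS),
        "rejected_per_rule": {r.__name__: sum(map(r, ALL_PINS)) for r in rules},
        "allowed": len(allowed),
        "bits_before": round(entropy_bits(len(ALL_PINS)), 2),
        "bits_after": round(entropy_bits(len(allowed)), 2),
    }


if __name__ == "__main__":
    for key, value in policy_report().items():
        print(f"{key}: {value}")
```

The rules overlap (1111 is both a repeated digit and 11 November, 0123 is both a run and 23 January), so the report counts rejections per rule separately and then reports the size of the surviving set rather than summing them. A four-digit PIN starts at just over 13 bits; the policy above leaves about 9,300 PINs, and any further "helpful" exclusions an attacker can guess at only make the remaining space smaller.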

You could argue that you might not use the literal information they asked for, which would be true – if they told you what they’d ask for in advance. Put on the spot, and having to explain it (and the spellings) over the telephone, you’re going to go with the first thing that pops into your head. One hopes that is the truth.

So it’s all pretty appalling, really. Information that can probably be got from Google, or at worst a little social engineering, and a four-digit PIN. What was wrong with usernames and passwords? And as for the sign-up process, well, I can come up with better ways than that. Although possibly the only worse way would be “write the info on the back of a postcard and mail it to them”, so I’m not proud.

But never mind, they sent me one of those card reader things for me to type numbers into to confirm stuff! We are saved!

Except, as the instructions are at pains to point out, it doesn’t need to be the card associated with my account. Just one from the same bank. And cards come with current accounts, the lowliest of which you can pretty much get just by asking. So their super security feature relies on an object that’s freely available to anyone. Hurrah!

I suspect I won’t stay with the Co-Op for very long; I’m only with them for the £200 you get for paying in your wages for four months. First decent offer after that and I’m offski.

In the meantime, if you would like to access my current account, you will need:
1 co-op current account with debit card.
1 bottle Southern Comfort
1 bottle Amaretto
1 litre pineapple juice
1 litre orange juice
Juice of several limes
Tin of fruit cocktail
The will to spend time with me drunk

Mix everything except the card and willpower together in a big jug. Pour it into me until I spill any details you ask. Note them down, continue pouring until I am comatose/dead (and if I might have any say in the matter, death would probably be preferable to the hangover). Access my current account with the noted details, using your card in the reader as necessary (you could borrow my card easily enough at this point, too). Cry that there’s probably not enough money in there to cover the booze, because I saw this coming and left the New Kitchen Fund elsewhere.
