Information security (and much more)

A coulpe of days ago, I was talking with a friend of mine, and he said me “yes, I know… I’d like to use an online bank service, but I don’t trust them… I could lose all my money!”. Then I asked him: “ok, but you know how does a web-based bank account work?”. The reply was something like “No, I don’t care, I don’t trust them”.

If you think about it, it’s a nonsense: if you lose an opportunity because you have decided that it does not interest you, all right, but it’s fool throw away chances just because you don’t want to know they exist! (and this is a rule that can be applied not only in investing your money…). Any choice should be based on full awareness of pro and cons, not on lazyness.

Back to this post’s topic, the information security aspect is essential. For what I’ve seen, the average security level is very high, and is quite unlikely someone can break into your account… if you don’t give him access codes. But what would happen if someone could enter in the bank systems and change data? Well, in this case it wouldn’t matter much if you have an internet bank account or a traditional one, since every account data is stored on computerized system. But this kind of violation is quite hard and cannot guarantee the thief not to be identified. It may be much easyer a traditional bank robbery…

So we can sleep easy? Well, not completely. We are the weak point. Black-hat hackers discovered that the easyest way to enter a computer system is to ask the legitimate user for his access codes. As you may have understood, we’re talking about so-called “Phishing“: someone pretend to be an authoritative part, who seems to have right to know information he is asking. The most common case is to send a forged e-email that ask to give personal data, passwords and access codes (often claiming that are some problem on the account, or that there was an unauthorized access, to scare and upset who recive the mail, so he may click on some link before thinking). If you click on some link in the mail, you’d be sent to a fake page, which imitates the “real” website. But data you type ends up in malicious hands. Usually “phishers“, when they manage to capture personal data and bank access codes, they make several small charges, since they more likely could pass unnoticed and can more easily made in favour of some pre-paid card (possessed by dummy owner, or by some other identity-theft victim).

If you want to prevent all this, you need to remember a few things.

  1. Forging an e-mail “Sent by” field is extremely easy: this depends from the internet mail protocol itself, which was created when internet was very small and apparently nobody thought someone could be interested in faking e-mail sender, and therefore the field is stored in simple plain-text. Therefore, rule n°1: don’t assume a message comes from your bank, simply because it says it comes from your bank.
  2. Moreover, it’s also easy to make link point to a destination different from what it seems. Rule n° 2: never click on links you may find in e-mails. If you absolutely need to follow a link, re-type it (don’t just copy&paste) in the browser address bar, so you will be sure you will be sent to the address you’ve typed, and you’ll be able to notice if something in the address seems wrong.
  3. A good IT system administrator (and, usually, banks do have one) does not need to know your password, for any reason. Usually web bank account user guides clearly specify what codes are requested, and when. Rule n°3: if you’re asked about your password/personal data for reason that were not expected, do not disclose them. This applies also to phone calls, in particular when you didn’t made the call.

To minimize consequences of phishing, most banks use a triple-key system. It’s quite simple, but effective: the user, in addition to username and password, has a third key, that is used to confirm transactions. Therefore, if you’re a phishing victim, the thief can stole you only username and password, since he can easily forge a fake web front-end of the bank, but only that (he can’t show you your real account), but you don’t disclose the third key. This way a thief may “see” your account, but he can’t do anything else.

There are some variations on the three-key system. For example a third password can be requested at login (but in a different page, with a few information on the user, so you may notice if something’s wrong).

Clearly, the presence of these security measures must not let forget safety rules that we’ve seen before. Remember password and usernames are something very similar to your house keys or your car keys, so protect them and don’t give them to anyone ask you to.

Banche e Risparmio []