July 25, 2006


The fake sense of security

When logging in to my ICICI Direct a/c a few days back, I was greeted with a "Change your password" screen. I logged out, assuming I had come through some wrong option. The next login showed the same "Change password" message with text boxes for current password, new password and confirmation of new password. Reluctantly, I changed the password. There was a link to the New Password Policy. To put it mildly, I am in a state of shock after reading the policy. According to this policy, the password needs to be changed every 14 days. Yes, after every fourteen freaking days! Apparently, the National Stock Exchange (NSE), the "professionally managed" stock exchange, is the brain behind this scheme.

Now, the case of ICICI is a peculiar one. They don't allow you to choose a login name, though I distinctly remember putting down my preferred login ID. Generally, this login name is strong enough to serve as a password. E.g., if the name is Tilottama Das-Punj (yeah, it's hard to forget Konkana from YHTKH) and she got married on 30th August, 2001, then ICICI will allocate the login name TILDAP30. This login name is more secure than the password "jamesbond". Now you have to remember both - login name and password.

This was only about ICICI Direct - the stock trading platform. You also need access to your bank and Demat account. Multiply the above trouble by 2 (I'm being conservative; the headache increases exponentially in these cases). Oh.. I must add that in the case of the bank account, you get one more password which enables transactions (for money transfer, etc.).

An ATM card is a must with a bank account. (Who has the time to wait for an hour to withdraw their own money? That too, with the teller behaving as if he is doing a big favour by giving you your money.) Obviously, you have to remember a 4-6 digit PIN or Personal Identification Number.

A couple of years back, ICICI had another unique personal ID and password for phone banking. Thankfully, they have now got rid of it and use the 16-digit credit/debit card number along with its PIN.

The baggage of an internet account and PIN also comes with the credit card. I think the Maestro Card needs the user to enter the PIN authorizing every single credit card transaction. On a side note, it is amusing to watch somebody enter the PIN number. The salesperson turns the card reader to the card owner, half of the store and all the people at the cash counter watch that person enter the PIN, and the guy (mostly it's the guy) is sweating hard as he has to hold the reader so that not many people can watch what he is entering, enter the correct PIN and enter it quickly.

My salary account with an earlier employer was with a different bank. My first taste of security implemented by a bureaucracy came there. First, just like ICICI, they reduced my login name to a 7-digit prime number which was tested for primality using a deterministic algorithm. Then, I had to change my password every 3 months. My frequency of login was approximately thrice a month, which translates into a new password for every 10 logins. On top of all this, I was not allowed to use any of the last TEN passwords.

Another policy of blocking the account after 3 failures, in conjunction with the above rules, surely results in thousands of re-generated passwords every day. So, to access your account real fast and 24x7, you have to wait for the password to come through snail mail. Pray to God that it doesn't get drowned on 26th July.
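To make the interaction of these rules concrete, here is a small model of the policy described above: forced rotation after a fixed number of days, rejection of any of the last N passwords, and lockout after a fixed number of consecutive failures. This is an added illustration, not code from the post or from any bank; the rule values (14 days, 3 months, 10-password history, 3 failures) are taken from the post, while the account names, dates and passwords are constructed, and the ICICI Direct scenario assumes no reuse restriction because the post does not mention one.

```python
from datetime import date


class PolicyAccount:
    """Constructed model of a rotation + history + lockout password policy."""

    def __init__(self, password, start, rotate_days=90, history=10, max_failures=3):
        self.history = [password]          # most recent password last
        self.set_on = start                # date the current password was set
        self.rotate_days = rotate_days     # forced change after this many days
        self.max_history = history         # how many old passwords may not be reused
        self.max_failures = max_failures   # consecutive failures before lockout
        self.failures = 0
        self.locked = False

    @property
    def current(self):
        return self.history[-1]

    def login(self, password, today):
        """Return 'locked', 'bad-password', 'change-required' or 'ok'."""
        if self.locked:
            return "locked"                # even the right password no longer helps
        if password != self.current:
            self.failures += 1
            if self.failures >= self.max_failures:
                self.locked = True
                return "locked"
            return "bad-password"
        self.failures = 0                  # a good login resets the counter
        if (today - self.set_on).days >= self.rotate_days:
            return "change-required"
        return "ok"

    def change_password(self, old, new, today):
        """Rotate the password; reject reuse of any of the last `max_history`."""
        if self.locked or old != self.current:
            return False
        recent = self.history[-self.max_history:] if self.max_history else []
        if new in recent:
            return False
        self.history.append(new)
        self.set_on = today
        return True


def simulate_alternating_user():
    """The failure mode from the post's 11th Sept update, under the 14-day rule:
    the user keeps two passwords, swaps between them at each forced change,
    loses track of which one is current, and locks the account in three tries."""
    acct = PolicyAccount("winter06", date(2006, 7, 25),
                         rotate_days=14, history=0, max_failures=3)
    acct.login("winter06", date(2006, 8, 8))                      # change-required
    acct.change_password("winter06", "summer06", date(2006, 8, 8))
    acct.login("summer06", date(2006, 8, 22))                     # change-required again
    acct.change_password("summer06", "winter06", date(2006, 8, 22))
    # On 11 Sept the user no longer knows which of the two is current.
    attempts = ["summer06", "Summer06", "summer06"]
    return [acct.login(p, date(2006, 9, 11)) for p in attempts]


if __name__ == "__main__":
    print(simulate_alternating_user())
```

With a 10-password history (the salary-account rule), `change_password` refuses the swap outright, so the user cannot even fall back on two alternating passwords and ends up with a genuinely new one every 10 logins; with the 14-day rule and no history check, the swap is accepted but the user loses track and the lockout does the rest. Either way the damage comes from the combination of rules rather than from any single one, which is why later guidance (NIST SP 800-63B, 2017) advises against forced periodic rotation.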

A brutal and calm analysis of these password-based security schemes will tell us that this nuisance just makes the security weaker. Thanks to dozens of login names and passwords, I am left with no choice but to write them down. Extremely fertile ground for attacks using social engineering. Needless to say, I don't write the passwords in plain text, making it slightly less vulnerable. Hey, technology is supposed to make life simpler, right? Here I am facing a full-blown nightmare.

To sum up, such ill-thought-out policies annoy users to no end, weaken the security system and increase the cost of business for companies. The solution for this? Educating users is the smartest thing to do, as they are the weakest link in the chain.

Update on 11th Sept: My smartness backfired. I created two passwords and used them alternately. I did not write down which one was the current one. Three wrong attempts and my account has been locked. And Murphy's laws are back in action. The market is providing a good buying opportunity with the index down 3%, and I cannot transact. Down down with such security measures and my stupidity!

I agree, I have had my ICICIDirect account locked twice in just 2 months. I guess I may have to write my passwords down someplace, even though I hate doing that being a security professional.