Promoting statistical literacy: a proposal
Why do our institutions, particularly banks, fail to grasp the most rudimentary basics of password security?
Here's a modest proposal: what if the government took it on board to promote a reasonable, sane grasp of risk, security, and probability? Or, if you're a "Big Society/Small Government" LibCon, how about a more modest mandate still: we could ask the state to leave off promoting statistical innumeracy and the inability to understand risk and reward.
Start with the lottery: in the US, its slogan is "Lotto: You've Got to Be In It to Win It". A more numerate slogan would be "Lotto: Your Chance of Finding the Winning Ticket in the Road is Approximately the Same as Your Chance of Buying it". The more we tell people that there is a meaning gap between the one-in-a-squillion chance of finding the winning ticket and the one-in-several-million chance of buying it, the more we encourage the statistical fallacy that events are inherently more likely if they're very splashy and interesting to consider.
Ban the lottery? Wouldn't that rob people of the wonderful lesson of losing all their money through a voluntary tax on innumeracy? Maybe, but if getting rid of the lottery led to even a slight improvement in our sense of risk and safety, think of the society-wide savings from money not spent on alarmist newspapers, charlatan child-protection schemes, the MMR scare and the rest!
Once we've got rid of the lottery, let's attack the banks. It's not bad enough that they collect huge bonuses from the state after destroying the economy; they also systematically scramble our ability to understand risk and security with an ever more farcical stream of "compliance" hoops and Bizarro World "security" measures!
For example, my own bank, the Co-op, recently updated its business banking site (the old one was "best viewed with Windows 2000!"), "modernising" it with a new two-factor authentication scheme in the form of a little numeric keypad gadget you carry around with you. When you want to see your balance, you key a Pin into the gadget, and it returns a 10-digit number, which you then have to key into a browser field that helpfully masks your keystrokes as you enter this huge one-time password.
Don't get me wrong: two-factor authentication makes perfect sense, and there's nothing wrong with using it to keep users' passwords out of the hands of keyloggers and other surveillance creeps. But a system that locks users out after three bad tries does not need to generate a 10-digit one-time password: the likelihood of guessing a modest four- or five-digit password in three tries is small enough that no appreciable benefit comes out of the other digits (but the hassle to the Co-op's many customers of these extra numbers, multiplied by every login attempt for years and years to come, is indeed appreciable).
As if to underscore the Co-op's security illiteracy, we have this business of masking the one-time Pin as you type it. The whole point of a one-time password is that it doesn't matter if it leaks, because it only works once. That's why we call it "one-time". Asking customers to key in a meaningless 10-digit code perfectly, every time, without visual feedback, isn't security. It's sadism.
It gets worse: the Pin you use with the gadget is your basic four-digit Pin, but the digits can't be sequential. This has the effect of reducing the keyspace by an enormous factor, a bizarrely contrarian move from a bank that "improves" its security by turning this constrained four-digit number into a whopping 10-digit one. Does the Co-op love or loathe large keyspaces? Both, it seems.
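To put numbers on the two claims above (three tries against a 4-, 5- or 10-digit code, and a no-sequential rule shrinking a four-digit Pin space), here is an added worked example that is not part of the original column. It assumes codes are uniformly random and tries two readings of "sequential", since the column does not define it: the whole Pin is a run (1234, 6543), or any two neighbouring digits differ by one.

```python
from itertools import product

DIGITS = "0123456789"

def online_guess_probability(code_digits: int, tries: int = 3) -> float:
    """Chance that `tries` distinct random guesses hit one uniformly random
    code of `code_digits` decimal digits before the account locks."""
    return tries / 10 ** code_digits

def fleet_compromise_probability(code_digits: int, accounts: int, tries: int = 3) -> float:
    """Chance that at least one of `accounts` independent accounts falls when
    a guesser spends `tries` attempts on each; shows why a per-account lockout
    alone bounds per-account risk but not risk across a whole customer base."""
    p = online_guess_probability(code_digits, tries)
    return 1 - (1 - p) ** accounts

def is_run(pin: str) -> bool:
    """Loose reading of 'sequential' (assumed): the whole Pin is one ascending
    or descending run, e.g. 1234 or 6543."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {-1}

def has_adjacent_step(pin: str) -> bool:
    """Strict reading of 'sequential' (assumed): any two neighbouring digits
    differ by exactly 1, e.g. 1324 is rejected because of the 3-2 pair."""
    return any(abs(int(b) - int(a)) == 1 for a, b in zip(pin, pin[1:]))

def pin_keyspace(length: int, reject) -> int:
    """Count Pins of `length` digits that survive the `reject` rule by
    brute-force enumeration (10**4 candidates for a four-digit Pin)."""
    return sum(1 for t in product(DIGITS, repeat=length) if not reject("".join(t)))

if __name__ == "__main__":
    for d in (4, 5, 10):
        print(f"{d}-digit OTP, 3 tries: P(guess) = {online_guess_probability(d):.1e}")
    for name, rule in (("whole-Pin run", is_run), ("any adjacent step", has_adjacent_step)):
        print(f"4-digit Pins left after rejecting {name}: {pin_keyspace(4, rule)}")
    print(f"P(at least one of 10,000 accounts with 4-digit OTP falls): "
          f"{fleet_compromise_probability(4, 10_000):.2f}")
```

Under the loose reading only 14 of the 10,000 four-digit Pins are removed; under the strict reading 5,540 remain, so how much the rule costs depends entirely on which rule the bank actually enforces.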
It's not just the Co-op, of course; this is endemic to the whole industry. For example, Citibank UK requires you to input your password by chasing a tiny, on-screen, all-caps keyboard with your mouse-pointer, in the name of preventing a keylogger from capturing your password as you type it. This has the neat triple-play effect of slicing the keyspace in half (and more) by eliminating special characters and lower-case letters; incentivising customers to use shorter, less secure passwords because of the hassle of inputting them; and leaving it vulnerable to every screen-recorder, which simply makes a movie of which keys you click.
It wasn't easy (the branch staff couldn't believe that I had won an exception to this weird policy), but in the end, they opened the account for me. Now, like a mouse that's found an experimental lever that only sometimes gives up a pellet, I find myself repeatedly pressing it, hoping to hit on the magical combination that will get my bank to behave as though security were something that a reasonable, sane person could understand, as opposed to a magic property that arises spontaneously in the presence of sufficient obfuscation and bureaucracy.
The irony, of course, is that all the banks will tell you that they're only putting you through this pointless security hell because the FSA or some other body makes them do it. The regulators strenuously deny this, saying that they only specify principles - "you will know your customer" - not particular practices.
Which brings me back to my modest proposal: let's empower our regulators to fine banks that create nonsensical, incoherent security practices involving idolatrous worship of easy-to-forge utility bills and headed paper, in the name of preserving our national capacity to think critically about security.
Even if it doesn't kill the power of the tabloids to sell with screaming headlines about paedos, terrorists and vaccinations, it would, at least, be incredibly satisfying to keep your money in an institution that appears to have the most rudimentary grasp of what security is and where it comes from.