Do as we say, not as we do.
We often hear banks complaining loudly about the losses they suffer from payment card fraud. Campaigns like “Protect your PIN” and humorous commercials with a miniature armoured truck following a customer down the street must cost tens of millions of dollars.
But then consumers still receive calls like the one I received on Saturday afternoon. The bank – or someone claiming to be from the bank – called me, advised that they were recording the call, welcomed me as a new customer, and then asked me for my date of birth and postal code, “to confirm they were speaking to the right person.”
I have a very simple rule: If I call you, it’s reasonable for you to ask me to prove I am who I say I am. However, if you call me, you get to go first. And unfortunately, while banks are somewhat good at authenticating their customers, they never seem to consider how customers should authenticate them.
When I declined to provide personal information to the caller, she politely replied that I could call the number on the back of my card if I had any questions and then she ended the call.
So I did just that, and asked about the call. The CSR verified that the person who called me was indeed from the bank, and that they ask for a date of birth and postal code to make sure they’re speaking with the “right person”. But he didn’t have a solution to how I should authenticate future callers who claim they’re from the bank.
Banks should know better. Telephoning customers and asking for personal information is irresponsible and contributes to the identity theft problem. Banks should be telling their customers that they will never call them and ask for personal information – just as they currently do for PIN numbers.
There’s also an obvious solution: The bank could easily add one more field to their database, a password that they will use when they call me. In fact, next time they do call, I think I’ll ask them for their telephone password.
Perhaps the Bank’s security, fraud and marketing people need to have a chat.
30 years of failure
Ars Technica has a great article this morning entitled 30 years of failure: the username/password combination.
One of the things that they didn’t discuss is why we continue to use passwords for authentication even though they’re known to be a serious weakness. The first reason is that, as long as we don’t include the cost of a security breach, passwords are free. The second is that while better authentication technologies exist, nobody seems interested in allowing a single credential to be used across multiple systems on the Internet. I should be able to carry one authentication device and use it everywhere, but instead when we go that route we end up with a key-ring full of devices.
Perhaps it’s time for the open source community to step up to the plate?
Windows 7 BitLocker, a practical solution
I recently installed Windows 7 Ultimate (32 bit) on my brand new HP Mini 110 (it ships with XP). The Windows 7 distribution included all the drivers needed to get the system up and running, including the WiFi drivers, making it a very painless process. Once running, it automatically downloaded the vendor-specific video driver, resulting in a fully operational system. The only driver I had to manually install was for the touchpad. The Windows 7 driver worked fine, but I couldn’t use functions like vertical scrolling until I downloaded the software from Synaptics.
I’m a strong proponent of whole disk encryption, especially on portable computers. The small size and weight of the HP Mini 110 make it an easier target for thieves. However, by default Windows 7 creates two hard drive partitions, a hidden one for boot and recovery, and a second main partition for the operating system. My favourite open source encryption software, TrueCrypt, won’t do whole hard drive encryption on Windows 7…at least not yet. So I decided to give Microsoft’s BitLocker a try.
BitLocker is designed to work on PCs that include a Trusted Platform Module (TPM) chip on their motherboard. BitLocker essentially stores the hard drive encryption key on the TPM and the system can be configured so that users must authenticate to the TPM using a PIN in order to boot their computer.
While that’s a nice plan, it doesn’t help those of us who have purchased a computer that doesn’t include a TPM, and I was somewhat disappointed to learn that the HP Mini 110 falls into that category. But searching the web I quickly learned that BitLocker can be used without a TPM chip by making a group policy change. (Detailed information can be found here.) Once the feature is enabled, the BitLocker key can be stored on a USB flash drive.
This scenario is not ideal because the key is not protected – anyone who gets their hands on the USB key can duplicate the key and use either it or the duplicate to boot the computer. However, it’s certainly better than the alternative, which is to not use hard drive encryption until third-party products catch up with Windows 7. If you protect your USB key like you protect your car keys, it does provide a practical defence against a thief accessing your data.
But if you’re like me, you probably keep your USB flash drive in your briefcase, making it vulnerable to theft along with your laptop. It’s like leaving your car keys sitting on top of the hood. I mentioned this challenge to a few colleagues, and one of them introduced me to a very cool product from Verbatim, the TUFF-‘N’-TINY™ USB flash drive.
Image courtesy of Verbatim
In addition to having the smallest form factor I’ve seen in a USB flash drive, the Tuff-‘N’-Tiny is dust, water, and static discharge resistant. It also includes a short key ring lanyard, which I highly recommend you use.
BitLocker only requires the USB key during the initial boot sequence, after which it tells you to remove the key, so the Tuff-‘N’-Tiny soon hung on my keychain as the “ignition key” for my HP Mini.
The Tuff-‘N’-Tiny also includes Verbatim’s V-Safe encryption software. Unlike many USB devices that mount both a public (unencrypted) and secure (encrypted) partition, V-Safe switches the user between the unencrypted and encrypted partition on the same drive letter. At first this seemed a bit unusual, but I quickly realized that, in addition to requiring only one drive letter for the device, this scheme also prevents the user from accidentally saving sensitive files to the unencrypted partition. Once you’ve entered your passphrase, only the encrypted partition is available.
Getting back to BitLocker, I think we’ll all agree that it is best used with a TPM chip. However, while not perfect from a security perspective, it is possible to use Windows 7 BitLocker for practical whole hard drive encryption without a TPM chip provided that you store the USB key separately from the computer. And so far, at least for me, attaching a small USB flash drive to my keychain appears to be the best option.
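The TPM-less setup described in this post can be audited with a short script. This is an added example, not part of the original post; it assumes the OS volume is C:, the USB flash drive is E:, and that manage-bde prints English output.

```powershell
# Added example: audit a TPM-less BitLocker setup. Run from an elevated prompt.
# Assumptions: OS volume C:, USB flash drive E:, English manage-bde output.
# Such a setup is typically created with:
#   manage-bde -on C: -StartupKey E: -RecoveryPassword
$osVolume = 'C:'
$usbDrive = 'E:'

# The group policy change is stored as two DWORD values under this key.
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' `
                        -ErrorAction SilentlyContinue
$policyOk = [bool]($fve -and $fve.UseAdvancedStartup -eq 1 -and
                   $fve.EnableBDEWithNoTPM -eq 1)

# List the key protectors on the OS volume. A startup key on USB shows up as
# "External Key"; the recovery password shows up as "Numerical Password".
$protectors    = & manage-bde.exe -protectors -get $osVolume
$hasStartupKey = [bool]($protectors | Select-String -SimpleMatch 'External Key')
$hasRecoveryPw = [bool]($protectors | Select-String -SimpleMatch 'Numerical Password')

# The startup key is a hidden .BEK file in the root of the flash drive.
$bekFiles = @(Get-ChildItem -Path "$usbDrive\" -Filter '*.BEK' -Force `
                            -ErrorAction SilentlyContinue)

if (-not $policyOk)      { Write-Warning 'Policy does not allow BitLocker without a TPM.' }
if (-not $hasStartupKey) { Write-Warning "No startup key protector on $osVolume." }
if (-not $hasRecoveryPw) { Write-Warning 'No recovery password: a lost USB key means lost data.' }
if ($bekFiles.Count -eq 0) { Write-Warning "No .BEK startup key found on $usbDrive." }

# Summary object for logging or further checks.
New-Object PSObject -Property @{
    PolicyAllowsNoTpm   = $policyOk
    StartupKeyProtector = $hasStartupKey
    RecoveryPassword    = $hasRecoveryPw
    BekFilesOnUsb       = $bekFiles.Count
}
```

Keep the recovery password somewhere other than the flash drive and the laptop bag, since it unlocks the volume just as the startup key does.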



