Monday, August 30, 2010

Is Your Password Easily Accessible?

Is it just me or do other people have problems with passwords? One of the side effects of the internet is that we now need a vast array of passwords to access the different sites from Amazon to PayPal and everything in between.

Now here’s the thing: can you have one password for accessing all these different sites? Of course not, can’t you hear the security experts screaming in your ear? But actually you really don’t want that many. I have a simple strategy that I don’t mind sharing with you: there is the very secure password for the bank and PayPal, and then there is the floppy password for all those sites that really don’t matter. If you can break into my wine account (no credit card stored) and change my preferences, then frankly I really don’t care.

However, you know what I’m about to say: real life is not like this. All these different web sites have different password strategies: no less than 8 characters, must have a number, must have a non-alpha/numeric character, must be numeric only, it goes on and on. Well, just last week I met the ultimate condition: no consecutive numbers, even just 2, up or down. Now I think my brain is starting to hurt; what nutcase decided that? In any random sequence of numbers there are bound to be consecutive numbers in one direction or the other. For my mathematical friends: what are the odds in a sequence of 8 digits that at least 2 digits are consecutive? So of course you end up having to write them down, somewhere that you can lay your hands on in a hurry.
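Since the question is asked, here is an exact answer, as an added example that is not part of the original post. It reads the rule the way the site seems to: two neighbouring digits are "consecutive" if they differ by exactly one, up or down (so 34 and 43 both break the rule). Counting the digit strings that never do that is a small dynamic-programming problem over the last digit, and the probability follows; a brute-force count is included for short lengths as a cross-check.

```python
from fractions import Fraction
from itertools import product

DIGITS = range(10)


def count_no_adjacent_consecutive(length: int) -> int:
    """Number of digit strings of the given length in which no two
    neighbouring digits differ by exactly 1 (no '34', no '43', ...).
    ways[d] holds the number of valid strings built so far that end in d."""
    if length <= 0:
        return 1
    ways = [1] * 10  # every single digit is fine on its own
    for _ in range(length - 1):
        total = sum(ways)
        # the next digit d may follow anything except d-1 and d+1
        ways = [
            total
            - (ways[d - 1] if d > 0 else 0)
            - (ways[d + 1] if d < 9 else 0)
            for d in DIGITS
        ]
    return sum(ways)


def probability_at_least_one_consecutive_pair(length: int) -> Fraction:
    """Exact probability that a uniformly random digit string of this
    length contains at least one adjacent up-or-down consecutive pair."""
    return 1 - Fraction(count_no_adjacent_consecutive(length), 10 ** length)


def brute_force_count(length: int) -> int:
    """Exhaustive cross-check of the DP; only sensible for short lengths."""
    return sum(
        1
        for s in product(DIGITS, repeat=length)
        if all(abs(a - b) != 1 for a, b in zip(s, s[1:]))
    )


if __name__ == "__main__":
    for n in range(2, 9):
        p = probability_at_least_one_consecutive_pair(n)
        print(f"{n} digits: P(at least one consecutive pair) = {float(p):.4f}")
```

For 8 random digits roughly three in four strings contain a forbidden pair, which is why a rule like this forces people to pick from a much smaller, more predictable set or to write the result down.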

In the old days we all used to carry around those little booklet things called diaries, but with those now relegated to the museum we have electronic diaries in the form of mobile phones. Do you remember the Palm Pilot? Oh, I felt so up to date when I first got one of those, but now it’s the iPhone (just wanted to drop that in; it’s only the iPhone 3, you can guess who’s upgraded to iPhone 4).

I wouldn’t want my phone to be stolen; it stores far too much personal data. Probably all the data should be encrypted, which is of course only as good as the password. But very few people seem to have their phones in encrypted mode.

Anyway, all this came to mind this week when reading about the iTunes and PayPal hack, with lots of people complaining about having their PayPal accounts emptied. There is no absolute clarity on exactly what has happened, but the stories seem consistent that the hack has happened through iTunes, and that somehow the fraudsters have managed to get hold of a number of iTunes account details/passwords and have then gone around doing loads of downloads funded through iTunes against PayPal. Both PayPal and iTunes have denied their systems are broken; PayPal has specifically stated that they are unaware of any account breaches on their system. iTunes have been a little more cautious, suggesting that if your password has been stolen you should change it right away. Others have suggested that maybe the iTunes users were subject to some phishing scam that resulted in the loss of their account details, including the password.

Now whatever happened to 2-Factor Authentication? Just a few years ago it was on everybody’s lips; it was only a matter of time before we would all be carrying a smart card or token that gave us secure authentication into whatever sites we were registered with. It’s all gone quiet, and yet the problems with passwords have never been more rampant. Just think about it: one smart card or token, one password for access to the smart card, and hey presto you can log in securely to any web site. But more to the point, the hacker without access to your smart card and password is permanently locked out, no more phishing!
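To show what "two factors" means on the server side, here is an added example that is not from the original post and not any particular vendor's product. It models the token as a time-based one-time-password generator (TOTP, RFC 6238, built on HOTP, RFC 4226) rather than a smart card, and the login check insists that both the password and the current code verify, so a password captured on its own does not get anyone in. The account, salt and password are constructed for the demo; the token seed is the reference test seed published in RFC 6238, used here only so the codes can be checked against the RFC's own values.

```python
import hashlib
import hmac
import struct

# Constructed demo values; a real deployment provisions these per user.
TOKEN_SEED = b"12345678901234567890"  # RFC 6238 reference test seed, SHA-1 variant
PASSWORD_SALT = b"constructed-demo-salt"


def hotp(seed: bytes, counter: int, digits: int = 8) -> str:
    """HMAC-based one-time password (RFC 4226) for a single counter value."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 8) -> str:
    """Time-based code (RFC 6238): the HOTP counter is the current 30-second window."""
    return hotp(seed, unix_time // step, digits)


def hash_password(password: str, salt: bytes = PASSWORD_SALT) -> bytes:
    """Slow salted hash so a leaked database does not hand over the first factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class TwoFactorAccount:
    """Server-side record: a password hash plus the shared seed of the user's token."""

    def __init__(self, password: str, token_seed: bytes):
        self.password_hash = hash_password(password)
        self.token_seed = token_seed

    def login(self, password: str, code: str, now: int) -> bool:
        """Both factors must pass; neither alone is enough."""
        password_ok = hmac.compare_digest(self.password_hash, hash_password(password))
        # accept the current window and its two neighbours to tolerate clock skew
        expected = {totp(self.token_seed, now + skew) for skew in (-30, 0, 30)}
        code_ok = any(hmac.compare_digest(code, e) for e in expected)
        return password_ok and code_ok


if __name__ == "__main__":
    account = TwoFactorAccount("correct horse battery", TOKEN_SEED)
    now = 59  # RFC 6238 test time: the code in this window is 94287082
    print("code from the token:", totp(TOKEN_SEED, now))
    print("password + code    :", account.login("correct horse battery", totp(TOKEN_SEED, now), now))
    print("password only      :", account.login("correct horse battery", "00000000", now))
    print("code only          :", account.login("guessed", totp(TOKEN_SEED, now), now))
```

A stolen code is only good for its 30-second window (plus the skew allowance), and the server never stores the password itself, only its salted hash; both checks use constant-time comparison.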

Am I missing something here?

Patsy

Tuesday, August 3, 2010

Is making Payments on the Internet Safe and Secure?

I couldn't help but chuckle reading in the paper today about the unemployed lorry driver who sold the Ritz hotel in London for £250 million when it's worth two or three times that price. He was so successful that he even managed to get £1 million popped into his bank account before the fraud was discovered.

Remember the old saying: if it sounds too good to be true, it probably isn't so good! You can't help wondering about the people who are duped by such offers; are they not perhaps just as dishonest as the fraudster, in thinking they can make a quick buck to somebody's disadvantage?

So how does this work in the antiques trade? If I pop into a shop with an old plate from mother's collection and get offered £300, only to hear later that it was worth £100,000, who is wrong? Is an antique dealer obliged to pay the potential market value, for which of course he is on risk? He might have made a mistake, or an expert further down the road might throw it out as a copy. How would you mark his reputation? Arguably you could say he is paying you what it is worth to him at that moment in time; is he obliged to tell you it might be worth £100K?

And what happens if you are an expert and see some artefact in a shop marked up for $50 that you know is worth $50,000; should you tell the shopkeeper about his error? Perhaps I'll cause an uproar here, but it seems to me that many antique collectors are out to discover just such an opportunity.


So, down to basics: what happens if you get given a £1 coin that you subsequently discover is a counterfeit? We have been hearing this month that 1 in 36 £1 coins in circulation are counterfeit. Now I'm sure you all know that as soon as a coin accepted in good faith is found to be counterfeit, it is immediately rendered worthless. Attempting to pass it on is an offence.

I'm sure we all hand our counterfeit coins in to the bank so that they are taken out of circulation. I still remember as a youngster getting foreign coins in change and not being too excited about it when discovered. Not me of course but some of my friends developed an art for passing them on undetected to the next person.

Now I'm not setting out to cause any unnecessary guilt complexes, but only want to raise some fundamental issues of today’s society, and it's all about reputation and trust, which are closely related. So in our previous scenarios, do we trust antique dealers, and what is their average reputation? Of course they are going to differ, but how can I tell the reputation of a particular individual?

Now imagine the same antique dealer going to his bank for a loan; can the bank trust him (or her)? The bases of trust and reputation are really quite different: you could be very good at spotting a bargain, making large profits, but particularly bad at repaying loans. So the bank is only interested in your reputation in that one area, and that's not straightforward, because your reputation can change overnight; an unforeseen event perhaps (maybe somebody has defrauded you) and you can no longer pay your bills.

You may be wondering where all this is leading. Well, dear subscribers, let's enter the wild, wild West, or to put it another way, the internet. Here the system of reputation and trust is even more on trial. Last week a friend was telling me about her experiences on an online dating site: she met up with a great guy and they seemed to have so much in common, and then out of the blue came the call for money. The details don't matter, but this is really common and many innocent people are robbed of all their savings.

We all do it, yes, eBay can be great fun and you can get some bargains, but this really is the haven for every fraudulent idea ever invented by man, and there are new ones occurring every day. So how do you pay for your purchases? PayPal of course, in most cases at least, but this doesn't stop you from getting involved in fraud, whether as the seller or the purchaser. "The goods were never sent" or "never arrived, give me my money back", depending on which party is the fraudster. Disputes like this are legion, and it's not too difficult to get your PayPal account frozen and often very difficult to get it released.

So the question I'd like to leave you with this month is: when making payments on the internet, who do you trust, and what will your bank or PayPal do in the event of a dispute? Do we need a better way to pay?

Happy holidays,

Patsy.