Saturday, May 07, 2011

Security or Stupidity

I do know the online world is not safe. Accounts do get hacked; information and money get stolen. Day in, day out, people try to make their systems more secure and add several layers of protection. In no way are we gonna have something foolproof and secure. Every system will have shortcomings and flaws. Period.

I do not advocate that we should not embark on the journey of improvements and enhancements on the grounds that it will be broken anyway, so why enhance it in the first place. Still, what irks me is the way people do it.

It is a given that any good security system should have more than one form of authentication, in terms of combinations or whatever it takes.

In terms of banking, it happens to be the login password and the transaction password, along with your card info.

Of late, for any online computer-based transactions, they have brought in the mobile factor, which I would say is pure madness.

In ICICI, after giving your user ID and password, it would prompt for an OTP, or one-time password. A six-digit number would have been messaged to your mobile number and you should use that to log in.

What if I don't have a mobile?
What if there is no battery in my mobile?
What if I am in a place where there is no service?
What if I hadn't paid my bills, all my outgoing and incoming is blocked, and I am trying to use Internet banking to pay my bills?
Above all, do they know that messaging is not a reliable form of communication? At least to the best of my knowledge, there is no guarantee that if I send a message to someone, it will reach them without fail. Thereby there is no guarantee that I can access the services that I am entitled to!

Once with SBI I had a tough time transferring some money back to my hometown, and was irritated to board the bus to hand-deliver the money. Even there, the same problem: while transferring, apart from the transaction password, a 6-digit number will be sent to your mobile, which can't be typed from the keyboard but has to be clicked from the virtual keypad on screen. By the time the message comes, the session would have expired as I was inactive. Those security consultants should be sued.


Ramesh said...

Yeah, frustrating at times, but the risks are now so multiplying in the online world that we have to learn to live with some pain. Same as in the real world - the security checks everywhere are becoming cumbersome and a real drag, and often seemingly senseless, but we have no option but to learn to live with it.

Alas, it's a big bad world.

zeno said...

Security checks- Ah you the frequent traveler :)
I am fine with the pain, if it is worth it and makes sense :)

RamMmm said...

It is the banker's way of taking revenge on you (not you, I'm speaking generally) for misusing the online facility. :-D RBI has mandated a two-phase authentication and also using an OTP for mobile-based transactions, and hence all this. I have to play with SecurID/Smartcard type devices with my bank account, but only if I need to do certain types of transactions. Online money transfer to a different account necessitates stronger verification. They could have given one more password and asked for x, y, z position characters of the password when you log in. I thought that the option of sending the OTP to mobile/email or both is configurable. Please check. But as you say, at times it feels overkill.

This is beside the point, but you can enable Message Delivery Receipt for your SMSes. They indicate when it has been delivered to the target phone. If they haven't been delivered, you'll get a failure notice. Doubt if that OTP engine would care about it though.

Happy Authentication. :-)

zeno said...

Why will I misuse, sir ;)
If it is RBI that had mandated OTP, they have gone crazy. Also observed that OTP is random, i.e. there were a few transactions which I was able to do without OTP!

I have felt CITI was way cooler!

I haven't checked the mail option :(
OTP taking care of delivery of reports. Very funny.

chennaigirl said...

That's why I leave all these silly issues to aathu ;)

zeno said...

@CG poor him!

TheZion said...

OTP is so far an eyewash... if I don't get the SMS I just refresh the page and re-enter login and password, and it works without OTP then... I clearly don't see the security in this so far