To the Editor
I went to high school in Dawson Creek, and I mow the lawn (4.5 acres) at the family farm in the summer. I also come to Dawson Creek at other times for whatever. Several items about personal security crossed my desk in the last while.
Companies and the government like direct deposit. It is possible for both groups to avoid labour costs in making a deposit to your bank account. Have you noticed that you don't get a rebate if you use direct deposit? Look carefully at your terms and conditions with the bank. They might even be charging you for the option of accepting a deposit to your account in a manner which involves no cost to them. What happens if someone deposits "negative" money into your account? The transaction should fail, but apparently there are still situations where this "negative deposit" results in a withdrawal from your account. And the bank is a secure organization with your interests at heart? Maybe.
Find a 'geek' like myself, and connect to your bank to do online banking. Have the 'geek' show you what kind of encryption is being used. There are many recommendations going back a few years that 128 bit encryption is no longer considered secure enough. I bet your connection is 128 bit encrypted.
A 4 digit PIN is brain dead. It only takes 10,000 tries to guess a PIN by brute force. But people don't choose PINs at random; they need to remember them. Consequently, for most people it may only take 1000 guesses to get the PIN. Longer PINs (for example, 10 digit PINs) are needed. Don't use birthdays, anniversaries, James Bond or a bunch of other things in your PIN.
Oh, before PIN and Chip, your signature was the proof (by and large). You could dispute a signature. With PIN and Chip, the credit card company _assumes_ you did something wrong, and having a transaction cancelled is no longer automatic. It's in your terms and conditions.
PIN and Chip is broken. Back on September 13, 2012, The Register reported that researchers from Cambridge University had found a way to clone PIN and Chip cards. And the report suggests that criminals already are exploiting this, and have been for a while. Have you received a note from your credit card company that you will be receiving a new card lately? And what about the magnetic stripe that still exists on most credit cards? Was there a security problem with that, which led to PIN and Chip? If so, why is that stripe still there?
The Internet has had something called OpenID for a while. It has some problems. Mozilla (the people that make the Firefox browser) are introducing their idea 'persona'. It's probably not ready for prime time yet.
But, in my latest MasterCard statement, I see an advertisement for SecureKey Concierge, and how it will allow me to login to any Government of Canada website. All I need to do to get one of these is register all my banking information. The banks being experts at security (have you received notice from your bank that PIN and Chip is broken yet?) are probably going to have all the information in a single table, and in a few months we'll see an article in the news that a SQL injection attack resulted in ALL people registered at SecureKey Concierge having their passwords and banking information stolen.
The last thing I want is some kind of connection between my bank(s) and the government. Direct deposit is nice, as long as they can guarantee that negative deposits won't happen. Have you seen a guarantee in your terms and conditions?
But, maybe I am just paranoid?
Asperger's Savant at Large
SPSS class of 1978