Sacrificing a Lot of Security for a Small Gain in Usability

August 25th, 2007

It’s time to raise the bar in internet security, and this needs to start with the likes of Paypal. Since I began using the internet in 1996, it has been the same old story - plenty of advice about strong passwords and good security policies, but attitudes have still not changed. Advice on its own will get us nowhere - this was proven many times over when the ILOVEYOU worm was followed by Sircam and a thousand other bizarre email attachments that people insisted on opening.

Today I created a Paypal account for “casual” online sellers (there’s a pun in there somewhere but it is beyond my ability, unfortunately). Paypal requires a minimum of 8 characters in your password, and if you try to use “password” it replies: “Password contains a forbidden word”. This is a start, at least. So instead I use ‘qwertyui’. A forbidden-word check that stops at “password” does nothing about the rest of the list, and it is not difficult for an attacker to work through a list of the most common 8- or 9-letter passwords. How many Irish people do you think use ‘liverpool’ as their password? It might be safer to take the responsibility out of the user’s hands altogether and force them to learn a random password, but that would most likely lead to sticky notes on the monitor.

A safer solution is to get people used to long pass phrases (15+ characters), with numbers, special characters, and letters in upper and lower case. If you make it difficult enough, then maybe they won’t be inclined to use the same password with every Mickey Mouse unencrypted database they sign up to, which can only be a good thing. I really don’t think Paypal are going to lose customers just by making it slightly harder to log in. Look at Bank of Ireland’s Banking 365 as an example: to log in, you need a seemingly random 6-digit user ID that nobody knows AND a 6-digit PIN that nobody knows AND the answer to a security question that most people could find out. This is a major contrast to Paypal’s login: an email address that everyone knows, and potentially a weak password that most people could guess. And still you get groups of phishing victims who try to sue 365 Online for inadequate security.

Remember, this is not just some web forum or Wordpress blog you’re signing up to, it is more or less an online bank. You are leaving significant sums of money and your credit card details, flimsily protected by 8 letters. If I went through all the eBay sellers who were selling Liverpool merchandise, and attempted to log in to their Paypal using their email address and the password ‘liverpool’, how many accounts would I have access to?
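
The two policies contrasted above (the one the post describes and the one it argues for), as an added worked example that is not part of the original post and not Paypal’s code. The common-password list and keyboard rows are constructed for the illustration, and the forbidden-word check is assumed to be a substring match on “password”:

```python
"""Password policy checks, added here as an illustration (not Paypal's
code). 'weak_policy' models the rule the post describes (8+ characters,
reject the word 'password'); 'strong_policy' models the rule the post
argues for. The common-password list and keyboard rows are constructed
for the example; a real deployment would load a breach-derived list."""
import string

# Constructed sample of the top of a "most common passwords" list, i.e. what
# an attacker tries first against every account.
COMMON_PASSWORDS = {
    "password", "password1", "qwertyui", "qwertyuiop", "liverpool",
    "12345678", "123456789", "letmein1", "football", "iloveyou",
}

# Keyboard rows, used to spot walks such as 'qwertyui' or 'asdfghjk'.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def is_keyboard_walk(pw, run=5):
    """True if pw contains `run` adjacent keys of one row, in either direction."""
    p = pw.lower()
    for row in KEYBOARD_ROWS:
        for r in (row, row[::-1]):
            if any(r[i:i + run] in p for i in range(len(r) - run + 1)):
                return True
    return False


def char_classes(pw):
    """Number of character classes present: lower, upper, digit, other."""
    n = 0
    for cls in (string.ascii_lowercase, string.ascii_uppercase, string.digits):
        n += any(c in cls for c in pw)
    n += any(c not in string.ascii_letters + string.digits for c in pw)
    return n


def weak_policy(pw):
    """The rule described in the post; assumption: the forbidden-word check is
    a substring match on 'password'. Returns a list of problems (empty = accepted)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if "password" in pw.lower():
        problems.append("contains a forbidden word")
    return problems


def strong_policy(pw):
    """The rule the post argues for: a 15+ character passphrase with at least
    three character classes, not on the common list (even with digits or
    punctuation tacked on), and not a keyboard walk."""
    problems = []
    low = pw.lower()
    if len(pw) < 15:
        problems.append("shorter than 15 characters")
    if char_classes(pw) < 3:
        problems.append("fewer than three character classes")
    if low in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    else:
        stripped = low.rstrip(string.digits + string.punctuation)
        if stripped in COMMON_PASSWORDS:
            problems.append("common password with characters appended")
    if is_keyboard_walk(pw):
        problems.append("contains a keyboard walk")
    return problems


def compare(passwords):
    """Run both policies over a list; returns {pw: (weak_ok, strong_ok)}."""
    return {pw: (not weak_policy(pw), not strong_policy(pw)) for pw in passwords}


if __name__ == "__main__":
    samples = ["password", "qwertyui", "liverpool", "liverpool1!",
               "Anfield-Kop-1892!Red"]
    for pw, (weak_ok, strong_ok) in compare(samples).items():
        print(f"{pw:22} weak policy: {'accept' if weak_ok else 'reject':6}  "
              f"strong policy: {'accept' if strong_ok else 'reject'}")
```

Run as a script, the table shows the gap the post is complaining about: ‘qwertyui’ and ‘liverpool’ sail through the 8-character rule, while the stronger rule rejects them for three separate reasons and still accepts a genuine passphrase. The rejection reasons are returned as a list rather than a yes/no so the sign-up form can tell the user which rule they tripped.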

As for the two security questions, here is a screenshot:

There is a serious oversight here. On one hand, Paypal give you two solid, difficult security questions that only you and your close family could answer (last 4 characters of your driver’s license and last 4 digits of your social security number), but then they undermine them with two questions so blindingly obvious that you wonder why they bother with security questions at all. Which two questions do you think the majority of users are going to select? Definitely not the ones that mean they have to go rummaging for their driver’s license and try to remember their social security number.

I was never a fan of security questions anyway, simply because anyone who knows me can find out the answer to just about any of them. I always lie, which kind of defeats the purpose. What about the people who don’t lie? How difficult would it be to log onto their Facebook and find out their dog’s name or city of birth? Why don’t Paypal just allow me to put in two secondary passwords instead of answering dumb questions? Or why not allow me to define my own security questions, like some sites do? Better yet, why not get rid of security questions altogether - if you forget your password, you can phone up the support team, and they can ask you a bunch of security questions in the old-fashioned way.

“But it doesn’t matter if they can answer my security questions, because they don’t have access to my email!” exclaims the Man in the Yellow Hat, giddily. I’m not the person to say how secure or insecure your email is, but from my days as a Linux sys admin, I did notice a couple of things:

  • Do you send your password in plain text? If you’re not using SSL or TLS to connect to your POP3/IMAP server (most people are not), it could be painfully easy for someone on your network to get your password using a sniffer.
  • Is your DNS safe? I once emailed an Irish ISP and asked them to change the MX records for a decent-sized domain - about 300 users actively using the email. They were very nice and friendly, and swiftly complied with my request, neglecting to ask for my credentials or for a fax or phone call to verify it. I was a new employee at the company and they had no way of knowing that I was authorised to make this change. I could have been anyone, and I could have configured my mail server to forward all email on to the real mail server, so that the company would never even know they were being intercepted.
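
What the sniffer in the first bullet actually recovers, as an added example that is not from the original post. The POP3 and IMAP transcripts are constructed; the parser handles USER/PASS, IMAP LOGIN and SASL PLAIN (which is base64 encoding, not encryption), and gives up once a STLS/STARTTLS upgrade is accepted, which is exactly why the upgrade matters:

```python
"""Pull mail credentials out of a captured plaintext POP3/IMAP session.

Added example, not from the original post. The transcripts below are
constructed: they are what a sniffer on the same network segment (or any
upstream hop) sees when the client does not use SSL/TLS, and what it sees
when the client upgrades with STLS first."""
import base64
import re

# One TCP stream, as Wireshark's "follow stream" or tcpflow would show it:
# ("C", bytes) is client -> server, ("S", bytes) is server -> client.
POP3_PLAINTEXT = [
    ("S", b"+OK POP3 server ready\r\n"),
    ("C", b"USER alice@example.com\r\n"),
    ("S", b"+OK\r\n"),
    ("C", b"PASS liverpool\r\n"),
    ("S", b"+OK Logged in.\r\n"),
    ("C", b"STAT\r\n"),
]

IMAP_PLAINTEXT = [
    ("S", b"* OK IMAP4rev1 ready\r\n"),
    ("C", b'a001 LOGIN "bob@example.com" "qwertyui"\r\n'),
    ("S", b"a001 OK LOGIN completed\r\n"),
]

# SASL PLAIN is only base64, not encryption: NUL authzid NUL authcid NUL passwd.
POP3_AUTH_PLAIN = [
    ("S", b"+OK POP3 server ready\r\n"),
    ("C", b"AUTH PLAIN\r\n"),
    ("S", b"+ \r\n"),
    ("C", base64.b64encode(b"\x00carol@example.com\x00password1") + b"\r\n"),
    ("S", b"+OK\r\n"),
]

# Same login after STLS: once the server accepts, the TLS handshake starts
# and the sniffer sees only ciphertext (handshake bytes truncated here).
POP3_STLS = [
    ("S", b"+OK POP3 server ready\r\n"),
    ("C", b"STLS\r\n"),
    ("S", b"+OK Begin TLS negotiation\r\n"),
    ("C", b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),  # ClientHello
    ("S", b"\x16\x03\x03\x00\x5a\x02\x00\x00\x56\x03\x03"),  # ServerHello
]

IMAP_LOGIN = re.compile(r'^\S+\s+LOGIN\s+"?([^"\s]+)"?\s+"?([^"\s]+)"?\s*$', re.I)


def _sasl_plain(b64):
    """Decode a SASL PLAIN blob; returns (authcid, password) or None."""
    try:
        parts = base64.b64decode(b64, validate=True).split(b"\x00")
    except ValueError:
        return None
    if len(parts) != 3:
        return None
    return parts[1].decode("utf-8", "replace"), parts[2].decode("utf-8", "replace")


def extract_credentials(stream):
    """Walk a (side, payload) stream and return [(protocol, user, password)].
    Stops at the first accepted STLS/STARTTLS, after which bytes are opaque."""
    creds, user, want_plain, want_tls = [], None, False, False
    for side, payload in stream:
        for line in payload.decode("ascii", "replace").split("\r\n"):
            if not line:
                continue
            if side == "S":
                if want_tls:
                    if re.match(r"^(\+OK|\S+ OK)\b", line):
                        return creds          # handshake follows; give up
                    want_tls = False          # server refused; still plaintext
                continue
            up = line.upper()
            if want_plain:                    # continuation of AUTH PLAIN
                want_plain = False
                cred = _sasl_plain(line)
                if cred:
                    creds.append(("POP3",) + cred)
            elif up == "STLS" or re.match(r"^\S+\s+STARTTLS$", up):
                want_tls = True
            elif up.startswith("USER "):
                user = line[5:].strip()
            elif up.startswith("PASS ") and user is not None:
                creds.append(("POP3", user, line[5:]))
            elif up == "AUTH PLAIN":
                want_plain = True
            elif up.startswith("AUTH PLAIN "):    # initial response on one line
                cred = _sasl_plain(line[11:].strip())
                if cred:
                    creds.append(("POP3",) + cred)
            else:
                m = IMAP_LOGIN.match(line)
                if m:
                    creds.append(("IMAP", m.group(1), m.group(2)))
    return creds


if __name__ == "__main__":
    for name, stream in [("POP3", POP3_PLAINTEXT), ("IMAP", IMAP_PLAINTEXT),
                         ("AUTH PLAIN", POP3_AUTH_PLAIN), ("STLS", POP3_STLS)]:
        print(f"{name:10} -> {extract_credentials(stream) or 'nothing recovered'}")
```

The three plaintext transcripts give up the password in one pass with no cracking at all; only the STLS session yields nothing. The fix is on both ends: configure the client to require SSL/TLS (or STARTTLS) and have the server refuse USER, PASS and AUTH on the plaintext port before the upgrade, so a client that forgets cannot leak anything.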

I’m sure there are hundreds of reasons not to trust in the security of your email account, but those are the two that taught me to take nothing for granted.

Any company that stores credit card information should be legally obliged to meet a minimum security standard. I believe there are already laws like this in existence; does anyone have the details? I’m guessing they need to be either stepped up or actually enforced. It could be so easy to make a positive change in the general attitude, but as long as big sites like Paypal are happy with sub-par security policies, we will always believe that typing more than 6 letters in a password is an unnecessary inconvenience.

5 Responses to “Sacrificing a Lot of Security for a Small Gain in Usability”

  1. University Update - North Carolina State - Sacrificing a Lot of Security for a Small Gain in Usability Says:

    [...] Forest University Sacrificing a Lot of Security for a Small Gain in Usability » This Summary is from an article posted at James Galvin on Saturday, August 25, 2007 It’s [...]

  2. dahamsta Says:

    My favourite is when the bank rings me and prepares to ask a security question. I always interrupt them and say:

    “Sorry, you rang me (without caller id). I know who I am, I don’t know who you are. I should be asking you security questions.”

    They usually go “huh”, because they’re automatons just doing what they’re told anyway. No imagination, no security.

    On DNS, when ISPs and other orgs ask me to authenticate using a fax “for security reasons”, I call them on it. It’s for ass-covering, not security.

    adam

  3. James Says:

    Speaking of banks… that reminds me about their policy to check up on credit cards. I got a TEXT MESSAGE once along the lines of

    IMPORTANT!! Ring BOI Credit Card Services @ 01 xxxxxx ASAP!

    Turned out it was legit, but I certainly didn’t ring the number they sent me (I rang the number on the back of my card). That is a good point though, there should be a challenge/response allowing us to verify the bank’s identity.

  4. dahamsta Says:

    Jesus don’t say challenge/response James, you’ll have the anti-spam C/R dickheads in here. :)

  5. “News Alert: Irish Broadband Routers Totally Secure” | James Galvin Says:

    [...] for “crack wpa”, even if the encryption method is somehow 100% unbreakable, just ask Paypal what happens when you allow the user to pick his own [...]


I am from Cork, Ireland. A fan of the Big Lebowski, Mac OS X, Linux, Cork hurling, Munster rugby, Irish football. Interests include QuakeWorld, Python (lately Django), network security, web applications and technology in general.
