Wednesday 19 Jun 2013

Banks and security

You may have noticed that in the last few years some banks have put a "virtual keyboard" on their website: a grid of digits you click to enter a password made up only of numbers. This device is as annoying as it is useless, and it raises several security issues!

Banks are generally 15 years behind in computer technology, which is not very reassuring for our money. From their credit-card payment systems to their websites, their development is a disaster. Their systems are full of obsolete security measures and leave the door open to modern threats!


1° Why is the virtual keyboard useless?

Originally, entering the password with the mouse was meant to defeat malicious programs (a kind of virus called a keylogger) that sit on your computer, record the password typed on the keyboard and transmit it. Predictably, a few days after the first virtual keyboard appeared, the authors of these viruses modified them to record the mouse as well.

Yet, even now, 15 years later, banks are still proud to install a virtual keyboard "for security". :-|


2° Why is the virtual keyboard a security hole?

A password of 6 digits allows 1 million possibilities; a computer can test all of them in less than a second.
A password of six varied characters allows nearly 2000 billion combinations; the same computer would need 625 centuries to test them all.
I hope this point is clear enough! :D

The safest password in the world is one that is very long and that you never type. A good password has at least 8-9 characters and mixes uppercase letters, lowercase letters, digits and special characters.
With the virtual keyboard, the passwords that protect access to our banks contain only digits! Any email account is harder to break into.
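To make the comparison above concrete, here is an added example (my own, not from the original post) that computes the keyspace, entropy and exhaustive-search time for a given password policy. It assumes the 95 printable ASCII characters as the "letters + numbers + special characters" alphabet, so its figures differ slightly from the rounded ones quoted above, and it generalizes to any length and guess rate.

```python
import math
import string

# Assumed alphabet sizes for each character class a policy may permit.
CLASSES = {
    "digits": len(string.digits),             # 10: the virtual keyboard's whole alphabet
    "lower": len(string.ascii_lowercase),     # 26
    "upper": len(string.ascii_uppercase),     # 26
    "special": len(string.punctuation) + 1,   # 32 punctuation marks + space = 33
}
ALL_CLASSES = tuple(CLASSES)


def alphabet_size(classes) -> int:
    """Size of the alphabet a policy allows (union of the given character classes)."""
    return sum(CLASSES[c] for c in classes)


def keyspace(length: int, classes) -> int:
    """Number of distinct passwords of exactly `length` drawn from the alphabet."""
    return alphabet_size(classes) ** length


def entropy_bits(length: int, classes) -> float:
    """Bits of entropy for a uniformly random password under this policy."""
    return length * math.log2(alphabet_size(classes))


def seconds_to_exhaust(length: int, classes, guesses_per_second: float) -> float:
    """Worst-case time to try every password at the given guess rate."""
    return keyspace(length, classes) / guesses_per_second


def ratio(length_a: int, classes_a, length_b: int, classes_b) -> int:
    """How many times larger policy B's keyspace is than policy A's."""
    return keyspace(length_b, classes_b) // keyspace(length_a, classes_a)


if __name__ == "__main__":
    # Constructed comparison: a 6-digit bank PIN against 6 and 9 mixed characters,
    # at an assumed (hypothetical) offline rate of one million guesses per second.
    rate = 1_000_000
    for length, classes in [(6, ("digits",)), (6, ALL_CLASSES), (9, ALL_CLASSES)]:
        print(f"{length} chars from {alphabet_size(classes):>2}-symbol alphabet: "
              f"{keyspace(length, classes):>20,d} combinations, "
              f"{entropy_bits(length, classes):5.1f} bits, "
              f"{seconds_to_exhaust(length, classes, rate) / 86400:12.1f} days")
    print("mixed 6 chars vs 6 digits:", ratio(6, ("digits",), 6, ALL_CLASSES), "x")
```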

And if that were not enough, the virtual keyboard shows your password to your office neighbours and, of course, to keyloggers. It is often unusable for people with disabilities and tedious for everyone.


Finally, there is a greater danger in not being able to save the password: phishing sites that copy a bank's site in order to capture your password are common. We do not always notice that the URL is wrong, but if the credentials were stored in the browser, it would recognise that this is not the right site, and you would immediately see that you have to fill in the fields yourself, unlike usual.


So what should the banks do?

Like a few good banks, and like any other website, they should join the 21st century and use the tools available to them. First, obviously, allow passwords with letters + numbers and allow them to be saved in the browser.
Browsers have been able to save passwords for a long time. This is not a weakness for security but a strength: it allows a very complex password that you do not have to remember or write on a piece of paper, and that you never have to type. It's great!

And if you are not on your own computer, typing a password of letters + numbers + special characters on the keyboard will still be 2 million times safer than a virtual keyboard with 10 digits! (see the figures above)

In the next article, I will show you how to limit the damage by storing your credentials in another way...

