Someone is being a fool and not understanding some of the basics of computer security. That person is either (a) the head of security at ING Direct or (b) it is me.
Now, your default stance should certainly be “I’ll take option (b).” Let’s face it: the former managed to achieve a primo position of responsibility in charge of $20 billion, whereas the latter has a long history of being foolish.
Let me see if I can persuade you otherwise.
About ING
ING Direct is a bank subsidiary that offers only online and phone access to your bank account. Money can be transferred into and out of the account only from a single linked bank account. They pay a reasonably high rate of interest and have lower fees compared to most banks, presumably because their real-estate and transaction costs are so low.
Web security is an important issue for such an organisation, and for its customers.
Why do I trust a web-site like ING Direct’s with my money?
I am reasonably concerned about web-security. I am prepared to use ING Direct because the downside of having my account password compromised is relatively low.
I believe that if someone was to successfully get my password, all they could do would be:
- see my balance, which would be an invasion of privacy, but not a benefit to the hacker.
- change my password, which would inconvenience me until I managed to prove I was who I said I was and have it reset. Again, not a benefit to the hacker.
- transfer money to or from my linked account. This might cost me in transaction fees, overdraft fees and lost interest, but would not benefit a hacker.
- attempt to change the linked account, and then transfer money to it. This is protected by ensuring that the linked bank account has the same account name as the ING Direct account (or at least the same surname and first initial). It also requires a form to be filled in and signed, with all of the inherent security protection that an unwitnessed signature on a self-printed form can offer.
Given that there is little incentive for a hacker to crack my account, beyond simple denial of service, I see it as relatively low-risk to manage my money through their web-site.
False Security?
So, while the stakes here are low, it offends my sensibilities when I see artificial security practices in place that inconvenience me but only provide a facade of additional security. I believe ING Direct gives a false sense of security in two such places: the anti-sniffing keypad entry for their PIN, and their random deposit confirmation.
Anti-Sniffing Keypad
If you visit the ING Direct Online Banking client, you will notice that rather than typing in your password (ING calls it an “Access Code”), you must enter it by clicking on numbers on a randomly laid-out keypad on the screen.
This technique is (presumably) to foil naive keyboard sniffing software from being able to successfully read your password.
Your user id (the “Client Number”) is typed in, though.
The downside of this system is it makes it slower to enter and less accessible.
Does it successfully protect the password, though? Not really, because the password itself is worthless: it is limited to a four-digit number.
Four-digit PIN numbers might be sufficient to protect a credit card, which requires you to physically have access to the card – especially if it can be captured if you enter the wrong PIN number too many times – but for a web site with no other factor of authentication, where 10000 guessing attempts could be made in a few minutes, it is nigh on worthless.
(I actually attempted to change my Access Code to something more secure. The keypad will let you propose a six-digit PIN number, but will reject it when you hit Submit.)
Having anti-sniffer protection on a four-digit number is like putting an awfully big padlock on a paper bag.
Random Deposit Confirmation
Recently, I changed the linked account associated with my ING Direct account. ING Direct use an interesting authentication technique that I first saw used by Google AdSense.
When I opened a Google account, it was very easy to make a mistake in typing in the account number. A wrong account number would lead to all sorts of issues. Google solved this by depositing a random number of cents over two transactions into the account that I proposed to link with their account. They then asked me to test that it worked by confirming the number of cents. For the costs of a few cents and a couple of transactions, Google were able to circumvent major hassles later.
So, when ING Direct used a similar system, I was more than happy to comply. After all, if I typed in my account details wrong and the banks involved failed to notice that the account names mismatched, I could feasibly transfer a large amount of money into someone else’s account, and I might never see it again.
I initiated the process, and watched my new bank account over the next few days. No money appeared. The time period ran out. I scratched my head. Did I enter the account number wrongly? I had taken great care not to.
No! It turns out they deposited the money in the old linked account; the one I was about to close.
What does that prove? They knew I had access to my old account; I had been using it for years.
I still can’t work out why they might think this is a good idea.
Clearly, somebody is being a fool about computer security. I hope you agree it isn’t me.
Comment by ferryman on June 24, 2008
For a list of all the ways technology has failed to improve the quality of life, please press three.
Comment by James on June 25, 2008
Part of the reason I switched over to Rabobank’s Raboplus account was the security token system they have. I didn’t particularly trust the system that ING had.
I have this strange sense of déjà vu that I wrote this blog comment before.
Comment by Alastair on July 8, 2008
Julian, just a minor correction on the security of 4-digit PINs. These things are generally fine in most cases if the web site has a) a temporary or permanent lock-out after a small number of incorrect attempts, and b) a low-friction method of getting a locked-out account unlocked. I believe your average physical ATM will implement both of these (for some value of “low” friction…)
Also I believe it was PayPal that invented (or first popularised) the random deposit bank account verification method.
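The keyspace arithmetic behind the post’s “10000 guessing attempts in a few minutes” and the lock-out Alastair describes, worked through as an added example (not code from the post, the commenters or ING; the 50-per-second rate, the three-strikes policy and the PinLogin class are assumptions):

```python
import math
from collections import defaultdict
from dataclasses import dataclass, field


def guesses_to_exhaust(digits: int) -> int:
    """Size of the keyspace for an all-numeric PIN of the given length."""
    return 10 ** digits


def seconds_to_exhaust(digits: int, attempts_per_second: float) -> float:
    """Wall-clock time to try every PIN when nothing throttles the attempts."""
    return guesses_to_exhaust(digits) / attempts_per_second


@dataclass
class LockoutPolicy:
    max_failures: int    # wrong guesses tolerated before the account locks
    lock_seconds: float  # how long the lock lasts


def guesses_allowed(policy: LockoutPolicy, horizon_seconds: float) -> int:
    """Upper bound on distinct guesses one account accepts within a time horizon."""
    windows = math.floor(horizon_seconds / policy.lock_seconds) + 1
    return windows * policy.max_failures


def success_probability(digits: int, policy: LockoutPolicy, horizon_seconds: float) -> float:
    """Chance that online guessing for `horizon_seconds` hits a uniformly chosen PIN."""
    return min(1.0, guesses_allowed(policy, horizon_seconds) / guesses_to_exhaust(digits))


@dataclass
class PinLogin:
    """Toy login service (hypothetical): PIN check plus a per-client-number lockout."""
    pins: dict  # client number -> PIN; constructed sample, a real service stores hashes
    policy: LockoutPolicy
    failures: dict = field(default_factory=lambda: defaultdict(int))
    locked_until: dict = field(default_factory=lambda: defaultdict(float))

    def login(self, client: str, pin: str, now: float) -> str:
        if now < self.locked_until[client]:
            return "locked"  # refuse even a correct PIN while the lock is active
        if self.pins.get(client) == pin:
            self.failures[client] = 0
            return "ok"
        self.failures[client] += 1
        if self.failures[client] >= self.policy.max_failures:
            self.failures[client] = 0
            self.locked_until[client] = now + self.policy.lock_seconds
            return "locked"
        return "wrong"
```

With no lock-out, 50 attempts a second exhausts the four-digit keyspace in 200 seconds; with three wrong guesses per 24-hour lock, a month of guessing covers 93 of the 10,000 PINs, under one percent.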
Comment by Bork Blatt on July 23, 2008
I really like the term Bruce Schneier coined to describe superficially impressive but ultimately worthless security measures: security theatre.
Comment by Tom Allen on August 5, 2008
I actually emailed ING a few years ago about this exact topic, and with the same kind of “this is just plain stupid” analysis that you’ve provided. In fact – I just found the email – copy+pasta for you…
—
Dear Sir/Madam,
I have an ING account, and frequently use the online banking system for my transactions. One feature I find immensely frustrating is the “security” system on the login page. (In case you are not familiar with it, there is a text box for the account number, and then a shuffled grid of buttons for the pin code.) The page claims that shuffling the buttons is intended to improve security, but in practice I believe it is impractical and flawed. Typically a user will type in their account number, which is then left in full view. Since the grid of buttons is shuffled, it then takes far longer to actually enter the pin code, and because this must be done with the mouse, it is even slower still. Personally, I find I can easily see exactly what pin my partner enters, and then to access her account would simply be a matter of finding out the account number. As mentioned earlier, the account number remains in full view for the entire time the user spends clicking their pin code, so in all likelihood, an onlooker could have copied this too. (Additionally, because the account number field is a standard text box, many web browsers will cache this value, so a subsequent user at a public computer could trivially find this information.)
I propose that the current system be scrapped entirely, and the pin code replaced with a proper alpha-numeric password, entered in a standard manner via the keyboard. It is far easier to hide keystrokes from an onlooker, than slow mouse movements when trying to find the correct shuffled button. At the very least, please allow the pin number to be entered like a password, using the keyboard.
Please could this information be forwarded to the appropriate member of your web development team, and if possible, I would appreciate a response regarding this suggestion.
Yours sincerely,
Tom Allen
—
Their response:
Hi Tom
Thank you for your feedback regarding our ING DIRECT website.
We will certainly pass your suggestion onto our Internet Manager for consideration in the future.
*snip*
—
Basically, they couldn’t give a shit. Why do they even bother to invite criticism if they’re not actually prepared to accept it?
Comment by Hates ING Security ... OK, just Hates ING on September 22, 2008
I have had an ING account for several years (i.e. too long.) It is completely worthless to me since their stupid security measures prevent me from having access to it. At some point, I either forgot my PIN or failed to enter it properly on the shifting keypad and got locked out. For an online bank, I would think resetting my PIN would be a simple matter of verifying my identity and selecting a new PIN.
Unfortunately, this is not the case. The stupid, worthless assholes actually require that I call their customer (dis)service number and then have them mail (via U.S. Postal Service) me a new PIN in a post card form factor designed to look like junk mail (i.e. it is nondescript and does not identify itself as being from ING.) Somehow, this is supposed to protect the integrity of my account.
However, the CSR told me that, while I was waiting to receive my new PIN, if I answered one of my security questions on the telephone (thereby further compromising my security by providing her with my “proof” of identity), she would be able to provide me with balance information, make transfers for me, and so forth. So, their security is rather inconsistent: if I identify myself on the telephone, it takes 1 less piece of information to gain access to my account than if I were to use the web, where, upon lockout, there is no amount of information that can be used to prove my identity.
I agree with the original poster that these useless pieces of shit have no clue as to what constitutes security or identity in an online world. When I eventually do get access to my account (it’s been years since I have been able to successfully sign on), rest assured I will transfer my money out and close the account. Their gross incompetence makes me regret ever falling prey to the $25 new account enticement. It has cost me WAY more than that in terms of my personal time and frustration in dealing with the pinheads at ING.
Hopefully, they will soon become one of the failed financial institutions of the current mortgage/liquidity crisis and will be nothing more than a footnote by 2009.
Comment by Julian on January 17, 2009
Bonus tip: As of Jan 2009, the Australian ING Direct site doesn’t work with Google Chrome (or recent versions of Safari, apparently).