Tuesday, May 08, 2012

All in the name of security

I'll start with yet another underwear bomb - expect security check-in desks to feature strip searches soon.

The second is my credit card. I have a User Name (not my real name), I have a Passcode and I have a Password which I can use to check my balance. However, using my card online, I now have a separate verification procedure which requires yet another Password. If I want to check how that's been used or change the details, rather than logging on to my card site and checking, I have to log in to a different part of my card provider's site with yet another login name.

So two login names with two passwords (and one passcode) for the same damn card. Add in all my other logins and passwords and it's no surprise that a) people use the same codes for everything and b) they only get changed post compromise.

The doubly dumb thing is that if I had a bank account with this company I'd have a random number generator to use with my card and PIN. Why not use that for the credit cards too? Use my card details for the login, add in my DOB and then the random number. Even if it's being sniffed, the number will change every time; the only way it can be compromised is if someone steals my card, knows my PIN and DOB and has a number generator. The only thing I need to remember then is my PIN and DOB.

Tie this into an OpenID system with some company selling generators and cards that allow you to log in to various sites (Blogger, Facebook etc.) using the card number and the number shown, and again all that needs to be remembered is a PIN.
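To make the scheme above concrete, here is an added example (my own code, not the author's and not any bank's) of the card-plus-generator login. The bank's proprietary generator is stood in for by an HOTP device (RFC 4226, HMAC-SHA1 over a counter): the handheld unlocks with the card PIN and emits a fresh six-digit code each press, and the issuer's server checks card number, DOB and code, remembering the highest counter already used so that a code sniffed off the wire cannot be replayed. Card numbers, PINs, secrets and dates are constructed sample values; `CardGenerator`, `CardIssuer` and `LOOK_AHEAD` are names I chose for the illustration.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based one-time code per RFC 4226: HMAC-SHA1 over the
    big-endian counter, dynamic truncation, reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class CardGenerator:
    """The handheld device (hypothetical): holds the card secret and only
    releases a code when the correct PIN is entered; locks after 3 misses."""

    def __init__(self, secret: bytes, pin: str):
        self._secret = secret
        self._pin_digest = hashlib.sha256(pin.encode()).digest()
        self._counter = 0      # moves forward on every code issued
        self._bad_pins = 0

    def code_for(self, pin: str) -> str:
        if self._bad_pins >= 3:
            raise PermissionError("generator locked after 3 wrong PINs")
        entered = hashlib.sha256(pin.encode()).digest()
        if not hmac.compare_digest(entered, self._pin_digest):
            self._bad_pins += 1
            raise PermissionError("wrong PIN")
        self._bad_pins = 0
        self._counter += 1
        return hotp(self._secret, self._counter)


class CardIssuer:
    """Server side (hypothetical): one record per card, plus the highest
    counter value already accepted, which is what defeats replay."""

    LOOK_AHEAD = 10  # tolerate a few codes generated but never submitted

    def __init__(self):
        self._cards = {}

    def enrol(self, card_number: str, dob: str, secret: bytes) -> None:
        self._cards[card_number] = {
            "dob": hashlib.sha256(dob.encode()).digest(),
            "secret": secret,
            "last_counter": 0,
        }

    def login(self, card_number: str, dob: str, otp: str) -> bool:
        rec = self._cards.get(card_number)
        if rec is None:
            return False
        dob_digest = hashlib.sha256(dob.encode()).digest()
        if not hmac.compare_digest(dob_digest, rec["dob"]):
            return False
        # Only counters strictly above the last accepted one are candidates,
        # so a code that has already been used is rejected outright.
        start = rec["last_counter"] + 1
        for c in range(start, start + self.LOOK_AHEAD):
            if hmac.compare_digest(hotp(rec["secret"], c), otp):
                rec["last_counter"] = c   # burn this and every earlier code
                return True
        return False


def demo() -> dict:
    """Walk through a login, a replay of the sniffed code and a wrong DOB.
    All values below are constructed for the example."""
    secret = b"constructed-card-secret"
    issuer = CardIssuer()
    issuer.enrol("card-0001", "1970-01-01", secret)
    device = CardGenerator(secret, "1234")

    code = device.code_for("1234")
    first = issuer.login("card-0001", "1970-01-01", code)      # fresh code: accepted
    replay = issuer.login("card-0001", "1970-01-01", code)     # same code again: refused
    code2 = device.code_for("1234")
    wrong_dob = issuer.login("card-0001", "1980-01-01", code2)  # DOB wrong: refused, code not burnt
    retry = issuer.login("card-0001", "1970-01-01", code2)      # same code, right DOB: accepted
    return {"first": first, "replay": replay, "wrong_dob": wrong_dob, "retry": retry}


if __name__ == "__main__":
    print(demo())
```

The OTP carries the real security here; the DOB is a low-entropy identifier that only narrows which record is checked, so an issuer should treat it as a username rather than a secret. The same `login` check could sit behind an OpenID provider, which is what the paragraph above proposes: the relying site never sees the card secret, only the provider's yes or no.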

One PIN for the card; one PIN for logging in. If you can't remember two four-digit numbers then you've more problems than security.