Online Security vs. Online Convenience

A couple of weeks ago, I tried to log in to my account with Quantum mutual fund. I had to enter my login name and password and a difficult captcha* code. After getting the code wrong twice (age does take a toll), I was taken to another screen where I had to choose the way I would receive an OTP (one-time password): by email or by mobile. Then it took me to another page where I had to enter the OTP received. When I managed to do that, I was finally able to access my account. I thought this was a one-time affair, but I had to do the same when I logged in again after a couple of days. Thankfully, when I checked again while writing this, the authentication via OTP had been removed. Hopefully because of negative feedback.

A while back FundsIndia (with whom I have a dormant demat account) had a similar two-step authentication which has now been removed. If I remember correctly, one had to enter one's birthday in the second step.

The IT e-filing site also did the same thing a while back. Now the date of birth has to be entered in the same screen.

A look at online security and how it seems to be mutually exclusive with online convenience. Security always seems to come at the cost of convenience, and vice versa.

First, a quick note: yesterday I wrote about simple ways to protect our online privacy. My intention was only to point out that we should understand what information is being accessed when we use a site. I was not trying to be paranoid.

A while back, authentication meant a username and password. It then evolved to username, password and a captcha. A captcha is meant to block automated attacks from computers run by hackers.

Captcha stands for "Completely Automated Public Turing test to tell Computers and Humans Apart", phew! The Turing test evolved from a proposal by Alan Turing, part of the team which cracked the Germans' Enigma machine (The Imitation Game). Turing committed suicide after being forced to take estrogen because of his homosexuality. The British and US never told the rest of the world that the Enigma code had been cracked. This enabled them to freely spy on Commonwealth (ahem!) and protectorate countries.

Today, "two-step authentication" where the user has to input two pieces of unique information is being used by many sites.

Both the above security measures have significantly reduced online convenience. Whether such measures are necessary is the subject of endless debate and often depends on who is arguing and what they are arguing about (duh!).

If I ran an organization, I would install additional security measures primarily for good PR, even if they were not necessary.

Take the case of mutual fund accounts or demat accounts. They work in a closed loop. Money flows from designated bank accounts to the fund or demat account. Dividends and redemptions can only be sent to the same bank account, either by an A/c payee cheque or via online transfer.

I fail to understand (and I write from a point of abject ignorance) how a captcha will provide additional security to my mutual fund account. Hackers can buy or sell units only if they know the login and password of the attached bank account.

The possibility of that happening is pretty remote if I have a decent antivirus/anti-malware installed. At the unitholder's level, access to the AMC server would be severely restricted, so the hacker cannot gain access to it via an individual's account. Please don't tell me that server security is that bad!

Of course, a hacker could change my password and deny me access to my account, which I would then have to reset offline.

Having a captcha for a blog or forum makes perfect sense. It will minimize, if not eliminate, mechanized spam. Hard to eliminate 'direct' spam though (see how loan providers misuse the FB comment option at freefincal).

I see no use for captchas with AMC accounts. Please correct me if I am wrong.

The goal should be to protect the password efficiently. Then a captcha is not necessary.

Two-step authentication is a smart alternative to a captcha (although they are often used together).

Here two pieces of information unique to an individual are used to access an account. It is a smart alternative and does not reduce online convenience, provided one step is offline.

Online two-step authentication

Here both the password and the access code have to be entered online in succession. This can be a pain if I need to log in often. I need to find out if password managers can handle this.

There are now apps which enable online two-step authentication for social media sites.

Offline two-step authentication

Here the password is stored in a password manager that is installed as a browser 'add-on'. To access the password, an offline master password must be entered.  I prefer this as it is much more convenient and pretty much equally secure.

In this case, the site password can be incredibly tough (13 characters with upper case, $, #, & etc.) and need not be committed to memory. There are password generators which can do this for you.
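To make the paragraph above concrete, here is an added example (not code from the blog or from any password manager) that generates a 13-character password of the kind described and shows how the search space grows when one character is added, the point raised in the comments about brute-force attempts. The symbol list and the guess rate are constructed assumptions.

```python
import math
import secrets
import string

# Constructed character set: letters, digits and a few symbols of the
# "$, #, &" kind the post mentions. The exact symbol list is an assumption.
SYMBOLS = "$#&!@%*"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def generate_password(length: int = 13) -> str:
    """Return a password drawn uniformly from ALPHABET that contains at
    least one upper-case letter, one digit and one symbol.  Rejection
    sampling keeps every accepted password equally likely, unlike
    'force one symbol into position 0' schemes that shrink the space."""
    if length < 3:
        raise ValueError("length must allow one of each required class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in SYMBOLS for c in candidate)):
            return candidate


def keyspace(length: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Number of distinct passwords of the given length.  Adding one
    character multiplies this by the alphabet size."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy for a uniformly chosen password of this length."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length: int, guesses_per_second: float,
                     alphabet_size: int = len(ALPHABET)) -> float:
    """Worst-case time for an attacker guessing offline at the given rate.
    The rate is a constructed assumption, not a measurement."""
    seconds = keyspace(length, alphabet_size) / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    print(generate_password(), f"{entropy_bits(13):.1f} bits")
    for n in (8, 12, 13, 14):
        print(n, f"{years_to_exhaust(n, 1e10):.3g} years at 1e10 guesses/s")
```

Note that online guessing is far slower than the offline rate assumed here, which is why the post's point about not reusing or storing the site password matters more than the exact number.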

The master password is never stored anywhere except in our "little grey cells". In our case, my wife set the master password so that she can access it even if I cannot.

Earlier I used to maintain a book where all the site passwords were listed. I stopped updating it because AMCs irritate us every few months by asking us to change the password while ensuring it is not one of the "last 4 passwords used". Tiresome. Like I said, security and convenience can be mutually exclusive.

Offline protection

Antivirus and anti-spyware protection is crucial on every computer. Browser security software is also available, but somehow I have not taken to it.

Credit card protection

We take the credit card out with us only when we know we are going to use it. This reduces the chance of theft and loss. The card comes with a PIN, so we see no need for a card protection plan.

While purchasing online, we never save the card information on payment sites, as a precaution. The CVV number provides an additional layer of protection. However, it is only a 3-digit number, so it is important to secure the card number. Some cards need a password that must be entered on an online keyboard. This is a pain, but it is more secure.

I hope I sound neither reckless nor paranoid. Yes, we need to be secure, but I see no need to go overboard. Offline or online, nothing is 100% secure. We have not been attacked so far only because no one chose to, or we have been plain lucky with our choices.


13 thoughts on “Online Security vs. Online Convenience”

  1. Pratheek John

    One other irritating thing I felt was different AMCs following different parameters for passwords. For e.g., Franklin would not allow me to use the same password I use for IDFC. They all follow different minimum requirements like at least one special character, one capital. I strongly believe this should be standardised. If an AMC has trouble thinking about a stand, then simply use what Google does. Don't complicate it.

    Reply
  3. Raj

    This article sounds like it was written by someone other than Pattu. Sorry, but there are a lot of assumptions and generalizations which I have not seen so far in any of his articles / responses in the ASAN group.

    About the topic, CAPTCHAs/two-step are very much required if we need to protect the passwords. Reason being, brute force attacks. There are computer programs which would use dictionary words and alphabet permutations and combinations and try to log in. With CAPTCHA, it will be significantly difficult for a computer program to get the CAPTCHA code correct, which denies the chance for brute force. With two-step, a second field is introduced and a computer program has to get both the fields correct at the same time to proceed. However, I would prefer something other than DOB to be the second field, since DOB is not that difficult to get for a third person.

    Reply
    1. freefincal

      I have seen kids perform brute-force password cracking. I know how long it would take and how much longer it would take if a single additional character is included in the password. There is a good reason why most websites lock down after 3 wrong attempts.
      Say someone has hacked into a mutual fund account using such a brute-force method; it would be of no use unless they can access my bank account as well. That is simply not a random occurrence. It must be a planned and coordinated attack. I am no expert but I believe simple checks are in place for common random attacks. That is no assumption.

      Reply
      1. Raj

        Apologies first on the word 'assumption'. I meant the assumptions about user behaviour and not anything else (credit cards at home etc).

        Completely agree with you on the impact if the login is compromised. However, I would prefer a CAPTCHA / Two step auth rather than convenience. (Paranoid.....)

        Reply
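The reply above mentions that most sites lock an account after three wrong attempts. As an added example following this thread (not code from the blog or from any AMC), here is the server-side bookkeeping that turns a brute-force guessing run into a locked account: a per-account count of consecutive failures with a lockout window. The threshold and window are constructed values, and the clock is injectable so the behaviour can be tested without waiting.

```python
import hmac
import time
from dataclasses import dataclass

MAX_FAILURES = 3            # constructed policy: lock after 3 wrong attempts
LOCKOUT_SECONDS = 15 * 60   # constructed lockout window


@dataclass
class AccountState:
    failures: int = 0        # consecutive wrong attempts since last success
    locked_until: float = 0.0


class LoginGuard:
    """Refuses further attempts on an account during its lockout window,
    regardless of whether the supplied password is right."""

    def __init__(self, expected: dict[str, str], clock=time.time):
        # account -> secret; demo only, a real system stores a password hash
        self._expected = expected
        self._clock = clock
        self._state: dict[str, AccountState] = {}

    def attempt(self, account: str, password: str) -> str:
        now = self._clock()
        st = self._state.setdefault(account, AccountState())
        if now < st.locked_until:
            return "locked"          # rejected before the password is checked
        secret = self._expected.get(account, "")
        # constant-time comparison so the check does not leak partial matches
        if account in self._expected and hmac.compare_digest(
                secret.encode(), password.encode()):
            st.failures = 0
            return "ok"
        st.failures += 1             # unknown accounts are counted too
        if st.failures >= MAX_FAILURES:
            st.locked_until = now + LOCKOUT_SECONDS
            st.failures = 0
            return "locked"
        return "wrong"
```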
  5. Raghavendra

    @pattu - Security and convenience cannot go hand in hand - especially when hackers are getting smarter by the day. My take would be that while security is more from a prevention standpoint, convenience is the user experience part. Let me give you an instance I experienced, much like yours with Quantum AMC. I recently logged into my ICICI bank a/c to transfer some funds to a payee a/c that I had not transferred any funds to in around 6 months. Looks like the portal recognised this, and asked me to input an OTP sent to my mobile number, in addition to the grid numbers at the back of my debit card. Now, it is inconvenient, but I don't complain since I know that it helps prevent untoward incidents.

    All ICICI acc holders need to have their debit cards with them always, if they need to carry out any net banking transactions. Without the grid authentication, nothing works. If you look at HDFC, OTP is only for exceptional circumstances and there is no grid authentication. Yes Bank too is only OTP, and no 2FA.

    Lastly, look at creating an acc with the HDFC AMC site. It asks you to scan some docs and upload them to the site, including a cancelled cheque of the bank acc you wish to link to the folio. Now, if HDFC were to use the cloud as opposed to traditional data centres and your data was compromised, would you feel safer? Convenient, surely yes, since everything is a matter of clicks, but security? Same goes for Gmail, which recently introduced a new page for entering the login password after entering the login ID.

    The two surely don't go together....

    Reply
