A couple of weeks ago, I tried to log in to my account with Quantum Mutual Fund. I had to enter my login name, my password and a difficult captcha* code. After getting the code wrong twice (age does take a toll), I was taken to another screen where I had to choose how I would receive an OTP (one-time password): by email or by mobile. Then it took me to another page where I had to enter the OTP received. When I managed to do that, I was finally able to access my account. I thought this was a one-time affair, but I had to do the same when I logged in after a couple of days. Thankfully, when I checked again while writing this, the authentication via OTP had been removed. Hopefully because of negative feedback.
A while back FundsIndia (with whom I have a dormant demat account) had a similar two-step authentication which has now been removed. If I remember correctly, one had to enter one’s birthday in the second step.
The IT e-filing site also did the same thing a while back. Now the date of birth has to be entered in the same screen.
A look at online security and how it seems to be mutually exclusive with online convenience. Security always seems to come at the cost of convenience and vice versa.
First a quick note: yesterday I wrote about Simple ways to protect our online privacy. My intention was only to point out that we should understand what information is being accessed when we use a site. I was not trying to be paranoid.
A while back, authentication meant a username and a password. It then evolved to username, password and a captcha. A captcha is meant to stop automated attacks by computers run by hackers.
Captcha stands for “Completely Automated Public Turing test to tell Computers and Humans Apart”. Phew! The Turing test evolves from a proposal by Alan Turing, part of the team which cracked the Germans’ Enigma machine (The Imitation Game). Turing committed suicide after being forced to take estrogen because of his homosexuality. The British and the US never told the rest of the world that the Enigma code had been cracked. This enabled them to freely spy on Commonwealth (ahem!) and protectorate countries.
Today, “two-step authentication” where the user has to input two pieces of unique information is being used by many sites.
Both of the above security measures have significantly reduced online convenience. Whether such measures are necessary is the subject of endless debate and often depends on who is arguing and what they are arguing about (duh!).
If I ran an organization, I would install additional security measures primarily for good PR, even if they were not necessary.
Take the case of mutual fund accounts or demat accounts. They work in a closed loop. Money flows from designated bank accounts to the fund or demat account. Dividends and redemptions can only be sent to the same bank account, either by an A/c payee cheque or via online transfer.
I fail to understand (and I write from a point of abject ignorance) how a captcha will provide additional security to my mutual fund account. Hackers can buy or sell units only if they know the login and password of the attached bank account.
The possibility of that happening is pretty rare if I have a decent antivirus/anti-malware installed. At the unitholder’s level, access to the AMC server would be severely restricted. So the hacker cannot gain access to it via an individual’s account. Please don’t tell me that server security is that bad!
Of course, a hacker can change my password and deny me access to my account, which I will then have to reset offline.
Having a captcha for a blog or forum makes perfect sense. It will minimize, if not eliminate, mechanized SPAM. Hard to eliminate ‘direct’ SPAM though (see how loan providers misuse the FB comment option at freefincal).
I see no use for captchas with AMC accounts. Please correct me if I am wrong.
The goal should be to protect the password efficiently. Then a captcha is not necessary.
A two-step authentication is a smart alternative to a captcha (although they are often used together).
Here two pieces of information unique to an individual are used to access an account. It is a smart alternative and does not reduce online convenience, provided one step is offline.
Online two-step authentication
Here both the password and the access code have to be entered online in succession. This can be a pain if I need to log in often. I need to find out if password managers can handle this.
There are now apps which enable online two-step authentication for any social media site.
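The access code such apps produce is a time-based one-time password (TOTP, RFC 6238): the site and the app share a secret, and each 30-second slot yields a fresh six-digit code that the site recomputes and compares. The following is an added example written for this page, not the post's own code or any app's implementation; it uses only Python's standard library and the published RFC test secret (labelled as such) to show how the code is derived on both sides and why the server tolerates a small clock drift.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter replaced by the current time slot."""
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret: bytes, code: str, for_time: float, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the current slot plus `window` slots either side
    (clock drift, typing delay) and compare each candidate in constant time."""
    if len(code) != digits or not code.isdigit():
        return False
    slot = int(for_time) // step
    return any(
        hmac.compare_digest(hotp(secret, slot + drift, digits), code)
        for drift in range(-window, window + 1)
    )


def secret_from_base32(text: str) -> bytes:
    """Authenticator apps receive the shared secret as base32, often unpadded."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


# The RFC 6238 test secret, used here only as a constructed sample.
# A real secret is generated per account and never published.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    code = totp(RFC_SECRET, time.time())
    print("current code:", code)
    print("accepted:", verify_totp(RFC_SECRET, code, time.time()))
```

The point for the user is that the app never talks to the site: both sides only need the shared secret and a roughly correct clock, which is why the code keeps working without mobile coverage. The `window` of one slot either side is the usual compromise between tolerating drift and limiting how long a stolen code stays valid.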
Offline two-step authentication
Here the password is stored in a password manager that is installed as a browser ‘add-on’. To access the password, an offline master password must be entered. I prefer this as it is much more convenient and pretty much equally secure.
In this case, the site password can be incredibly tough (13 characters with upper case, $, #, & etc.) and need not be committed to memory. There are password generators which can do this for you.
The master password is never stored anywhere except in our “little grey cells”. In our case, my wife set the master password so that she can access it even if I cannot.
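To make the two claims above concrete, here is an added example (not the post's own code, nor any particular password manager's implementation) in standard-library Python: a generator for a 13-character site password drawn from upper case, lower case, digits and symbols, with its guessing entropy, and a minimal vault that keeps only a random salt and a PBKDF2 verifier so the master password itself is never written to disk. The symbol set and the iteration count are assumptions chosen for the example; a real manager additionally encrypts the stored site passwords with a key derived in the same way.

```python
import hashlib
import hmac
import math
import os
import secrets
import string

# Character classes the post mentions (upper case plus $, #, & and a few more).
SYMBOLS = "$#&@!%*?"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS  # 70 symbols


def generate_site_password(length: int = 13) -> str:
    """Random site password from the OS CSPRNG, retried until every class appears."""
    if length < 4:
        raise ValueError("need at least one character per class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in SYMBOLS for c in candidate)):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing entropy of a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


def create_vault(master_password: str, iterations: int = 200_000) -> dict:
    """What a manager keeps on disk: a random salt, the work factor and a
    PBKDF2-HMAC-SHA256 verifier. The master password itself is never stored."""
    salt = os.urandom(16)
    verifier = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def unlock_vault(vault: dict, master_password: str) -> bool:
    """Re-derive the verifier from the typed password and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), vault["salt"], vault["iterations"])
    return hmac.compare_digest(candidate, vault["verifier"])


if __name__ == "__main__":
    site_pw = generate_site_password()
    print("site password:", site_pw, f"({entropy_bits(len(site_pw)):.1f} bits)")
    vault = create_vault("a long master passphrase")  # constructed sample
    print("unlock with right passphrase:", unlock_vault(vault, "a long master passphrase"))
    print("unlock with wrong passphrase:", unlock_vault(vault, "a long master passphrasE"))
```

A 13-character password over this 70-symbol alphabet carries just under 80 bits of entropy, far beyond anything worth memorising, which is exactly why it belongs in the manager. The salt makes every vault's verifier unique, and the iteration count makes each guess at the master password cost real CPU time, so the only thing a thief gets from the vault file is a slow guessing problem.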
Earlier I used to maintain a book where all the site passwords were listed. I stopped updating it because AMCs irritate us every few months by asking us to change the password while ensuring it is not one of the “last 4 passwords used”. Tiresome. Like I said, security and convenience can be mutually exclusive.
Antivirus + spyware protection is crucial in every computer. Browser security software is also available, but somehow I have not taken to that.
Credit card protection
We take the credit card out with us only when we know we are going to use it. This reduces the chance of theft and loss. The card comes with a PIN, so we see no need for a card protection plan.
While purchasing online, we never save the card information on payment sites, as a precaution. The CVV number provides an additional layer of protection. However, it is only a 3-digit number, so it is important to secure the card number itself. Some cards need a password that must be entered on an online keyboard. This is a pain, but it is more secure.
I hope I sound neither reckless nor paranoid. Yes, we need to be secure, but I see no need to go overboard. Offline or online, nothing is 100% secure. We have not been attacked so far only because no one chose to, or because we have been plain lucky with our choices.