Online Security vs. Online Convenience

Published: August 9, 2015 at 11:53 am


A couple of weeks ago, I tried to log in to my account with Quantum mutual fund. I had to enter my login name and password and a difficult captcha* code. After getting the code wrong twice (age does take a toll), I was taken to another screen where I had to choose how I could receive an OTP (one-time password): by email or by mobile. Then it took me to another page where I had to enter the OTP received. When I managed to do that, I was finally able to access my account. I thought this was a one-time affair, but I had to do the same when I logged in after a couple of days. Thankfully, when I checked again while writing this, the authentication via OTP had been removed. Hopefully because of negative feedback.

A while back FundsIndia (with whom I have a dormant demat account) had a similar two-step authentication which has now been removed. If I remember correctly, one had to enter one’s birthday in the second step.

The IT e-filing site also did the same thing a while back. Now the date of birth has to be entered in the same screen.

A look at online security and how it seems to be mutually exclusive with online convenience. Security always seems to come at the cost of convenience and vice versa.

First a quick note: yesterday I wrote about Simple ways to protect our online privacy. My intention was only to point out that we should understand what information is being accessed when we use a site. I was not trying to be paranoid.

A while back, authentication meant a username and password. It then evolved to username, password and a captcha. A captcha prevents an attack from computers run by hackers.

Captcha stands for “Completely Automated Public Turing test to tell Computers and Humans Apart” (phew!). The Turing test evolves from a proposal by Alan Turing – part of the team which cracked the Germans’ Enigma machine (The Imitation Game). Turing committed suicide after being forced to take estrogen because of his homosexuality. The British and US never told the rest of the world that the Enigma code had been cracked. This enabled them to freely spy on Commonwealth (ahem!) and protectorate countries.

Today, “two-step authentication” where the user has to input two pieces of unique information is being used by many sites.

Both the above security measures have significantly reduced online convenience. Whether such measures are necessary is the subject of endless debate and often depends on who is arguing and what they are arguing about (duh!).

If I ran an organization, I would install additional security measures primarily for good PR even if it is not necessary.

Take the case of mutual fund accounts or demat accounts. They work in a closed loop. Money flows from designated bank accounts to the fund or demat account. Dividends and redemptions can only be sent to the same bank account either by an ac/payee cheque or via online transfer.

I fail to understand (and I write from a point of abject ignorance) how a captcha will provide additional security to my mutual fund account. Hackers can buy or sell units only if they know the login and password to the attached bank account.

The possibility of that happening is pretty rare if I have a decent antivirus/anti-malware installed. At the unitholder’s level access to the AMC server would be severely restricted. So the hacker cannot gain access to it via an individual’s account.  Please don’t tell me that server security is that bad!

Of course, a hacker can change my password and deny access to my account, which I will have to reset offline.

Having a captcha for a blog or forum makes perfect sense. It will minimize, if not eliminate, mechanized spam. It is hard to eliminate ‘direct’ spam though (see how loan providers misuse the FB comment option at freefincal).

I see no use for captchas with AMC accounts. Please correct me if I am wrong.

The goal should be to protect the password efficiently. Then a captcha is not necessary.

A two-step authentication is a smart alternative to captcha (although they are often used together).

Here two pieces of information unique to an individual are used to access an account. It is a smart alternative and does not reduce online convenience, provided one step is offline.

Online two-step authentication

Here both the password and access code have to be entered online in succession. This can be a pain if I need to log in often. I need to find out if password managers can handle this.

There are now apps which will enable online two-step authentication for any social media site.

Offline two-step authentication

Here the password is stored in a password manager that is installed as a browser ‘add-on’. To access the password, an offline master password must be entered.  I prefer this as it is much more convenient and pretty much equally secure.

In this case, the site password can be incredibly tough (13 characters with upper case, $,#,& etc.) and need not be committed to memory. There are password generators which can do this for you.

The master password is never stored anywhere except in our “little grey cells”. In our case, my wife set the master password so that she can access it even if I cannot.

Earlier I used to maintain a book where all the site passwords were listed. I stopped updating it these days because AMCs irritate us every few months by asking us to change the password while ensuring it is not one of the “last 4 passwords used”. Tiresome. Like I said, security and convenience can be mutually exclusive.

Offline protection

Antivirus + spyware protection is crucial in every computer.  Browser security software is also available, but somehow I have not taken to that.

Credit card protection

We take the credit card out with us only when we know we are going to use it. This reduces the chance of theft and loss. The card comes with a PIN, so we see no need for a card protection plan.

While purchasing online, we never save the card information on payment sites as a precaution. The CVV number provides an additional layer of protection. However, it is only a 3-digit number. So it is important to secure the card number.  Some cards need a password that must be entered on an on-line keyboard. This is a pain, but is more secure.

I hope I neither sound reckless nor paranoid. Yes, we need to be secure, but I see no need to go overboard. Offline or online, nothing is 100% secure. We have not been attacked so far, only because no one chose to, or we have been plain lucky with our choices.

About the Author: M. Pattabiraman (PhD) is the founder, managing editor and primary author of freefincal. He is an associate professor at the Indian Institute of Technology, Madras, since Aug 2006. Connect with him via Twitter or Linkedin. Pattabiraman has co-authored two print-books, You can be rich too with goal-based investing (CNBC TV18) and Gamechanger, and seven other free e-books on various topics of money management. He is a patron and co-founder of “Fee-only India”, an organisation to promote unbiased, commission-free investment advice. He conducts free money management sessions for corporates and associations on the basis of money management. Previous engagements include World Bank, RBI, BHEL, Asian Paints, Cognizant, Madras Atomic Power Station, Honeywell, Tamil Nadu Investors Association. For speaking engagements write to pattu [at] freefincal [dot] com