Here’s let me Help you Hack



In a time when break-ins make each of us aware and concerned about our online security, on my end of the netpond I have spent the better part of a week poring through a seventeen-page document of passwords, personal history hints, first grade friends, dead first pets and favorite sex positions in order to change all of my online stored information.

I expect those trusted partners that I do business with are doing the same. Why does it not surprise me that my online bank of blog choice (not mentioning names of course) once again rises to the top of the COM MODE in an outstanding display of MISFEATURE?

I’ll spare the details because I realize in my state of bitter sarcasm I may well be the only one to enjoy the crufty commentary, but suffice to say that while going through on-line-form-inferno, I was asked to provide my username and password to my OTHER BANK in order to “verify” that I owned that account where I was having money transferred. I hesitated of course … why would a bank ask for another bank’s online username and password? But it was six o’clock in the morning and I had slept for about five hours so my bogosity meter may have been a bit sleep deprived and I provided my credentials despite my left brain’s objections.

And as all happy stories wrap up, the incident ended in a customer service phone call because the website wouldn’t accept my confidential information, that I had now thrice supplied. The “resolution” and I use that term in the Nevada hooker loosest sense of the word was to use the “alternate” method of bank verification whereby bank number one deposits spare change into bank number two’s account and I have to go fetch my tin can and string and pass the secret information back to bank number one.  High tech code cracking at its highest.

I asked the agent straight up … is there a problem with MY information that I entered or is this a bug in your online system. And she gave me an honest answer in her heavy accent that my cell phone connection was straining to decipher … “Az zis time our sysdem is not abowl to process doze requests.”

In other words .. it don’t work. And it wasn’t because the system was down for maintenance, though they could certainly use a reality tune-up, but the backend subroutine was broken.

“So why then is this option STILL available for online users?” I asked her, “In a time when personal security concerns are at their highest, why ask for my personal account information to another bank and then come back and say your system is broke and you can not complete the transaction?”

To which she assured me that my concerns would be relayed to the appropriate department. But given their ability for handing off information I am quite certain it was dropped on the floor as soon as the call ended.

So what do we do when our trusted partners can’t be trusted? And how do we secure our personal data when anyone we do business with may leak, sell, steal, lose, rent or loan our account access information?

Clearly I don’t have the answers because I still use LinkedIn and Dropbox and there are a thousand articles out there in cyberspace for how to create good passwords and protect your personal data so I am certain that I have little to contribute to the wizard knowledgebase.

However, it’s a good conversation to have if for no other reason it reminds us we are not alone. So consider who you want to protect your confidential information from? Are you keeping your passwords out of the hands of your own resourceful teenagers? (Seriously, why bother, they already have it. They know you like the back of their boxers.) Or are you trying to keep your money in the last place you placed it? It used to be back in the early days of IT that we told the secretaries to STOP writing their password on a Post-it note and leaving it on the monitor. It made no sense to them at the time because they couldn’t see why anyone would want to sit at their computer and transcribe Professor Gedanken’s garden club seating notes.

Best we can do is learn from each of the headline hacks how to further refine our own confidential criteria. For instance — Don’t use the same password on different sites.

Why? Because if they break into one account and you have used “REDNECK4EVER” as your password at Pinterest as well as PayPal then you have not only opened up all of your Walmart fashion dreams but also the $3.42 cents in your checking account is now in the hands of a Saratoga teenager who is 2 nanoseconds away from cracking your maxed out MasterCard.

For another nuance in security through obscurity, I also don’t give out my primary email address to the open market. Email accounts are one of the easiest ways people gain a foothold into your personal data. And most of the stores out there routinely SELL your email address to their affiliates, which can be anyone who has a bank account and a mission statement. It’s easy to get another (or another half dozen) GMAIL accounts that you can use and even forward for ease of tracking.

Oh! And as I was going through my seventeen pages of non-encrypted fingerprints, I was shocked to see how many vendors would send me back my password in clear text .. when I selected HELP I’VE FORGOTTEN MY PASSWORD. A “GOOD” system will have your password encrypted so that even the head egghead in IT cannot retrieve it for you. That’s why they send you “temporary” passwords for one time use. If a firm is sending me back my password in clear text, I’d think twice about giving them my credit card information.
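What that paragraph describes, as an added example that is not part of the original post: the site keeps only a salted one-way hash of the password (what the post calls encrypted), so nobody can mail it back, and a forgotten password is handled with a single-use, expiring token instead. The function names, the in-memory USERS store and the PBKDF2 parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory "database"; a real site would use persistent storage.
USERS = {}  # username -> {"salt", "pw_hash", "reset_hash", "reset_expiry"}
PBKDF2_ROUNDS = 600_000  # assumed work factor for this sketch

def _hash_password(password, salt):
    # One-way: the stored value cannot be turned back into the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def register(username, password):
    salt = secrets.token_bytes(16)  # unique per user
    USERS[username] = {"salt": salt, "pw_hash": _hash_password(password, salt),
                       "reset_hash": None, "reset_expiry": 0.0}

def login(username, password):
    user = USERS.get(username)
    if user is None:
        return False
    candidate = _hash_password(password, user["salt"])
    return hmac.compare_digest(candidate, user["pw_hash"])

def forgot_password(username, ttl_seconds=900, now=None):
    """Return a one-time token to e-mail to the user; only its hash is kept."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    user = USERS[username]
    user["reset_hash"] = hashlib.sha256(token.encode()).digest()
    user["reset_expiry"] = now + ttl_seconds
    return token

def reset_password(username, token, new_password, now=None):
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None or user["reset_hash"] is None or now > user["reset_expiry"]:
        return False
    presented = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(presented, user["reset_hash"]):
        return False
    user["reset_hash"] = None  # single use: the token dies once redeemed
    user["salt"] = secrets.token_bytes(16)
    user["pw_hash"] = _hash_password(new_password, user["salt"])
    return True
```

Nothing in `USERS` contains the password itself, so a "send me my password" feature is impossible by construction; the only thing the help desk can do is issue a reset token.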

I guess it all comes down to who you trust and how much it is worth to you. Do I want to save a buck by going with the lowest price in my dogpile hit? Or do I stick with Amazon and trust that they have at least vetted their third party vendors more than domains-R-us-instant-shopping-cart-fly-by-night did the day before they went live?

At the end of the day, it’s prudent to realize we are all sailing on the cyberspace Titanic just waiting for an iceberg to crack our confidential cuspy. Make it hard for them … or at least make it entertaining.
