THIS TIME IT'S PERSONAL

Posted on 21 Jan 2005 at 17:14

 

Gallery

Matthew Holbrook's eyes, meanwhile, are focused firmly on his dustbins

These days, a few key pieces of information can get you anywhere. Your name, home address, email address, telephone numbers, date of birth and mother's maiden name should all be afforded the same level of protection as your credit card number and expiry date.

When I joined a new office recently I was asked to enter such information into a spreadsheet. Had I completed all the entries, people in the office would have been able to access some of the online services I use. I didn't fill in the spreadsheet fully.

Some of this information is publicly available. Until a few years ago, you couldn't opt out of the fully public electoral register. Now you can choose to prevent your details being transferred abroad and keyed into online databases, but the data is still available from the local town hall.

BIN THERE, DONE THAT
You also need to look at how you dispose of paper documents. People are paid to rummage through bins for names and addresses, and bonus payments are made for records that include a date of birth. Even if you put bundles of paper out for recycling, your details are at risk. It is best to tear off anything that mentions your name, address or other personal information. This is why shredders have become popular recently.

The best security systems use digital certificates. Unless the correct certificate is applied to the browser, no-one will be able to get to your account. That means your account can be compromised only from your own PC. For some reason digital certificates have fallen in popularity, perhaps because of the support costs of helping people use them.

The next best thing is to have login information that's unrelated to your own personal information. The Alliance and Leicester provides a 12-digit user number that has nothing to do with the account number. It also requires a five-digit PIN, rather than the traditional four-digit code. I have memorised them, but many users would have to write them down - and not always in the most secure place.

Another service that does not use an account number is Egg, the company that looks after my savings. Unfortunately the login procedure is not as secure as it could be. The system prompts for first name, surname, date of birth, postcode, mother's maiden name and password. With some research and a bit of carelessness on my part, a thief could blow my account wide open.

In the past few months a tick box has appeared on the login screen that allows the website to remember the first four of these. It does this by leaving a cookie on that PC. Future Egg sessions on that computer then ask for just the mother's maiden name and the password. This is good for usability but it is a little scary that my account can be accessed with such scant credentials. My mother's maiden name could probably be researched so it all comes down to the quality of my password, which is a good incentive to steer clear of anything obvious, such as 'password', 'secret' and 'matthew'.

I prefer systems that prompt only for specific parts of a password. My Alliance and Leicester account asks for only two characters from a password when I request any sort of money transfer, while my account at Barclay's Stockbrokers is protected by a digital certificate and a prompt for two password characters.

It is tempting to use the same username and password for all websites with which you register. The problem then is that if the security details for one account are compromised, the others are also affected. Microsoft's Passport is one solution - a centrally managed account that you can use with multiple services. Passport may have had a wide distribution in the form of Hotmail and Windows XP, but public mistrust of Microsoft has left it stuck on the starting line.