Archive for April, 2009

Can I change my passwords, please?

Thursday, April 16th, 2009

Get this: identity theft is not a joke. Bad people roam cyberspace regularly looking for opportunities to take away your identity and your money (in whichever order happens to be the easiest). Still not convinced? Here is one example: False Security: ‘Scareware’ Spreads (Wall Street Journal, April 15, 2009). Ask anybody who has been a victim and they’ll tell you how much time, money, and mostly aggravation it costs when you get hit.

A couple of years ago I had to go through a very exhausting exercise with my accountants until they finally got the idea that they have to secure all sensitive communications with a password (and not include it in the message; not in any email message!). Just these days I’ve had a similar episode with a mortgage broker. First he sent me a credit report — which includes all the ‘goodies’ an identity thief would look for — in an email message. When I pointed this out and asked him not to do this again, he apologized and promised. Then, today, I get another sensitive document. This time he remembered: “the password is the last four digits of your Social.” I don’t consider this a good password (more on this later) but it is better than nothing. Then I scrolled down his message and found two occurrences of previous forwards, each time with the statement: “PW xxxx”. There, just scroll one screen and you’ve got it. Of course I got really furious, and shot back a message that I had not known I was capable of producing. Looks like some people haven’t quite gotten used to reality in today’s digital world. But this brings us exactly to the point of this piece.

We all got used to user names and passwords. We have them on our computers, voice mail boxes, email accounts, and various online accounts. We usually get to choose them — “some restrictions may apply” — and to change them. Sometimes we are forced to change a password every so often; standards are evolving towards restricting the ‘life span’ of a password to no more than 180 days, often only 90 days. And you won’t be able to reuse the same password for a long time. When someone got my friend Bob’s email password, it was a pain for a couple of hours, but then he managed to get his account back by getting his provider to change the password.
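The paragraph above names two controls that a password system can enforce but an SSN or date of birth never can: a capped life span (90 or 180 days) and a ban on reusing a recent password. The Python module below, added here as an illustration and not part of the original post, shows what those checks look like once implemented: salted PBKDF2 storage, an age check, a history that refuses recycled passwords, and a weakness test that rejects short or all-digit secrets such as “the last four digits of your Social”. The 90-day limit, the five-entry history depth, the PBKDF2 parameters and the sample passwords are all my own assumptions, not values from the post.

```python
"""Password lifecycle checks: salted PBKDF2 storage, a maximum age and a
no-reuse history. Added illustration for this post; assumptions are marked."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MAX_AGE = timedelta(days=90)   # assumed: the stricter of the two life spans in the post
HISTORY_DEPTH = 5              # assumed: how many previous passwords are blocked from reuse
PBKDF2_ROUNDS = 100_000        # assumed work factor; raise it on real systems


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so a leaked database cannot be brute-forced cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class PasswordRecord:
    salt: bytes
    digest: bytes
    changed_at: datetime
    # (salt, digest) pairs of previous passwords, newest first
    history: list = field(default_factory=list)


def is_weak(password: str) -> bool:
    """Reject secrets that are really identifiers: a 4-digit PIN like the
    'last four of your Social' has only 10**4 possibilities."""
    return len(password) < 8 or password.isdigit()


def create(password: str, now: datetime) -> PasswordRecord:
    if is_weak(password):
        raise ValueError("password too weak")
    salt = os.urandom(16)
    return PasswordRecord(salt, hash_password(password, salt), now)


def verify(record: PasswordRecord, password: str) -> bool:
    # constant-time comparison avoids leaking how many bytes matched
    return hmac.compare_digest(record.digest, hash_password(password, record.salt))


def is_expired(record: PasswordRecord, now: datetime) -> bool:
    return now - record.changed_at > MAX_AGE


def was_used_before(record: PasswordRecord, password: str) -> bool:
    candidates = [(record.salt, record.digest)] + record.history
    return any(hmac.compare_digest(d, hash_password(password, s)) for s, d in candidates)


def change_password(record: PasswordRecord, old: str, new: str, now: datetime) -> PasswordRecord:
    """Rotate the password; the old hash moves into the history list."""
    if not verify(record, old):
        raise PermissionError("current password incorrect")
    if is_weak(new):
        raise ValueError("password too weak")
    if was_used_before(record, new):
        raise ValueError("password was used recently")
    history = ([(record.salt, record.digest)] + record.history)[:HISTORY_DEPTH]
    salt = os.urandom(16)
    return PasswordRecord(salt, hash_password(new, salt), now, history)


def demo() -> dict:
    """Walk one account through the lifecycle; all inputs are constructed."""
    t0 = datetime(2009, 4, 16)
    first, second = "Tr0ub4dor&3-blog", "another-long-secret-2009"
    rec = create(first, t0)
    out = {
        "verifies": verify(rec, first),
        "rejects_wrong": not verify(rec, "wrong-password"),
        "fresh_not_expired": not is_expired(rec, t0 + timedelta(days=30)),
        "expired_after_91d": is_expired(rec, t0 + timedelta(days=91)),
    }
    try:
        change_password(rec, first, first, t0 + timedelta(days=60))
        out["reuse_blocked"] = False
    except ValueError:
        out["reuse_blocked"] = True
    try:
        create("1234", t0)
        out["pin_blocked"] = False
    except ValueError:
        out["pin_blocked"] = True
    rotated = change_password(rec, first, second, t0 + timedelta(days=60))
    out["rotated"] = verify(rotated, second) and not is_expired(rotated, t0 + timedelta(days=120))
    return out


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The point of the example is the contrast the post draws: every one of these checks depends on the secret being changeable and unknown to others, which is exactly what a Social Security number or date of birth is not.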

Except our life passwords.

“Can I have your date of birth for authentication?” asks the person on the other side of the line (it can be a bank, an insurance company, many other entities you get to call). I give her mine and add: “My DOB is not a very good authentication method.” “Why?” she asks. “Because so many people know it.” “I know,” she says, “I only want to make sure who I am speaking to.” Sigh.

Or, they might ask you for your Social Security Number (occasionally, now, only for the last four digits — mine just traveled through several clear-text email messages); Mother’s Maiden Name; sometimes just your ZIP code. So many people post their DOB on Facebook and other social networks; anybody can find out your ZIP code by entering your name into a search box online.

What happens if someone knows your SSN/MMN/DOB/ZIP? They pretty much have access to all your personal information. They can call your bank, your retirement account broker, anybody, and ask them to change the address, to move the money, whatever they want. By the time you find out, it may be too late. And, you don’t have the option to change them, the way you can change your password.

And that is why I say it’s time to move away from SSN etc. as the way to authenticate people. If you look at your Social Security card, you’ll find it written there that it is unlawful to use your SSN for identification purposes. How many people would have to be prosecuted if this were taken seriously? In a fast digital world these antiquated authentication methods are no longer adequate.

A combination of technology, policy, and education is called for. Technology can offer much more reliable alternatives; I will skip any technical details here. On the policy side, just as it is no longer legal to use your SSN as your driver’s license number, it should become completely illegal to use any of these measures as sufficient authentication. Authentication methods should be built on at least one piece of information that only you know (that’s the only true secret), your ‘life password’. Yes, it is technically possible. And people should learn that they should never ever share that ‘life password’ with anyone. Anyone. And, of course, if somehow that password gets compromised, we should be able to change it, unlike our SSN or DOB.

When we have such authentication in place, I won’t worry about my SSN traveling in clear text in an email message.

Will it stop all identity theft? Of course not. But it will make it a lot more difficult, and therefore much less likely to happen.

Nobody’s perfect

Wednesday, April 15th, 2009

I love the Mac. Much nicer and better than Windows. Mostly. But I beg to differ with the ‘religious zealots’ that will blindly endorse anything Mac to be better. Here are a few examples:

1. The Mac gives you only that little corner at the bottom right of the window to resize; miss it by a fraction, and you end up in another window. Even worse, if the window in question goes as far down as the dashboard, you’ll be struggling not to — and probably, inadvertently will — open several programs down there. Windows got it right: grab any edge of the window and drag. Simple.

2. Dialog and error boxes on the Mac pop up attached to the top of the generating window. In Windows, if you need to view something hidden by the pop-up box you can just drag it out of the way; not on the Mac, it is glued, nailed, and screwed to its ‘parent window’ for no obvious benefit.

3. Menus on the Mac are only available ‘up there’ top left. On Windows, every window of a program has its own menu bar, which saves traveling back and forth to the top left of the screen. (Someone showed a mouse and the wear pattern under it and asked what computer it was: the constant up-and-to-the-left motion required to access menus on the Mac gave the answer!)

In other words, nobody’s perfect. In other other words, why can’t they get those minor things right?

24-hour clock, or not?

Wednesday, April 15th, 2009

The first thing I do when I get a new device with a clock is change the settings to 24-hour format (what some of you call “military time”). The discussion why I prefer this to the more common 12-hour format can be left for another time. So when I got my new iPod (160 Gb Classic), I was delighted to find out that I could have that choice; after all, it is not always available. Once I completed the settings and started playing music, I was surprised to find out that on the screen saver that kicks in after a few minutes, in addition to the ‘playing’ icon and the battery level, there, in large and clear digits stood a nice and clear digital clock — in 12-hour format. First reaction? I messed up. Back to settings, make sure it is indeed 24-hour format. Play some more music. Screen saver comes up. 12-hour clock. Duh!

GPS: Global Position, but no local time

Saturday, April 11th, 2009

My GPS — a TomTom Go920 — is one of the most advanced GPS devices I have seen, tried, and had. It’s very good at showing me how to get places, the interface is — mostly — pretty straightforward, and it can do a lot more (like play MP3 music, even broadcast it over FM to the radio; store and show pictures; much more).

But. The most ridiculous thing about it: how come a GPS, which always knows where it is, cannot tell that the local time has changed to (or from) daylight saving? My old Palm does it automatically. Most other modern — and not so modern — devices do too. Not the GPS.

Why can’t they get it right?

Monday, April 6th, 2009

My dishwasher — a modern Bosch model — is a wonderful piece of machinery. Almost. The one thing that has been driving me nuts since we got it is the beeping when a cycle is finished. Because the display is inside the door, you can’t see when it completes a cycle, so the manufacturer included a ‘feature’: the washer beeps. OK. But it doesn’t seem to stop beeping until you attend to it, like a crying baby. Finally, a friend told me there is a way to shut it up. It’s in the manual. Except that the manual says “Press and hold the right Cancel/Drain button”. Sounds simple, but there is NO ‘Cancel/Drain’ button; there is a ‘Cancel/Reset’ button. You’d say “so what’s the big deal?” My answer is, the big deal is whenever the instructions on the page and the facts ‘in the field’ don’t match, a typical user — and in particular one who is not too comfortable with technology — gets flustered: “is the ‘mapping’ from, say, Cancel/Drain to Cancel/Reset the right choice?”; “will I cause any damage by doing this (which appears to be different from what the instructions say)?”. There is no end to the possible confusion and frustration from such an apparently insignificant mismatch. Yet I keep running into these ‘slight’ (or not so slight) mismatches all the time. Why?

A friend once told me of a situation in which the company he was working for had to present some preliminary information about a project to some Japanese clients. At some point during the presentation, the Japanese got up and left the room without saying a thing. It was difficult to get them back in, and when finally they yielded they explained what had made them so upset. They had discovered a typo in one of the slides. “If you guys can’t make sure that such simple stuff is done right, how can we trust you to get the complex stuff — the project — right?” Touché.