All entries for Thursday 24 August 2006

August 24, 2006

Don't download this song

Online security & HSBC

A couple of weeks ago there was a story in the Guardian and on the BBC news web site suggesting that HSBC's online banking system is unusually vulnerable to a certain type of attack from someone trying to steal account details.

According to researchers at Cardiff University, fraudsters using "keyloggers" – gadgets or software that capture keystrokes made on a particular computer – could potentially use the data to break into the individual account of an HSBC customer. The discovery specifically relates to HSBC because of the particular design of the security system it uses to protect customer accounts. [...] Anyone exploiting the flaw would be able to break into an HSBC account within nine attempts, [the researchers] say.

I am no kind of expert on online security, but this analysis puzzles me. The way that logging in to HSBC's online banking system works is that you enter an account number, your date of birth, and then three digits chosen at random from a six-to-ten-digit security number. This makes me wonder two things:-

  1. The researchers say that HSBC are specifically vulnerable. What do other online banking providers do differently which prevents the use of key-logging tools? I can think of two things: (a) Make users click on the screen rather than type to enter certain information, because screen clicks are harder to capture and interpret than key presses. (b) Use a handheld gizmo to generate a magic number which is good only for the next few minutes, and then incorporate that magic number into the authentication process. That way whatever information you get from your keylogger is no good to you because it pertains only to this login, and is meaningless for future logins. But I'm pretty sure that there are other banks who don't do either of those two things, and, like HSBC, rely on keyboard-entered, persistent credentials. So why are HSBC unusually vulnerable?

  2. If I have a keylogger I can tell what keys you pressed while you were logging in. But HSBC ask the user to enter three randomly chosen digits from a longer secret number; e.g. the login screen will say something like "Please enter the first, second and fourth digits from your secret number", and the digits you enter are randomly chosen every time. So when I look at the records from my keylogger I see that the first time I spied on you logging in, you typed (say) 7 then 4 then 1, and the next time, you enter 4 then 2 then 5, and so on. But how do I reassemble your whole secret number from this information? I don't know which digit is which, I don't know how many repeats there are in your number, I don't know how long your secret number is. I can't see how it's done, but if I don't have your whole secret number, I can't log in as you.

But the Cardiff researchers must be on to something, because HSBC have broadly conceded that this vulnerability does exist and have promised to review their security model. So I'm forced to conclude that the only lesson I can learn from this is that I'm not smart enough to be a bank-account-stealing hacker.
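The two questions above can be put as a small risk model. This is an added example, not part of the original post or anything HSBC or the Cardiff researchers published. It assumes that whoever is observing the login learns both the positions the screen asked for and the digits typed (a plain keylogger sees only the digits, so that is an assumption), and it counts how many observed logins it takes before every position of a constructed sample security number has been seen at least once. The second half models option (b) from point 1: a code tied to the current time window, which a captured keystroke record cannot reuse.

```python
import hashlib
import hmac
import random

SECRET = "739154"  # constructed sample security number, not a real credential


def challenge(rng, length, k=3):
    """Pick k distinct 1-based positions to ask for, like 'first, second and fourth'."""
    return sorted(rng.sample(range(1, length + 1), k))


def logins_until_exposed(secret, rng, k=3, max_logins=100):
    """Risk model for the partial-digit scheme.

    A passive observer who sees the requested positions as well as the typed
    digits (assumption, see lead-in) records (position, digit) pairs. Return the
    number of observed logins after which every position is known, or None if
    the budget runs out. With a 6-digit number the minimum is 2 logins.
    """
    known = {}
    for n in range(1, max_logins + 1):
        for pos in challenge(rng, len(secret), k):
            known[pos] = secret[pos - 1]
        if len(known) == len(secret):
            return n
    return None


def mean_logins(secret, trials=2000, seed=1):
    """Average of logins_until_exposed over many random challenge sequences."""
    rng = random.Random(seed)
    return sum(logins_until_exposed(secret, rng) for _ in range(trials)) / trials


# Option (b): a time-windowed code (HMAC over the window index, in the spirit
# of a hardware token). The key never leaves the token or the bank's server.
def one_time_code(key: bytes, window: int) -> str:
    digest = hmac.new(key, window.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[-4:], 'big') % 1_000_000:06d}"


def verify(key: bytes, code: str, now: int, step: int = 60) -> bool:
    """Accept only the code for the current window; a replayed code normally fails."""
    return hmac.compare_digest(code, one_time_code(key, now // step))
```

Running `mean_logins(SECRET)` shows that a handful of observed logins suffices under the stated assumption, which is the shape of the researchers' "within nine attempts" claim; `verify` with a stale timestamp shows why a captured one-time code is worthless afterwards.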

Traditional lectures are over. Again.

In the Times Higher on 11th Aug (p5) there's another piece about the use of audio, video, iPods and mobile phones in university teaching. If you're being charitable, it's an optimistic, excited piece; if you're not, it's a little bit hyperbolic.

"The days of traditional lectures are over," predicts Carl Senior, a lecturer in cognitive neuroscience at Aston University. [...] "Universities are essentially service providers, and we are defined by the consumer. Our consumers are going to want to watch vodcasts and listen to podcasts in their pyjamas. We believe that what we are doing in Aston is pretty unique and at the absolute cutting edge of modern teaching methods."

What they are doing, in fact, is creating short audio and video clips which can be sent to mobile phones, though the article is curiously contradictory about what the purpose of these clips is. It says "they will, for example, summarise lectures and offer a digest of the following week's reading material". That would be the same lectures whose days are over, then, would it?

I'm particularly tickled by this suggestion:–

Physics undergraduates might, for example, receive a text explaining Ohm's law

I would love to see an explanation (as opposed to just a statement) of Ohm's law in 160 characters. Any physicists out there care to have a bash?

As I've said before, I'm not persuaded of this assertion that video or audio on portable devices or home computers is likely to displace lectures. I can believe that they might usefully augment traditional teaching, but if you were offered a course predicated on the exciting idea that there would be no lectures, just vodcasts for you to watch in your pyjamas, would you really regard it as an improvement? Is this actually what our consumers (bleurgh) want?

Elsewhere in the article, Gilly Salmon at Leicester university is more cautious about the effect that podcasting may have had on a course. She says:–

[The podcasting pilot] helped to raise the pass rate for an engineering module by between 2 and 3 per cent.

Enquiring scientific minds might wonder how this figure was measured. Professor Salmon wisely includes the phrase "helped to", implying presumably that the effect was actually somewhere between zero and 3 per cent. But was there a control group? What other factors might also have helped? Is this data based on repeated trials, or just a one-time change between last year and this year? What's the average change in the pass rate from one year to the next over the last few years?

I'm being a bit harsh on people whose enthusiasm and commitment to trying new things is something I admire. But I do wonder what the best way to evangelise new and interesting approaches to teaching is, and where on the continuum from caution to hyperbole one should aim for. The THES, of course, wants stories which are dramatic and full of bold assertions, so it wouldn't surprise me at all to learn that they've cherry-picked the best quotes from much longer, more measured observations that their subjects provided.

