Most security controls are like drugs that cure potent diseases but bring along undesirable side effects. These side effects reduce the ease of use of most electronic devices and services: ATMs, biometric devices, logging on to or even enrolling on web sites. The design of controls must consider how a control can be misused, so that these side effects can be eliminated or reduced. The best way, though difficult to implement, is to tuck security into the background, where it works silently and invisibly. Would we all not like to pay online with our credit card without filling in a lengthy form?
Take the case of the Reserve Bank of India (RBI) doing away with cash retraction systems in ATMs, as it found large numbers of dubious claims of non-receipt of cash. The security feature had helped customers in instances when an ATM did not disburse cash quickly and the cash was left behind by customers who thought the ATM was not working.
Another example is the locking of accounts after a fixed number of failed authentication attempts. This feature protected users from a variety of automated password attacks, reducing the risk of account compromise where the password strength was low. The same feature can also be used to create a minor inconvenience, if the account is deliberately locked by malicious individuals.
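As an added example (not from the original post), here are two lockout policies run over the same constructed sequence of attempts: a hard lock of the kind the paragraph describes, and a time-limited lock whose window doubles on each repeat. The threshold of five failures and the 60-second first window are assumed values.

```python
# Added example (not from the original post): the same constructed login
# sequence run under a hard lockout and a time-limited, backing-off lockout.
from dataclasses import dataclass, field

THRESHOLD = 5        # failures tolerated before the lock engages (assumed value)
LOCK_SECONDS = 60.0  # first lock window for the timed policy (assumed value)


@dataclass
class HardLock:
    """Locks the account indefinitely after THRESHOLD failures; needs a manual unlock."""
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        if user in self.locked:
            return "locked"
        if password_ok:
            self.failures.pop(user, None)
            return "success"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= THRESHOLD:
            self.locked.add(user)
            return "locked"
        return "failure"


@dataclass
class TimedLock:
    """Locks for LOCK_SECONDS, doubling on each repeat; attempts inside a window do not extend it."""
    failures: dict = field(default_factory=dict)
    locked_until: dict = field(default_factory=dict)
    lockouts: dict = field(default_factory=dict)

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        if now < self.locked_until.get(user, 0.0):
            return "locked"
        if password_ok:
            self.failures.pop(user, None)
            self.lockouts.pop(user, None)  # a genuine login resets the backoff
            return "success"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= THRESHOLD:
            n = self.lockouts[user] = self.lockouts.get(user, 0) + 1
            self.locked_until[user] = now + LOCK_SECONDS * 2 ** (n - 1)
            self.failures[user] = 0
            return "locked"
        return "failure"


def run(policy, events):
    """events: (time, user, password_ok) tuples; returns one outcome per attempt."""
    return [policy.attempt(user, ok, t) for t, user, ok in events]
```

With five wrong passwords against one account followed by the real user's correct password an hour later, the hard lock still answers "locked" while the timed lock answers "success", so the deliberate-lockout side effect is bounded to the lock window instead of lasting until an administrator intervenes.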
CAPTCHA is another feature, which prevents automated attacks during enrollment on web sites, but with the growing sophistication of machine reading the design of CAPTCHA phrases has become complicated for humans to read too. Invariably, user success comes only after a few tries.
There are many more such examples. Our challenge is to recognize the side effects and work out ways to minimize them, rather than let customers live with them. This requires better architectural designs and innovation in security technology.