Questions from a reader

A friend and reader left some great questions in the comments section of a recent post. I’ve answered three of them today, and will answer the rest in a future post.

1) You mention that you change your online banking passwords every three months. What is your reasoning for doing this? If you have a high security password, is there an increased risk in it being broken the longer you keep using it?

I change my critically important passwords (banking and email) every three months just in case someone has figured them out. The biggest risk, as I see it, is from keyloggers. If keylogging software lodges itself on your computer even for a couple of days (in between virus scans, for example), it could steal your passwords and send them to a bad guy without tipping you off that anything is wrong.

2) Do you recommend having a different password for every different type of account you have? What are the risks in using the same password for multiple things?

I recommend having a different password for each of your important accounts. The risk of using the same password for everything is that someone who gets the password to one of your accounts gets access to all of them. Your bank probably does a good job of preventing people from getting into their databases, but shareyourpicswithfriends.com may not. If you were a hacker, how would you approach this problem, knowing that many people use the same password over and over?

Personally, I use the same password for accounts that would not cause me to weep if a criminal got access to them. I use distinct, strong, and frequently changed passwords for the rest.

3) I see the security threat in forgetting to log out of an email account, bank account, etc. at a public computer; someone could come on the computer after you and breach your privacy. Is there a threat in keeping accounts open for an extended period of time on a private computer?

I’m not very concerned about it. There is a danger that information sent from your computer to, say, your bank’s servers (and back again) is intercepted by some clever person, but there is little you can do about this. You can avoid wireless connections or avoid the internet completely, but most people (including me) would find this to be an unacceptable tradeoff.


The cost of phishing

Late last year, Consumer Reports determined by survey that one in 81 Americans got phished in 2007. The average phishing victim lost $200.

What does this mean for you?

People who assess risk often talk about “expected costs”, which they calculate by multiplying the probability of an event by its cost. The expected cost, then, of getting phished in a given year is $200 × 1/81 ≈ $2.47, or about $2.50.

How can we make sense of the $2.50 figure? One way to think about it is this: it is the amount you would have to pay an insurance company each year for them to be willing to pay out your losses to phishing, should they occur. If the insurance company covered all Americans at this rate, it would break even on its payouts (before any overhead or profit).

Seen this way, the threat of phishing isn’t that great. Keep in mind that $2.50 is an average over everyone, including the 80 in 81 who lost nothing; the person who actually gets phished loses $200 on average, and some lose a good deal more. The danger of identity theft when phishers get your bank account information is perhaps greater, but the actual monetary loss, at least on average, is minimal.

Banks get it

I changed my banking passwords today, something I do about every three months. After doing so, I received emails from each bank informing me that my passwords had been changed – and advising me that I ought to get in touch with them if I had not done the changing. Here’s the email I got from RBC:

[Image: email from my bank after I changed my password]

What they get right

They get a couple of things right. First, sending an email to me when my password is changed is a great idea. If someone else had changed my password, I would learn about it quickly. (What would happen, though, if that person changed the email address on file at the same time? No problem: when an email address change is made, a notification is sent to the old email address, so the real owner still hears about it.)
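The notification policy described above can be written down quite compactly. What follows is an added example, not code from the post or from RBC: every sensitive change produces a notice addressed to the email on file before the change, so an attacker who swaps the address first and then resets the password still tips off the real owner. The account record, the addresses and the in-memory outbox are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class Notice:
    to: str      # address the notice is delivered to
    event: str   # one-line description of what changed


@dataclass
class Account:
    name: str
    email: str
    password_hash: str
    # Constructed stand-in for an outgoing mail queue, so the example runs offline.
    outbox: List[Notice] = field(default_factory=list)

    def _notify(self, to: str, event: str) -> None:
        self.outbox.append(Notice(to=to, event=event))

    def change_password(self, new_hash: str) -> None:
        """Change the password and tell the address currently on file."""
        self.password_hash = new_hash
        self._notify(self.email, "password changed")

    def change_email(self, new_email: str) -> None:
        """Change the address on file and notify the OLD address as well as the new one.

        Notifying only the new address would let an attacker who swaps the address
        first silence every later notice, so the old address always gets one.
        """
        old = self.email
        self.email = new_email
        event = f"email address changed from {old} to {new_email}"
        self._notify(old, event)
        self._notify(new_email, event)


def notices_for(account: Account, address: str) -> List[str]:
    """Events the holder of `address` would have been told about."""
    return [n.event for n in account.outbox if n.to == address]


def simulate_takeover(owner_email: str) -> Account:
    """Attacker changes the email first, then the password; returns the account."""
    # Name, hash values and attacker address are constructed placeholders.
    acct = Account(name="Jane Doe", email=owner_email, password_hash="hash-of-old-password")
    acct.change_email("attacker@example.net")
    acct.change_password("hash-of-attacker-password")
    return acct


if __name__ == "__main__":
    acct = simulate_takeover("jane@example.com")
    print("owner was told:", notices_for(acct, "jane@example.com"))
    print("attacker was told:", notices_for(acct, "attacker@example.net"))
```

The owner's original address receives exactly one notice, the email change, which is enough to prompt a call to the bank; the later password-change notice goes to the attacker's address, which is why the email-change notice to the old address matters.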

Second, they assure me in the email that “RBC will never ask you to provide, confirm or verify confidential information like your online banking ID, password, account numbers, balances or PIN through regular email.” That’s super. If I ever get an email asking me to confirm confidential information, I’ll know it’s fake.

What they get wrong

I do have one minor complaint. It would be better if my bank refrained from including phone numbers and clickable links in the email. I could imagine a scenario where a phisher sends an email identical to this one, except that the links and phone numbers direct the user to a phishing source. Once the user is on the phisher’s website or is talking to a phisher, he might forget all about the promise in the email to never ask about confidential information.

On the other hand, if banking customers get used to the idea that legitimate banks never send emails with links or phone numbers inside them, phishers would indeed have trouble getting people to contact them.

Edited to Add (2 Mar 2008): Note that my bank included my name in the email, something many banks do. So if you ever receive an email from what is ostensibly your bank that lacks your full name (“Dear Customer” or the like), be wary.
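The tells collected in this post (links or phone numbers in the body, a request to confirm confidential information, and a generic salutation instead of the customer's full name) can be turned into a quick screening check. Below is an added example, not part of the original post, that runs those heuristics over two constructed emails; the regular expressions, the sample texts, the customer name and the .example domain are all assumptions made for the example. One caveat it handles: the bank's own promise that it "will never ask you to ... verify" confidential information uses the same verbs a phisher does, so the credential-request check skips sentences containing "never".

```python
import re
from typing import List

# Heuristics drawn from the post: legitimate bank mail should carry no links or
# phone numbers, should never ask for confidential information, and should use
# the customer's full name. The patterns below are assumptions for this example.
URL_RE = re.compile(r"https?://\S+|\bwww\.\S+", re.IGNORECASE)
PHONE_RE = re.compile(r"(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}")
GENERIC_SALUTATION_RE = re.compile(
    r"^\s*dear\s+(?:valued\s+)?(?:customer|client|member|user)\b",
    re.IGNORECASE | re.MULTILINE,
)
CREDENTIAL_REQUEST_RE = re.compile(
    r"\b(?:confirm|verify|update|provide)\b[^.\n]{0,60}"
    r"\b(?:password|pin|account number|banking id|card number)\b",
    re.IGNORECASE,
)


def _sentences(body: str) -> List[str]:
    return [s for s in re.split(r"(?<=[.!?])\s+|\n+", body) if s.strip()]


def phishing_flags(body: str, customer_full_name: str) -> List[str]:
    """Return the warning signs found in an email body (empty list = none found)."""
    flags: List[str] = []
    if URL_RE.search(body):
        flags.append("contains a clickable link")
    if PHONE_RE.search(body):
        flags.append("contains a phone number")
    if GENERIC_SALUTATION_RE.search(body) or customer_full_name.lower() not in body.lower():
        flags.append("does not address the customer by full name")
    # A bank's "we will never ask you to verify your PIN" uses the same verbs as
    # a phisher's "please verify your PIN", so negated sentences are skipped.
    for sentence in _sentences(body):
        if "never" in sentence.lower():
            continue
        if CREDENTIAL_REQUEST_RE.search(sentence):
            flags.append("asks for confidential information")
            break
    return flags


# Constructed samples, modelled on the email described in the post.
CUSTOMER_NAME = "Jane Doe"

LEGITIMATE_NOTICE = """Dear Jane Doe,

Your online banking password was changed on 1 Mar 2008. If you did not make this change, please sign in at the address you normally use and review your security settings.

We will never ask you to provide, confirm or verify confidential information like your online banking ID, password, account numbers, balances or PIN through regular email.
"""

PHISHING_ATTEMPT = """Dear Customer,

We detected unusual activity. Please verify your online banking ID and password at http://bank-security-check.example/verify within 24 hours or call 1-800-555-0199.
"""

if __name__ == "__main__":
    for label, body in (("legitimate", LEGITIMATE_NOTICE), ("phishing", PHISHING_ATTEMPT)):
        print(label, phishing_flags(body, CUSTOMER_NAME) or ["no warning signs"])
```

The legitimate notice comes back clean and the phishing attempt trips all four checks. These are hints for a human reader, not a filter: a phisher who knows the target's full name defeats the salutation check, and a legitimate bank that includes a phone number, as the post's does, will trip that one.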
