Wednesday, 30 January 2008

What will happen when Yahoo Site Explorer stops functioning

There are not that many functional tools for finding links left - Yahoo Site Explorer rules and is the most frequently referenced tool.

Google Webmaster Central is great for finding out your own links but what about finding your competitors'?

Wednesday, 23 January 2008

More on Card and Reader

Bloggers among UK Barclays Bank's customers went ballistic last year after the bank rolled out a Card and Reader solution similar to Tatrabanka's I ranted about yesterday.

I griped about the new security device - a card and reader issued to me involuntarily to use with internet banking transactions. My main gripe: the poor, poor user experience. I would need to carry the bulky device, which won't fit in my wallet, with me to log in to Internet banking. The branch office refused to issue me with a second one (even though I offered to pay for it).

An anonymous but kind reader pointed out in the discussion on my blog post that Barclays Bank in the UK introduced a similar solution in 2007 (on different hardware from another manufacturer). In the Slovak blogosphere the response has been largely favourable, orchestrated by Tatra Banka's PR. Bloggers who previewed the card reader seemed to like it. Unlike me, though, they probably don't make tens of online payments from numerous locations.

I have now had a chance to read up a little on the response of Barclays's customers (anger and a petition against the new device) as well as on actual security reasons for introducing the card and reader solution in general.

So let's look at the positives. Masabi, a company which offers a security solution for transactions, explains incredibly well what the key vulnerabilities in internet banking are. Simply having a password of some form (e.g. a PIN and perhaps a code from a grid card) is easy to compromise: someone finds out your passwords and can transfer funds out of your account easily.

A stronger standard is a two-factor protection solution (also known as 2FP), which combines something you know (e.g. a password) with something you have (e.g. a card reader and credit card, or a SecurID). The problem is that these can be compromised too with something called a man-in-the-middle (MITM) attack - someone inserts themselves into the internet connection between you and your bank (e.g. by hacking into your wireless router or running a compromised wireless router), serves you a page pretending to be your bank's, lets you enter the one-time password generated by the SecurID or by the card reader with card, and uses it to authorise another transaction (not the one you intended). The one-time password proves you hold the token, but it says nothing about which payment you meant to approve, so whoever holds the connection can attach it to a payment of their own choosing. If I have lost you here, do read the Masabi blog entry linked to above.

A card and reader solution as employed by Tatra Banka addresses this vulnerability by making you enter the payee account number and the amount for each transaction into the card reader, which then generates a code unique to this very transaction. If the man in the middle swaps the account number, the code no longer matches and the bank rejects the payment. Pretty damn secure and pretty damn clunky.
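To make the difference concrete, here is a small simulation I have added to this post (it is not code from Masabi, Tatra Banka, Todos or RSA). It models a SecurID-style time-based token and a card-reader code that is bound to the account number and amount, puts a man in the middle on the connection who rewrites the destination account, and checks what the bank's ledger ends up showing in each case. The secret, account numbers, amount and the 60-second step are all made-up values for the example; the real devices use their own algorithms, not this HMAC construction.

```python
"""Simulated internet-banking authorisation: a time-based token (SecurID style)
versus a transaction-signing card reader, and why only the latter survives a
man in the middle who rewrites the payment. Added example, not bank code."""
import hashlib
import hmac

# Constructed per-customer secret shared between the bank and the token/card.
# In a real deployment it lives in the token and the bank's HSM, never in the browser.
CUSTOMER_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")
TIME_STEP = 60  # seconds; the page notes the SecurID code changes about once a minute


def _truncate(mac: bytes, digits: int) -> str:
    """Reduce a MAC to a short decimal code of the kind a token displays."""
    return str(int.from_bytes(mac[:8], "big") % 10**digits).zfill(digits)


def time_otp(secret: bytes, now: int) -> str:
    """Time-based one-time password: depends only on the secret and the clock,
    so it proves possession of the token but is not tied to any payment."""
    step = (now // TIME_STEP).to_bytes(8, "big")
    return _truncate(hmac.new(secret, step, hashlib.sha256).digest(), 6)


def transaction_code(secret: bytes, account: str, amount: int) -> str:
    """Card-and-reader code: the customer keys the payee account and amount
    into the reader, so the MAC is bound to exactly that payment."""
    msg = f"{account}|{amount}".encode()
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest(), 8)


class Bank:
    """Toy bank back end that verifies whichever scheme the customer is enrolled in."""

    def __init__(self, scheme: str):
        self.scheme = scheme
        self.used_codes = set()  # one code authorises one payment (replay check)
        self.ledger = []         # (account, amount) pairs that were actually paid

    def submit_payment(self, account: str, amount: int, code: str, now: int) -> bool:
        if self.scheme == "time_otp":
            expected = time_otp(CUSTOMER_SECRET, now)
        elif self.scheme == "card_reader":
            expected = transaction_code(CUSTOMER_SECRET, account, amount)
        else:
            raise ValueError(f"unknown scheme {self.scheme!r}")
        if code in self.used_codes or not hmac.compare_digest(code, expected):
            return False
        self.used_codes.add(code)
        self.ledger.append((account, amount))
        return True


def mitm_attack(scheme: str, now: int = 1_200_000_000) -> tuple:
    """The customer intends to pay INTENDED_ACCOUNT; the attacker sitting on
    the connection forwards the customer's code with the destination swapped
    to ATTACKER_ACCOUNT. Returns (attacker_paid, customer_payment_went_through)."""
    intended_account, attacker_account, amount = "SK1111", "SK9999", 50_000
    bank = Bank(scheme)
    # The code the customer reads off the token or reader and types into the page.
    if scheme == "time_otp":
        code = time_otp(CUSTOMER_SECRET, now)
    else:
        code = transaction_code(CUSTOMER_SECRET, intended_account, amount)
    # The attacker rewrites the request in flight but cannot recompute the code.
    bank.submit_payment(attacker_account, amount, code, now)
    # Afterwards the customer's real payment is forwarded with the same code.
    bank.submit_payment(intended_account, amount, code, now)
    return ((attacker_account, amount) in bank.ledger,
            (intended_account, amount) in bank.ledger)


if __name__ == "__main__":
    print("time-based token:", mitm_attack("time_otp"))     # attacker paid, customer not
    print("card and reader: ", mitm_attack("card_reader"))  # attacker rejected, customer paid
```

With the time-based token the bank happily pays the attacker and then rejects the customer's own payment as a replay; with the reader code the attacker's rewritten payment fails the check and the genuine one goes through. The replay set also reproduces the SecurID annoyance mentioned further down: a code, once spent, cannot authorise a second payment until the clock rolls over.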

What then? How does this security/usability trade-off resolve? Here are my thoughts:
1. Even some of the weaker solutions are good enough for most situations. Tatra Banka presently uses a code sent to my mobile phone for me to sign in to the internet banking application (a form of two channel protection). This can be compromised only if someone simultaneously knows my password and gains access to my mobile phone.
2. Barclays uses the device to sign in and to authorise payments to new recipients - i.e. if you have paid into an account number before, the bank does not require you to authenticate the transaction. This seems a pretty sensible way to sort higher-risk transactions from lower-risk ones.
3. You must recognise that, in as much as online bank fraud has costs, making hundreds of thousands of clients carry an undesirable device and punch in numbers has costs too, in terms of their time and convenience. You can transfer some of the risk onto the client and let him or her decide how much security they desire. You can do this either by letting them take some of the fraud risk if they opt to use online channels or, even better in my opinion, simply charging them more if they refuse to use the clunky, secure solution (or rather giving a discount to clients who agree to carry around the calculator and punch in all account numbers and amounts twice).
4. You can build a statistically acceptable solution (i.e. less secure than the extreme version but secure enough on average to keep online fraud losses bearable) by combining the existing elements judiciously and only requiring high security on selected transactions. As with (much less secure) credit card payments, if something seems fishy, you can simply call up the client on the phone and check. Also, in Tatra Banka's case, you can reduce some of the costs of using the device, e.g. by allowing clients to have multiple devices - if I have one for home and one for the office, I at least don't have to carry it around every day.
5. Let the device actually be usable as a calculator; if it looks like one, it may make it more worthwhile for some people to carry around (if I were the smooth type in a suit with a briefcase, I guess I wouldn't mind as much, but I don't always carry a bag around).

If you do this the Tatra Banka or Barclays way, do not be surprised that there will be many frustrated and pissed-off clients (a column in the UK's Independent newspaper predicts Barclays may lose customers to banks which skip this technology and wait around for the more usable next generation). Barclays has been clever about letting its users not use the device if they get too upset (see the comment by VW). Some clever guy in the UK hooked up the reader to an SMS board, stuck his credit card in permanently and can now receive the required code by SMS.

P.S. I read lots of discussions in various UK forums. Here are a few additional points to consider. What happens when you (a) lose your card, or (b) lose your reader when travelling? What about visually impaired users?

Tuesday, 22 January 2008

Back with more Tatrabanka ranting - the Calculator

UPDATE Jan 22, 2008: I have corrected the text below to make it clear that I have no information that someone paid bloggers to praise the Tatrabanka 'calculator'. What I meant was that I saw several favourable reviews of the device, which seemed as if they were paid for without any disclosure of the nature of the deal and found a blogger (linked to below) who felt the same way.

A representative of the PR agency, which carried out the calculator's PR campaign emailed me saying that the agency simply provided the device to bloggers for testing. My contacts confirm this.

I apologise to Tatra Banka and its PR agency Neopublic Porter Novelli for the unintentional insinuation - it seems that, unlike me, the bloggers praising the 'calculator' genuinely liked it.

What better way to get back to blogging in 2008 than with more ranting on Tatrabanka - my bank. I am being forced to use an immensely impractical 'calculator' to access my internet banking under the pretext of making my transactions safer. Tatra Banka is the first in the Slovak market to introduce this ingenious 'card&reader' solution - they brag about it all over and have provided the device in advance to young bloggers who have given it pretty good reviews. So what if it makes a few clients angry?

Anyway, as soon as I realised the details of this evil device I've come to call the calculator (it looks like one, with buttons and a screen, but of course has no calculator functionality), I called Tatrabanka's Dialog phone line and gave the poor soul on the other end of the line an earful - I asked them to pass my complaint on to someone in charge and received no response. I also visited Tatra Banka's website devoted to promoting this ingenious solution and submitted a complaint through their form (no response). Hence I am unloading here.

I believe Tatrabanka has a special position among sophisticated clients in Slovakia (although I have no hard statistics on this). Having started from scratch in the early 1990s after the end of one-party rule, Tatra Banka used to be very different from the post-Communist banking dinosaurs.

It had a fresh, blue image, young friendly faces and a functioning internet banking platform. Having a Tatrabanka account is almost de rigueur among web-savvy Slovak companies for these and other reasons. At our company, when we send out invoices, about three quarters of our clients (who are all web-aware) have Tatrabanka accounts - a network effect must be at work here, since having an account in the same Slovak bank reduces bank transfer time from two days to instantaneous.

I have been banking with Tatra Banka since 2000 and, after a brief and aborted attempt to switch to Unibanka (now Unicreditbank), Tatrabanka remains the only bank I use (not counting the ING Konto, a super and unmatched savings account). Occasionally I get frustrated with them but usually a trip (or two) to the branch resolves matters - that's what sets them apart in my mind from the other Slovak banks I've had experience with (there were many - Ludova banka, Slovenska sporitelna, Vseobecna uverova banka, Unicreditbank).

Enough of an introduction. Right now, Tatra Banka has made me very frustrated - they have made a move that directly inconveniences me and makes their award winning internet banking unusable for me.

Over time, authentication procedures for Tatra Banka internet banking have evolved - from using a grid card to sending a code to my mobile phone by SMS on login. For payments no additional authentication was required. However, to get over a daily transfer limit of Sk 100,000 a SecurID was used - a small credit-card-sized token displaying numbers on an LED display.

The SecurID had its disadvantages - notably the one Daniel found, where once you had used the number for a payment you had to wait up to a minute for a new number to appear for your next payment, even if you were fast enough to enter two payments within that time. Nonetheless, a satisfactory solution for my needs. I carried it around in my wallet and used it to make transfers whenever and wherever I needed.

Then, suddenly a few weeks ago I pulled my SecurID out of my wallet to find the LED display cracked - fair enough after carrying it in my back pocket for several years.

Enter the Calculator

Tatra Banka no longer issues SecurIDs - it is now pushing its new, market-leading solution, which is much safer, much more overhyped and much more bulky. You get issued a card reader (made by the Swedish company Todos), the size of a credit card but five times thicker. Why does this make me angry?

The 'calculator' cannot be carried around in your wallet because it is too bulky and fragile. Unless you carry a purse you must keep it in one location - at home or at the office. I bank at Tatrabanka both privately and with the company, so I would like to use it at both locations, but the bank will only issue one of the little miracles to me.

The 'calculator' makes you work harder - to enter a payment you must type in the account number and the amount to generate a verification code. This is a hassle - account numbers often have 10+ digits and it is bad enough to have to type them in once. Of course, this would be no big deal because you can turn the use of the calculator on and off - you can keep it off unless you need to exceed the SKK 100,000 daily limit.

But here comes the catch: once you turn it on for authorising individual payments, it automatically becomes the method of authorisation for logging in to internet banking and it CANNOT be turned off anymore. In other words, once you use it you are stuck either carrying it around or stuck without access to your accounts online.

According to a press release from the calculator's producer, the calculator "in the future will be the only authorization tool for all its banking channels". Well, let me tell you: this is not a future I look forward to and I will start looking for a bank that cares a little more about the comfort of its clients.

P.S. Apparently I am not the first to notice (link to blog in Slovak) that the 'calculator' is a hassle, although several Slovak bloggers have given it highly favourable reviews at launch time without stating explicitly whether or not they have been rewarded for their efforts.