redbird: closeup of me drinking tea, in a friend's kitchen (Default)
( Nov. 21st, 2017 02:51 pm)
We had a locksmith here this morning to replace the lock (cylinder) on the apartment door.

This is because, around lunchtime yesterday, the door to our apartment opened. The upstairs neighbor, not really paying attention, had gotten off the elevator at our floor, walked to this corner of the building, put the key in the lock of what he thought was his apartment, and turned it.

Obviously, this isn't supposed to happen. I've tried to unlock the wrong door before; sometimes the key will go in, but it doesn't turn. Yes, there are a finite number of lock cylinder designs, but apartments 31 and 51 in the same building shouldn't have the same one, because people are more likely to try to walk into the apartment right downstairs than some other random house on the same street.

Before he left, we asked the neighbor to verify that his key really did work in our lock (i.e., that [personal profile] cattitude hadn't forgotten to lock up an hour before that). Then we called building management, who said the locksmith would be here between 9 and 10 this morning. He got here about 9:15, after first changing the cylinder on the upstairs apartment. He then went back upstairs, saying he wanted to make sure we now had unrelated cylinders, returned and gave us the new keys, taking the old cylinder and keys with him.

As locksmith adventures go, this is pretty tame: nothing was lost or damaged, nobody was locked out, and it cost us nothing (though I'll be spending a couple of dollars at a hardware store to make [personal profile] adrian_turtle a new key).

I know a bunch of people who are deleting their LiveJournal accounts because they're worried about the servers now being in Russia. One of them noted that they didn't want their private data being available for Putin's use.

That strikes me as a good reason not to put anything private on LJ from now on, but what's there is there. I commented:

Don't count on SUP to actually overwrite or otherwise get rid of the data if you delete a journal. Keeping the files while claiming they were gone wouldn't even be technically difficult: the software is already supposed to keep the contents of deleted journals for 30 days in case you change your mind. My inexpert hunch is that deleting an individual entry, or editing it to replace your private content with quotes from Shakespeare or Alice in Wonderland or the first umpteen digits of pi is more likely to actually get rid of the data.

I logged in to the TIAA-CREF website today (my retirement funds are with them, because my former employer somehow qualified as an academic institution), and they wanted me to update my security profile.

That turned out to include adding security questions. The list of options this time includes, along with things that seem too easy to look up, and things that don't apply (I didn't go to the prom), several to which my reaction was "I don't know…" I could ask my mother for my maternal grandmother's middle name; I'm not sure there's any way to find out what city my paternal grandmother was born in. What country, maybe (she was born in Russia, before the revolution, and I think my father said it was Ukrainian, but we had that conversation when it would have been the Ukrainian SSR).

Still, I found some I could answer without making up something random and writing it down in the list of passwords (the software would let me put "How-would-I-know" for my grandmother's middle name, and might have accepted "pi=3.141592," but then I would need to remember having said that), and maybe I'll ask my mother for her mother's middle name the next time we talk.

If you forward a comment notification, the recipient can comment on that entry as you. Assuming no malice whatsoever, someone you know and like might state an opinion you disagree with, or say something about their life—job, relationships, medical issues…—that you would rather people not assume is true of you.

ETA: DW answered my support question: this is not an issue there, they fixed it before they went into open beta.
The chip-and-PIN authentication system is badly broken, such that a hacker/thief with anyone's chip-and-PIN Visa or Mastercard can make arbitrary purchases. The problem appears to be that these cards can be used with chip and PIN, or chip and signature, and by telling the card they're using one and the terminal they're using the other, people who know where it's broken can make purchases using any arbitrary PIN. The problem behind the problem is that there are lots of different, overlapping implementations of the security for chip-and-PIN, and lots of people with unsupported confidence that their implementations are sound.

The researchers reported this to the banking industry a couple of months ago. They note that this may explain at least some of the cases of phantom withdrawals. It may make it harder for the banking industry to deny refunds on the grounds that the challenged transactions were authenticated with a PIN: the researchers demonstrated using this attack on a system that was calling the bank for authentication, getting the authentication, and completing the transaction.

A cancelled card is still a cancelled card, and won't be authorized even with this attack. Also, it doesn't work at ATMs/cashpoints, only at merchants. But there are lots of stores that will sell any number of things that a thief either wants or can resell.

(If you're North American and don't know what chip-and-PIN is, hope that this gets fixed for real, and on a large scale, before it's implemented as "security" for our credit and debit cards.)

[via Bruce Schneier]
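The fix the post hints at (the bank seeing the card's and the terminal's accounts of the same transaction disagree) can be checked on the issuer's side. The following is an added example, not code from the post or from the researchers; the field names are a simplified stand-in for the real EMV data elements, which is an assumption, and the sample transactions are constructed.

```python
from dataclasses import dataclass


@dataclass
class AuthRequest:
    """One online authorisation request as the issuer sees it (constructed model)."""
    txn_id: str
    terminal_cvm: str      # method the terminal believes was used: "pin", "signature", "none"
    terminal_pin_ok: bool  # terminal's claim that the PIN was verified
    card_cvm: str          # method the card itself recorded performing
    card_pin_ok: bool      # card's own record of a successful PIN check


def cvm_consistent(req: AuthRequest):
    """Return (ok, reason). Approve only when both sides tell the same story.

    The fault the post describes is that each side is told a different
    story; an issuer that trusts only the terminal's view approves a
    transaction the card never PIN-verified."""
    if req.terminal_cvm != req.card_cvm:
        return False, f"terminal reports {req.terminal_cvm}, card reports {req.card_cvm}"
    if req.terminal_pin_ok and not req.card_pin_ok:
        return False, "terminal claims PIN verified, card never verified a PIN"
    return True, "consistent"


def review(requests):
    """Map txn_id -> (ok, reason) for a batch of authorisation requests."""
    return {r.txn_id: cvm_consistent(r) for r in requests}


# Constructed sample: an honest PIN purchase, an honest signature purchase,
# and the mismatch the post describes (terminal told "PIN", card told "signature").
SAMPLE = [
    AuthRequest("t1", "pin", True, "pin", True),
    AuthRequest("t2", "signature", False, "signature", False),
    AuthRequest("t3", "pin", True, "signature", False),
]

if __name__ == "__main__":
    for txn, (ok, reason) in review(SAMPLE).items():
        print(txn, "APPROVE" if ok else "DECLINE", "-", reason)
```

Only the third transaction is declined; the first two pass because the terminal's and the card's records agree.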
My bank wants me to start using their online bill-paying service, enough that they'll send me a $25 gift card if I use it three times by the middle of August.

So, I went to sign up. Created a userid, ignoring their advice to add random numbers to make one that's hard to guess, because I want one I can remember. I created a password. I then clicked to actually use the bill-paying service. It wants me to create a security key, 8 to 30 characters, with the usual "nothing that can be connected to you" suggestion, and a "virtual keyboard" that seems not to allow for punctuation. Presumably, for security, I shouldn't write that down either.

I realized that I'm not up to coming up with, effectively, another password that meets those conditions at the instant, and being sure I'll remember it next week. (Suggestions not needed, I know the tricks of that trade, but I'm mostly thinking about packing, tea, and such.)