ThePickards
standards, accessibility, and ranting and general stuff by the web chemist

Three reasons, actually. The first one is basic common or garden paranoia.

I consider it more likely that my computer will become compromised than that my house will be burgled by a burlgar who manages to locate the wall safe behind the Hans Holbein painting in the Billiard Room, somehow get the safe open, get access to my bank books and then either successfully guess my signature or PIN.

Particularly since I don’t have a Billiard Room, a Hans Holbein painting or a wall safe.

I use an up-to-date Virus Checker, an up-to-date firewall, an up-to-date browser (which isn’t Internet Explorer, which is the one most frequently targeted), up-to-date spam filters and I don’t open email attachments I’m not expecting unless the text associated with them is sufficiently personal to convince me that it has been deliberately sent by that person, and I always close my internet connection when I’m not actively using it.

I also try and avoid “dubious” sites. It’s one thing to minimise the likelihood of coming across them — using legitimate, licensed software is a good start, rather than downloading Trojans masquerading as product key generators. It’s more difficult to prevent ever encountering them.

For example, a few months ago, I was reading some technical piece about web design. It contained a link to another site which would supposedly tell me further about a particular item of interest. Unfortunately, that destination site had been taken over by something which was claiming to be “the best search engine in the world” and was bedecked with adverts for online casinos and pharmaceuticals. I guessed that this wasn’t the original target of the link, but that the previous domain holder had probably not re-registered the domain and it had then been taken over by someone else, along with their somewhat less trustworthy content.

Not only that, but it’s not a one-way process: all the time you are connected to the internet, other people can theoretically connect back to you, and will be trying to remotely hack into your computer. Back in 2004, one experiment revealed that an unprotected PC with a broadband connection was subject to three hundred and forty-one hacking attempts in an hour. Which, when one firewall I had showed the number of intrusion attempts whilst connected, I can quite believe.

Even if you’re fully firewalled and anti-virused up, you’re only as good as your most recent update or set of patches. And even then there is no guarantee that the most recent toolkit will protect you from every wild virus:

Tests in February 2007 showed that the latest versions of McAfee Virus Scan and Symantec Norton Anti-Virus only detected 99.62% and 99.68% of all known ‘wild’ windows viruses. Okay, that’s a fairly high hit rate, but there are still some they would miss: and against Trojans and back-door hacking attacks the protection rate (although still high) is lower.

So they might block out the majority of attacks, but that isn’t the same as all of them.

Therefore I don’t ever assume that my computer is virus-free, even if it tells me that it is. For a start, I have some bad habits too: I generally run using an administrator account, meaning that if my computer is compromised, whatever has gained access will have administrator priviledges. That’s basically because I’m too lazy to create two accounts and switch between them as necessary. Also, I don’t use a different password for every single thing. I don’t just have one password, but I do just have about twelve because otherwise my chances of remembering them are about nil.

To counter this, I have various habits which I use to reduce the chances of my passwords: I don’t type them in. I either have them remembered automatically by cookie, by my browser or I cut and paste various sequences of text together to generate my password. This last method wouldn’t prevent my passwords from being stolen, it would only close off one route to stealing them — that of using a keylogger.

A keylogger is a piece of malicious software that is installed on your machine and runs silently and undetected (the ones which get detected get removed!) and records every keystroke you press. Every now and again, your entire keystrokes get uploaded to some server owned by the hackers, who go through every keystroke you’ve typed in, normally looking for things that look like bank account or credit card details so they can use them to empty your accounts.

Like I said, it’s verging on paranoia, when you consider that I’ve got pretty decent, up-to-date anti-virus protection, I’ve got a pretty decent, up-to-date firewall, I take some sensible precautions when browsing (probably more than most) and I still consider that there is a chance that my PC is compromised. I accept it’s a small chance, but I’m not ruling it out entirely…

So that’s one of the reasons I don’t bank online: I think Burglar Bill in the Billiard Room is less likely than Harry the Hacker on my hard drive.

The second is that I have considerable faith in human nature to cock things up and act incompetently (as a rule of thumb, where some people think “conspiracy story”, I think “cock-up”).

In other words, if it turns out I have trusted organisation X with my data, I don’t trust them to keep it secure. Not because I don’t trust their firewalls, security policies and the like, but because the stories you hear generally involve someone trusted to access data not processing it properly (like when a Newcastle Council employee released 54,000 sets of credit card details onto the web) or when laptops containing personal data and not sufficiently secured are stolen (as has happened to Nationwide and Marks and Spencer).

Although in these sort of cases when the data is not ‘hacked into’, all records, not just those of people who have conducted online transactions, are likely to be vulnerable, so in this regard ‘personal banking’ isn’t much safer than ‘internet banking’.

Thirdly, aside from my internet security paranoia (possibly brought on by the fact that I’m mates with our Network Security Officer), there’s also what given recent news items, I could call the ‘Northern Rock effect’.

(For anyone outside the UK, Northern Rock is either the UK’s largest morgage lender or one of the largest, but because of issues relating to the sub-prime debt market in the US, they’ve found it more difficult to borrow money from other banks, meaning that they have had to borrow a certain amount of money from the Bank of England, causing investors to panic and to try and withdraw all of their money and the share price to collapse).

I’ll declare an interest here: I used to work for Northern Rock and they gave me my break in the IT sector. I left because at the time I was offered a promotion opportunity with a year 2000 retention bonus elsewhere, and was not offered either a promotion or a retention bonus to stay, so they failed to ‘retent’ me. I feel I left on good terms however, and I certainly don’t have any form of axe to grind.

Northern Rock’s assets in terms of mortgages is significantly in excess of the investment funds they hold. I don’t know the exact figures but I think the ratio is something like £120 billion in mortgage book assets in comparison to around £20 billion in investments. The main problem here is that obviously you only get access to this mortgage cash on a drip-feed basis, and they need liquid cash in order to be able to give out more mortgages and keep the business going. With the markets being less willing to lend money out, it’s proving more difficult for them to obtain, hence the current situation.

But I’m wandering off the point. The point is, if I was a Northern Rock investor wishing to withdraw money, and I had a passbook account, I could have joined the queue in one of the branches, and after waiting for some time, have been able to withdraw my money. I might have had to wait a while, but I would have moved forward in the queue. If I had an internet-only account and the site was down (whether through high demand causing bandwidth problems or whatever), I’m stuffed. No access to the money at all.

It’s the same principle as buying anything. If I buy a product in a shop that is sub-standard, I can go back to the shop and noisily kick up a fuss about it, putting other customers off until such point as they have rectified my complain. And I’ve done this before with some degree of success. If I’m buying something online, however, and the product or service is substandard, it’s much harder to kick up an effective fuss (although not impossible as my tussle with Lothian Buses demonstrated). That’s another reason I prefer to shop in person.

Hmm. So rather than me turning out to be someone who takes sensible precautions and knows my consumer rights, it turns out that I’m paranoid, don’t trust people to do their jobs properly and I like to complain. Damn, I had been sure I was going to come out of this looking good…

This entry was posted on Thursday, September 27th, 2007 at 8:04 am and is filed under Scams & Spams, The Pickards, Web. You can follow responses via my RSS 2.0 feed. You can leave a response or trackback from your site.