My pin code is … ****

Yes, you read that right, I gave you my pin code, it’s … ****. Of course, unless you lack a brain, you know that **** is not even a valid pin code. It’s what you see on screen when you enter your code at any ATM. No need to protect that … or is there?

One bank in Belgium goes to great lengths to protect you from devious people trying to read that “****” while you enter your code. They have a special film on the display that makes it impossible to read the display unless you are standing perfectly in front of it. So, nobody can read that “****”, only you can. They even have a sticker on the machine telling you how they do their best to protect you.

They do not protect you in any way from someone looking at what you type on the key pad though. In fact, from the looks of it, they do their very best to make it as easy as possible for strangers to see what you are typing on the key pad.

I know many of their ATM locations are surrounded by excellent spots from which you can undisturbed see any pin code being entered on they key pad. Even when the ATM is indoors, it is conveniently located near a large bright window. A large bright window lacking any protecting measures for that matter. Someone living in the house opposite the street can easily farm many pin codes a day.

It’s good to see how smart people are doing their very best to protect me from fraud and theft. Thank you.

Some still don’t get it!

This post is about security, so if you are not into that, feel free to skip it.

Today I get a friendly email from the national railroad company of Belgium (NMBS) in which they announced a brand new site to order international train tickets. It also mentioned that instead of using my made up user name I could now use the email address I used while registering to log in.

That sounds great, another site that uses an email address to log in instead of something like “johnsmith342”.

Then they kind of messed up. For my convenience and to make sure I would be able to use their shiny new site to buy lots of international train tickets they included my password. Yes, you read that right, they mailed me my password. Without me asking for it.

They have no clue about processes and procedures for dealing with passwords. They are not helping the world in teaching people how to deal with authentication secrets, social engineer and phishing.

I can only hope the password is not stored clear text. Due to password policies it is often necessary to access the password in clear text, only storing a hash is not working any more. Common databases like Microsoft Active Directory, Novell eDirectory and probably many others use two way encryption to store passwords. They have many secure access layers between a public api and the encryption keys to access to the clear text version of the password.

Honestly, emailing me my own password without my consent doesn’t generate a lot of trust in how they deal with sensitive information. That includes my trust in how they store my password in their systems.