To all,
Friday, October 1, 1999
Autumn is season
for
forgotten PIN codes
As summer sun fades after the
holidays so too does memory of vital
PIN numbers with queries peaking,
writes Fiona Murphy. My secret
journal will be secret forever. I have
forgotten the password that seemed
so canny two months ago. Now I am
locked out of my private ruminations.
The information technology world has its
seasons just as much as ducks and trees
and dogs and cats. Late summer is the
peak for forgotten passwords and PIN
numbers and the helplines take on extra
staff to deal with the surge in calls.
The feint neural pathways across the
brain made by words and numbers which
have no emotional weight are washed
away in a few weeks by the tides of
summer.
The brain is designed to flush out what it
regards as emotionally insubstantial.
Underlying the early September surges in
calls to helplines and banks, there is
growing evidence that the problem is
getting worse, as people are required to
remember more and more arbitrary
numbers.
Research confirms the greater the
memory load, the greater the likelihood of
failure. According to one company of IT
analysts, the Gartner Group, an employer
with 2,500 desktop computers can spend
more than £500,000 (euro 620,000) a year
resetting passwords. Industry estimates
say 20 to 50 per cent of all calls to
company help desks are from people
needing passwords reset.
There is a lot of research going on to
replace or improve PINs and passwords
but the problem is itself a testament to
their ubiquitous success. It is impossible
to lead a worldly life without them.
What cheaper way could there be to
securely identify certain people and keep
the rest out? They guard bank accounts,
homes, computer files, school buildings,
mobile phones and websites. They have
eliminated armies of doormen and bank
tellers, saved on endless excursions for
meetings. If only there weren't so many of
them.
"Most people think of memory as a store
room," says Prof Martin Conway, author of
Congnitive Models of Memory, "when in
fact it is dynamic, a mean system. Unless
you are allowed to choose a number such
as your birthday, the best way to
remember is to integrate the password
with something already in your long-term
memory". Called "mapping", this process
involves laying the thing you hope to
remember over something else already
fixed in your mind.
One champion memoriser was a running
fanatic and he turned the figures he was
given into running times. The mnemonic
systems of the ancient Greeks, used until
printing came along and revered as one of
the five elements of rhetoric, involved
placing the information in an orderly way
along an imaginary architectural
structure. However, if you turn 3288 into
an eye-popping mnemonic such as a bust
to hip measurement and 1347 into the
height of a mountain, it only adds to the
clutter.
It seems the public is not ready for this
unexpected chore. In IT jobs, or
management consultancy, where some
people have to manage more than 100
passwords at any one time, they have
taken to loading up Palm Pilots with
encrypted programs where their secrets
are stored, so that all they have to
remember is one PIN number and the Palm
Pilot itself. Even that is not easy.
The Stone-Age version is to make coded
entries in your address book, but banks
sternly discourage writing PINs down
anywhere, and, obediently, most people
are still trying to keep them in their heads.
Banks, whose main concern is growing
levels of fraud, have put a lot of money
into biometric methods of identifying their
customers. Eyeballs and fingerprints are
harder to steal, and impossible to forget.
"But biometrics just isn't accurate enough
yet," says Mr Richard Tyson Davies of the
Association of Payment Clearing Services
(Apacs) in Britain. "A failure rate of one in
1,000 sounds good, but that means the
supermarkets turning away 70,000
enraged customers every day."
"Biometrics is not as secure as it seems
either," says Mr Arthur Kaletsky, of Scott
Polar Research in Cambridge. "Your retina
goes down the wire as a string of
numbers. If someone is tapping the line, it
doesn't matter how long the number is.
Then you would have real problems with
your identity."
Contrary to the impression given by scare
stories, the main security problem is not
the PIN; it is the credit card itself. The
chances of a thug peering over your
shoulder, seeing your number, bashing you
on the head and snatching your card are
tiny. The French use PIN numbers for all
transactions now instead of signatures,
and fraud has dropped to negligible levels
there.
However, the magnetic striptype credit
card numbers are just ridiculously easy to
rattle off down the phone or on the
Internet, and, compared to, say, bank
notes, a breeze to copy. The banks are
fighting back with so-called smart cards,
but PINs will stay.
Smart cards were invented by the French
20 years ago. The original idea of a credit
card - a piece of hardware combined with
a secret code to securely identify the
person using it - will still be there, but
instead of the magnetic strip the cards
have a tiny chip which generates a
different encrypted number every time
they are used. The PIN is never
transmitted down the wire and the chip in
your pocket, can't be accessed by
counterfeiters. For the foreseeable future,
they would also be prohibitively expensive
to fake.
"The beautiful thing about them," says Mr
Frederic Engel of ActivCard, which is
making the new Visa and Mastercards for
Britain at the moment, "is that unlike
stupid cards [with a magnetic strip] they
are also capable of multiple functions.
They could be used at work, on buses, on
the Internet, in shops, banks, gyms - like
an electronic wallet. We could all go back
to one PIN."
However, these wonderful objects are not
quite what we are going to get straight
away. The banks are still wrangling over
who would own what if the smart cards'
functions were to be shared. A simpler
version will be marketed over the next few
years; there will be no escaping the
proliferation of codes for a while. But is it
that attractive to imagine your all-singing
all-dancing smart card, issued by a bank,
brimming with personal details? Would we
want our level of security clearance at
work, our account details, which
depilatory we use and whether we eat
between meals all revealed to the same
institution?
PIN numbers will shortly be the only thing
which the commercial world doesn't know
about us. - (Guardian Service)
ireland.com:80/newspaper/finance/1999/1001/persfin17.htm
steve |
