Tuesday, November 19, 2013

Improved online security - banking with Rorschach

Security is hard, and nothing can ever be completely secure.

Banks, large and small, have tried to improve the security of online transactions. One way to do this is to enhance the login process. Rather than just having a user enter a username and a password, the system (called PassMark or SiteKey depending upon the bank) shows the person a picture and a phrase that they chose when the account was set up, and they are supposed to enter their password only if the picture and phrase are the ones they remember. In the Bank of America example, a picture of an animal appears along with the phrase "Ground Hog" that the account holder chose to associate with it. The idea is to let the customer check that they are really on the bank's site before handing over a password, not to add a second secret.

Of course, even this method is not 100% secure. The picture and phrase are hints shown to the user, not secrets the user types, so they protect only as well as the user's habit of refusing to log in when they are missing or wrong. And because the bank displays them once a username (and, on an unrecognised machine, the answers to some challenge questions) has been supplied, a phishing site that relays what the victim types to the real bank can fetch the right picture and phrase and show them back, after which the password is collected as usual.

But what if the picture were more abstract?

Carnegie Mellon University computer scientists have developed a new password system that incorporates inkblots to provide an extra measure of protection when, as so often occurs, lists of passwords get stolen from websites.

This new type of password, dubbed a GOTCHA (Generating panOptic Turing Tests to Tell Computers and Humans Apart), would be suitable for protecting high-value accounts, such as bank accounts, medical records and other sensitive information.

To create a GOTCHA, a user chooses a password and a computer then generates several random, multi-colored inkblots. The user describes each inkblot with a text phrase. These phrases are then stored in a random order alongside the (salted, hashed) password, and what goes into that hash together with the password is the correct pairing of phrases to inkblots, not the phrases themselves. When the user returns to the site and signs in with the password, the inkblots are displayed again along with the list of descriptive phrases; the user matches each phrase with the appropriate inkblot, and the login succeeds only if both the password and the matching are right. Someone who steals the stored list therefore gets the shuffled phrases but not the pairing, and has to reproduce a human's matching for every password guess they try.
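To make the storage format concrete, here is a toy model of the enrolment and login flow described above. It is an added example, not code from CMU or from the GOTCHA paper, and it stands in for the inkblots with short seed strings derived from the password and a per-user salt (an assumption of this model: the real system renders images). The function names (`enroll`, `challenge`, `login`, `offline_crack`), the work factor and the sample phrases are all constructed for the illustration. The thing worth noticing is that the server record holds the shuffled phrases and a hash over password plus matching, never the matching itself, so an attacker holding the record must try every one of the k! pairings for each password guess unless they can "read" the inkblots themselves.

```python
import hashlib
import math
import os
import secrets
from itertools import permutations

# PBKDF2 work factor. Deliberately modest so the brute-force demo below finishes in
# well under a minute; a production deployment would use a far higher setting.
ITERATIONS = 20_000


def inkblot_seeds(password, salt, k):
    """Stand-in for inkblot generation: k seeds derived from the password and salt.

    Assumption of this toy model: nothing about the inkblots is stored, the server
    regenerates them from the password the user types at login.
    """
    return [hashlib.sha256(salt + password.encode() + bytes([i])).hexdigest()[:16]
            for i in range(k)]


def verifier(password, salt, matching):
    """Hash over the password AND the inkblot-to-phrase matching."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(),
                               salt + bytes(matching), ITERATIONS)


def enroll(password, phrases):
    """Enrolment. phrases[i] is the user's description of inkblot i."""
    k = len(phrases)
    salt = os.urandom(16)
    matching = list(range(k))
    secrets.SystemRandom().shuffle(matching)   # matching[j] = inkblot that stored phrase j describes
    stored = [phrases[matching[j]] for j in range(k)]
    # The record holds the shuffled phrases and the verifier; the matching itself is NOT stored.
    return {"salt": salt, "phrases": stored, "verifier": verifier(password, salt, matching)}


def challenge(record, password):
    """What the login page shows: the regenerated inkblots and the shuffled phrases."""
    k = len(record["phrases"])
    return inkblot_seeds(password, record["salt"], k), list(record["phrases"])


def login(record, password, matching):
    """matching[j] is the inkblot index the user paired with stored phrase j."""
    k = len(record["phrases"])
    if sorted(matching) != list(range(k)):      # must be a permutation of the inkblots
        return False
    return secrets.compare_digest(record["verifier"],
                                  verifier(password, record["salt"], matching))


def human_match(own_phrases, stored_phrases):
    """Simulates the user, who recognises their own description of each inkblot."""
    return [own_phrases.index(p) for p in stored_phrases]


def offline_crack(record, password_guesses):
    """Attacker with the stolen record but no way to interpret inkblots: for every
    password guess, each of the k! matchings has to be hashed and compared.
    Returns (password, matching, number of verifier evaluations), or None."""
    k = len(record["phrases"])
    evaluations = 0
    for guess in password_guesses:
        for perm in permutations(range(k)):
            evaluations += 1
            if secrets.compare_digest(record["verifier"],
                                      verifier(guess, record["salt"], list(perm))):
                return guess, list(perm), evaluations
    return None


def attack_multiplier(k):
    """Factor by which k inkblots multiply the cost of each password guess."""
    return math.factorial(k)


if __name__ == "__main__":
    my_phrases = ["bat", "dancer", "two crabs", "fish"]      # constructed sample descriptions
    rec = enroll("correct horse", my_phrases)
    blots, shown = challenge(rec, "correct horse")
    answer = human_match(my_phrases, shown)
    print("login ok:", login(rec, "correct horse", answer))
    print("cracked after", offline_crack(rec, ["password", "correct horse"])[2], "hash evaluations")
    print("10 inkblots multiply each guess by", attack_multiplier(10))
```

With four inkblots the multiplier is only 24, which is why the demo cracks the record quickly once the right password is in the guess list; the scheme's value comes from larger k (ten inkblots give 3,628,800 matchings per guess) and from the matching step being the part a computer cannot do on its own.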


This, of course, is more difficult for an attacker to automate, since an inkblot is not a direct representation of a specific object. Perhaps to you, a particular inkblot may look like a dog, while to me, that same inkblot may appear to be Salma Hayek stepping out of the shower just after...well, you get the idea.

Of course, this system is not 100% secure either. Its extra protection rests on the matching being something a computer cannot do: with k inkblots there are k! possible pairings, so an attacker working from a stolen list has to try up to k! matchings for each password guess (or pay humans to do the matching), and a weak password is still a weak password. If an algorithm is developed that can reliably pair a person's descriptions with the inkblots they describe, that multiplier disappears. But it's a start.