My latest Guardian column, “Promoting statistical literacy: a modest proposal” discusses the way that state-sponsored lotteries and sloppy financial regulation promote a dangerous kind of statistical illiteracy; dangerous because it subverts our ability to assess and mitigate risk.
For example, my own bank, the Co-op, recently updated its business banking site (the old one was “best viewed with Windows 2000!”), “modernising” it with a new two-factor authentication scheme in the form of a little numeric keypad gadget you carry around with you. When you want to see your balance, you key a Pin into the gadget, and it returns a 10-digit number, which you then have to key into a browser field that helpfully masks your keystrokes as you enter this gigantic one-time password.
Don’t get me wrong: two-factor authentication makes perfect sense, and there’s nothing wrong with using it to keep users’ passwords out of the hands of keyloggers and other surveillance creeps. But a system that locks users out after three bad tries does not need to generate a 10-digit one-time password. Three blind guesses at a four-digit code succeed 3 times in 10,000 (0.03%); at five digits, 3 times in 100,000. The one honest caveat is that the lockout is per account, not per attacker, so someone with a list of customer logins gets three guesses at every one of them, and the code has to survive that too; that argues for the six digits most tokens and authenticator apps use, not for ten. Past that point, no appreciable benefit comes out of the other digits (but the hassle to the Co-op’s many customers of these extra numbers, multiplied by every login attempt for years and years to come, is indeed appreciable).
As if to underscore the Co-op’s security illiteracy, we have this business of masking the one-time Pin as you type it. The whole point of a one-time password is that it doesn’t matter if it leaks, since it only works once: the moment you submit it, anyone who read it over your shoulder is holding a dead code, and a password manager or keylogger that captures it gains nothing either. That’s why we call it a “one-time Pin.” Asking customers to key in a meaningless 10-digit code perfectly, every time, without visual feedback, isn’t security. It’s sadism.
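To make the two points above concrete (three-try lockout versus code length, and a code being dead once used), here is an added example that is not the column’s own code and has nothing to do with the Co-op’s actual gadget, whose scheme is not described. It assumes the token produces RFC 4226 HOTP codes (an HMAC-SHA-1 counter scheme, chosen because its test vectors are public) and that the bank side looks like the hypothetical `OtpVerifier` below; `attacker_odds` and the `look_ahead` drift window are likewise illustrative names and parameters, not anything the post mentions.

```python
import hashlib
import hmac
import struct

# Constructed input: the shared secret from the RFC 4226 test vectors.
# A real token carries a per-device seed; this one is public.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then the low `digits` decimal digits.
    The digit count is just the modulus; 10 digits is a configuration choice,
    not something the token's maths forces."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpVerifier:
    """Hypothetical bank-side verifier: accepts each code once, tolerates a
    small counter drift, and locks the account after MAX_FAILURES bad tries."""

    MAX_FAILURES = 3

    def __init__(self, secret: bytes, digits: int = 6, look_ahead: int = 1):
        self.secret = secret
        self.digits = digits
        self.look_ahead = look_ahead  # how many future counters are accepted
        self.counter = 0              # next counter value we expect
        self.failures = 0
        self.locked = False

    def verify(self, candidate: str) -> bool:
        if self.locked:
            return False
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c, self.digits), candidate):
                self.counter = c + 1  # code consumed: replaying it now fails
                self.failures = 0
                return True
        self.failures += 1
        if self.failures >= self.MAX_FAILURES:
            self.locked = True
        return False


def attacker_odds(digits: int, attempts: int = 3, look_ahead: int = 1,
                  accounts: int = 1) -> dict:
    """Upper bound on a blind guesser against a verifier like the one above.
    Each attempt matches any of `look_ahead` live codes, so one account falls
    with probability at most attempts * look_ahead / 10**digits. The lockout
    caps attempts per account, not per attacker, so the bound grows with the
    number of accounts the attacker can try."""
    per_account = min(1.0, attempts * look_ahead / 10 ** digits)
    return {
        "per_account": per_account,
        "expected_accounts": per_account * accounts,
        "any_account": 1 - (1 - per_account) ** accounts,
    }


if __name__ == "__main__":
    v = OtpVerifier(RFC4226_SECRET)
    first = hotp(RFC4226_SECRET, 0)
    print("first code", first, "accepted:", v.verify(first))
    print("same code again (replay):", v.verify(first))
    for digits in (4, 6, 10):
        odds = attacker_odds(digits, accounts=1_000_000)
        print(f"{digits} digits, 3 tries, 1M accounts: "
              f"expected compromised = {odds['expected_accounts']:.4f}")
```

Running it shows why the column’s complaint about masking holds: the second `verify` of the same code fails because the counter has moved on. The odds table is the caveat the column glosses over: at four digits the expected number of broken accounts across a million customers is 300, at six it is 3, and at ten it is 0.0003, so the jump from six to ten buys essentially nothing while every customer pays for it on every login.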