Re: Northern Rock bailed out by Bank of England
I never made any definition on what an acceptable SLA should be. Your expectation of an SLA that is able to satisfy all NR's customers simultaneously is absurd though.
My expectation is that the service either functions as advertised, or it degrades in a graceful way that is both meaningful and useful. Accessing the service and having to wait up to several minutes, watching a supposedly active login session, to find out whether or not your login succeeded is not "graceful", it's just a wing-and-a-prayer approach to providing a service. You seem happy with it though, so clearly there is a market for this approach.
I don't know the ins and outs of the security process that NR have implemented but I'm presuming that after a certain number of attempts it blocks the account completely. If it does this then it would still be in agreement with current best practices in security. If not, then you have a point as accounts could be easily brute-forced.
The reason that this technique you refer to as "nonsense" is considered a best practice is that it's possible that a customer may have been observed entering their account on one occasion. An attacker could keep reloading the login page until the questions that they observed randomly appear. You might need to look into upskilling your security knowledge as it doesn't sound too hot right now.
Hmm, you say that you don't know the ins and outs of the authentication process in use by NR (which is a well defined approach and has been in use for years, by the way), yet you describe it as "best practice" and suggest that I "upskill" my security knowledge as I seem not to understand it. You should probably have thought that through before you wrote it - telling someone that they are talking crap tends to lose its effectiveness when you yourself admit that you don't know what you are talking about.
I have described this issue already, in some posts from the original thread here:
...but I'll try again if you feel up to the task of trying to understand what in reality is a very simple concept.
Right, basically, your password is only useful as long as some malicious person, let's say JoeBloggs, doesn't know it. If you are always prompted for the same password, then JoeBloggs just needs to know that one password to login as you. JoeBloggs might learn your password by looking over your shoulder as you type or, more prevalent these days, by managing to install some software on your machine to record what you type at the keyboard in response to a prompt on your screen. He might also try to brute force his way in by guessing every possible combination of characters - most systems, NR's included, provide some level of protection against this by putting a limit, usually 3, on the number of wrong passwords you can enter before you are locked out of your account.
It would be better if you were prompted for a different password every time, 'cos now JoeBloggs needs to know all of your passwords to ensure that he can get in. If you have 10 passwords, and are asked for any one of them randomly, then if JoeBloggs has only 4 of those passwords he may expect to successfully login as you only 40% of the time - that is still a lot of the time but it is better than the worst case scenario of 100% of the time.
However, if you have 10 passwords, but the service only ever prompts you for passwords 5 and 7 each time you try to login, then if JoeBloggs has those two passwords he will now get in 100% of the time = a decrease in security.
With NR's service, you have a single password made up of multiple letters, which is just a variation on the above theme - basically, with the NR system your effective password is 2 characters long every time. That is a very short password and by its nature very weak, but the strength of its security lies in the fact that those two characters are pseudo-random (i.e. they are random from within the limited set of characters that make up your full actual password). If the system keeps asking you for the same two characters on successive occasions, then the random element of this security mechanism is lost = the same 2-letter password each time = a decrease in security.
Until something better is devised, about the best approach to authentication right now is for the user to have a hardware token that generates characters which are much closer to being truly random (they are not truly random as the server side must also be capable of generating/predicting the same "random" numbers). The display on the hardware token changes regularly (maybe every minute or so, or at the instigation of the user), and the user supplies what this hardware token displays plus some piece of information known only to the user (essentially a static password). In that scenario, what the token displays is not something that JoeBloggs can reliably predict = greater security. Rabodirect use this type of solution, for example. The solution that NR use is reasonable when you are trying to keep costs down, but it is usually a choice based purely on cost. I have no problem with the NR approach, but only when it is implemented properly, which isn't the case here.
To compare the technical capacity of an entity that has a side business in selling compute power (i.e. Amazon's Elastic Compute Cloud) with another entity that is only in the business of banking is neither here nor there. If you can find an example of a bank that is able to deal with all its customers logging in to make transactions at the same time then you might be on to something.
I don't have to find a perfect service to recognise one that provides a service that is very far from perfect. My own level of acceptable service lies quite a bit below perfect, because I know of at least some of the issues that make a perfect service difficult, if not impossible, to achieve. NR's online service falls very far short of even my relatively modest expectations.
Worse still, the poor performance of NR's online service has served to cause even more concern and panic amongst people unable to access their savings, leading to greater demands on the service itself as more people got caught up in the rush, and so it spiralled ever downwards. It is a very effective service if self-destruction is one of its goals.
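
The figures in the authentication argument above (4 of 10 passwords giving 40%, and a two-character challenge that either varies or repeats), worked through as an added example that is not part of the original post. The 8-character password, the single observed login and the 20 uncounted reloads are assumptions chosen for illustration, and the function names are hypothetical.

```python
from fractions import Fraction
from math import comb


def p_known_challenge(n, known, k):
    """Chance that a challenge of k distinct positions, drawn uniformly from
    n, falls entirely inside the `known` positions an observer captured."""
    if not (0 <= known <= n and 0 < k <= n):
        raise ValueError("need 0 <= known <= n and 0 < k <= n")
    return Fraction(comb(known, k), comb(n, k))


def p_with_reloads(p, reloads):
    """Chance that at least one of `reloads` independently drawn challenges
    is answerable, when requesting a new challenge costs nothing."""
    return 1 - (1 - p) ** reloads


def compare(n=8, k=2, reloads=20):
    """Observer has seen one login, so knows exactly the k positions asked.
    Returns their chance of meeting an answerable challenge per policy.
    n, k and reloads are assumed values, not NR's real parameters."""
    fresh = p_known_challenge(n, k, k)
    return {
        # New random positions per login, one challenge per attempt.
        "fresh, one challenge": fresh,
        # New random positions on every page load, reloads not counted.
        "fresh, free reloads": p_with_reloads(fresh, reloads),
        # Positions held until answered correctly, then redrawn: reloading
        # returns the same challenge, so it gains nothing.
        "held, redrawn after success": fresh,
        # Same positions asked on successive logins (the complaint above).
        "same positions every login": Fraction(1),
    }


if __name__ == "__main__":
    # The 10-password case from the post: 4 known, 1 asked -> 2/5 (40%).
    print("4 of 10 known:", p_known_challenge(10, 4, 1))
    for policy, p in compare().items():
        print(f"{policy:30s} {float(p):.3f}")
```

Under these assumptions, holding a challenge until it is answered and then redrawing it keeps the observer at 1 in 28, whereas either free reloads or a challenge that never changes between logins removes most or all of the benefit of asking for random positions.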