Northern Rock and online banking capacity

[jrewing]

In my experience as someone who uses 4 different bank websites, the NR website has always been of poorer quality (slower, more prone to crashes/freezing) than other banks.

 

[askew70]

Re: Northern Rock bailed out by Bank of England

Nothing is insurmountable but the cost of provisioning for a system that could handle so many transactions at the same time just does not make sense economically. I'd rather see my bank put its funds elsewhere than have it wasted on resources for crazy "what-if" scenarios.

I'd rather see my bank provide the service that they advertise. One of the main selling points of online banking is that you have access to your account 24 hours a day, 7 days a week. I have yet to see a proviso on that along the lines of "unless more than X number of you all want access to your accounts at the same time, in which case you may have to wait for a few days".

The NR online service seems to be a service that has had very little in the way of quality control, and perhaps (but not necessarily) funding, thrown at it. The current "what-if" scenario, as you describe it, is a mad panic by worried customers. We have no way of knowing whether the service would suffer similar problems if, for example, 20 people were to access it at the same instant at any other time. You may choose to believe that the system is currently creaking and groaning because over a million people are accessing it simultaneously, but in fact the only people who really know what load the system is capable of handling are those that implemented the service (you'd hope) - I am not convinced that it is capable of handling even a small percentage of customers simultaneously.

Of course there is room for improvement on QoS and reusing SSL connections is a technique that can speed things up. This could compromise security somewhat which means it's use in banking web services is limited. Higher security obviously has to take preference over higher quality of service in the banking world.

I have written in previous posts in this thread of the inherent security weakness in how the authentication phase of NR's service is behaving. They have clearly, and demonstrably, not given preference to higher security over higher quality of service.

I don't think that the likes of ticketmaster or amazon have yet encountered a situation where up to 1.5 million customers were all trying to log in and perform transactional operations at the exact same time, and over such an extended period. I would imagine they would experience a lower QoS too given the circumstances.

I haven't checked for any statistics on the number of Amazon customers, and particularly the number of simultatneous customers, but I would not rule out the possibility that it does handle 1.5 million customers well. At the very least, I would be shocked if the system effectively fell apart in such circumstances, as NR's online service has.

I have already stated that I am not a fan of Ticketmaster's site, but it does handle tens of thousands of credit card transactions, typically in a short few hours. Admittedly, it can be an painful experience, but it works because they are aware that if their online system was unusable for days at a time then they are likely to be out of business.

Whatever about the others, Google's service does handle a ridiculously high load, and if you ever use their service when was the last time that you ever experienced anything worse than a slight delay in search results being returned? I am risking turning this into an ad for Google though, which is not my intention, as I am sure that Yahoo's search engine, and those of others, are more than capable of handling far far greater load than that which has NR's service falling flat on its face.

Again, the key to this difference in service quality is that some companies treat their online service as core to their business, and others don't. When a bank is selling an online account, you would expect them to treat their online service as core to that aspect of their business, but NR clearly did not.

 

[Afuera]

Re: Northern Rock bailed out by Bank of England

I am not convinced that it is capable of handling even a small percentage of customers simultaneously.

In normal circumstances only a small percentage of its customers will require to use its services simultaneously. Your demands are not realistic and I doubt you will be able to find any bank out there to guarantee the service you expect.

I have written in previous posts in this thread of the inherent security weakness in how the authentication phase of NR's service is behaving. They have clearly, and demonstrably, not given preference to higher security over higher quality of service.

Reusing an SSL connection for the same person does not constitute a weakness in security. Reusing it in other ways does.

I haven't checked for any statistics on the number of Amazon customers, and particularly the number of simultatneous customers, but I would not rule out the possibility that it does handle 1.5 million customers well. At the very least, I would be shocked if the system effectively fell apart in such circumstances, as NR's online service has.

I have already stated that I am not a fan of Ticketmaster's site, but it does handle tens of thousands of credit card transactions, typically in a short few hours. Admittedly, it can be an painful experience, but it works because they are aware that if their online system was unusable for days at a time then they are likely to be out of business.

Whatever about the others, Google's service does handle a ridiculously high load, and if you ever use their service when was the last time that you ever experienced anything worse than a slight delay in search results being returned? I am risking turning this into an ad for Google though, which is not my intention, as I am sure that Yahoo's search engine, and those of others, are more than capable of handling far far greater load than that which has NR's service falling flat on its face.

Again, the key to this difference in service quality is that some companies treat their online service as core to their business, and others don't. When a bank is selling an online account, you would expect them to treat their online service as core to that aspect of their business, but NR clearly did not.

Apples and oranges.

 

[askew70]

Re: Northern Rock bailed out by Bank of England

In normal circumstances only a small percentage of its customers will require to use its services simultaneously. Your demands are not realistic and I doubt you will be able to find any bank out there to guarantee the service you expect.

You choose to be happy with the level of service you are currently receiving, which implies that you expect no bank's online service to ever be able to cope with whatever simultaneous number of users are hitting NR's service for the last several days. And you are making this judgment without knowing what that number of users is, at which the service ceases to function at any kind of a reasonable level. You are defining an acceptable level of service based on little or no quantifiable data, but simply on the hope that NR have done everything reasonable within their power to provide a robust service. Your choice, but certainly not mine.

Reusing an SSL connection for the same person does not constitute a weakness in security. Reusing it in other ways does.

The security weakness that I referred to was not re-use of an SSL connection (maintaining an SSL connection is not "re-use" by the way, in the conventional sense of that word in an IT environment - the SSL connection remains "in use" until such time as it is explicitly torn down or times out. It is a subtle difference, but an important one if talking about security).

The weakness I was referring to is the behaviour of the authentication step which prompts you to enter a "random" pair of characters from your password. If you fail to login because of a problem with the service (and perhaps under other circumstances too), the next time you attempt a login you are asked to supply the very same supposedly random characters. As the particular characters being asked for are the same (i.e. not random) each time (until you have successfully logged in), then you effectively have a 2-character password for as long as the service won't successfully log you in. That pretty much makes a nonsense of the otherwise very sensible approach of having you provide some randomised portion of your password every time you attempt to login, leading to weaker security.

Apples and oranges.

Somehow I find that unconvincing as an argument. Maybe if you could elaborate you might convince me.

 

[Afuera]

Re: Northern Rock bailed out by Bank of England

You are defining an acceptable level of service based on little or no quantifiable data, but simply on the hope that NR have done everything reasonable within their power to provide a robust service. Your choice, but certainly not mine.

I never made any definition on what an acceptable SLA should be. Your expectation of an SLA that is able to satisfy all NR's customers simultaneously is absurd though.

The weakness I was referring to is the behaviour of the authentication step which prompts you to enter a "random" pair of characters from your password. If you fail to login because of a problem with the service (and perhaps under other circumstances too), the next time you attempt a login you are asked to supply the very same supposedly random characters. As the particular characters being asked for are the same (i.e. not random) each time (until you have successfully logged in), then you effectively have a 2-character password for as long as the service won't successfully log you in. That pretty much makes a nonsense of the otherwise very sensible approach of having you provide some randomised portion of your password every time you attempt to login, leading to weaker security.

I don't know the ins and outs of the security process that NR have implemented but I'm presuming that after a certain number of attempts it blocks the account completely. If it does this then it would still be in agreement with current best practises in security. If not, then you have a point as accounts could be easily bruteforced.

The reason that this technique you refer to as "nonsense" is considered a best practise is that it's possible that a customer may have been observed entering their account on one occasion. An attacker could keep reloading the login page until the questions that they observed randomly appear. You might need to look into upskilling your security knowledge as it doesn't sound too hot right now.

Somehow I find that unconvincing as an argument. Maybe if you could elaborate you might convince me.

To compare the technical capacity of an entity that has a side business in selling compute power (i.e. Amazons Elastic Compute Cloud) with another entity that is only in the business of banking is neither here nor there. If you can find an example of a bank that is able to deal with all it's customers logging in to make transactions at the same time then you might be on to something.

 

[askew70]

Re: Northern Rock bailed out by Bank of England

I never made any definition on what an acceptable SLA should be. Your expectation of an SLA that is able to satisfy all NR's customers simultaneously is absurd though.

My expectation is that the service either functions as advertised, or it degrades in a graceful way that is both meaningful and useful. Accessing the service and having to wait up to several minutes, watching a supposedly active login session, to find out whether or not your login succeeded is not "graceful", it's just a wing-and-a-prayer approach to providing a service. You seem happy with it though, so clearly there is a market for this approach.

I don't know the ins and outs of the security process that NR have implemented but I'm presuming that after a certain number of attempts it blocks the account completely. If it does this then it would still be in agreement with current best practises in security. If not, then you have a point as accounts could be easily bruteforced.

The reason that this technique you refer to as "nonsense" is considered a best practise is that it's possible that a customer may have been observed entering their account on one occasion. An attacker could keep reloading the login page until the questions that they observed randomly appear. You might need to look into upskilling your security knowledge as it doesn't sound too hot right now.

Hmm, you say that you don't know the ins and outs of the authentication process in use by NR (which is a well defined approach and has been in use for years, by the way), yet you describe it as "best practice" and suggest that I "upskill" my security knowledge as I seem not to understand it. You should probably have thought that through before you wrote it - telling someone that they are talking crap tends to lose it's effectiveness when you yourself admit that you don't know what you are talking about.

I have described this issue already, in some posts from the original thread here:




...but I'll try again if you feel up to the task of trying to understand what in reality is a very simple concept.

Right, basically, your password is only useful as long as some malicious person, lets say JoeBloggs, doesn't know it. If you are always prompted for the same password, then JoeBloggs just needs to know that one password to login as you. JoeBloggs might learn your password by looking over your shoulder as you type or, more prevalent these days, by managing to install some software on your machine to record what you type at the keyboard in response to a prompt on your screen. He might also try to brute force his way in by guessing every possible combination of characters - most systems, NR's included, provide some level of protection against this by putting a limit, usually 3, of the number of wrong passwords you can enter before you are locked out of your account.

It would be better if you were prompted for a different password every time, 'cos now JoeBloggs needs to know all of your passwords to ensure that he can get in. If you have 10 passwords, and are asked for any one of them randomly, then if JoeBloggs has only 4 of those passwords he may expect to successfully login as you only 40% of the time - that is still a lot of the time but it is better than the worst case scenario of 100% of the time.

However, if you have 10 passwords, but the service only ever prompts you for passwords 5 and 7 each time you try to login, then if JoeBloggs has those two passwords he will now get in 100% of the time = a decrease in security.

With NR's service, you have a single password made up of multiple letters, which is just a variation on the above theme - basically, with the NR system your effective password is 2 characters long every time. That is a very short password and by its nature very weak, but the strength of its security lies in the fact that those two characters are pseudo-random (i.e. they are random from within the limited set of characters that make up your full actual password). If the system keeps asking you for the same two characters on successive occasions, then the random element of this security mechanism is lost = the same 2-letter password each time = a decrease in security.

Until something better is devised, about the best approach to authentication right now is for the user to have a hardware token that generates characters which are much closer to being truly random (they are not truly random as the server side must also be capable of generating/predicting the same "random" numbers). The display on the hardware token changes regularly (maybe every minute or so, or at the instigation of the user), and the user supplies what this hardware token displays plus some piece of information known only to the user (essentially a static password). In that scenario, what the token displays is not something that JoeBloggs can reliably predict = greater security. Rabodirect use this type of solution, for example. The solution that NR use is reasonable when you are trying to keep costs down, but it is usually a choice based purely on cost. I have no problem with the NR approach, but only when it is implemented properly, which isn't the case here.

To compare the technical capacity of an entity that has a side business in selling compute power (i.e. Amazons Elastic Compute Cloud) with another entity that is only in the business of banking is neither here nor there. If you can find an example of a bank that is able to deal with all it's customers logging in to make transactions at the same time then you might be on to something.

I don't have to find a perfect service to recognise one that provides a service that is very far from perfect. My own level of acceptable service lies quite a bit below perfect, because I know of at least some of the issues that make a perfect service difficult, if not impossible, to achieve. NR's online service falls very far short of even my relatively modest expectations.

Worse still, the poor performance of NR's online service has served to cause even more concern and panic amongst people unable to access their savings, leading to greater demands on the service itself as more people got caught up in the rush, and so it spiralled ever downwards. It is a very effective service is self-destruction is one of its goals.

 

[Afuera]

Re: Northern Rock bailed out by Bank of England

Hmm, you say that you don't know the ins and outs of the authentication process in use by NR (which is a well defined approach and has been in use for years, by the way), yet you describe it as "best practice" and suggest that I "upskill" my security knowledge as I seem not to understand it. You should probably have thought that through before you wrote it - telling someone that they are talking crap tends to lose it's effectiveness when you yourself admit that you don't know what you are talking about.

Maybe you should actually read what I wrote properly instead of mincing your words.

If you are constantly only getting asked for the same 2 passwords, even with a new clean session, and on different terminals, than that would be insecure. Frankly though, your writing is so bad I'm not actually sure if that describes the situation you were encountering or whether your browser is simply badly set up. Why don't you go and take it to Northern Rock as maybe they can understand your ramblings and conjecture better than I?

 

[askew70]

Re: Northern Rock bailed out by Bank of England

Maybe you should actually read what I wrote properly instead of mincing your words.

If you are constantly only getting asked for the same 2 passwords, even with a new clean session, and on different terminals, than that would be insecure. Frankly though, your writing is so bad I'm not actually sure if that describes the situation you were encountering or whether your browser is simply badly set up. Why don't you go and take it to Northern Rock as maybe they can understand your ramblings and conjecture better than I?

And with that vitriolic response dies any hope of reasonable debate. Oh well.

I tried taking it to Northern Rock, as you suggest, but I couldn't get through. Maybe there is something up with their system...

 

[jpd]

why stop at banks ? Telephone service providers can't cope with a rush of customers eithder - try sending a text message from Croke Park when Dublin are playing!

 

[MugsGame]

On a day like last Friday, the scene in the IT department at Northern Rock would have been manic.

 

[gearoid]

Bandwidth is not the only issue.
I can now login but NR says I don't even have an account with them. I closed it on saturday but I should still be able to see the progress of the EFT. This is appalling. The integrity of their account enquiry processes is compromised. This is a core part of their system.