The other day, via CNET Networks' internal email system, fellow ZDNet blogger and TechRepublic technical director George Ou sounded an alarm about an urgent online banking issue he came across on the Web site for the SANS Institute. It probably didn't get the attention it should have. Ou blogged the item with a headline that for many may require no further reading: Many banks failing to use SSL authentication. Ouch. The risk to you if your bank isn't using SSL authentication is that you could end up logging into a Web site that looks like your bank's Web site but isn't (some banks like BofA are using interesting technologies to avoid this). By logging into the impostor Web site, you'd be turning over your banking credentials (user ID, password) to the bad guys and what happens next may not be pretty. Wrote Ou:
This looks really ugly for the American Banking system as a whole and it's time that they cleaned up their act and learn to use some basic cryptography. If you have a bank on this hall of shame list where "SSL Login Form" is listed as "optional", be sure to complain to them that this is unacceptable.
What's really scary about this is that for something as sensitive as online banking, even the best banks in the US are still using little more than single factor security to grant you access to your bank account. Two years ago, a friend from The Netherlands who was visiting asked if he could use one of our PCs to do some online banking. As he began to log in to his bank's Web site, he pulled a credit-card sized authenticator out of his wallet. Hardware-based authenticators like RSA's keyfob-esque SecurID 700 generate a random sequence of numbers at regular time intervals (eg: every 60 seconds). The way this works is, at any point in time when you log in to your banking system, you have to use your authenticator to randomly generate a key. I watched my friend as he pressed a button on his authenticator and then, from the authenticator's LCD display, he read off and keyed in (on the keyboard) a long string of randomly generated digits.
If you had something similar and you were using one of RSA's authenticators, then, the bank would have an RSA-built appliance on its internal network that's generating matching keys for your account. The only way someone can log into your account is if they have your UserID, your password, and your authenticator. Randomly generated keys are only good for a minute or so. So, even if someone gets a hold of your UserID, password, and one of the randomly generated keys (eg: if they watched you key it on your keyboard), by the time they got to a computer to pretend to be you, the randomly generated key would have expired.
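The time-limited code check described above, as an added example that is not part of the original post: it uses the open TOTP construction (RFC 6238) as a stand-in, not RSA's SecurID algorithm, and the secret, the `Verifier` class and the 6-digit length are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP = 60    # seconds a code stays valid, matching the interval in the text
DIGITS = 6   # assumed display length

def code_at(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """Code shown by the token for the time window containing unix_time."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Verifier:
    """Bank side: holds the same secret as the token and recomputes the code."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_used_window = -1    # a window that was already used is refused

    def check(self, submitted: str, now: int) -> bool:
        window = now // STEP
        if window <= self.last_used_window:
            return False              # replay inside an already-used window
        expected = code_at(self.secret, now)
        if not hmac.compare_digest(submitted.encode(), expected.encode()):
            return False              # wrong code, or a code from an expired window
        self.last_used_window = window
        return True

def demo() -> dict:
    secret = b"constructed-demo-secret"    # constructed sample value
    t0 = 60 * 28_333_334                   # constructed time at the start of a window
    bank = Verifier(secret)
    seen = code_at(secret, t0 + 5)         # code on the display, also seen by an onlooker
    return {
        "legit": bank.check(seen, t0 + 10),               # owner logs in
        "replay_same_window": bank.check(seen, t0 + 20),  # onlooker, same minute
        "stale_next_window": bank.check(seen, t0 + 90),   # onlooker, a minute later
    }

if __name__ == "__main__":
    print(demo())
```

Deployed verifiers usually also accept the neighbouring time window to tolerate clock drift between token and server, which lengthens the interval in which an observed code is still usable.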
This to me is secure. I asked my friend how much it costs to have the added level of security. "Nothing" he said. While I'm sure the cost gets absorbed somewhere and is passed along to customers, it comes with the account (much the same way you get a free ATM card in the US). I'm not sure if every European bank does this. But apparently, a bunch do. After observing my friend in action, I started asking knowledgeable people why US banks don't do the same thing. The consensus answer, I'm afraid, is a sad commentary about our culture rather than some technological roadblock. There are, of course, plenty of Americans who would gladly exchange this bit of friction in the system for the security it offers. I'm one of them. But America is a culture of convenience and additional friction -- especially friction that requires you to carry more gear with you -- apparently doesn't fly with most Americans.
Other examples of this are how most businesses don't even check your ID anymore when you use your credit card (I wrote "C PHOTO ID" on the back of mine but half the clerks don't even turn the card over). Some merchants -- for example the Dunkin Donuts in my neighborhood -- don't even require a signature anymore. It gets me through the drive-in faster. Everywhere you look, friction is being squeezed out of the system and customers love it. Just try adding friction to the system and customers will take their business elsewhere. Even worse, the more secure system involving authenticators is apparently too sophisticated for most Americans. As much as I don't want to believe this, I've encountered enough of my compatriots in person or have seen them on Jerry Springer to know this is true.
Compared to other parts of the world, we're a relatively unsophisticated bunch, us Americans. And that culture of convenience, laziness, and ignorance is going to doom the US in the long run because of how it will deprive America of its edge in other areas where it was once a beacon to the world. Democracy is one of those. Education the other.
On the political front, we are no longer a nation of people that goes deep on the issues and seeks out the truth. I'd like to believe there was a time when the majority of Americans were passionate about democracy and politics. But perhaps I'm fooling myself. The People, helped along by a failing media complex, have established a preference for fast food politics. Forget any real exploration. Just give us the sound bites please, thank you very much.
Just yesterday, our culture of political convenience was probed and picked apart on National Public Radio when Tom Ashbrook interviewed Time Magazine columnist Joe Klein whose book Politics Lost: How American Democracy was Trivialized by People Who Think You're Stupid was published this month. American democracy is being trivialized because we Americans are letting it happen. During the show, one caller remarked on how John Kerry as a communicator was very different in his town meetings leading up to the 2004 Presidential Election than he was on TV in front of the news cameras. Al Gore was the same way.
Before interviewing Gore on stage at one of Research In Motion's annual Wireless Symposiums (this year's event is coming up next month), I spent some time with him backstage. I felt like I was talking to someone I'd never met or seen before. I've heard the same about President Bush too. I'm not sure it's their fault. The law of political information supply and demand practically says there's no demand for the person with the biggest supply of information. Cue the sound-bites please (and kill democracy while you're at it).
And if you want real evidence of how our culture of convenience is going to doom the US (long term), just check out what's going on in our education system. The rest of the world's kids are hungry for worldliness and knowledge. OK, maybe not all of them. But enough of them to make most American kids look like laggards that are too lazy to embrace the benefits of two-factor security (like the aforementioned authenticators) or, worse, real democracy.
What motivates a child to weather sandstorms and bullet crossfire to get into a classroom? Is it them? Their parents? Their governments? Or, is what's taking place in a technology-deprived classroom in the foothills of an Afghan mountain that much more titillating than what's happening in American schools? Perhaps one day when we as a people wake up to the reality that China, India, Pakistan, and Singapore have billions of engineers working in the R&D labs that American companies had to relocate to Asia just to stay competitive, things will change. But right now, as evidenced by Time Magazine's recent cover story -- Dropout Nation -- as far as I can tell, most American children are being left behind and so too is this country. Unfortunately, we have no one else to blame but ourselves. Think I'm wrong? In response to a recent blog of mine that quoted Mark Cuban on the education issue, ZDNet reader Chris W pointed me to a treatise by former New York State and New York City Teacher of the Year John Taylor Gatto who wrote:
Boredom is the common condition of schoolteachers, and anyone who has spent time in a teachers' lounge can vouch for the low energy, the whining, the dispirited attitudes, to be found there. When asked why they feel bored, the teachers tend to blame the kids, as you might expect. Who wouldn't get bored teaching students who are rude and interested only in grades? If even that. Of course, teachers are themselves products of the same twelve-year compulsory school programs that so thoroughly bore their students, and as school personnel they are trapped inside structures even more rigid than those imposed upon the children. Who, then, is to blame?....We all are.
Whether it's online banking fraud, anarchy, or academic underachievement, as long as we continue to take the convenient path of least resistance, the bed that we'll all have to sleep in today, tomorrow, or in 10, 20, or 30 years will be the one that most of us asked for.