Editorial - e-commerce? Thanks but no thanks.. (August 1998)

This month, Neil McNaughton, PDM's editorreflects on his bank account, the year 2000 problem and wonders who is really running theshow.

I recently received an attractive offer from my bank (on of the largest in France) inviting me to a three month trial of a new, internet-based access to my accounts. This was to allow for consultation, and transfer of funds through a secure internet connection. Great thought I, and signed up right away. Signed quite a few times in fact as the paper documentation was voluminous. While signing I noticed some rather draconian clauses which briefly stated that any fraudulent use of Internet access would be, as it were, for my account. I therefore paid considerable attention to the security measures that were implemented. On the Internet side the access required the installation of a secure sockets layer. Now being a techno-freak, I am prepared to believe that if it is called "secure sockets", then that bit at least is secure. Well I hope so anyhow. As for the rest of the log-on procedure, I was less impressed.

As all PDM readers are undoubtedly aware, the most insecure part of any computer system is the password protection. Passwords are the Achilles' heel of a computer system, allowing for security attack by techniques such as the appropriately named Trojan Horse (see below). I was surprised then, when I found that the password protecting the account was a mere 6 digit number, defined by the user (just enough for a non-Y2K-complaint date-of-birth!). Not exactly a digital Fort Knox - and there was worse. In my reading of the advertising blurb, I understood that I could transfer monies between accounts. What was not so clear however was that these could be any account. In other words, supposing a hacker obtained my password, they could send money out to their bank account over the net. Not for me thought I, so I asked for a restriction on the accounts that could be used, limiting them to my own bank accounts.

This was both a fail-safe, after all it would only allow an intruder to move my money between my bank accounts, and it also happened to be what I wanted. Unfortunately, I was told that this was impossible. Similarly, my refusal to accept blindly "any and all future system enhancements" was likewise considered as beyond the call of duty for the system engineers. The outcome of the whole exercise was that I could either have the system as it was designed, or not at all. I chose the latter. In essence, the system was designed by technologists as a one-size-fits-all, take-it-or-leave-it deal with suspect security. The bank's lawyers then drafted a contract that moved all the risk on to the client. An example of the short shrift that can be the lot of the unsuspecting consumer - of services and of IT.

Short shrift seems to be the lot of the world at large as the millennium approaches. Everyone who reads a newspaper knows about the impending doom that will result from a year being stored as two digits (98) instead of four (1998). The conventional explanation for this problem - proffered by the IT community - is that when all these programs were being written, computer memory was in such short supply that the date truncation was an economic necessity. This of course is first-rate twaddle. The reason that the year 2000 problem arose was because of laziness and poor management. If memory was the problem, then dates would have been encoded in a more compact form. After all, the 6 bytes that are used to store the short date could actually store over 700 year's worth of dates with a compact code that made use of all the available bits. The very standardization of ASCII for writing digits is a luxurious waste of computer memory.

What is the point of all this? Well firstly, I suppose I am just abusing my editorial position to get this off my chest - heck, I should be on holiday! Second, everyone should read about computer security from time to time just for their own good - it may even make you think to change your password - do it now! Thirdly, to squeeze a moral out of this sorry tale, the sad fact is that even in a company that is specialized in moving money around - securely one hopes - the ultimate system design actually results from a collective laziness on the part of system designers, just as with the Y2K issue. I offer this example, not because it reflects particularly on what happens in E&P IT, but as an example of how bad things can get. Never believe that just because company X is the largest player in the field that they have got everything right. With everyone banging on about e-commerce and business over the Internet, we have here a prime example of an abnegation of responsibility from one of the organizations that should be leading the way. In fact never underestimate the capacity of any organization to get things completely wrong, trust your own judgement, complain and if it ain't right, don't buy it!