
Repelling the hackers

Passwords are not very secure, which is why banks are increasingly offering “two-factor authentication” systems that make logging on to internet banking or your own email much safer.

IMAGINE FOR A MOMENT that you are a hacker. Like most, you know your way around a computer. But you’re aware that computers are quite well defended these days. The glaringly obvious security holes in software have all been plugged and new ones are fixed within a short time of their discovery. Hacking, in short, is pretty hard these days.

Second-guessing people, however, is comparatively simple.

The infamous Nigerian scam shows you how. This scam sees spam emails offer you a share of the proceeds from a massive oil deal, if only you will help a Nigerian by lending them money to make the transaction happen. For a few tens of thousands of dollars, the emails promise, you can reap millions, if you will only trust someone on the other side of the world who you have never met.

Most people see through the scam in seconds, but many do not. In 2007, Queensland Police reported they had identified 134 victims of Nigerian and similar scams, with $18 million lost. The force has since updated those estimates.

The Nigerian scam shows how hackers second-guess people using “social engineering”, a phrase that translates to a digital upgrade of “con tricks”. Computers have made con tricks easier to perpetrate by allowing them to be delivered using email, a low-risk medium compared to face-to-face contact with a victim.

The meeting of social engineering and computers is on show in the “phishing” scams that see emails purportedly sent from banks asking you to log in and verify your password. The websites that phishing mails direct you to look just like a bank’s site but are bogus, operated by criminals who record the password you enter and then empty your account.

It takes a fair bit of effort to construct a fake bank website, but phishing shows how the con trick approach used by Nigerian scammers (who are often from other nations, but pose as Nigerian) can yield a password of immense value to a criminal.

Today, criminals do not even need to trick you into handing over your password. Many people are careless in their choice of password, choosing a birthday or the name of a spouse or a pet. Criminals can start to make educated guesses about these passwords just by looking in your home mailbox and seeing which bank you use. If you have a detailed Facebook page, criminals get even more, as the personal information contains hints aplenty about the words that stick in your memory and therefore become a likely password.

Safer than passwords

Because passwords can so easily be deduced or stolen, passwords alone are now well and truly out of fashion. The alternative is “two-factor authentication,” a technology that relies on something you know and something you have to prove who you are when logging on.

The “something you know” part of the equation is simple, as this is your password. In theory only you know it, so this is reasonably secure. The “thing you have” is called a “token” and is usually a small device that flashes up a random series of numbers.

The token comes into play when you try to log in to a computer or online service. As always, you enter your user ID or customer number and then your password. After this step, you enter the random number from your token. Software operating at the service you are trying to log into knows that you have a token and also knows the random number it should be displaying at any particular time. You will therefore be asked to enter the number on the token as an additional proof of your identity.

A variant of this system in favour with several Australian banks sees you sign up to have special codes sent as SMS messages to your phone. After you enter your password, you will receive an SMS with a special code that only works for a few moments. Enter the code and you will be logged in to internet banking, as the bank is satisfied that you have proved your identity – given the low likelihood of someone knowing your password and having access to your mobile.

Two-factor authentication of this sort is safer than a password alone because it is all but impossible to deduce your random number. Moreover, the random number changes very often, making this a much safer way to log on to online services.
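The mechanism behind the token described above is worth seeing in code. The following is an added example, not code from the article or from any bank or vendor it mentions. It assumes the common time-based one-time password scheme (RFC 6238 TOTP on top of RFC 4226 HOTP): the number the token shows is not truly random but is computed from a shared secret and the current 30-second time step, which is exactly what lets the service know which number the token should be displaying. The secret, salt and password here are constructed sample values; the service-side verifier also tolerates one step of clock drift and refuses to accept the same code twice, so a code that a phisher captures cannot be replayed.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # how often the token's displayed number changes
DIGITS = 6          # length of the displayed code

# Shared secret provisioned into the token and stored by the service.
# Constructed example value (the ASCII test secret from RFC 4226/6238), not a real key.
SHARED_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: the counter is the number of time steps since the Unix epoch.
    This is what the token itself computes and displays."""
    return hotp(secret, int(at_time) // step, digits)


class TokenVerifier:
    """Service side: it holds the same secret, so it knows which code the token
    should be showing at any particular time."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, window: int = 1):
        self.secret = secret
        self.step = step
        self.window = window          # tolerate +/- this many steps of clock drift
        self.last_used_counter = -1   # every code is accepted at most once

    def verify(self, submitted: str, now: float) -> bool:
        if not (submitted.isdigit() and len(submitted) == DIGITS):
            return False
        current = int(now) // self.step
        for drift in range(-self.window, self.window + 1):
            counter = current + drift
            if counter <= self.last_used_counter:
                continue  # already consumed: a captured code cannot be replayed
            if hmac.compare_digest(hotp(self.secret, counter), submitted):
                self.last_used_counter = counter
                return True
        return False


class Account:
    """Both factors: the password (something you know) and the token (something you have)."""

    def __init__(self, password: str, token_secret: bytes):
        self.salt = b"constructed-fixed-salt"  # a real service uses a random per-user salt
        self.password_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        self.token = TokenVerifier(token_secret)

    def login(self, password: str, code: str, now: float) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        if not hmac.compare_digest(candidate, self.password_hash):
            return False            # first factor failed; the code is not consumed
        return self.token.verify(code, now)   # second factor


if __name__ == "__main__":
    account = Account("correct horse", SHARED_SECRET)
    now = 59  # fixed constructed timestamp so the run is reproducible
    code = totp(SHARED_SECRET, now)           # what the token would display
    print("login:", account.login("correct horse", code, now))
    print("replay of same code:", account.login("correct horse", code, now))
```

The `window` parameter is the usual compromise between a token whose clock has drifted and the size of the set of codes an attacker could guess; keeping `last_used_counter` is what turns a code that "only works for a few moments" into one that works exactly once.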

Speak to me

Two-factor authentication can also use your body to prove who you are. Fingerprint readers are now built into many laptop computers and provide an even more secure method of logging in. Some tokens even come with a fingerprint reader, for an extra layer of protection.

Another increasingly popular method of logging in is voice identification, a method that sees you speak a pre-determined pass-phrase into a phone so that computers can recognise both the phrase and the subtle nuances of each individual’s voice that identify them.

My Business has learned that at least one of the big four banks intends to adopt this technology by the end of 2008 for its telephone banking services.

Two-factor authentication is most visibly deployed by banks, which do so because they are often liable to losses caused when hackers deduce a password and use it to steal.

The technology is also used by thousands of businesses around the world because it is far more secure than using passwords alone to do things like logging on to a server over a virtual private network or using a web-based email system. If you want to give your team access to your server or email after hours, and that server contains sensitive information, you should therefore think about two-factor authentication.

Happily, products exist that make it relatively simple for small businesses to adopt the technology. Security vendor RSA sells an “introduction pack” which, for $2124, includes all the software and tokens needed to start using two-factor authentication yourself. Another vendor, Secure Computing, sells tokens and software at $160 per user.

Both systems will probably require professional help to install.

How to create a strong password

To create a strong password:

• Make your password as long as possible
• Mix letters, numerals and symbols
• Try not to use a word: simply replacing the letter “A” with 4 in a password like “4pple” is simple to decode
• Don’t use elements of your name, address or company name as they are easy to guess
• Don’t use the same password for every online service you use
• Change the password every six months or so, just to be safe
• Don’t write down your password
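The checkable items in the list above (length, character mix, dictionary words disguised with letter-for-number swaps such as “4pple”, and personal details) can be turned into a simple strength check. The code below is an added example, not part of the article. The 12-character minimum, the substitution table and the tiny word list are assumptions of this example; the article only says “as long as possible”, and a real check would load a full dictionary or a list of previously breached passwords in place of `COMMON_WORDS`.

```python
import re

# Constructed stand-in for a real dictionary / breached-password list.
COMMON_WORDS = {"apple", "password", "welcome", "dragon", "summer", "letmein"}

# The substitutions crackers try in reverse, so "4pple" normalises back to "apple".
LEET_MAP = str.maketrans({
    "4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})

MIN_LENGTH = 12  # assumed threshold; the article only says "as long as possible"


def deleet(password: str) -> str:
    """Undo common letter/number/symbol substitutions and lower-case the result."""
    return password.lower().translate(LEET_MAP)


def check_password(password: str, personal_terms=()) -> list:
    """Return a list of problems; an empty list means the password passes every check.

    personal_terms: name, address or company fragments that should not appear.
    """
    problems = []

    if len(password) < MIN_LENGTH:
        problems.append(f"too short (under {MIN_LENGTH} characters)")

    classes = sum(bool(re.search(pattern, password))
                  for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("mix letters, numerals and symbols")

    normalised = deleet(password)
    if normalised in COMMON_WORDS or any(w in normalised for w in COMMON_WORDS if len(w) >= 5):
        problems.append("based on a dictionary word (letter substitutions do not help)")

    for term in personal_terms:
        if len(term) >= 3 and term.lower() in normalised:
            problems.append(f"contains personal detail {term!r}")

    return problems


def is_strong(password: str, personal_terms=()) -> bool:
    return not check_password(password, personal_terms)


if __name__ == "__main__":
    for candidate in ("4pple", "J4ne-Smith1984", "Tr4ct0r-Orchard#Meadow91"):
        # "Jane" and "Smith" are constructed personal details for the demonstration
        print(candidate, "->", check_password(candidate, personal_terms=("Jane", "Smith")) or "ok")
```

The point the article makes about “4pple” is visible in `deleet`: because the substitutions are the first thing a cracking tool tries, they add almost nothing, so the check normalises them away before comparing against the word list.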

By Simon Sharwood
My Business, September 2008

