Introduction:
With the advent of the internet, various aspects of life have been
revolutionized; everything has been taken to a different level. Amongst all
these revolutionary changes is the shift in trends concerning data
security. Gone is the time when lock and key were supposed to be kept
hidden. This is the digital era, where everything is accessible at the click of a
button. With the banking industry also being revolutionized by information
technology, the biggest threat to its modernization and adaptation is the threat
to data security. Internet banking allows its users to conduct, from the
comfort of their homes, a variety of tasks once thought impossible. Various
internet services are being provided by banks globally, from something as simple as
checking bank account balances to the wire transfer of millions of dollars at
the click of a button. With any new solution comes a problem, and with that
problem comes a solution waiting to be unearthed. Internet banking, while
having brought the ease and convenience of transacting from the comfort of
one’s home or office, brings with it the very real threat of exploitation. There
has been an increasing number of reported cases of electronic crime,
more commonly known as e-crime. E-crime generally refers to a criminal
activity where a computer or computer network is the source, tool, target, or
place of a crime. Despite the unavoidable references to ‘computers’ or
‘online activity’, e-crime encompasses a whole range of ‘traditional’ crimes -
such as fraud, theft, blackmail, forgery and embezzlement. For the sake of
our discussion and to simplify the definition, this report will deal with e-crime
as criminal activity where personal and financial information is at
stake because of weak or inadequate network security. Exploitation can
occur at various stages. This report will deal with shortcomings in
security on the part of the user pertaining to password setting, one of the most
basic aspects and something that the user can control arbitrarily.
For the progress of online financial services offered by banks to gain pace,
especially in an underdeveloped country like Pakistan, where most people
hesitate to get involved in the banking sector due to religious reasons,
the only way internet banking can gain popularity and be accepted is when
its benefits are widely publicized and all threats eliminated or
at least diminished. Banks benefit from offering this service due to its low
costs and economies of scale. The cost of serving 100,000 customers is
virtually the same as serving 10,000. Hence this system boasts huge
savings for banks. For the users, the major advantages are convenience and
accessibility on the go. With a wide range of attractive internet packages
being offered by telecom companies, this serves as a rich ground for the
growth of internet banking.
One of the key aspects of security, the most basic and the first step to
understanding the importance of security, is the significance of a good
password. A strong password, along with supplementary albeit equally crucial
measures, can protect personal and financial information
from those wishing to exploit it. Since there has been virtually no research
conducted in this area in Pakistan, we would like to take this opportunity to
research people’s awareness of the importance of passwords.
Methodology:
The rationale behind this research is the belief that many people
do not pay adequate attention when setting passwords. The focus of this
study is to identify the importance people place on the strength and privacy
of passwords, and whether they understand how weak passwords
can lead to exposure of crucial information. A direct issue arising from this is
that of people revealing personal information which may seem harmless but can
be a deadly arsenal for someone waiting to exploit and compromise
such people.
Literature Review:
Passwords have become a necessary part of most of the online activities
people perform. We require passwords to protect our data and accounts from Data
Snatchers, who are constantly looking to access our data. Passwords are
the keys that let hackers open up the accounts you use
most of the time on the internet, i.e. your email, bank account, social
networking websites, etc. So people who use a single password for various
accounts can put their valuable information or money at risk. A single
password actually helps hackers to snatch what you have, because using the
same password many times on different web sites helps them to
“crack” the password easily.
Previous studies have shown that users often write their passwords down,
and post them in obvious locations (Barton and Barton 1984; Adams and
Sasse 1999; Dhamija and Perrig 2000; Horowitz 2001). Users often
create weak passwords based on obvious dictionary words or personal
information, which can be guessed by people who know enough about them.
These weak passwords include birth dates, personal names, nicknames,
names of partners or favorite celebrities, and even the word ‘password’
(Riddle, Miron et al. 1989; CentralNic 2001; Sasse, Brostoff et al.
2001; Brown, Bracken et al. 2004). Password sharing between friends
and work colleagues has also been noted as a common practice. Many users
do this because of convenience and practical reasons (Adams and Sasse
1999), or as a result of social pressure. A recent study (Gaw and Felten
2006) showed that password reuse tends to increase as people accumulate
more accounts. Ives, Walsh et al. (2004) described the ‘domino effect’ of
multiple systems being susceptible to attacks because of password reuse.
tended to find ‘workarounds’ to circumvent system restrictions, which often
resulted in insecure password practices.
A few cases are mentioned below to show why people should be aware of
hacking techniques in order to safeguard their online activities, or should
keep their keys (passwords) strong enough that they cannot be revealed by a
hacker.
The scenario
People have often complained that they are asked to pay for
purchases they never made. This happens because
the victim’s credit card information is stolen by Data Snatchers, who
misuse it for making online purchases, and the victim is then asked to make
the payments. The parties actually liable are the Data Snatchers who have
stolen the valuable information of the credit card holders, as well as those
who have misused it.
The suspect installs key loggers and other password-revealing software on
public computers such as those in cyber cafes, airport lounges, etc. Innocent
people use these computers to make online purchases, and when they enter
their credit card information it is emailed to the suspect. Another source
of the victim’s credit card information is the various people
who handle your credit card to make out receipts for your purchases,
such as petrol pump attendants and hotel waiters, who note down the
information and later sell it to criminal gangs that misuse it for online fraud.
Anyone can easily become a victim of e-crime as there are various ways to
steal your password or personal information. This is what happened to the
American President Barack Obama.
Attacks on Password Authentication Mechanisms
User End
Questionnaire Findings
Question 1:
How do you access internet?
Question 2:
Do you use the same password for multiple accounts?
Chart: usually 33.3%, never 40.0%, yes 26.7%
Question 3:
How many characters do your passwords usually have?
Question 4:
What kind of passwords do you prefer? Tick as many as applicable
Question 5:
What do your passwords usually look like?
Question 6:
Do you share your passwords with anyone? Tick as many as applicable
Question 7:
Are you aware of any software (Password Revealer, spywares) that can be
installed on your computer to retrieve passwords entered on various
websites?
Question 8:
Do you think strong passwords can help keep financial information secure,
and virtually risk free from hack attacks?
Chart: disagree 23.3%, neutral 30.0%, agree 33.3%
Question 9:
Do you trust Internet cafe or Internet library?
Question 10:
Would you use your credit card for shopping online and other transactions?
Chart: always 13.3%, never 26.7%, frequently 30.0%, rarely 30.0%
Question 11:
Do you think there is a fear using credit card?
Question 12:
If yes, then if there is an arbitrary password associated with using your credit
card information would you use your credit card then?
Chart: don't know 43.3%, no 23.3%, yes 33.3%
Question 13:
Do you conduct transactions using your online bank account?
Chart: no 46.7%, yes 53.3%
Question 15:
What do you think is the reason behind increasing cases of Electronic
crime?
Tick as many as applicable
Research Analysis
The research is based on the responses of a sample population of 30 individuals,
aged above 25, with professions ranging from lecturer to industrialist, banker
and newspaper sub-editor, and from freelance software writer to production
manager. This ensured that the sample population came from different
backgrounds and had been exposed to different circumstances.
The results of the questionnaire about accessing the internet showed that
cable internet was the most popular means of access, while DSL and wireless
competed for the second and third spots. Satellite internet and any
other means of accessing the internet received zero responses. This shows that
most internet users access it through a cable network, which
requires higher safety than DSL or any other means, i.e. a personal firewall is
needed.
DSL Internet 8 25
Cable Internet 16 55
Satellite Internet - 0
Wireless Internet 6 20
Others - 0
Total 30 100.0
Our assumption that people prefer to have the same password for various
accounts was based on the belief that about 80% of the population would
conform to this. On the contrary, the results showed that only a small minority of
26.7% always set the same password, while 33.3% “usually” used the same
password. This could signify that important accounts like banking or private
business email accounts had different passwords, while other less important
ones invariably had the same password. What was surprising was that the largest
group, 40% of the sample, chose “never”, meaning that they never chose the
same password for multiple accounts. This result was extremely favorable,
since it showed that even if a password were compromised, information from
all of an individual’s accounts would not be misused.
Always 8 26.7
Never 12 40
Usually 10 33.3
Total 30 100.0
4-6 7 24.8
7-9 15 50
Total 30 100.0
There were mixed results for the question which inquired about the
information used in passwords. While an overwhelming majority did not
use any obvious personal information like their own or their spouse’s name
or even phone numbers, a surprising 50% of the population confirmed
using their pet names in their passwords. This proves our assumption and also
exposes a vulnerability. People need to understand that using information that
is commonly known among peers can prove to be dangerous and lead to
damaging results. People who do not use any personal information in their
passwords cited other ideas for the same: from names of cars and
medicines to random phrases, things they like, initials of phrases and
combinations of dates and numbers.
Use of Personal Info Yes No Yes % No %
Date of Birth 5 25 16.66667 83.33333
Nickname 15 15 50 50
Phone number 5 25 16.66667 83.33333
Spouse's name 3 27 10 90
The most favorable result of the research pertained to what a password was
constructed of: 50% of passwords had at least two types of characters,
either i) alphabets and numerics, ii) numerics and special keys, or iii) alphabets
and special keys, while another 36.7% used all three types of characters in
their password. Only a small minority of 13.30% used simple passwords. The
result, although encouraging, highlights a key point: people do not
place importance on their passwords even though many websites now
provide testing of one’s password. They require the password to be
entered, and a bar shows the strength of the password, whether weak,
moderate or strong. Since these tools are easily available and there is a
strong likelihood that individuals are aware of them due to their
widespread availability, the mindset appears to be that even strong passwords
would not protect data against a hacker. While true in some cases, a
password can protect against hackers, contrary to the beliefs of many.
Total 30 100.0
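A sketch of the kind of check a strength bar could perform, combining the three character types counted above with the personal-information categories from the questionnaire (date of birth, nickname, phone number, spouse's name). This is an added example, not part of the original report; the function names, profile fields, length thresholds and sample values are assumptions constructed for illustration.

```python
import re

# Undo common character substitutions before looking for names (assumed list).
_LEET = str.maketrans("0134578@$!", "oieastbasi")

def character_types(password):
    """Return which of the survey's three character types are present."""
    types = set()
    for ch in password:
        if ch.isalpha():
            types.add("alphabet")
        elif ch.isdigit():
            types.add("numeric")
        else:
            types.add("special")
    return types

def _letters(text):
    """Lower-case, reverse substitutions, keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(_LEET))

def dob_variants(dob):
    """Digit strings a YYYY-MM-DD date of birth commonly appears as."""
    y, m, d = dob.split("-")
    return {y, d + m + y, m + d + y, y + m + d, d + m + y[2:], m + d + y[2:], d + m}

def personal_info_hits(password, profile):
    """List the questionnaire categories whose data appears in the password."""
    letters = _letters(password)
    digits = re.sub(r"\D", "", password)
    hits = []
    for field in ("nickname", "spouse_name"):
        name = _letters(profile.get(field, ""))
        if len(name) >= 3 and name in letters:
            hits.append(field)
    dob = profile.get("date_of_birth")
    if dob and any(v in digits for v in dob_variants(dob)):
        hits.append("date_of_birth")
    phone = re.sub(r"\D", "", profile.get("phone_number", ""))
    # Any run of 5 consecutive phone digits counts as a match.
    if any(phone[i:i + 5] in digits for i in range(len(phone) - 4)):
        hits.append("phone_number")
    return hits

def audit(password, profile):
    """Rate a password weak / moderate / strong (thresholds are assumptions)."""
    types = character_types(password)
    hits = personal_info_hits(password, profile)
    if hits:
        rating = "weak"  # guessable by anyone who knows the user
    elif len(types) == 3 and len(password) >= 10:
        rating = "strong"
    elif len(types) >= 2 and len(password) >= 7:
        rating = "moderate"
    else:
        rating = "weak"
    return {"types": sorted(types), "personal_info": hits, "rating": rating}

# Constructed sample profile and passwords, not survey data.
PROFILE = {"nickname": "Mano", "spouse_name": "Ayesha",
           "date_of_birth": "1985-03-14", "phone_number": "0300-5550142"}

if __name__ == "__main__":
    for pw in ("qwerty", "m4n0_1985", "Ayesha142", "blue-Kettle-73"):
        print(pw, audit(pw, PROFILE))
```

A password that uses all three character types is still rated weak here when it is built from the user's nickname and birth year, which is the vulnerability the personal-information question exposes.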
Concerning the sharing of passwords, 14 of the 30 people surveyed
responded that they did share their passwords, while the remaining 16 did
not. Of the 14 people who do not keep their passwords
to themselves, 50% shared their passwords with their husbands or wives,
4 people each reported having shared their passwords with friends
or siblings, and an insignificant minority of 2 people out of the 14 admitted
to having shared their passwords with their boyfriend or girlfriend. The
assumption behind this question was that respondents would be more likely to
share their passwords with their respective spouses and girlfriends/boyfriends.
This was however invalid, as people also shared such information with their
friends and siblings. The results were skewed towards the unfavorable side,
since trusting people with the crucial key combinations of bank accounts and
credit card information can leave one penniless if one ever comes across a
person who wants to misuse such financial information.
The most disappointing result of this research came from the question which
surveyed awareness of software that can steal passwords from
computers it is installed on. Such software is likely to be encountered on public
computers at airports, internet cafes and other public places. Once the login
and password are entered, they are stored and can be retrieved either by accessing
that same computer or even from a remote computer by accessing it
through the internet. This can lead to various information being
compromised, more so because there is a severe lack of awareness about
such software. An astounding 56.7% of the people reported being unaware of
the existence of any such software. This result was highly disappointing
given the nature of the sample population: aged above 25 and having
used the internet extensively for about 5 to 7 years, they were oblivious to
potentially damaging programs.
Yes 13 43.3
No 17 56.7
Total 30 100.0
When asked whether they thought passwords could help keep
their financial information secure, 56.6% of respondents agreed with this statement while 30%
were unsure about it. A mere 13.3% of the responses disagreed with the
statement. This result is reassuring, although it is not reflected as strongly in
the other findings of this research, which suggest that a majority of people
may not choose the characters in their passwords carefully.
Agree 10 33.3
Neutral 9 30
Disagree 4 13.3
Strongly Disagree - -
Total 30 100.0
When inquired about whether they trusted computers in public places, 90%
said no. Despite the population being unaware of why publicly logged in
computers are unsafe, there is a severe lack of trust in the same. Although
contrary to the previous result, this result is encouraging. At least the
population is aware that such places are not to be trusted.
Yes 3 10
No 27 90
Total 30 100.0
Concerning the next aspect of this research report, the use of financial
transactions available online, many people indicated a fear of using credit
cards and online banking accounts. 90% of the responses stated that there
was some fear associated with using their credit cards, but despite this fear
only 56.7% of the people answered that they rarely or never used their
credit cards due to the fear that their information could be misused and they
could be charged for expenses they did not actually incur. In such cases, if a
bank is notified that a credit card has been misused, the person to
whom the credit card was issued usually does not have to pay if he can
prove that he did not authorize the transactions. In cases where the
person cannot prove this, he is liable to pay, or the bank can assume a
limited liability role depending on the rules of the issuing bank. The bottom line
is that many individuals believe there is a risk when using credit cards. This
result contrasts sharply with that of more developed countries. In the USA,
for example, even everyday groceries are purchased by credit card, whereas
in Pakistan even a large investment such as a car is paid for in cash. Thus
a huge shift in mindset needs to occur before widespread
acceptance of credit cards. This can be achieved if people start accepting
that credit cards can be protected against misuse.
Averse to interest - -
Total 30 100.0
Yes 20 66.7
No 10 33.3
Total 30 100.0
Total 30 100.0
Online bank account usage has not caught on much in this country. The
reasons are many: not having the necessity to use the bank account,
since even some business transactions are carried out in cash; religious
reasons based on interest being haram; and the risk factor associated with
online transactions. Together these discourage people from using an extremely
convenient method of managing their finances. 53.3% report using their
banks’ online accounts; this figure, while positive, can also simply mean that
bank balances are checked using the service. Hence this result is ambiguous.
When the 46.7% of people who do not use online services were asked to
give a reason, answers varied from security issues to having no need for such
services, while 20% also stated that their banks did not provide such a service
yet. This is also a significant finding, since the non-availability of online
banking services denotes slow adaptation by the banking industry.
Yes 16 53.3
No 14 46.7
Total 30 100.0
Yes 10 33.4
No 20 66.6
Total 30 100.0
The reasons behind increasing cases of e-crime were reported, and 22 out
of 30 voted for loopholes in the technology used, for example bugs in software or
inadequately performing anti-virus editions and so on. Only 10 people
reported that simple passwords could be behind e-crime, while password
sharing received just above 50% of the votes. Other reasons quoted
concerned the naivety of people, which leads them to be exposed. This result
also confirms that respondents did not believe strong passwords could
contribute to the security of data.
Reasons behind Ecrime Yes No Yes % No %
Simple passwords 10 20 33.33333 66.66667
Sharing of passwords 16 14 53.33333 46.66667
Lack of antivirus 15 15 50 50
Loopholes in technology 22 8 73.33333 26.66667
Statistical analysis:
Hypothesis 1:
Ho= No awareness of any software that can retrieve passwords
Ha=Awareness of any software that can retrieve passwords
Rejection region:
Reject Ho if X-value<0.05
Conclusion:
Since the X-value is less than 0.05, i.e. 0.03, we reject Ho and conclude that
people aren’t aware of any software that can retrieve passwords.
Hypothesis 2:
Ho= Strong passwords cannot keep financial information secure
Ha=Strong passwords can keep financial information secure
Rejection region:
Reject ho if X-value<0.05
Conclusion:
Since the X-value is less than 0.05, we fail to reject Ho and conclude that
strong passwords can keep financial information secure.
Hypothesis 3:
Ho= People don’t trust internet cafes
Ha= People trust internet cafes
Rejection region:
Reject ho if X cal<0.05
Conclusion:
Hypothesis 4:
Ho= There is no fear using credit cards and online bank accounts
Ha= There is fear using credit cards and online bank accounts
Rejection region:
Reject ho if X cal<0.05
Conclusion:
Since the X-value is less than 0.05, we reject Ho and conclude that people have
a fear of using credit cards.
Statistical Analysis
Awareness of Software
Fear using credit card
Conclusion
Internet banking, a relatively new phenomenon in our part of the world, has
unleashed its opportunities almost suddenly. So fast that many users of this
technology are still not able to grasp the abilities and consequences of the
same. With our research we aim to prove that once basic internet security is
understood by our population, acceptance of internet banking will follow
hand in hand.
Most of our assumptions behind this research were proven true. These
assumptions were:
• Fear in using E banking; credit cards, online banking etc.
• Unawareness about the reasons behind increasing rates of e-crime
Our research has proven that anyone can easily become a victim of e-crime
as there are various ways to steal your password or personal information if
you are not concerned about protecting your account and personal
information against security hazards.
Recommendations
• You should change your password regularly and always after a trip
where you could have exposed your password at a remote site.
• Investing in a good antivirus to protect information.