Not so long ago I was asked to create a secure online banking Ruby on Rails web application within a day. There was one problem with that – my Ruby knowledge. I can print “Hello World” with Ruby. That’s all.
I have a pretty good idea though when it comes to security measures, countermeasures and counter countermeasures.
It goes without saying that there will be a strong password requirement. I am not talking about the banking industry average of eight-character passwords containing only letters and numbers. No! Passwords have to be at least 64 characters long and contain at least one of every possible type of character. There will be some checks to make sure that you are not using words, names or anything else that would be easy to guess.
In fact, the Ruby on Rails bank will require you to use a proper password manager. This would be a separate desktop, web or mobile application provided by the bank. Probably also based on Ruby (on Rails). Something akin to KeePassX or KeePass, but more polished. By the way, it seems that there is no limitation on the size of the KeePassX key file. I created one with an online random generator that has thousands of lines of twenty characters each.
Obviously we can’t expect the Ruby on Rails bank customers to create their own key file. A key file will be e-mailed to them as an attachment monthly. And they will have to change their password each month.
E-mail, SMS and One Time Passwords
Customers will need to have an e-mail address. I don’t know whether we should provide free e-mail as a separate Ruby on Rails website. It’s possible, I guess. However, we should only accept e-mail addresses from providers that we deem safe. One-time passwords will be sent by e-mail, a cheap electronic USB gadget, snail mail or SMS.
Allowed IP Addresses List
It will be mandatory for clients to compose a list of trusted IP addresses from which to log in. An IP address is a special address in the format xxx.xxx.xxx.xxx, where each x stands for a digit between 0 and 9 (including 0 and 9). You can look up your IP address easily – for instance, from a special website. If done correctly, this measure should limit the number of people who would be able to log into your Ruby on Rails bank account.
We will have captchas to discourage simple bots. Users will be asked to gradually compose a list of personal questions and answers to those questions. This list is for extra verification. Each week a new question and answer pair will be added. The Ruby on Rails bank will additionally request proof of frequent successful virus scans. This requirement will be more relaxed towards Linux and Mac users.
We want premium account holders to have a camera pointed at their face. For their safety we will be running face recognition and gun-to-the-head recognition algorithms. Also an algorithm will be monitoring for perspiration and other signs of stress.
This concludes our security design of the Ruby on Rails bank. Now I am going to focus on the design of the security badges. Be prepared, ever vigilant and paranoid! See you tomorrow …
Disclaimer: don’t create banking applications with Ruby on Rails. I have never heard of such applications and I am pretty sure there are valid reasons for that.
Content for April 17, 2013