The worst of Best Practices
My bank is making an effort at providing better security for online account access.
I can't trust it.
For weeks, after logging in, I've been prompted to opt-in to a program that is supposed to improve security by providing answers to security questions -- they call it multi-factor authentication. Given the option to "do it later", I always passed. That is, until I was presented with three questions I never supplied answers to and no access to my account without the correct answers.
I call the number that is suggested when I run into problems. They tell me it was supposed to be gradually implemented over the period of a few months and that the deadline for voluntarily opting in has passed. I was aware that they were trying to implement this feature; I was not aware that it would be mandatory. I asked if I could opt out altogether, since I'm happy enough with an account number and password. They tell me that it was mandated by a federal regulation, but weren't able to give me any information about which regulation, specifically, mandated this change. Nor are they able to give me any details about where and how this supposedly private information is stored and to whom access is afforded. Either way, they would be happy to temporarily change the password to an arbitrary number, not of my choice, which when used would prompt me to select and answer the security questions. Each of these is somewhat personal in nature, frequently crops up at other sites (for password reset/retrieval) and, most staggeringly, is a question whose answer can be found in public records! To top it off, and to make things easier no less, I'm given the option to bypass this step in the future for the computer I'm using at the time, or for any other computer I authorize in the future.
Yep, sounds secure to me.
On the subject of Best Practices
I'm still impressed by the American Express technique of partially occluding the user name when returning customers log in... and no silly third-party solutions that may or may not have been federally mandated.
Syndicated 2006-12-08 04:10:01 from Something More Than a Machine