20 Dec 2006 amars   » (Journeyer)

The worst of Best Practices

The Good

My bank is making an effort at providing better security for online account access.

The Bad

I can't trust it.

The Backstory

For weeks, after logging in, I've been prompted to opt-in to a program that is supposed to improve security by providing answers to security questions -- they call it multi-factor authentication. Given the option to "do it later", I always passed. That is, until I was presented with three questions I never supplied answers to and no access to my account without the correct answers.

I call the number that is suggested when I run into problems. They tell me it was supposed to be gradually implemented over the period of a few months and that the deadline for voluntarily opting in had passed. I was aware that they were trying to implement this feature; I was not aware that it would be mandatory. I asked if I could opt out altogether; I'm happy enough with an account number and password. They tell me that it was mandated by a federal regulation, but weren't able to tell me which regulation, specifically, mandated this change. Nor are they able to give me any details about where and how this supposedly private information is stored and to whom access is afforded. Either way, they would be happy to temporarily change the password to an arbitrary number, not of my choice, which when used would prompt me to select and answer the security questions. Each of these is somewhat personal in nature, frequently crops up at other sites (for password reset/retrieval), and, most staggeringly, has an answer that can be found in public records! To top it off, and to make things easier no less, I'm given the option to bypass this step in the future for the computer I'm using at the time, or for any other computer I authorize in the future.

Yep, sounds secure to me.

On the subject of Best Practices

I'm still impressed by the American Express technique of partially occluding the user name when returning customers log in... and no silly third-party solutions that may or may not have been federally mandated.

Syndicated 2006-12-08 04:10:01 from Something More Than a Machine
