worthless security measures
my bank has the worst security for their online banking. honest.
for years, the only security feature (if you can call it a feature) was the password: seven letters or less, alpha-numeric. you couldn't even use punctuation symbols.
i guess there was one other security feature: if you messed up your password three times, it would lock your account. once locked, an account had to be reset by calling the bank during business hours and talking to a teller...
at some point the bank decided that this security was insufficient. but instead of improving their existing security (i.e. by letting me use a password of sufficient length), they decided to supplement it.
ultra-high-security lockdown
i still log in by entering my account number and seven-alphanumeric-characters-or-less password. then i hit the "extended security" page.
it appears to be a standard-issue "ask a predetermined question" security page. these are great because they don't require the user to remember anything else. a question like "what's your pet's name" is a great "are you really you" sort of check, without really increasing the chances of users writing down the answers.
except this isn't your standard security question page. this one has requirements almost as special as the password...
when my online banking went into high security lockdown mode, i got a notice that i would have to answer some questions. unfortunately, i never got to choose which questions i answered.
- Favorite Movie? this is a tough one. my favorite movies change regularly. i guess i'll just enter something. shouldn't be too hard to remember.
- Favorite Color? yeah. colors are good. blue. light grey. and green. that's a good color too. favorite? i don't think i have a single favorite.
- Favorite Sport? nope. not applicable.
- High School Name? ooh. i know this one. :)
- Spouse's Middle Name? what? i'm not married. ergo, i have no spouse. ergo, i have no spouse's middle name. ergo, i can't actually answer this question.
but my bank doesn't give me the option of skipping any of these terribly selected questions. i have to enter something for every single one of them.
remember how the reason for using security questions is to keep the user from having to remember something extra? now i have to remember the bogus answers i made up for each of the above mentioned questions. one of which was actually worth asking me. thanks for the added security.
as a bonus, i get to choose another password to remember. fortunately, this one can be longer than seven characters. unfortunately it doesn't even do the most basic security checking. i can enter "1" as my "secure" password. in fact, nothing in their system keeps me from entering "1" as my answer to every single one of their security questions, and as both of my passwords.
that's pretty quality security.
how to fix this
if you work for my bank—or anywhere else that has poor online security—here are a couple of suggestions:
- give me the option of choosing a user name. that's a ton harder to guess than my account number.
- please, please, please let me choose a secure password. real security systems don't limit me to seven characters. real security systems let me put punctuation symbols in my password. most even encourage it.
- do away with the second password. in fact, replace the first password with it. by requiring users to remember two passwords, you are, in effect, decreasing security. your users will be far more likely to write their passwords down if you make it too hard on them. if your first password is sufficiently secure, you don't need the second. even if you know exactly how long it is, the odds of successfully guessing my password are about 1/10^29. isn't that good enough?
- implement some basic complexity settings. require users to enter a password eight characters or longer. make sure it has at least one letter and one digit. encourage the use of punctuation characters.
- let me choose which security questions to answer. don't assume that because you have a spouse with a middle name everyone else does too... assumptions make for inherent insecurity.
- increase the number of failed password attempts. i've used up my allotted three tries on typos before. even giving me ten times as many tries will not have a significant mathematical impact. the only real reason to limit attempts is to stop robots, and for those you could prob'ly put the cap at three tries per second and still catch 'em all.
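as an added illustration of the above suggestions (this is not the bank's code or anything from the original post): a policy check using the thresholds listed above, a guess-odds calculation for the "attacker knows the length" case, and a per-second failure throttle in place of the three-strikes lockout. the `AttemptThrottle` class, its `clock` parameter, and the sample passwords are assumptions made for the example.

```python
import string
import time
from collections import deque

# thresholds taken from the suggestions above; everything else is hypothetical
MIN_LENGTH = 8
PUNCT = set(string.punctuation)  # 32 symbols


def check_password(pw: str) -> list:
    """return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in pw):
        problems.append("no letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    return problems


def guess_odds(pw: str) -> float:
    """probability that one uniformly random guess matches this password, assuming the
    attacker already knows its exact length and which character classes it draws from."""
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(c in PUNCT for c in pw):
        alphabet += len(PUNCT)
    return 1.0 / (alphabet ** len(pw))


class AttemptThrottle:
    """per-account rate limit: at most `limit` failed attempts per `window` seconds.
    a human mistyping a few times never trips it; a scripted guesser does, and nobody
    has to phone a teller to get unlocked."""

    def __init__(self, limit=3, window=1.0, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.failures = {}  # account -> deque of failure timestamps

    def allow(self, account: str) -> bool:
        now = self.clock()
        q = self.failures.setdefault(account, deque())
        while q and now - q[0] > self.window:  # forget failures outside the window
            q.popleft()
        return len(q) < self.limit

    def record_failure(self, account: str) -> None:
        self.failures.setdefault(account, deque()).append(self.clock())
```

with a seven-character lowercase password the odds are 1 in 26^7 (about eight billion); fifteen characters drawn from all four classes gets you past the 1/10^29 figure quoted above.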
Comments
Haha - your bank sucks. Seriously, I've never heard of something so bad. My bank recently "upped" their security with these stupid questions too, but at least they let you choose or write your own.
To see just how secure these kinds of security questions were, John Hargrave investigated:
http://www.zug.com/pranks/visa/
to put the odds of guessing my password in perspective:
moral of this story? if you want to die a horrible death and be canonized for it, start trying to guess my password.
key bank won't let you enter in a password longer than 6 characters. alphanumeric only. their new "high security measures" make you enter in your debit card number if they don't recognize your computer, which is LAME if you need to access your account from another computer and don't have your debit card, or if your card was lost/stolen and you don't have your new one yet.
hey! i just remembered why i don't keep the majority of my money at key.
True two-factor authentication would be nice. I say you demand an RSA token.