Bank Website Security
Conversation today with a bank person over the phone:
Me: Can I get you to start sending me statements in the mail again?
Bank rep: We've gone all online now! It's so easy and convenient!
Me: I prefer to limit how much banking I do online, for security reasons.
Bank rep: Oh, but we have two factor security! It's secure! You can change your account name so it doesn't have to be your social security number -- AND you can set a security question so only you can reset your password!
Me: Right.
(The conversation progresses. She promises to send me a statement, but meanwhile it develops that there are some questions I need answered that can't be done easily over mail and require an online account. We proceed to set that up ...)
Bank rep: ... and now you're at the password screen, right?
Me (reviewing the list of security questions): Um, you know that every one of your security questions is something that anyone could look up, right? Last 4 digits of driver's license? Last 4 digits of phone number? Last 4 digits of credit card?
Bank rep (astonished): What? Aren't there any that couldn't be looked up?
Me (scanning through list again): Well, the one on "last 4 digits of your best friend's phone number" at least requires guessing who your best friend is before they look up the number.
Seriously, every single one of their security questions was "last 4 digits of" something that's either a matter of public record, or something that's probably trivially available for $5 on shady websites.
Of course, you're thinking, you don't have to use the real 4-digit numbers for any of these. No, of course you don't! You can make up a number and use it as the answer for any of these.
In which case a better, more honest, security question would be: "Please enter a 4-digit PIN."
[ 15:59 Dec 17, 2012 ]