Sunday, January 29, 2012

Secret question fail

My credit union switched to a new service provider for online banking and bill paying. The good news is that they’ve chosen a service provider that has a fairly modern-looking interface, unlike the 1990s interface of their old provider. Among other things, they no longer use a captcha as a security factor and they now require “the latest versions of Internet Explorer and Firefox […] SSL compliant with 128 bit encryption” instead of IE5 and Netscape 6.2. I keep thinking that old interface was screen scraping a TN3270 session in the background. The new interface at least gives the appearance of having been written this century.

They did not set the world on fire with their state of the art authentication though. As far as I can tell, they still think that a secret question is a second authentication factor, and they regressed significantly by prohibiting me from creating my own questions. I used to have a secret question like ‘Who is Z's5.'vYCf!.v/Zu31wkJYjR’ with an answer something like ‘y=t0FgZtH+CMPS-!tjLB_Cac’.

Now I’m stuck with:

[Image: Bank-questions]

This is really unfortunate. Of the 20-odd questions, at least 11 are available via ordinary public record searches, searchable ancestry records or social networks, and some of the remaining questions have limited entropy. In my case, various relatives of mine have published enough family history that all of the ancestry-related questions are unusable for identity verification. The selection of questions is really poor.

I certainly hope that the credit union customers are smarter than the service providers and take it upon themselves to compensate for the service provider’s incompetence by fabricating nonsensical answers to the questions.

I also hope my long gone grandfather isn’t too put off by my assertion that his occupation was ‘.oUDq9%Y^yP7dRJoM9TTSG’.
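The approach the post takes, treating each secret question as one more password-manager entry with a CSPRNG-generated answer, is easy to put in code. The example below is an added illustration and not the author’s own tooling: it generates answers like the ones quoted above with Python’s `secrets` module, builds a per-question “vault” of distinct answers, and puts a rough number on why this beats a truthful answer. The answer-space sizes for the sample questions are constructed, hypothetical estimates (not figures from the post), and they are deliberately generous, since real answer distributions are skewed toward a few common values.

```python
import math
import secrets
import string

# Printable ASCII minus whitespace: 94 symbols, roughly the set the post's
# sample answers (e.g. 'y=t0FgZtH+CMPS-!tjLB_Cac') appear to be drawn from.
ANSWER_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_answer(length: int = 24, alphabet: str = ANSWER_ALPHABET) -> str:
    """Return a nonsensical answer drawn from a CSPRNG (secrets, never random)."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_answer_bits(length: int, alphabet_size: int = len(ANSWER_ALPHABET)) -> float:
    """Entropy in bits of a uniformly random string of this length and alphabet."""
    return length * math.log2(alphabet_size)


def guessable_answer_bits(plausible_answers: int) -> float:
    """Upper bound on the entropy of a truthful answer with N plausible values.

    Assumes every value is equally likely; real-world answers (surnames, car
    makes, birth states) are far more skewed, so the true figure is lower.
    """
    if plausible_answers < 1:
        raise ValueError("need at least one plausible answer")
    return math.log2(plausible_answers)


# Constructed, hypothetical estimates of how many plausible truthful answers a
# few typical secret questions have. Not data from the post or the bank.
TYPICAL_ANSWER_SPACES = {
    "What state were you born in?": 50,
    "What was the make of your first car?": 60,
    "What was your paternal grandfather's occupation?": 500,
    "What is your mother's maiden name?": 100_000,
}


def build_answer_vault(questions, length: int = 24) -> dict:
    """Map each question to its own random answer; this dict is what you would
    store in a password manager next to the account credentials."""
    vault = {}
    for question in questions:
        answer = random_answer(length)
        # Collisions are astronomically unlikely, but a vault with two identical
        # answers would link accounts, so regenerate on the off chance.
        while answer in vault.values():
            answer = random_answer(length)
        vault[question] = answer
    return vault


def compare_entropy(answer_spaces: dict, length: int = 24) -> dict:
    """For each question, return (bits if answered truthfully, bits if random)."""
    random_bits = random_answer_bits(length)
    return {
        q: (guessable_answer_bits(n), random_bits) for q, n in answer_spaces.items()
    }


if __name__ == "__main__":
    for q, (truthful, fabricated) in compare_entropy(TYPICAL_ANSWER_SPACES).items():
        print(f"{q:<52} truthful <= {truthful:5.1f} bits   random = {fabricated:5.1f} bits")
    for q, a in build_answer_vault(TYPICAL_ANSWER_SPACES).items():
        print(f"{q:<52} {a}")
```

A 24-character answer from this alphabet carries about 157 bits of entropy, against under 6 bits for a question whose truthful answer is one of 50 states and well under 17 bits even for a generous surname estimate; the only operational cost is that the answer now lives in the password manager rather than in memory, which is exactly where it belongs if the bank is going to treat it as an authentication factor.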
