A lot of you have asked, so here's the skinny on my bank problem.
It started when I went to check my balance and saw this message. The relevant line is "Your initial password will be the same as your User ID...." Holy crap!
So, I sent a detailed email to the bank's address as well as to the two people I'd had previous email contact with. The email not only pointed out why that password policy was totally insecure, in case it wasn't obvious, but it detailed the steps they'd need to take in order to remedy the problem. This was Sunday night.
Monday morning, and no response, and no change on the site. Monday afternoon, I called the operations VP at the bank (who hadn't been on the original email). I introduced myself and explained the problem. After several minutes of her trying to claim that the system was not insecure and me explaining why she was wrong, she admitted that she had read my email (why didn't she say so before?) and had forwarded it to their IT person, who had "taken it under advisement". I confess to getting completely flustered at this point, and we hung up. I was just so amazed, and I still am, that officers of this bank are apparently the only people in the whole world that don't see this as a significant security breach.
Right before the close of business on Monday, she sent me an email. Apparently their IT manager had read the email and wished to respond, so she wanted to know if I'd be free for a conference call later this week, or an in-person meeting early next week. What is she, his secretary? He couldn't respond to me himself? I sent a response, giving more examples of why it's a problem, and letting them know that the thing that bothered me most was not as much the initial situation as their continuing casualness about the security of people's financial information.
The next day she sent me an email notifying me that her response was being sent via US Mail. I haven't the faintest clue why she couldn't send them via email, but anyway.
Today the letter arrived. It was more of the same. Some choice quotes:
"Only a current customer of internet banking or a person our customer shared their ID would know the formula, therefore the risk of who would have the ability to enter the system is negligible."Gee, why even have passwords, then, if the usernames are so hard to guess? They aren't, of course. Out of courtesy to the bank's other customers (because I'm sure not feeling very loyal to the bank anymore), I won't reveal the whole scheme here, but suffice it to say that users have no choice over their account name, and it contains nothing but (deterministic parts of) your full name, followed by a number which is usually 00 (presumably a serial number).
"Your suggestion that the password should have been mailed or requiring clients to come into the bank has several flaws. Stealing someone's mail is still the highest form of identity theft today. Many of our clients do not live conveniently close by or keep hours that would allow them to stop by the bank to receive a new password. This method would prevent a vast majority of our clients from receiving a new password, and therefore, access to their online account(s). The idea behind internet banking is customer convenience."The clear message here is that the bank ranks customer convenience as a higher priority than customer security, and furthermore that they are willing to sacrifice everyone's security for some people's convenience. Furthermore, she is implying that the security risks posed by thieves stealing mailed passwords are greater than those posed by simply giving the thieves the passwords outright. It'd be comical if it weren't so serious. The chilling punchline: "Our new provider is one of the top internet banking companies in the nation."
In an interesting recent twist, I notice that the page detailing the new password policy no longer exists—not only is there no link to it, they've actually taken the page down. I wonder if they randomised the passwords of the people who've not yet logged in? Because, as I told them, that's not enough; since this hole has been open for nearly three weeks now, they have to assume that even if an account has been used since the changeover, that might have been by a malicious user. So now I think they're trying to cover their tracks, perhaps realising the flaws in the original security, perhaps not, but still not willing to actually fix the security breach.
So, like I said, now seeking another bank. Hopefully local. But while being a local bank may win you warm fuzzy points, it certainly can't trump a complete disregard for information security. At this point, I can't imagine what they'd have to do to convince me to stay, after their thorough work at convincing me they are completely clueless about security and just don't care. I just hope their other customers are lucky enough not to fall victim to fraud and theft as a result of the lax security.
"That there is still a craving for occasional formality is evident on the two such occasions left for it---the prom and the wedding. It would be nice if the older generation could show them what it really is. A hint: It is not riding around town in an impossibly long and expensive car, throwing up." --Miss Manners
Posted by blahedo at 10:54pm on 22 Mar 2006