the recurring nature of security versus usability
Last February, I complained about my bank's updated security requirements, which require me to answer three so-called personal questions. Today, I found out that the situation is even more annoying than I had originally thought: they want me to change my questions annually.
My bank does this by randomly selecting questions from some list and presenting three non-overlapping groups of questions. Last year, I had to repeatedly generate new questions (by quitting the process and logging back into the website) until I could get one question in each of the three groups that I could actually answer. The questions this year appear to be worse. Or maybe they're asking the same questions and I'm just crankier about it, because I didn't think I'd have to go through this whole thing again.
Reading through my bank's website, I see that they're going to continue to do this about once a year. This is enough to make me consider switching banks. I'm generally happy with my bank, but I've recently established a relationship with another bank for a mortgage. The general desire to minimise the number of accounts I need to log in to, and the specific desire to avoid security features that don't actually make my account more secure, is enough to make switching banks look rather attractive.
Another point that annoyed me about going through this process this time was reading the FAQ to see why they were doing it again. I'm rather annoyed that the FAQ insists my personal information is even safer than before. If they're going to make that kind of assertion, I'd like to see some kind of evidence. They also recommend that, if you have a joint account and both of you log in, you should select the answers together so that both of you know them. But their questions are all written with a single answerer in mind, so both parties somehow have to know where one of their four (or more, if there were divorces) grandfathers was born.
My favourite useless question of those presented to me is 'what is your favourite culinary ingredient', although 'what was the family name of your nearest neighbour in 2000' is a close second, and 'how much were you paid per hour in your first job' is also entertaining. The first is wide open to a guessing attack: the space of plausible answers is tiny, and a large share of people are going to answer 'garlic' or 'chocolate'. The other two are questions I will never be able to answer consistently. I also liked that one of the so-called secure questions asks for the name of my high school, which anyone with access to my Facebook profile can answer.
All of this serves to make my account less secure in practice. I'm generally a good girl about passwords: I update them regularly, they're never things that people could guess (they're randomly-generated strings), I don't share them with anyone, and I don't even write them down. I somehow manage to keep all of my passwords in my head; I don't use any utilities to keep track of them for me. But answers to questions like these, even ones that supposedly only I know, I'm not going to remember very well. Someone suggested ignoring the questions and treating the answer fields as additional passwords, but I'm not going to be able to remember something used so infrequently. In any case, it seems likely that I'm going to have to write the answers down, which is inherently less secure than keeping them in my head.
Comments
- Anonymous, February 26, 2008: The comment has been removed.
- Anonymous, February 26, 2008: The comment has been removed.
- Anonymous, February 28, 2008: The comment has been removed.
- Anonymous, March 09, 2008:
The Government's homeland security now requires banks to institute the 3-question, password, and ID number access type of security, and they ask you to register your computer. If you do not allow this intrusive registration snoop, then after 4 times accessing your account you are asked the extra questions and may even have your online access to your account (not your bank account, just online access) locked out, and you must call the bank and give them information before they will unlock your access. So every 4 times you use online banking you will have a second or third question asked, or be locked out and need to call, if you do not allow them to register at least one computer you use. It is still supposedly voluntary, but with more hassle than it's worth if you don't. The bank claims it is just a simple cookie, but I have found it in my registration files and had to manually take it out. This is just a way for Big Brother to keep tabs on honest citizens.