Sent to Gazette as
"Invalid Bank Validations"
I opened an account at a local bank and signed up for electronic banking. Their system immediately robo-called to issue me a random "security" code number to enter in order to get to my account.
Because I don't allow my browser to store cookies between sessions, the bank computer will call me every time I login.
Sound good so far?
It isn't. Here's why:
If you're robbed of your laptop or notebook, chances are excellent the thief will also take your cell phone.
What if you only use a land line?
If someone robs your home, they'll probably check out your computer. A password sniffer can quickly get around a Windows login, you probably have the bank in your bookmarks, and the thief can answer the phone when the bank calls.
The bank's only alternative procedure is to email their code number, but that's even worse.
Too many people let browsers automatically handle logins and passwords. The thief would visit your email account, then copy and paste the bank's code number.
Whoever provided that security software sold the bank a handful of magic beans.
I'd prefer to think they fooled the bank than think the bank is also marketing this silly procedure as security.
My suggestion for a security code:
At enrollment have the customer choose a number between 30 and 100. That number would remain on file unless the customer changes it.
I'll use 62 as an example.
The bank's computer would call or email with a random portion of 62, such as 37. The correct response would be 25.
If someone can't type the right answer with 3 tries, deny access to the account until the customer can be personally contacted by a bank representative.
My suggestion simply changes the nature of the bank's current validation system from 'useless' to 'functional'.
If a bank computer can barf up a random number and blithely tell it to whomever answers a phone or email, it can just as easily present a truly functional security number.
That's all I have to say on this matter, so thanks for the use of your eyeballs.
If you truly need to contact me directly, use the email address on my website.
Ed Howdershelt - Abintra Press