Thursday, May 8, 2014

Internet Security and Identity Theft

I am cynical and skeptical by nature, and it is often frustrating to witness the blatant inconsistencies and contradictions policymakers put into place compared to the day-to-day usage those policies are supposed to handle.

For example:  My financial institution is small by most standards.  They have close to ten branches, but they offer online banking so I was sold.  Their online banking is heavily encrypted.  I must have a password that is at least eight characters long, contains numbers, letters, and at least one capital and one lower case letter (they haven't gone as far as asking for special characters yet, but I'm already ahead of them on that one).  I have a picture I'm supposed to verify before logging in.  If the photo is not the photo I chose, and if the caption to the photo is not the caption I wrote, then I should know I've been re-directed (as if I wouldn't be able to tell from my browser).  I am asked a random security question each time I attempt to log in.  These are questions I answered when signing up for my account.  Finally, I am asked to change my password every ninety days to ensure proper security measures.

With all of that, I have forgotten my most recent password.  I attempted to log into my online banking, and after three attempts my account was locked and I had to actually call the bank to unlock it.

That's pretty impressive.

However, when I called the bank all I did was explain the problem I was having and tell them my name.  The person on the other end of the line reset my password for me to something benign, let me know that when I logged in again I would be prompted to change that benign password to something more personal, but that otherwise I was good to go.


With all of the security in place to ensure the safety of my financial information (which is a TON of security, by the way - check out this article from LifeHacker, specifically the chart that discusses the amount of time it takes a computer to generate a password, if you think all of that security is necessary), you're simply going to give a voice over the telephone a brand new password to an account with no more information than a name?  No need to verify my account number, my social security number, my address even?  Just a simple, "We're sorry about that.  Here you go, please have unlimited access to this account.  Thanks for calling!"

I'm not paranoid.  In fact, I'm pretty secure in the notion that nobody's out to get me - nobody's going to hack into my system and steal my identity.  Maybe because I don't really have much of an identity to steal.  I'm pretty insignificant in the grand scheme of things.  That being said, it is still pretty ridiculous to install so much security to then simply give out a password to a voice over the phone.

What can I expect from this country, though?  These are probably the same people who believe arming teachers will keep their children safe at school, or the same people who believe that the inconvenience to business professionals of having to take off one's shoes at the airport can simply be bypassed through a higher ticket price.