[identity profile] rose-welch.livejournal.com posting in [community profile] techrecovery

My bank overhauled its perfectly fine, secure online banking site, and the new site was unveiled today.

Too bad nobody can see it.

They've given messages concerning the changeover every time we logged in for the last two weeks. I printed out a copy so I wouldn't have to call in and bleat at them like all of the other stupid sheep. I wore a smug smile on my face as I stapled the two sheets together and placed them in a folder on my desk. It said we would have to reset our passwords.

It did NOT say that they would reset our passwords for us.

And not tell us what the new ones were.

*headdesk*

So I call the number it tells me to. I get network failure. Seven times. Huh. They must be very busy. Wonder why?

I call my bank. The cheerful switchboard operator tells me to put in the last four of my social. Doesn't work. She says try it again. Doesn't work again. But it does lock me out of the system. She transfers me to the local call center. I try to be really nice because I KNOW that they have had the Morning From Hell.

The guy tells me to put in the last five of my social, not the last four. I tell him he probably needs to call the main line of the bank and tell them that because that's what they're telling everyone else. He demands, 'Who told you?' and I start to say 'the switchbo...' and he demands again, 'Who told you?' and I start to say who and then he interrupts again and I waited until I heard silence and said that if he'd be quiet for a second I'd tell him who. He got very quiet. I told him who and then he transferred me to his supervisor so I could tell her what I just told him.

The supervisor of the tech support call center cannot reset my password. I asked her if she's sure, because when I first started using the website, I'd had a password problem and they reset it in like five minutes at the main branch of the bank, over the telephone. She explained that with the new system, only the call center can do anything. Not the local call center, the national call center.

So I call them and wait in the queue. I finally get someone, who resets me, I log on and am presented with layers of stupid security. It wants to know my father's birthday (haven't a clue), what high school I attended (I didn't.), what the mascot was (Of the high school I didn't attend?), what street my mom grew up on (Army brat.), and other dumb security questions that ensure that not only can fraudulent users not use your account, but real users can't either. I don't have an answer for any of the questions offered.

What a novel idea! If no one can use it, then no one can steal information. Perfect security!

On top of that, every feature uses JavaScript so my pop-up blocker is going nuts. Some of these can be right-clicked and opened in a new tab, but not most of them. Oh, yeah, plus, it wants me to designate this computer as a 'safe' computer. This means that I'll only have to put in my login info once per day and if I use any other computer I'll have to go through six billion layers of 'security', including but not limited to the three security questions. Anyone wanna take a bet on how many people make their shared work computer their 'safe' computer?

The worst part is, the old site was perfectly secure. It was fine. It wasn't as pretty as this site, and the bank logo wasn't splashed everywhere, but it was a good, secure, simple site that WORKED.

*headdesk* *headdesk* *headdesk*

Date: 2008-05-02 03:20 pm (UTC)
From: [identity profile] lillyflowers.livejournal.com
Our bank converted to this fiasco of a system some time ago. It asks me Every Damned Time 3 security questions and it's annoying as hell.

It also strikes me as rather funny that this is "security". Consider that the sheep are online, frequently via poorly/non-secured wifi. All this info "flying" about to be snatched by some war driver is secure? Ya, okay. Just give them more info to work with to snatch someone's identity/money...

Date: 2008-05-02 03:33 pm (UTC)
From: [identity profile] wxgeek.livejournal.com
If you're sniffing and cracking an SSL connection with the laptop in your car, I'm really, really impressed.

Date: 2008-05-02 03:38 pm (UTC)
From: [identity profile] lillyflowers.livejournal.com
Not me. But it's been done all too frequently.

Date: 2008-05-02 06:15 pm (UTC)
From: [identity profile] mattcaron.livejournal.com
Cracking SSL? Doubtful, unless a really weak algorithm is being used.

All this crap about insecure WiFi (aka - an insecure Layer 2) is just that - crap. The only difference with wired is that you need to compromise a switch. There is a reason that application-layer (Layer 7) and Network/Transport (3/4, respectively) encryption predates wireless - because wired is not secure either.

Date: 2008-05-02 07:38 pm (UTC)
From: [identity profile] lillyflowers.livejournal.com
Hmmm. Then, I wonder how they got the Hannaford stuff, or the TJX stuff or [insert some other company]. As I recall, the data was wireless and it was sniffed. Some guy did manage to break into a Home Depot (?) system as well.

Nothing is secure. But, I don't believe I'm wrong in saying some ways are more secure than others.

Date: 2008-05-02 08:05 pm (UTC)
From: [identity profile] mattcaron.livejournal.com
As I recall, the data was wireless and it was sniffed

That may be so, but that has nothing to do with the standard https connection most folks use to talk with banks, excepting that they share a transport medium.

But, I don't believe I'm wrong in saying some ways are more secure than others.

You are not. However, to believe that wired is more secure than wireless is a common mistake. Assume that NEITHER is secure because you do not control both ends of the pipe + all intermediary connections, and then act accordingly.

The only thing I ever assume in e-commerce is that their backend is secure (which is completely false, but you are not liable for it). This is why my accounts for shopping are different from my accounts for other things. If you get those systems, you don't get my systems.

Date: 2008-05-02 08:15 pm (UTC)
From: [identity profile] lillyflowers.livejournal.com
I probably wasn't all that clear. LOTS of people just pop their wireless rig out of the box and start surfing. They don't change the admin, pw or filter by MAC address etc. THAT info is just floating out there for some smart guy/gal to grab.

For many reasons, when it's feasible, I've been doing the in-person cash route more and more these days. It's a bit more of a hassle, and you could be out the cash if you lose it somehow, but that's the extent of your exposure.

Date: 2008-05-02 08:39 pm (UTC)
From: [identity profile] mattcaron.livejournal.com
I probably wasn't all that clear. LOTS of people just pop their wireless rig out of the box and start surfing. They don't change the admin, pw or filter by MAC address etc. THAT info is just floating out there for some smart guy/gal to grab.

And what I am saying is that it doesn't really matter if you do that. It doesn't matter if you don't use wireless at all. I can still dump all your traffic from somewhere else along that pipe - unless you're encrypting it. Why do you think we use https over wired? So that people can't sniff your stuff in transit. Similarly, if you are using unencrypted wireless (layer 2) but are using https (layer 7) it means I need to break the 256-bit AES encryption which you are using for your layer 7 before I can sniff what you are doing.

To put it another way - how do you get your email? POP? IMAP? Are you using SSL on that? If not, then you are sending your username and password over the intertubes in plain text, which means that I can conceivably snarf that and read your email. I hope you don't use that username/pw other places.....

Date: 2008-05-02 06:18 pm (UTC)
From: [identity profile] mattcaron.livejournal.com
He who approaches the bank of death must answer me the questions three, ere his account he sees!

Ask me the questions bank keeper, I am not afraid?

What - is your name?

J. Random User!

What - is your quest?

I seek my account balance.

What - is the name of your Aunt Alice's childhood cat?

What do you mean, her black cat or her orange striped?

Uh.. I don't know that. (FCHOOOM!) AAAAAAAaaaaaahhhhhhhh.

Date: 2008-05-02 07:40 pm (UTC)
From: [identity profile] fixerkitty.livejournal.com
Hah!! Well done.

I'd love to see that overdubbed on the Python clip. ;)

Date: 2008-05-02 07:41 pm (UTC)
From: [identity profile] lillyflowers.livejournal.com
It sure feels like that Monty Python bit, doesn't it? TDF

Date: 2008-05-02 08:23 pm (UTC)
From: [identity profile] laviededavid.livejournal.com
thats priceless.....

Date: 2008-05-02 03:29 pm (UTC)
From: [identity profile] wxgeek.livejournal.com
Was the old site secure?

Date: 2008-05-02 10:31 pm (UTC)
From: [identity profile] guinevere33.livejournal.com
The American Express website explicitly forbids passwords LONGER than 8 characters :P I've considered phoning them to tell them what I think of this policy.

Date: 2008-05-03 03:05 am (UTC)
From: [personal profile] jecook
Yeah. I'm a bit cranky about that myself.


All this big huge fuss over security, and they won't let me toss one of my "standard" secure passwords in because it's longer than 8 characters, AND has funky characters in it.

It's almost like the passwords are being stored on an ancient OS/400 machine or something...

Date: 2008-05-04 04:30 am (UTC)
From: [identity profile] lintilla.livejournal.com
My bank won't let me use non-alphanumeric characters. That pisses me right off.

Date: 2008-05-02 03:29 pm (UTC)
From: [identity profile] altorogue.livejournal.com
Oh, I HATE one of my banks specifically for that reason. I was overseas for a while and it didn't like my laptop over there. I finally gave up at one point and emailed all the login info to my mom back in the States, and let her deal with it.

Now my other bank, I just checked my balance at work. *loves*

Date: 2008-05-02 03:44 pm (UTC)
From: [identity profile] fnordx.livejournal.com
As someone who actually works on bank systems for a living, a lot of those "security" measures are actually required by the FDIC to prove that you are who you say you are, etc. The trick to those is that it doesn't actually care what answers you put in those questions, as long as you can remember it...

Just don't be TOO clever, or else something like this (http://www.wired.com/culture/lifestyle/commentary/alttext/2008/02/alttext_0220) might happen...

Date: 2008-05-02 06:29 pm (UTC)
From: [identity profile] ravan.livejournal.com
Father's birthday: Feb 50, 1930
High School: NeverNever Land
HS Mascot: Existential Blue Grue

You can put in BS, as long as it's consistent BS.

But yeah, the "three questions" BS assumes a very suburban, white, middle class life.

Date: 2008-05-03 03:07 am (UTC)
From: [personal profile] jecook
Indeed.

One of my creditors put this crap in. *every* time I've done a payment on their site, I get asked the damn questions.

I mean, it's not very secure if one has to resort to keeping a text file floating around somewhere with the answers to the 654687354E8635 challenge questions they force you to use...

Date: 2008-05-02 07:09 pm (UTC)
From: [identity profile] mariasama16.livejournal.com
I'd even have a hard time with those security questions. I attended 2 different high schools in 2 different states (and ironically, for 2 years each). Depending on my mood, I might choose one or the other. Thankfully, my bank hasn't gotten that bad (and did the normal of letting us choose our own security questions).

Date: 2008-05-03 04:16 am (UTC)
From: [personal profile] jjjiii
Egads, man. Abandon ship!

Date: 2008-05-05 07:37 pm (UTC)
From: [identity profile] mirar.livejournal.com
Yes, I'd say "okthxbye" and switch bank.

Date: 2008-05-05 07:36 pm (UTC)
From: [identity profile] mirar.livejournal.com
The funny questions are a weird interpretation of security rules some actual initiated security fellow(s) figured out; you will achieve higher security by
1) checking that the user knows something (password, pincode)
2) checking that the user has something (challenge-response codebox, lottery ticket, smartcard)

this immediately got misinterpreted, since it's expensive to give the users something physical. The new interpretation is now
1) checking that the user knows something (password, pincode)
2) checking that the user knows something else (answer to irrational questions)

which makes everything harder and doesn't improve security.

*sigh*

I'm so happy my bank in the latest lets-rewrite-everything just changed the layout to annoyingly boring and gray. (Yes, they managed to get a boring grey layout to be annoyingly boring and gray. On an online bank.)
