firecat | Nutty online banking security stuff

I have a mortgage and I pay it online. When I log into the account, this is what usually happens:

1. They demand that I change my password to something different from what it was before. So I do it. I believe that the strongest passwords include letters, numbers, and symbols. So I enter a password like that. Then they tell me I can't use any symbols. So I have to redo it to something less secure.

I have a program that stores all my passwords now, but before I had that, I had trouble remembering what password I was using for this site (because I constantly had to change it and couldn't use symbols) and I kept having to call them up and get them to reset the account.

2. They demand that I answer a "security question" that I previously set up.

3. When I confirm my payment, they demand that I enter the last 4 digits of my social security number.

This seems ridiculous, especially since a mortgage account ONLY INVOLVES MY GIVING THEM MONEY. I can see reasons for using multi-factor security to protect checking accounts and credit accounts, but I can't think of any reason for someone to hack into a mortgage account.

Crossposts: http://firecat.livejournal.com/724801.html

Flat | Top-Level Comments Only

From:

zeborah

Yeah, both my bank and my workplace refuse to allow symbols in the passwords, which is a blasted nuisance for me, because my standard password-creating algorithm (which creates passwords which are easy for me to remember but still unique to most sites) requires symbols. At the same time, one scientific database I use at work insists on including symbols. I tried arguing about it with both bank and work, but they fed me the "Symbols don't make nearly as large a difference to hackability as length of password does" line, which upon further research I discover to be true, but which isn't my point anyway.

The same research also uncovered that changing one's password at regular intervals makes *no bloody difference at all* and hasn't since something like the paleolithic era. You could attempt to argue this with your bank but I doubt they'd listen.

From:

evilawyer

one scientific database I use at work insists on including symbols

Really? This goes to fortify my belief that science is truer (or at least more honest) than business. And less focused on trying to make us trust it than business (and government, and everthing else) is. "Change that password and make it long. We're only looking out for you when we tell you to do this." Looking out for me, and trying to lull me into the Orwellian era. Thanks, fellas. Glad I have that ooffee can I stuff money into.

From:

zeborah

In this case it's because they're highly protective of their data - it's one of the few databases where the institution has to pay megabucks just for a single 'seat' (ie only one person at a time can use the database) - we can afford four seats, but this still of course makes students' eyebrows raise when I explain it. Oh and every single time you log in you have to agree to their terms and conditions. Every. Single. Time. And you have to register with your institutional email address to get access (most databases trust the institution to do the authenticating for them, using IP addresses / proxies / whatever; this one requires that and registration). So I'm not overly fond of their practices in this case, but I'm unfond in different ways than I'm unfond of bank practices.

From:

evilawyer

But their data is about the members of the public (institutional entities included). Just like the banks' coveted data. Which is fine --- a commodity is a commodity and there has been no privacy for decades at the least --- but I've been depressingly finding of late, a fact that many people don't realize or, worse, still, understand this fact. "I have Ad Block. I don't care about their ads" or "I only bank on on-line when it's absolutely necessary" of "I only do things on the website if I don't have time to get down to the administration office." I'm happy for whatever "protection" any institution affords me. It's just that I hate the thought that they want me to think that it's all an altruistic exercise designed to protect me and other consumers without any sort of benefit to the institution.

From:

firecat

Length more important than symbols. That makes sense. But IME more sites require symbols than disallow them, so they are in my standard pw-creating algorithm.

From:

zeborah

I just get annoyed because the only reason to specifically disallow them is because you're such a sucky coder that you don't know how to escape them properly. And if you're that sucky a programmer then you shouldn't be programming a bank's customer service interface.

From:

amadi

This is exactly what I'm thinking. I'm reminded of the trick, if you use GMail, you can do myaddress+variable@gmail.com and whatever it is on the right side of the + is irrelevant toward getting the mail to you, but can be used to track if businesses or organizations are selling/sharing your email and also for labels. But countless places won't allow the + because their programmers couldn't be bothered to escape for any symbols in email addresses beyond . and @

My bank is one such place. It's frustrating. But they give otherwise good service so I stick with them in hopes that they'll eventually hire a better programmer.

From:

pameladean

I would bet that they just use the same security requirements, if they can be dignified with the name, for all online accounts. If they are an actual bank, they presumably have customers who might remove as well as provide money.

P.

From:

firecat

I would bet the same. But the mortgage account has a separate web site and everything.

From:

evilawyer

My theory: The whole corporate world --- banks, oil companies, governments, pretty much everyone but me --- wants me to have a false sense of security. To believe that they are looking out for me. So that I'll trust them. So they'll be able to hoodwink me on something else later. Plus have me confirm my SS number over and over again for their (and who knows who else's) future use. Nice try, guys. I write and mail checks. Which they then process electronically and get my money in seconds, but I still feel like I've shown them what I think of their "trust us" malarkey.

Maybe I could save a buck if I paid bills over the Internet. I don't care. What was it The Who said. "Won't be fooled again"?

Then again, I'm paranoid. Then again, it's pretty much worked so far.

From:

jesse_the_k

What you just said is an exceptionally accurate summary of the institutional motivation as well as personal delusion. Hurrah!

From:

evilawyer

It's good to be paranoid at times, I find.

Also --- Robber Panda icon! It's adorable!

From:

firecat

I don't understand these people who find that inconvenience gives them a sense of security. Obviously there are a lot of them, or we wouldn't have security theater at airports or needlessly complex login requirements at some web sites. But having to take off my shoes and disclose my insulin syringes and remember bizarre password rules and input all of my private information to log in just makes me feel mad, not safe.

Your way is probably smarter.

From:

evilawyer

But having to take off my shoes and disclose my insulin syringes and remember bizarre password rules and input all of my private information to log in just makes me feel mad, not safe.

Or having an airport security checkpoint person look down my underwear, but I console myself with the thought (and hopefully it's not delusional) that they don't like it any more than I do.

As for my way being smarter ---- Maybe. At least from a personal rebellion standpoint. When I run into to customer service reps who've never heard of checks, however, I'm not ssoure. I still do it, though. Just one small, probably ultimately meaningless thing that makes me feel a little bit better about my individuality in the global gestalt.

From:

firecat

customer service reps who've never heard of checks

o_0

From:

evilawyer

Scary, no? If you don't give them a card number, they need to put you on hold for 20 minutes to figure out what to do, even if all that is is to find and give you the address to mail your payment.

From:

loracs

I do all my banking on-line, including paying our mortgage and I've never heard of anything so convoluted just so you can give them money. If someone wants to hack my mortgage account and pay it off . . . well that would be okay with me. ;-)

From:

firecat

Exactly!

From:

jae

I also have a mortgage and pay it online, but it gets automatically deducted from my account every month. Do U.S. banks not do that?

-J

From:

firecat

Most US banks offer that option. I'm not using it.

From:

wild_irises

Juan Ladwig (

elisem's mammal)is a security geek, and a very smart one. He advised me some time ago to pay bills electronically from one account as opposed to through many accounts, so that's what I do. My online bank has some of the safeguards you're talking about (picture and passphrase as well as password), but nothing like the number of hoops. That would drive me crazy.

From:

firecat

Good to know, thanks!

From:

auntie_m

Yeah, one of my banks, even though I check I am using my home computer, always asks me one of my security questions, every time I go there. Even though I allows cookies and everything. I have a program that has everything memorized, so I don't have to, but it is highly annoying to have to open up that section and so I can see the correct answer.
Bother.
And since Big Harold hasn't bothered to learn anything about how to use the Family Accounts. I have the password for the accounting program and the password programs on a sticky by my computer. I figure if a thief has figured out how to get into the house, then having those passwords near the computer will be a pretty trivial find.

From:

mjlayman.livejournal.com

I pay my mortgage through my credit union and there's only the password to the credit union to put in.

From:

e4q.livejournal.com

maybe they think that if someone hacks into your account that means they can move into your house.

these people are beyond stupid. i know i would benefit from online banking, but i really can't be bothered with the rigmarole. bad enough having to have passwords for all the other stuff i do online. if you knew some of my passwords you would be SO ASHAMED of me.

From:

firecat

maybe they think that if someone hacks into your account that means they can move into your house.

No way! They'd have to get past my ATTACK CATS!

if you knew some of my passwords you would be SO ASHAMED of me.

I recently discovered that one of my passwords that I thought was fairly unusual was in the top 100 frequently used passwords found when Gawker's password database was hacked. Fortunately it wasn't one I used for things I actually cared to keep secure, but still, embarrassing.

From:

e4q.livejournal.com

i just can't be bothered. i should. maybe one day...

it's like tidying the flat...

From:

pyrzqxgl.livejournal.com

My credit union makes me change my password every 90 days, and each password has to be exactly 8 characters long with at least one letter, one number, one symbol. It usually takes me multiple tries to remember what I last changed it to, and the 8 characters used to throw me because I don't usually think about length when trying to reconstruct what I probably would have used for a password with any particular site.

From:

jenk

I have been known to use 1sDumbPW for a site that requires exactly 8 characters, a mix of upper and lower case, and at least one numeral (but no symbols).

Most of my passwords have at least 15 digits.