If my bank did a better job of protecting its customers who choose to do online banking over the Internet, I might tell you who they are. However, since they have recently decided to implement weaker online protections than they previously had in place, I will from now on refer to them as Last-Place Infidelity Bank (LPIB).
I was already in a funky mood when I received an email from LPIB that read as follows: “Dear Mr. Moore; Your Online Banking account and free Bill Pay service have not been accessed since 9/18/2008. It is our goal to provide you with the most convenient financial services available. For security reasons, please contact Customer Service within the next 30 days to reactivate your Online banking account and Bill pay service. If we do not hear from you, your account will be deleted.”
“Isn’t that just swell?” I thought. True enough, I rarely do online banking; I just don’t have much use for it. Even so, I hadn’t really planned on spending the morning trying to talk my bank into not cancelling my online account. At least they didn’t put links in the email for me to click on; instead, phone numbers for Customer Service were provided. After checking to make sure that the phone numbers were legitimate, I called LPIB and was connected to a cheerful customer service representative.
I should have been tipped off from the get-go when I saw how easy it was to access and change my account information. In order to confirm that I was who I said I was, all Miss Cheerful asked me for was my account number and the amount of my last deposit. Suddenly, I was no longer a stranger, but a valued customer with all of the rights and privileges of a king. The moral of this part of the story: don’t lose your checkbook or throw away un-shredded deposit slips.
The worst was yet to come, though. I was informed that I was going to be issued a new, temporary online banking password, and that I should log in to my account and change it to something more secure. My new temporary password was the last four digits of my “Social.” Ugh; that would never do.
If you have been reading my columns for any length of time, or witnessed the password-cracking demonstrations that are part of the free computer security class that I teach at our local library, then you have heard my rants about password security. Good, strong passwords should be a combination of upper and lower-case letters, numbers and special characters, such as “*@&$%!.” A good password should not resemble any word that can be found in any dictionary on earth. Instead, it should look like total gibberish and be as long as possible.
With that in mind, you can imagine my horror when my bank’s website would not allow me to use the best password possible. Before all of this rigamarole, I had a password that was 12 characters long and met all other good-password requirements. Now, some boneheaded junior security novice at my bank, most likely a graduate of the Jethro Bodine School of Double-Naught Spies, has decided that all passwords must be limited to 6-8 characters and special characters are not allowed. This person should be fired. As things now stand, I can have a better password for a Gmail email account than I can have for my bank account. This is totally unacceptable.
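To put the two policies in numbers, here is an added example (my own illustration, not code from the column or the bank) that checks a password against each rule set and computes the entropy of the strongest random password each one permits. The length limits come from the column; the alphabet sizes and the sample passwords are assumptions I constructed.

```python
import math
import string

# Constructed policies. "old" approximates the rules the author's former
# 12-character password satisfied; "bank" is the new 6-8 character limit
# with special characters disallowed, as described in the column.
POLICIES = {
    "old":  {"min": 12, "max": 12, "specials": True},
    "bank": {"min": 6,  "max": 8,  "specials": False},
}


def check_policy(password: str, policy: dict) -> list:
    """Return the reasons a password is rejected under a policy (empty if accepted)."""
    problems = []
    n = len(password)
    if n < policy["min"] or n > policy["max"]:
        problems.append(f"length {n} outside {policy['min']}-{policy['max']}")
    if not policy["specials"] and any(not c.isalnum() for c in password):
        problems.append("special characters not allowed")
    return problems


def max_entropy_bits(policy: dict) -> float:
    """Bits of entropy of the strongest uniformly random password the policy allows."""
    alphabet = 26 + 26 + 10                    # upper, lower, digits (assumed alphabet)
    if policy["specials"]:
        alphabet += len(string.punctuation)    # 32 printable ASCII symbols -> 94 total
    return policy["max"] * math.log2(alphabet)


def brute_force_ratio(stronger: dict, weaker: dict) -> float:
    """How many times more guesses the stronger policy's best password costs."""
    return 2 ** (max_entropy_bits(stronger) - max_entropy_bits(weaker))


if __name__ == "__main__":
    sample = "Tr!ck3d-L0ck"   # constructed 12-character password with specials
    for name, policy in POLICIES.items():
        verdict = check_policy(sample, policy) or ["accepted"]
        print(f"{name:4}: {verdict}; max {max_entropy_bits(policy):.1f} bits")
    print(f"bank policy is ~2^{math.log2(brute_force_ratio(POLICIES['old'], POLICIES['bank'])):.0f}x cheaper to brute-force")
```

The bank's best case is roughly 48 bits against the old policy's roughly 79 bits, so the new rule hands an attacker a search space about 2^31 times smaller.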
I was also very disturbed that Last-Place Infidelity Bank has not implemented any of the security measures known as “two-factor authentication” that are now recommended by the Federal Deposit Insurance Corporation (FDIC) and the Federal Financial Institutions Examination Council (FFIEC). I wrote about two-factor authentication almost three years ago in an article titled, “Two-factor authentication flawed, but a good move.” As of today, all it takes to access a bank account at Last-Place is a username and password. This, too, is totally unacceptable.
Last-Place Infidelity ended their email with the following: “We apologize for any inconvenience this may cause you. We simply want to ensure the safety and security of your financial information. If there is anything we can do to assist you, please don’t hesitate to call.”
Well, I’m calling. A copy of this article will be forwarded to the president of my bank. I’ll give them a week or so to get their security up to snuff. Failing that, I will move my account to a bank that understands online banking security. I hear that Bank of America now offers two-factor authentication; maybe I’ll check them out. I recommend that you, too, scrutinize your bank’s online security policies and, if found lax, fire your bank. There’s just too much at stake.