Stupid bank security

I’ll be commenting on those answers to special questions that some banks use.

Yesterday, I logged into my bank site to check the balance.  The first page I saw told me how they were going to protect my security.  Then I was asked for information.  The first item was a phone number.  Okay thus far, though I’m pretty sure that they already know that.

The next information was three questions to which I should supply answers.  I had some choice in the questions.

That was when I bailed out.  I did not have time for that tomfoolery, so it would have to wait till the next day.  Except there was no way to bail out.  There was no “cancel” button.  There was no “logout” button.  There was no “remind me to provide this information next time” button.  All I could do was close the browser.  I hope that they were only using a session cookie, which would have been flushed by closing and restarting the browser.

So today, I went back to the bank site to provide them with their silly information.  As I did so, I opened an editor to update the file where I keep records of such things.  It is an encrypted file, which makes editing it more tedious.  When I looked at that information for this bank in my file, I could see that I had already gone through this nonsense twice before.  The first time (probably when I opened the online access account) I had provided answers to four questions.  The next time it was three questions.  This time I also entered the date, so that I’ll know that when they do this to me again.

The claim, on the bank page, is that these questions protect me.  They say that they might ask me for the answers from time to time (though they never have).  But what protection do they provide if the bank just throws them away and asks for a new set of answers?  Why did they not at least ask me to give the answers to the old questions before requiring me to change them?  If these questions were for extra security, they should have required such verification.

Why have they never notified me that the old questions and answers have expired?  Perhaps I need to have 10 sticky notes attached to my screen in case they ask for any of the 10 answers I have provided.

This whole procedure is sloppy.  My suspicion is that they weaken my security, rather than strengthen it.  They probably allow login with these questions if I cannot provide the password, and that could potentially be a weakening of security.



About Neil Rickert

Retired mathematician and computer scientist who dabbles in cognitive science.
