PaulDotCom mailing list archives

Farce Security Controls


From: allen.deryke at hushmail.com (allen.deryke at hushmail.com)
Date: Thu, 22 Oct 2009 20:55:56 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Lately I've been getting very frustrated at farce security controls
being implemented by banks, CCs, and utilities.  By that I mean
the controls that seem to be designed only to generate late fee
revenue.   Prompted by a previous article about special boot CDs
to validate bank transactions, I'll go ahead and share some
unorganized thoughts in the hope of an enlightening response.

Some untargeted examples include:

A large student loan provider who has implemented some pretty insane
but worthless password policies.  Like a 30 day password
expiration, not being able to use the last 50 passwords, alphanumeric
only, must be less than 12 characters, and that requires you to
confirm all of your password reset security questions while
authenticating.  What normal user can deal with this?  In addition
to that they take 72 hours to post your debit card payments, and it
takes 20 (counted) clicks to make a payment, confirm that you want
to make a payment twice, view two ads, and finally approve the
payment.  <- Their only motive seems to be: make their online
payment site so worthless that you either opt to pay extra for
paper statements to pay by mail, or incur a late fee now and again.
Why make a user provide the same 5 (generic) password reset
questions needed to reset a password along with the password?  At that
rate what's the point of the password?

An online bank that tries to remember which computer can access
your account with a cookie.  Online banking works because you can
access your account from the computer, or cell phone.  It's a
convenience, however this bank seems to think that they need to
validate my valid username and password by emailing me a code to
authorize other computers.  I can almost see an anti-malware value
here if 1.) Grandpa had a different email login from his bank login,
2.) people protected their email password better than their bank
password, and 3.) security by secret cookie ever actually worked.

I have many more but they aren't as dramatic and moronic.

As more and more places move away from paper billing and push
users towards the "green" online payment alternative, what I've
been noticing is a persistent effort to lock users in online, find a
way to cash in on "payment fees", and then use security controls to
establish other fees.

Has anyone else noticed this trend?  And more importantly, how do we
avoid the trap of capitalizing on security by using it to lock out
the legitimate account holder?

- -- Allen Deryke
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at https://www.hushtools.com/verify

wpwEAQMCAAYFAkrg/xwACgkQDIjDYcBm5pZSngP9GMaMwwnRtScj/G41hGEAYydND2ns
mIJBt8sTOoCGtH71ZTbS1nA/jIQ6jxJpUS7ty5LxR/kBZ3P/hstfVuFlG7k/lz32DX0o
ydyL86vhnUZdvFWUYeePuQCMHoLgCxgOT7Kin9YVGI4IVcVlNvxX1uH8fZl42BpisNhs
BTd+mOI=
=b7Rx
-----END PGP SIGNATURE-----
