PaulDotCom mailing list archives
Farce Security Controls
From: jim.halfpenny at gmail.com (Jim Halfpenny)
Date: Fri, 23 Oct 2009 08:50:46 +0100
I don't truly believe online payment systems are designed to extract extra revenue. Financial institutions have been known to use dirty tricks to do this, e.g. profiling customers to determine the timing of reminder letters based on how likely you are to ignore/forget it. You are not paranoid in my opinion. Having worked in this sector I know the main motivator is cost. Eliminating paper billing makes a big difference to cost per customer for billing and collection. Institutions often fail to deliver good online billing by developing an in-house app which just plain sucks. Sounds like the password policy you mention is a knee-jerk reaction to past criticisms.

Jim

On 23/10/2009, allen.deryke at hushmail.com <allen.deryke at hushmail.com> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Lately I've been getting very frustrated at farce security controls being implemented by banks, CCs, and utilities. By that I mean the controls that seem to be designed only to generate late fee revenue. Prompted by a previous article about special boot CDs to validate bank transactions, I'll go ahead and share some unorganized thoughts in the hope for an enlightening response.

Some untargeted examples include:

A large student loan provider who's implemented some pretty insane but worthless password policies. Like a 30 day password expiration, not being able to use the last 50 passwords, alphanumeric only, must be less than 12 characters, that requires you to confirm all of your password reset security questions while authenticating. What normal user can deal with this? In addition to that they take 72 hours to post your debit card payments, and it takes 20 (counted) clicks to make a payment, confirm that you want to make a payment twice, view two ads, and finally approve the payment. <- Their only motive seems to be: make their online payment site so worthless that you either opt to pay extra for paper statements to pay by mail, or incur a late fee now and again. Why make a user provide the same 5 (generic) password reset questions needed to reset a password along with the password? At that rate what's the point of the password?

An online bank that tries to remember which computer can access your account with a cookie. Online banking works because you can access your account from the computer, or cell phone. It's a convenience; however this bank seems to think that they need to validate my valid username and password by emailing me a code to authorize other computers. I can almost see an anti-malware value here if 1.) Grandpa had a different email login from his bank login 2.) people protected their email password better than their bank password 3.) security by secret cookie ever actually worked.

I have many more but they aren't as dramatic and moronic. As more and more places are moving away from paper billing and pushing users towards the "green" online payment alternative, what I've been noticing is a persistent effort to lock users online, find a way to cash in on "payment fees", and then use security controls to establish other fees. Has anyone else noticed this trend? And more importantly, how do we avoid the trap of capitalizing on security by using it to lock out the legitimate account holder?

- --
Allen Deryke
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at https://www.hushtools.com/verify

wpwEAQMCAAYFAkrg/xwACgkQDIjDYcBm5pZSngP9GMaMwwnRtScj/G41hGEAYydND2ns
mIJBt8sTOoCGtH71ZTbS1nA/jIQ6jxJpUS7ty5LxR/kBZ3P/hstfVuFlG7k/lz32DX0o
ydyL86vhnUZdvFWUYeePuQCMHoLgCxgOT7Kin9YVGI4IVcVlNvxX1uH8fZl42BpisNhs
BTd+mOI=
=b7Rx
-----END PGP SIGNATURE-----
_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
-- Sent from my mobile device
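The device-recognition scheme Allen describes (a cookie marking a computer as "known", with an emailed code to enrol a new one) is only as good as what the cookie actually binds. The block below is an added illustration for this thread, not code from either poster nor from any bank's system; every name in it (SERVER_KEY, ENROLLED, enroll_device, device_is_trusted, revoke_all_devices) is a hypothetical construction. It contrasts a bare "trusted=1" cookie, which anyone can set, with a token that is HMAC-signed, bound to the account, time-limited, and checked against a server-side enrolment list so it can be revoked.

```python
"""Signed device-trust token (added example, hypothetical names).

Assumed flow: after the user confirms an emailed code on a new computer, the
server calls enroll_device() and sets the returned value as a cookie. On later
logins device_is_trusted() decides whether to skip the emailed code again.
"""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Constructed key for the demo; a real deployment loads it from a secret store.
SERVER_KEY = secrets.token_bytes(32)

# Constructed server-side registry: user_id -> set of enrolled device ids.
ENROLLED = {}


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def enroll_device(user_id, now=None, ttl_seconds=90 * 24 * 3600, key=SERVER_KEY):
    """Call only after the emailed code was confirmed. Returns the cookie value."""
    device_id = secrets.token_hex(16)
    ENROLLED.setdefault(user_id, set()).add(device_id)
    exp = int(now if now is not None else time.time()) + ttl_seconds
    payload = json.dumps({"u": user_id, "d": device_id, "exp": exp},
                         sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(mac)


def device_is_trusted(token, user_id, now=None, key=SERVER_KEY):
    """True only if the token is authentic, unexpired, bound to this user,
    and the device is still enrolled (so a lost device can be revoked)."""
    try:
        p_b64, m_b64 = token.split(".", 1)
        payload, mac = _b64d(p_b64), _b64d(m_b64)
    except (ValueError, binascii.Error):
        return False  # not in token format at all, e.g. a bare "trusted=1"
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False  # forged or edited claims
    claims = json.loads(payload)
    now = int(now if now is not None else time.time())
    return (claims["u"] == user_id
            and claims["exp"] > now
            and claims["d"] in ENROLLED.get(user_id, set()))


def revoke_all_devices(user_id):
    """Server-side revocation: every token for this user stops working."""
    ENROLLED.pop(user_id, None)


def demo():
    """Exercise the checks with a constructed fixed clock; returns the outcomes."""
    t0 = 1_256_000_000  # constructed timestamp (Oct 2009)
    tok = enroll_device("grandpa", now=t0)
    p_b64, m_b64 = tok.split(".", 1)
    # Edit the claims but keep the old MAC, as someone reusing the cookie might.
    forged = _b64e(_b64d(p_b64).replace(b'"grandpa"', b'"mallory"')) + "." + m_b64
    results = {
        "valid": device_is_trusted(tok, "grandpa", now=t0 + 60),
        "wrong_user": device_is_trusted(tok, "mallory", now=t0 + 60),
        "expired": device_is_trusted(tok, "grandpa", now=t0 + 91 * 24 * 3600),
        "forged_claims": device_is_trusted(forged, "mallory", now=t0 + 60),
        "plain_cookie": device_is_trusted("trusted=1", "grandpa", now=t0 + 60),
    }
    revoke_all_devices("grandpa")
    results["after_revoke"] = device_is_trusted(tok, "grandpa", now=t0 + 60)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'trusted' if ok else 'not trusted'}")
```

The signing and binding stop forgery and reuse against another account, and revocation covers the lost-laptop case, but Allen's third point stands: a copied cookie from the real user's machine still passes, so this is a second signal layered on the password, not a replacement for it, and it is only as strong as the mailbox that receives the enrolment code.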
Current thread:
- Farce Security Controls allen.deryke at hushmail.com (Oct 22)
- Farce Security Controls Jim Halfpenny (Oct 23)