Farce Security Controls

[jim.halfpenny at gmail.com (Jim Halfpenny)]

I don't truely believe online payment systems are designed to extract
extra revenue. Financial institutions have been known to use dirty
tricks to do this e.g. profilling customers to determine timing
reminder letters based on how likely you are to ignore/forget it. You
are not paranoid in my opinion.

Having worked in this sector I know the main motivators are cost.
Eliminating paper billing make a big difference to cost per customer
for billing and collection. Institutions often fail to deliver good
online billing by developing an in-house app which just plain sucks.
Sounds like the password policy you mention is a knee-jerk reaction to
past criticisms.

Jim

On 23/10/2009, allen.deryke at hushmail.com <allen.deryke at hushmail.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Lately I?ve been getting very frustrated at farce security controls
> being implemented by Banks, CC?s, and Utility?s.  By that I mean
> the controls that seem to be designed only to generate late fee
> revenue.   Prompted by a previous article about special boot CD?s
> to validate bank transactions, I?ll go ahead and share some
> unorganized thoughts in the hope for an enlightening response.
>
> Some untargeted examples include:
>
> A large student loan provider who?s implemented some pretty insane
> but worthless password policy?s.  Like a 30 day password
> expiration, not being able to use the last 50 passwords, alpha
> numeric only, must be less the 12 characters, that requires you to
> confirm all of your password reset security questions while
> authenticating.  What normal user can deal with this? In addition
> to that they take 72 hours to post your debit card payments, and it
> takes 20 (counted clicks) to make a payment, confirm that you want
> to make a payment twice, view two adds, and finally approve the
> payment.  <- Their only motive seems to be: make their online
> payment site so worthless that you either opt to pay extra for
> paper statements to pay by mail, or incur a late fee now and again.
>  Why make a user provide the same 5 (generic) password reset
> questions needed to reset a password with the password, at that
> rate what?s the point of the password?
>
> An online bank that tries to remember which computer can access
> your account with a cookie.  Online banking works because you can
> access your account from the computer, or cell phone.  It?s a
> convince, however this bank seems to think that they need to
> validate my valid username and password by emailing me a code to
> authorize other computers.  I can almost see an anti malware value
> here if 1.) Grandpa had a different email login from his bank login
> 2.) If people protected their email password better then their bank
> password. 3.) Security by secret cookie ever actually worked.
>
> I have many more but they aren?t as dramatic and moronic.
>
> As more and more places are moving away from paper billing and push
> users towards the ?green? online payment alternative. What I?ve
> been noticing is a persistent effort to lock users online, find a
> way to cash in on ?payment fees?, and then use security controls to
> establish other fees.
>
> Has anyone else noticed this trend?  And more importantly how do we
> avoid the trap of capitalizing on security by using it to lock out
> the legitimate account holder.
>
> - -- Allen Deryke
> -----BEGIN PGP SIGNATURE-----
> Charset: UTF8
> Version: Hush 3.0
> Note: This signature can be verified at https://www.hushtools.com/verify
>
> wpwEAQMCAAYFAkrg/xwACgkQDIjDYcBm5pZSngP9GMaMwwnRtScj/G41hGEAYydND2ns
> mIJBt8sTOoCGtH71ZTbS1nA/jIQ6jxJpUS7ty5LxR/kBZ3P/hstfVuFlG7k/lz32DX0o
> ydyL86vhnUZdvFWUYeePuQCMHoLgCxgOT7Kin9YVGI4IVcVlNvxX1uH8fZl42BpisNhs
> BTd+mOI=
> =b7Rx
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com

-- 
Sent from my mobile device