My credit union decided to change their password recovery system today. Now, you have to choose three questions and answer them. The problem is that they are all “What is your favorite n” where n is restaurant, band, movie, song, actor, book, drink, food, place, pastime…
Uhh… have we not learned anything? People’s favorites change over time. This is not something that a customer will remember and if it is stable, it is probably all over the web on their profiles for dating and social network sites. So not only is this not a reliable way to help customers, it’s about as insecure as you can get. Furthermore, the likelihood of a person writing this down is *huge* because it’s not something that they know by heart (like “where were you born” or “what’s your first pet’s name”).
Can people please stop using favorites in the password recovery process? Pretty please with a cherry on top??
I can already imagine the bank’s sysadmin going, “Silly End-User… Trix are for Kids!”
Oh, come on danah … you don’t actually *answer* the question, do you? Regardless of the question, I tend to use the same answers, like “beats me” or “fucked if I know.”
That way, when I call and they ask the verification question and my answer, I get to say things like “fucked if I know” at them and they have to acknowledge it as correct.
What’s even better is when the system allows you to enter your OWN question in free-form text. #1 on my list: “Would you like to see me naked?” I won’t reveal the answer I use (so you can’t pwn my accounts) but it’s great fun to make a Customer Service Rep have to ask me that question on the phone.
That reminds me, I could start calling some customer service numbers, just for thrills.
Yeah, I’m childish, immature and possibly evil. But, I’m having a blast.
I switched off my credit union account to a NetBank account (which I’m very pleased with, btw) recently because I managed to brute force hack my way into my own account in under 5 minutes. They required 4 character numeric-only passwords, and your “username” is your account number, which is available for any would-be hacker on every check you write. Plus, there wasn’t a limit on how many times you could enter an invalid password. So I just wrote a quick-n-dirty Ruby script that ran through every combination of numbers from 0000-9999. My password (issued by them, not set by me) happened to be on the lower end of the spectrum. 5 minutes to crack my way in. I never got a warning related to the incident. It’s been almost 6 months since I did it.
Banking websites, sadly, are frequently less secure than the average blog.
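An added example, not the commenter’s script or the credit union’s code: a small Ruby verifier that applies an attempt limit to exactly the policy described above (4 numeric digits, so a 10,000-value keyspace), plus a local sweep that measures how the limit changes what an exhaustive guess can reach. `PinVerifier`, `sweep_outcome` and the PIN values are assumptions made for this example.

```ruby
# Added example (not the commenter's script): a PIN verifier that enforces the
# attempt limit the credit union lacked, for the same 4-digit numeric policy.
class PinVerifier
  PIN_PATTERN = /\A\d{4}\z/
  # max_attempts: nil reproduces the "no limit" policy from the comment.
  def initialize(pin, max_attempts: 5)
    raise ArgumentError, 'PIN must be exactly 4 digits' unless pin.match?(PIN_PATTERN)
    @pin = pin
    @max_attempts = max_attempts
    @failures = 0
    @locked = false
  end

  # Returns :ok, :wrong or :locked. The failure count is checked before the
  # PIN is compared, so after the limit every guess is refused outright.
  def verify(guess)
    return :locked if @locked
    if @max_attempts && @failures >= @max_attempts
      @locked = true
      return :locked
    end
    if secure_equal?(guess, @pin)
      @failures = 0
      :ok
    else
      @failures += 1
      :wrong
    end
  end

  private
  # Constant-time comparison: a wrong guess must not leak matching digits via timing.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Walks 0000-9999 against a verifier and returns the first non-:wrong result
# with the guess count: a local measurement of what each policy exposes.
def sweep_outcome(verifier)
  guesses = 0
  (0..9999).each do |n|
    guesses += 1
    result = verifier.verify(format('%04d', n))
    return [result, guesses] unless result == :wrong
  end
  [:exhausted, guesses]
end
```

With `max_attempts: nil` the sweep reaches the constructed PIN ‘0042’ on guess 43, exactly the “lower end of the spectrum” case; with the default limit of 5 it is locked out on guess 6 and the remaining 9,994 values are never testable.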
I blogged about this very same thing a while back, here. My main problem was that I actually didn’t have answers for any of the questions.
Some of the questions are completely absurd… what book did you enjoy the most? Yes yes of course, Where the Red Fern Grows, now and forever.
agreed… er, mostly. users should also be diligent in changing their password and security questions to something that *isn’t* common knowledge and easily found. per
Security expert Bruce Schneier ( http://www.schneier.com/) has pointed out that your “password recovery” system is usually MUCH less secure than your password itself. He recommends NOT using the recovery system; for example, type random data (without looking) in response to the questions to make sure that neither you nor anyone else can guess the answers.
– Precision blogger