Wednesday, February 18, 2015

Information Security and the Lack of it in Banks - Update

There is zero belief in me that anyone on the planet knows the age of his/her sister-in-law(s), yet that was one of the security questions the bank asked before it would approve my debit card transaction.

So I failed the test and have since sent a wire transfer which cost $25.  That seems a high price for not knowing the age of my sister-in-law.  So, do you know the age(s) of yours??

Update:  PowerMax will refund the transfer charge.  Definite points on coolness for that as they could have told me to suck it.

Update 2:  they couldn't do cash but that's alright as they have a cable I need for my disk drive.  Excellent resolution.

There is no rant as I'm awaiting confirmation of receipt and the computer should ship immediately thereafter.


However, the information used in this security test is disturbing.

My sister-in-law's age is not available in my own account so these security questions are being prepared without any consideration for anyone's privacy.  If I guessed correctly then I would have had information she may not have wanted me to have.

There's no need for an extended review of information security as it seems obvious there isn't any.  When they want to verify security for me, they look freely in the accounts of other people without specifically requesting permission from them.  I regard this as unacceptable.


The second problem is the information wasn't correct.  I was asked what type of vehicle did I have registered in Tennessee.  There was only one for quite a long time and that car maker wasn't on the list.


These aren't even the creeps in Bluffdale but rather it's a bank doing its normal business.  When the bank is committing security violations to prevent security violations, someone didn't tighten down all the loose screws.

4 comments:

Kannafoot said...

The "Security Questions" concept has disturbed me for quite some time, for two reasons.

1) Almost all of the questions they ask are available publicly, so that doesn't sound like a viable security measure. If someone stole my identity, they'd already have that information.

2) What is NOT available publicly falls in the category of something I don't want being put in a database in someone's server farm.

I heard an excellent statement from a security expert on CNBC a couple of weeks ago. "If any financial firm says they have not been breached, it simply means they have not detected the breach, yet."

As long as we rely on the current ineffective methods of identification - typically some ID and Password combo - then there is no viable security in effect. In the meantime, spare us the "security questions" because they aren't worth the disk space required to store the responses.

Unknown said...

Something I've used as a standard is bank security as I have not heard of attacks yielding cash transfers. Then a few days ago I heard of a billion dollars (?) getting shunted somehow from a bank.

I know you can't reveal details of actual operations and this is the view from my unreal version of a real world. That's the only cash hack I've seen. I sure hope it's not really more pervasive than that or that blows my faith in security on anything.

Kannafoot said...

I've not heard of cash transfer fraud, per se. Most of what makes the news has to do with credit card fraud. More disturbing is the theft of personal data, which appears to be rampant in every industry. I think we're just starting to see the impact of that. Did you catch where Turbo Tax had to halt filing state tax returns because so many of their clients were victimized by fraudulent returns submitted first? That strikes me as a trial run, using the personal data obtained in a variety of hacks. I don't think we've seen the full impact, yet.

Unknown said...

I saw that and I was surprised as I thought TurboTax was salt of the earth kind of stuff. Seems the state owns the problem as their friend / foe dialog isn't keeping out the riff raff too well. Damn shame as that was a nice piece of software, maybe too nice as I never learned anything about taxes. TurboTax can figure it out.

I suppose a large part is that people knew the Internet was a money game eventually but no-one had any idea how much money or how criminal it could become. Still, the present-day warriors own that as if any change is needed to protocols to get some real security then it seems this would be a good time to get cracking on it.