Problems with composing security "best practices"
My local bank has been frustrating me with its current security “improvements”. I did not choose my bank for its technological savvy, and if I weren’t so settled with it I would probably be looking for another one.
Clearly, this bank has been chasing the security improvements made by the big boys. Unfortunately, blindly applying these changes, particularly when starting from a rather weak security underpinning, does not make for an attractive result. You get the worst of both worlds: a system with weak security plus intrusive security features that annoy the end user.
On the face of it, each security improvement sounds quite reasonable, but in total it just doesn’t work. I’ve seen all these errors on other sites, but my bank seems to have more than its fair share.

First is the issue of password safety. The bank site implements a three-strikes-and-you’re-out policy: miss the password three times and your account is disabled until you call a person during normal business hours. The security goal is admirable. You want to protect vulnerable accounts from a brute force attack. However, with the proliferation of passwords and the different requirements at different sites (alpha-numeric only, must have a non-alpha-numeric character, at most 8 characters, at least 12), you either must write down your passwords or will probably miss a few times as you work through the variants of your password families. The same rule also hands anyone who knows your user name a way to lock you out at will, since three deliberate wrong guesses disable the account. If you could call a human 24×7 to reset, as you can with most credit card companies, this wouldn’t be so bad, but for me it is invariably Sunday night, as I’m trying to get the accounting done, that I lock myself out. An alternative that defeats brute force attackers is a timed backoff: after one failure pause 1 second, after two failures pause 5 seconds, and so on. Somewhat annoying to the legitimate user, but fatal to an online brute force attacker, whose guess rate collapses to a handful per day.
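To make the comparison concrete, here is an added example (my own code, not anything from the bank or the original post) that simulates both policies on a fake clock: the bank’s three-strikes lockout, and a timed backoff that starts at 1 second, goes to 5 seconds, and multiplies by 5 each failure up to a one-hour cap. The user name, password and cap are constructed assumptions. It measures two things the paragraph argues about: how many guesses an attacker gets in a day, and what happens to a legitimate user who fumbles a password two or three times.

```python
"""Added example (not from the original post): a simulated comparison of a
three-strikes lockout against a timed backoff.  A fake clock is passed in,
so nothing sleeps; the user table below is constructed."""
import hmac

# Constructed user table (plaintext only to keep the simulation short).
USERS = {"alice": "correct horse battery staple"}


def password_matches(user, password):
    stored = USERS.get(user)
    return stored is not None and hmac.compare_digest(stored, password)


class ThreeStrikes:
    """Disable the account after `limit` consecutive failures; only a human re-enables it."""

    def __init__(self, limit=3):
        self.limit = limit
        self.failures = {}
        self.disabled = set()

    def next_allowed(self, user, now):
        """Earliest time another attempt is accepted, or None if the account is disabled."""
        return None if user in self.disabled else now

    def attempt(self, user, password, now):
        if user in self.disabled:
            return "disabled"
        if password_matches(user, password):
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.limit:
            self.disabled.add(user)
            return "disabled"
        return "wrong"


class TimedBackoff:
    """Wait 1 s after one failure, 5 s after two, then 5x longer each time,
    capped at `max_delay` seconds (assumed 1 hour).  A correct password clears it."""

    def __init__(self, first=1.0, factor=5.0, max_delay=3600.0):
        self.first, self.factor, self.max_delay = first, factor, max_delay
        self.failures = {}
        self.not_before = {}

    def delay_after(self, failures):
        if failures == 0:
            return 0.0
        return min(self.first * self.factor ** (failures - 1), self.max_delay)

    def next_allowed(self, user, now):
        return max(now, self.not_before.get(user, 0.0))

    def attempt(self, user, password, now):
        if now < self.not_before.get(user, 0.0):
            return "too_early"      # refused without even checking the password
        if password_matches(user, password):
            self.failures[user] = 0
            self.not_before[user] = 0.0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        self.not_before[user] = now + self.delay_after(self.failures[user])
        return "wrong"


def guesses_possible(policy, user, seconds):
    """Wrong guesses an attacker who retries the moment it is allowed can make in `seconds`."""
    now, guesses = 0.0, 0
    while True:
        now = policy.next_allowed(user, now)
        if now is None or now >= seconds:
            return guesses
        policy.attempt(user, "not the password", now)
        guesses += 1


def legitimate_login(policy, user, typos):
    """A legitimate user mistypes `typos` times, then enters the right password as soon
    as the policy allows.  Returns (result, seconds the user had to wait)."""
    now = 0.0
    for _ in range(typos):
        policy.attempt(user, "typo", now)
        nxt = policy.next_allowed(user, now)
        if nxt is None:
            return ("disabled", now)
        now = nxt
    return (policy.attempt(user, USERS[user], now), now)


if __name__ == "__main__":
    day = 24 * 3600
    for name, make in (("three strikes", ThreeStrikes), ("timed backoff", TimedBackoff)):
        print(f"{name}: attacker gets {guesses_possible(make(), 'alice', day)} guesses/day;"
              f" 2 typos -> {legitimate_login(make(), 'alice', 2)};"
              f" 3 typos -> {legitimate_login(make(), 'alice', 3)}")
```

With these assumptions the lockout gives an attacker 3 guesses and then locks the real owner out; the backoff gives 29 guesses per day while a user with two typos waits 6 seconds and one with three waits 31. One caveat the simulation makes visible: a backoff keyed only on the account still lets an attacker make the legitimate user wait, and an attacker who sprays one guess across many accounts never trips a per-account counter at all, so in practice the delay should be keyed on account and source together and backed by a second factor rather than a phone call.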
Of course, we all forget our passwords, and my bank has the recover-your-password option that emails a password to your previously registered email account. That is all pretty standard. As long as you change the emailed password immediately, your exposure is pretty low. However, most sites will reset your password and send you a new, randomly generated one. That way the password can be stored in a form that can never be retrieved in plaintext by bank employees (a salted cryptographic hash), but my bank actually sends your previous password. Not only is my password being sent through insecure email, but presumably some bank employees, and anyone who gets a copy of the database or its backups, can retrieve my password at will. If you tend to use families of passwords, this not only exposes your bank account, it also exposes every other account whose password is in the same family.
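The difference between the two designs is small in code, so here is an added example (my own, not the bank’s software or anything from the original post) showing the retrievable-password store beside one that keeps only a salt and a slow PBKDF2 hash and answers a reset request by issuing a fresh random temporary password. The user names, passwords and iteration count are constructed assumptions; the point is that nothing in the hardened record can give the old password back, to an employee or to anyone else.

```python
"""Added example (not from the original post): the retrievable-password store
the post describes, beside a store that keeps only a salted, slow hash and
resets by issuing a random temporary password.  Names and passwords are
constructed."""
import hashlib
import hmac
import secrets

ITERATIONS = 600_000   # assumed PBKDF2-HMAC-SHA256 work factor; raise as hardware speeds up


# --- What the post describes: the password is stored as typed ----------------

def register_plaintext(db, user, password):
    db[user] = {"password": password}


def recover_plaintext(db, user):
    """The 'send me my password' path: anyone who can read the table (an employee,
    a backup tape, a SQL injection) gets the real password."""
    return db[user]["password"]


# --- Hardened: store salt + PBKDF2 hash, never the password ------------------

def _hash(password, salt, iterations=ITERATIONS):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def register(db, user, password, iterations=ITERATIONS):
    salt = secrets.token_bytes(16)
    db[user] = {"salt": salt, "hash": _hash(password, salt, iterations),
                "iterations": iterations, "must_change": False}


def verify(db, user, password):
    rec = db.get(user)
    if rec is None:
        _hash(password, b"\0" * 16)   # burn the same time so unknown users are not distinguishable
        return False
    return hmac.compare_digest(_hash(password, rec["salt"], rec["iterations"]), rec["hash"])


def recoverable_plaintext(record):
    """Nothing in a hashed record yields the password: returns None."""
    return record.get("password")


def reset_password(db, user):
    """Reset the way most sites do: replace the hash with that of a fresh random
    temporary password, flag it must-change, and return it for the (still
    insecure) e-mail.  The old password is discarded, not revealed."""
    temp = secrets.token_urlsafe(12)
    rec = db[user]
    rec["salt"] = secrets.token_bytes(16)
    rec["hash"] = _hash(temp, rec["salt"], rec["iterations"])
    rec["must_change"] = True
    return temp


if __name__ == "__main__":
    bank = {}
    register_plaintext(bank, "bob", "hunter2")
    print("bank-style recovery returns:", recover_plaintext(bank, "bob"))

    good = {}
    register(good, "bob", "hunter2")
    print("hashed record holds:", recoverable_plaintext(good["bob"]))
    temp = reset_password(good, "bob")
    print("after reset, old password works:", verify(good, "bob", "hunter2"),
          "temporary works:", verify(good, "bob", temp), "must change:", good["bob"]["must_change"])
```

The emailed temporary password is still travelling over insecure email, which is why it is random, single-purpose and flagged must-change: an interceptor who uses it before the owner does reveals the theft, while an intercepted reusable password from a "password family" reveals nothing and compromises every other site in the family.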
Recently, the bank has added a ninety day lockout. If you don’t use the bank web interface for ninety days, the interface is disabled. Again, it sounds like a great idea; closing unneeded holes can only improve security. But how is the account reactivated? You call the bank and give them the secret 4 digit number that was given to you on account creation. This magic number has a close correlation to your social security number. It isn’t too hard for a stranger to find an account number and 4 digits of the social security number (through dumpster diving or social engineering). The attacker then enters that information on the web site, picks a new password, and away he goes. The reactivation step has quietly become a password reset gated by a 4 digit value that is neither secret nor random.
Finally, the bank web interface has added the pictures meant to expose phishing sites and the personal questions. I’m ok with the pictures. If I’m presented with a picture I’ll probably remember it is the one I selected (recognition vs recall), and if I’m not going to remember the picture it doesn’t deter me from getting to my account; I just don’t gain from the additional security. However, the personal questions are quite annoying. This is a growth from the “Mother’s maiden name” question that we’ve had for years. Anyone who is somewhat paranoid will put in a fake name that only they recall. But in the last year, I’ve seen a number of web sites add more personal questions. Generally, you get to pick one or two that are meaningful for you. However, my bank site had an unusually large number of personal questions. Some questions are factual and easy enough to recall, e.g. what city were you born in. Others might have answers that are hard to spell, or variations that are hard to recall, e.g. what was your first car? Did I enter “Volkswagen”, “Beetle”, “Bug” or some combination? But the worst are the favorites. Who was your favorite teacher? What is your favorite movie, book, sports team? My favorite 2 years ago when I registered for the site may have changed or been forgotten. This is a classic issue of security vs usability. Either the user tries to play along and answer legitimately, or he writes down the answers and posts them on sticky notes on his desk, or he just answers the same word for all questions. If the security is too annoying the user will seek ways to avoid it, and a question whose answer can be found in public records or guessed from a short list is just a weaker second password, not a second factor.
Hmm… As I’m writing all of this down, I think it might be time to reconsider my bank selection, inertia or no inertia.