This is a guest post by Green Panda’s husband, Blue Panda.
Alex Papadimoulis wrote two articles about online banking security on his Information Technology-related humor blog that struck home with me. The first article was on the deficiencies of the new trend in logging in to online banks, which he calls Wish-It-Was Two-Factor (since it isn’t really two-factor authentication). The second expands on it with a specific poor implementation of two-factor authentication. While Alex’s blog is primarily humorous, he does take the time to point out serious pitfalls in the IT world. In this case, it’s about a false sense of security.
An increasing number of banks have been following Bank of America’s lead in adding security features to their own online banking sites. After all, if people perceive another bank to offer safer online banking, then they may move to that bank. The problem is that Bank of America’s features don’t offer greater security. If anything, they can be somewhat less secure, as a New York Times article on a study of site images explains:
Rachna Dhamija, the Harvard researcher who conducted the study, points out that swindlers can use their dummy Web sites to ask customers those personal questions. She said that the study demonstrated that site-authentication images are fundamentally flawed and, worse, might actually detract from security by giving users a false sense of confidence.
RSA Security, the company that bought PassMark last year, “has a lot of great data on how SiteKey instills trust and confidence and good feelings in their customers,” Ms. Dhamija said. “Ultimately that might be why they adopted it. Sometimes the appearance of security is more important than security itself.”
Now, I never liked the security questions to begin with, because I can’t always remember what the answers were. As Alex points out:
Users are asked to pick from all sorts of different “secret questions,” ranging from “In what city is your vacation home?” to “What is your second-favorite post-modernistic European novel?” And if they’re lucky, users can actually remember what answers they gave and figure out exactly how they typed them in.
How many ways might someone enter “East First Street”?
The user can’t always avoid questions that might have ambiguous answers. Often, several of the questions the site asks don’t apply to me, forcing me to make up “close” answers for one or more of them. Now I have to remember which “close” answer I gave whenever those questions appear.
But how secure are these answers? Anybody who knows me has a pretty good idea as to the possible answers. Fundamentally, the answers are just easy-to-guess passwords.
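The two complaints above, that one answer can be typed many ways and that the answer pool is tiny, are both things a site can measure. Here is an added example (mine, not code from the post or from Alex’s blog) of how a site could canonicalize answers before hashing them, so that “E. 1st St.” and “East First Street” match, and how little guessing strength an answer drawn from a handful of plausible values actually has. The abbreviation table, the street variants, and the pool size of ten are constructed for illustration.

```python
import hashlib
import hmac
import math
import os
import re
import unicodedata

# Constructed abbreviation table (assumption: a real site would tune and extend it).
ABBREVIATIONS = {
    "st": "street", "rd": "road", "ave": "avenue", "blvd": "boulevard",
    "e": "east", "w": "west", "n": "north", "s": "south",
    "1st": "first", "2nd": "second", "3rd": "third",
}


def canonicalize(answer: str) -> str:
    """Collapse the many spellings of one answer into a single comparable form."""
    text = unicodedata.normalize("NFKD", answer).encode("ascii", "ignore").decode()
    text = text.lower()
    text = re.sub(r"[^a-z0-9]+", " ", text)  # punctuation and runs of whitespace -> one space
    words = [ABBREVIATIONS.get(w, w) for w in text.split()]
    return " ".join(words)


def store_answer(answer: str, iterations: int = 100_000) -> tuple:
    """Hash the canonical answer with a fresh random salt; never keep the answer itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", canonicalize(answer).encode(), salt, iterations)
    return salt, digest


def verify_answer(attempt: str, salt: bytes, digest: bytes, iterations: int = 100_000) -> bool:
    """Canonicalize the attempt the same way, then compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", canonicalize(attempt).encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def distinct_forms(variants) -> tuple:
    """Count distinct strings the site would see before and after canonicalization."""
    return len(set(variants)), len({canonicalize(v) for v in variants})


def guess_bits(pool_size: int) -> float:
    """Effective strength in bits when the answer comes from a pool of plausible values."""
    return math.log2(pool_size)


# Constructed sample input: the same street typed five different ways.
STREET_VARIANTS = [
    "East First Street",
    "E. 1st St.",
    "east 1st street",
    "E 1st St",
    "  East  First   Street ",
]

if __name__ == "__main__":
    print(distinct_forms(STREET_VARIANTS))                    # (5, 1)
    salt, digest = store_answer("East First Street")
    print(verify_answer("E. 1st St.", salt, digest))          # True
    print(verify_answer("West First Street", salt, digest))   # False
    # An answer that anyone who knows you could narrow to ten candidates is worth
    # about 3.3 bits; a random 8-character password over 62 symbols is about 47.6.
    print(round(guess_bits(10), 1), round(8 * math.log2(62), 1))
```

Canonicalizing removes the “which way did I type it?” problem, but it does nothing for the guessability problem: the hash is salted and slow, yet a pool of ten candidate cities is still only ten guesses, which is why the answers are, at best, weak passwords.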
It’s a shame that many online banking sites seem to be more interested in the “appearance of security” than actual security. Of course, the criminals who want to get past whatever security measures are in place aren’t going to be fooled, so you don’t want to be lulled into a false sense of security.
If the security measures at your bank’s web site bother you, let the bank know that you don’t feel safe with the security it has implemented. After all, it’s your money. And if the bank still cares more about looking secure than being secure, do you really want to trust it with your money?