I saw this post on The Daily WTF about bank security, and how horrible it is, and it reminds me how common it is that people will present you with information, before verifying anything about you, asking you if it’s correct. In fact, I remember that happening on the phone while changing one of my accounts for something the other day. I can’t remember who it was, but they read off all my personal info (name, billing address) asking me if that was correct.
Anyway, the post reminds me of some lax bank security issues I’ve run into myself lately. First of all, my credit union’s website is horrible, in that they pitch this great thing where they don’t send out paper statements in the mail anymore, telling you instead to check them online. That would be nice and all, except for the fact that their website won’t freaking let you search farther back than three months at a time.
So, since I didn’t have my statement, and I never got a tax form from one of the companies I worked for last year, I needed some past statements. I go into the local branch, and ask the teller to print out some statements for last year, and all she asks me for is my account number. Granted, there’s nothing really interesting on my personal statements (aside from a lot of stuff I buy on Amazon.com), but it was a little scary how she handed it over without ever verifying anything.
The second thing is that the credit union website, along with other banking websites I’ve seen, when you sign on, has this layer of “extra security” which in reality is just another question/answer challenge that you’ve set up. Something like, “What’s your mother’s maiden name” or stuff like that. Anyway, my credit union has this feature that, instead of asking you that question, has a checkbox on the same page that says “add extra security, for this computer only!” Well, I figured one day I’d try it out. I assumed it would want to install some ActiveX control or something stupid like that, so I’d need Windows and Internet Explorer to use it. Since I was using Seamonkey and Linux, I never bothered trying. But one day, I checked it just to see what would happen, and it’s never asked me for that middle question since. Which means it’s either setting a cookie or recording my IP address. The thing that strikes me as odd though is this — wouldn’t asking fewer questions be less secure, instead of more? I actually felt more comfortable about someone getting in before adding that “extra security,” but now all they would need is just my password and access from my computer.
I’m starting to build the perception more and more that the best way to guard my private data and financial information is to see that it is given to as few parties as possible. You have to realize that anytime you make a charge with your credit card, that company now has it archived, which means if their security gets breached, your data is at risk. It’s gotten me thinking a lot more about not only if I want to do business with someone, but how.