Satya's blog - Elaborate security is not better security

Jul 15 2009 10:45 Elaborate security is not better security

I've been trying to set up an online account to access a mutual fund brokerage.

The registration page asks for my social and account number, among a few other unimportant details. Strike zero point five.

Then they deliver the next set of instructions through a web-based "secure" system called zixmail. Third-party, strike one. And haven't they heard of PGP, GPG, and so forth?

Okay. The "email" contains instructions for first login, which do NOT tell me where to go. Anti-phishing, or just lame? Anyway, the web site has at least 3 different logins, each slightly different. I'm not even sure I'm using the right one (mutual funds, brokerage, or managed investment? Who knows.)

The login name involves my last name and social. The password involves my mother's name and my date of birth. Strike two. Naturally, I use slightly different names on each site. It doesn't work. I call to have it reset. It doesn't work. They reset again. It works.

At least that was the initial password. I'm asked to change it, and the new password must be between 8-12 characters and CANNOT contain special characters (strike 2.5). The instructions include "not contain any special characters. For example, AA-BB-CC". I didn't know what to make of that.

After passing that hurdle, it asked for four security questions. I could pick a question each, out of 4 different lists (one per security question). I happened to pick two questions that had the same answer. Bzzt. The rules say: 1. All four questions must be answered. 2. All four answers must be unique. 3. Answers must contain minimum of 3 alphanumeric characters. 4. Answers must contain only alphanumeric characters and spaces. So I had violated rule 2. Sigh.

After getting through all that, they wanted me to set up a personalized security passphrase and an image from their image library. (The security phrase must be between 3-50 characters.) This is for anti-phishing purposes.

Now is all that stuff actually going to protect my account? Maybe. Better than just username+password, plus a one-time pad that they snail-mail to me? Heck, no. (The US Treasury does that one-time pad thing. It's cool, but then they fail with their random-order on-screen keyboard thing.)

Go go gadget Schneier. Debunk this!

Tag: rant security