le_bebna_kamni: (Gangster)
[personal profile] le_bebna_kamni
Today I had a *doh!* experience in computer security, and I want to share the funny (and perhaps a little frightening) anecdote.

There is a company with which I do business that handles some very sensitive information: credit cards and bank information, and certain assets that are of potential financial value. So they take great pride in the sometimes extraordinary security measures they use to protect their customers.

I've run across several of these measures -- often blocking my ability to change the credit card I have registered with them, or locking my account when I make too many incorrect password attempts. I even have to get a security code via email before I can do things like update my contact information. And almost all of their security measures ultimately result in me having to call customer service.

Today I forgot my password, because I only log into the site a couple times a year and I have at least 20 different passwords that I use. After the first three attempts I decided that I didn't want to lock my account, so I clicked on the link to retrieve my password via email...

...and instead it told me that I had to contact customer support. Again.

I found out the reasons for it when speaking to the customer service representative: they track which IP address you log in from, and if you send a password request from an unfamiliar IP address, they make you call customer service. Pretty spiffy. A little overboard, but I appreciate their willingness to protect my information.

So I did the "Yes I am who I say I am" tango, and got them to send me an email. I'm used to the links that let you reset your password -- presumably to something you remember better. Instead, it was my full login information with account number, full name, user name, and password...in plain text.

Duh...huh? You make me jump through incredible hoops because I'm logging in from an unknown IP address, but can't be bothered not to send my password in plaintext (or at least ask me to change it the next time I log in)?

It's like guarding a bank with uber-AI face recognition, infrared and movement sensors, and laser beams -- but it can be disabled like the clap-on-clap-off lamps. *headdesk*
