Phoned my business bank today to reset my Web password. (If they didn't make me change it every month, I wouldn't keep forgetting it...).
The only way of doing a password reset is on the phone. I called in from my desktop VoIP client, not my home/business line. They ask for my account number, name, and two of the four digits of my PIN. They then confirm my online user ID (since there are multiple people with access).
The operator then reads me my new password.
You don't need to be Bruce Schneier to see that this is about as secure as a damp paper bag holding a gold bar. Someone needs to tell them that insider fraud is the #1 risk. And that IVR systems can capture PINs. And read back passwords. There are even side channels like email...
You can't help but think that there has to be a better, more secure way of conducting telephony. Indeed, why can't my bank issue me with a VoIP client itself? It's one of the few relationships where I feel it might be justified to create "yet another softphone".
I daren't tell you my bank's name, in case you want to repeat the exercise on my behalf. Sadly, there's not much there for you to rob as I've just sent it all to the taxman.
Posted by Martin Geddes at 12:33 PM