Sunday, June 22, 2008

Making online stuff less secure

There's an interesting trend going on in the online world these days: people are making sites less secure. It's not so much the casual sites, where a simple email and password are enough for access; it's more the financial sites and wanna-be "secure" sites that are making themselves less secure and more annoying to access.

I don't get it... why would you want to make yourself less secure, especially as a financial institution? What benefit does it have for your customers to make their identity and financial information more easily stolen? Are you even aware that your online services are being transformed this way?

Perhaps an example will help. Today, I converted my 401k access account to their new access mechanism. Previously, I used my SSN and a user-chosen password; easy to remember, unique, reasonably secure. Now, they have a custom username, two backup reset questions, and a security image. Not only did I have to write down all that information on the online site where I keep all the access information I can't easily remember (which is not all that secure), but I had to create two backdoors with easier-to-guess information than a password. Overall, a substantial downgrade to the security of the account, and more annoying as an added bonus.

Why are online sites doing this? What's the thinking (if any)? Is the current generation of online project managers just more retarded, or is there some other scheme behind the scenes to ensure that everyone's access information is more easily stolen? Seriously, I don't get it...
