Open Letter to Online Banking Providers: It's not 1980 anymore
So I've been looking into banking alternatives since my current bank is a company that I really don't want to support any longer. This has run me straight into a wall that honestly I was surprised to find was so common.
I'm looking into credit unions and alternative online banking solutions and have found, at least so far, that they all fail to deliver on the following somewhat basic facilities. Mind you, many that I have looked into are far from small operations.
Passwords
I have been just plain stunned at how bad the password policies are, after checking through about six different online banking alternatives. The worst one of all was a 4 digit PIN, numeric only, for access to online banking! Most are 8 chars, but alpha-numeric only, no special characters at all...this is just plain INSANE. Online banking is such a huge target that anyone providing this service should allow for at LEAST 12+ characters, accepting any printing character a keyboard can produce. Please, a 4 digit numeric PIN? This could be cracked in a disturbingly short amount of time with a computer 15 years old.

Two-factor authentication should at least be an option. Really...this is not hard to do. There are completely free HOTP compatible two-factor tokens all over the place. Why oh why haven't banks just freely adopted two-factor token auth by now? I even protect my email access this way, yet my bank account is far more exposed.

One Time Use Credit Card Numbers

So, in a single year I was defrauded three times due to making purchases through vendors that use the small merchant bank transaction systems. Even though I wasn't charged for the problem by my bank, I had to go through a security audit process to file the claim and then change my CC number across about a dozen or more established accounts that I have...THREE TIMES in a single year.

My current big evil bank has a disposable card system whereby for each online transaction I make, I generate a new CC number specific to that purchase. This has options for the max limit of that number (which I set to the next even $5 amount above the total) and an expiration date (which I set to 60 days). This means there is a 60 day window for fraud exposure, with a maximum potential yield of the difference between my transaction and the next higher $5 increment. These one-time CC numbers also mean that I can sign up for nasty services that require annual renewals, renewing automatically without my consent, and they simply can't get to my account beyond the initial transaction. This allows me to opt out from companies that would otherwise make it nearly impossible to cancel. They simply have no valid information for my account unless I choose to give it to them for the next year of service.

These things are not expensive to implement, nor for a customer to understand, yet here I am, struggling to find anyone who has. If you apply all of the above, the potential for fraud drops dramatically. I've spent a couple of years of active online transactions using the disposable CC numbers without a single fraud issue. This has saved me a lot of hours of aggravation, and I can't even imagine the cost overhead to my provider that has been saved. Get with the program, banks!
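The HOTP tokens mentioned under Passwords follow RFC 4226. As an added example (not part of the original post), here is the HOTP computation plus a server-side verifier with a look-ahead window so a token whose counter has drifted ahead still works, checked against the RFC's published test secret; the window size and the HotpVerifier class are my own assumptions, not any bank's implementation.

```python
import hashlib
import hmac
import struct

# Constructed test key: the ASCII secret from RFC 4226 Appendix D, not a real token key.
SECRET = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """Compute an RFC 4226 HOTP value for the given key and moving counter."""
    msg = struct.pack(">Q", counter)            # counter as 8-byte big-endian
    hs = hmac.new(key, msg, hashlib.sha1).digest()
    offset = hs[-1] & 0x0F                      # dynamic truncation offset
    code = (
        (hs[offset] & 0x7F) << 24
        | hs[offset + 1] << 16
        | hs[offset + 2] << 8
        | hs[offset + 3]
    )
    return str(code % 10**digits).zfill(digits)


class HotpVerifier:
    """Server side: tracks the next expected counter and tolerates a small drift."""

    def __init__(self, key: bytes, window: int = 5):
        self.key = key
        self.counter = 0        # next counter value the server expects
        self.window = window    # how far ahead the token may have drifted (assumed)

    def verify(self, submitted: str) -> bool:
        """Accept if the code matches any counter in [counter, counter + window]."""
        for c in range(self.counter, self.counter + self.window + 1):
            # constant-time compare; a match resynchronises the server counter
            # past c, so the same code (and any earlier one) can never be replayed
            if hmac.compare_digest(hotp(self.key, c), submitted):
                self.counter = c + 1
                return True
        return False
```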
Published
04 November 2011