Posted by j10o207 on February 22, 2009, 12:55 pm
When accessing Fifth Third bank account online recently, it asked me
to create/update my security (login) questions, even though I created
my security questions before.
Called customer service manager, and she said I have to update it
every year. Isn’t it excessive?
The worst thing is, none of the security questions in the drop-down
list is the one I used last time, and that essentially forced me to
create 3 new answers to 3 brand new security questions. But that will
force me to accumulate and remember 3 new additional questions/answers
every year, just for the sake of Fifth Third Bank! I don’t want to do
it.
I told the manager, but they have done nothing so far. You be the judge.
I am going to close the Fifth Third bank account soon.
Posted by Dave Garland on February 22, 2009, 2:14 pm
j10o207@yahoo.com wrote:
> When accessing Fifth Third bank account online recently, it asked me
> to create/update my security (login) questions, even though I created
> my security questions before.
>
> Called customer service manager, and she said I have to update it
> every year. Isn’t it excessive?
On the one hand, yeah. None of my banks does that. Though one of
them makes me change my password every 90 days. And another makes me
enter my email address, a password, pick the magic word out of a list,
enter my account number, and then enter another password.
On the other hand, it's good security.
Good security is often at odds with convenience. So (in the worst
case) the question is, would you rather have an account where you have
to do that once a year, or would you rather have an account that's
easier for somebody else to break into?
Dave
Posted by Jeff on February 22, 2009, 4:10 pm
Dave Garland wrote:
> j10o207@yahoo.com wrote:
>> When accessing Fifth Third bank account online recently, it asked me
>> to create/update my security (login) questions, even though I created
>> my security questions before.
>>
>> Called customer service manager, and she said I have to update it
>> every year. Isn’t it excessive?
>
> On the one hand, yeah. None of my banks does that. Though one of
> them makes me change my password every 90 days. And another makes me
> enter my email address, a password, pick the magic word out of a list,
> enter my account number, and then enter another password.
>
> On the other hand, it's good security.
I've come to the conclusion that it is common for a large business to
have two sets of customer security. The first is for your access to the
account, the second is to keep their customer service personnel from
knowing your passwords, so they use those questions. If there weren't
account personnel involved, a strong password would be enough. Obviously
the questions offer much poorer security. It's not that tough for a
hacker to look up your city of birth or your mother's maiden name.
I have a feeling that banks don't really trust that, so they patch in
these new questions. Whether they are trying to paper over other flaws
in their system is a good question.
It all looks hit and miss to me.
Jeff
>
> Good security is often at odds with convenience. So (in the worst
> case) the question is, would you rather have an account where you have
> to do that once a year, or would you rather have an account that's
> easier for somebody else to break into?
>
> Dave
Posted by tweeny90655 on February 22, 2009, 4:39 pm
> It's not that tough for a
> hacker to look up your city of birth or your mother's maiden name.
A friend of mine uses her paternal GRANDmother's maiden name, and
misspells it to boot - a bit tougher to crack. I bet a lot of folks
don't even KNOW their pat. grandmtr's name.
Some guy told me once of a security breach bec. someone got his
mother's maiden name from his dad's obituary. Sounds farfetched
though.
Posted by Dave Garland on February 22, 2009, 5:14 pm
Jeff wrote:
> I've come to the conclusion that it is common for a large business to
> have two sets of customer security. The first is for your access to the
> account, the second is to keep their customer service personnel from
> knowing your passwords, so they use those questions. If there weren't
> account personnel involved, a strong password would be enough.
Not just employees. If an employee can access the password, then
anyone who has gained access to the server probably can, too. It's
very bad practice to store passwords in any sort of readable form.
The other stuff is because if you forget your password, how can you
prove (perhaps over the phone) that you're you?
Another of my banks does a callback (to the phone number they have on
record) to give me a code to enter online. That's good additional
security.
> Obviously
> the questions offer much poorer security. It's not that tough for a
> hacker to look up your city of birth or your mother's maiden name.
The security people know that. If you can remember the answer, feel
free to use bogus answers for those questions... like "George
Washington" for your birthplace or "Novosibirsk" for your mother's
maiden name. They'd much rather ask really hard questions that no one
else would be able to find the answers to, but humans have trouble
answering those.
Dave