Telephone Identification (Was Re: Banking under Enduring Power of Attorney)
ukcrypto@chiark.greenend.org.uk
Sat, 11 Apr 2009 20:41:58 +0100
Quoting Igor Mozolevsky <igor@hybrid-lab.co.uk>:
> And while we're on the subject, I found (through experience) that a
> frightening number of websites (as in, legitimate businesses) that
> require profiles ask the same security questions as the banks, etc. Do
> these people not realise that if everyone asks the same question, the
> answer is no longer secret/secure, especially given that the answers
> are most likely stored in cleartext?
After the Nationwide had a huge data breach they tightened up their
online "security".
I had to choose extra "security" questions, and provide answers to
them. Nationwide said they'd randomly ask these questions when I was
online, but I didn't stay with them long enough to see if that was true.
The frightening thing is that this isn't a vague "better safe than
sorry" situation. Real people lose real money every day to fraud, and
it's in their interest to get it right. So I have no idea why they get
it so very wrong.
Any bright university student could probably make a fortune if they
devise some product / protocol.
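The quoted message raises two separate problems: the same questions being asked by many sites, and the answers being stored in cleartext. The first is a protocol and policy problem that code on one site cannot fix; the second is a storage problem a site can fix on its own. As an added illustration (not code from the list post or from any bank named in it), the block below shows how a site can verify a security-question answer without ever keeping the answer itself: the typed answer is normalised, then stretched with a salted PBKDF2 and compared in constant time. The iteration count, salt length and record layout are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import re
import unicodedata
from typing import Optional

# Example parameters (assumptions for this illustration, not taken from the post).
ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor
SALT_BYTES = 16        # per-record random salt length


def normalize_answer(answer: str) -> str:
    """Canonicalise a typed answer so case, spacing and punctuation differences
    ("St. John's" vs "st johns") do not cause spurious verification failures.
    Normalisation happens before hashing, so the stored value never reveals
    which form the user originally typed."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return re.sub(r"[^0-9a-z]+", "", text)


def enroll_answer(question_id: str, answer: str, salt: Optional[bytes] = None) -> dict:
    """Produce the record a site would store for one security question.
    Only the salt, work factor and derived hash are kept; the cleartext
    answer is discarded once the hash is computed."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, ITERATIONS
    )
    return {
        "question_id": question_id,
        "salt": salt.hex(),
        "iterations": ITERATIONS,
        "hash": digest.hex(),
    }


def verify_answer(record: dict, attempt: str) -> bool:
    """Re-derive the hash from the attempt and compare in constant time so a
    timing side channel does not leak how many leading bytes matched."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_answer(attempt).encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    # Constructed sample enrolment and two verification attempts.
    rec = enroll_answer("mothers_maiden_name", "O'Brien")
    print("stored record (no cleartext answer):", rec)
    print("correct answer, different formatting:", verify_answer(rec, "o brien"))
    print("wrong answer:", verify_answer(rec, "obrian"))
```

Hashing answers this way limits what a breach of the answer table exposes, but it does nothing about the reuse problem in the quoted message: an answer that is the same "secret" at a dozen sites is only as safe as the weakest of them, however well the strongest one stores it.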