Recently they instituted new mandatory "security" feature they . I had to provide them with answers to a wide range of security questions.
Yes, the "security" questions that provide a yawning back door into your online data, because it's easier for a crook to get answers to the security questions than it is to get at a strong password. Security question attacks are how most celebrity email accounts are hacked.
Today I tried to sync my Quicken data and I was asked where my maternal grandparents live.
I don't know where the #$!%$ my maternal grandparents live. They died before I was born, back in the early part of the last century.
American Express does not do this to me. I have respected American Express's security model ever since I learned the hard way about the Visa/MC systems.
I can't tolerate the pain of switching checking accounts, but US Bank has earned my enmity. I'm going to make them send me paper statements until the last post person falls.
Update: It gets better. I looked up the answer to the security question in my password database. I'd used a longish passphrase, so I gave that back to US Bank. The web site croaked with an error (probably string overflow) and locked my account (yes, like this). They gave me a #$@% phone number to call. US Bank is dead to me.
"In What City Did You Honeymoon? And other monstrously stupid bank security questions" tells us these passphrases are the fault of RSA Mobile, who provides them to banks. I want a bank that's smart enough to pay for a smarter version of two factor authentication. For example:
... Instead of coming up with ever-more-ornate questions about teachers and toys, banks and security companies should push solutions that are safe and customer-friendly. While everyone hates calling customer service, confirming your identity on the phone (an out-of-band device) is way more secure than using an online form. RSA's Gaffan told me about a phone-based authentication system used by more than a dozen of the company's clients. At sign-up time, you enter your work, home, and cell numbers. If you lose your password, simply indicate whether you're at home, at work, or on your cell. To authenticate yourself, just answer your phone and type in a number that appears on your computer screen. There's nobody asking about your honeymoon and no stuffed animal names to remember. Sounds perfect to me. What's my favorite bank? The one that doesn't ask me stupid frigging questions... Passwords are dying, and they may take the world's less intelligent banks down with them.
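The phone-based flow described in the quoted passage, modelled as an added example (not code from this post, the quoted article, or RSA). The class and method names, the 120-second expiry and the three-attempt limit are assumptions, the phone numbers are constructed, and the telephony step is modelled by passing in the number that answered the call.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 120   # assumption: the quoted passage gives no expiry
MAX_ATTEMPTS = 3         # assumption: the quoted passage gives no retry limit


class PhoneCallbackAuth:
    """Hypothetical model of the out-of-band phone check quoted above."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._phones = {}    # user -> {"home" / "work" / "cell": number}
        self._pending = {}   # user -> state of the one open challenge

    def enroll(self, user, home, work, cell):
        # Numbers are fixed at sign-up and never accepted during recovery,
        # so someone holding only the web session cannot redirect the call.
        self._phones[user] = {"home": home, "work": work, "cell": cell}

    def start_challenge(self, user, location):
        """Return (number the bank will call, code shown on the web page)."""
        number = self._phones[user][location]   # KeyError if not enrolled
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = {
            "code": code,
            "number": number,
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return number, code

    def verify_keypad_entry(self, user, answering_number, digits):
        """Check the digits typed on the phone that answered the call."""
        state = self._pending.get(user)
        if state is None:
            return False
        state["attempts"] += 1
        expired = self._clock() > state["expires"]
        ok = (not expired
              and answering_number == state["number"]
              and hmac.compare_digest(digits.encode(), state["code"].encode()))
        if ok or expired or state["attempts"] >= MAX_ATTEMPTS:
            del self._pending[user]   # single use, bounded guessing
        return ok
```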
Update 7/3/09: One common workaround for stupidity of this extraordinary magnitude is to come up with a single robust "backdoor" password and use it to answer every secret question. US Bank does not allow this; each "secret question" response must be unique. I need a smarter bank! I can't trust any entity this incompetent with our money and our identity.
I've asked Bruce Schneier if he could write an essay identifying banks that actually demonstrate a basic understanding of security principles. I've also written a note to REI, whose VISA card I like. Unfortunately REI uses US Bank ...
... I love my REI Visa card, and I use it all the time.
Unfortunately, US Bank has introduced new online banking security measures that are proof of security team incompetence...
... I can't use an online bank with an incompetent security team!
I'm sorry I'll have to give up my REI Visa card. I hope you'll consider this email when you evaluate your relationship with US Bank.