Tuesday, June 30, 2009

U.S. Bank's ID Shield makes me scream

U.S. Bank, alas, is my bank.

Recently they instituted new mandatory "security" feature they . I had to provide them with answers to a wide range of security questions.

Yes, the "security" questions that provide a yawning back door into your online data, because it's easier for a crook to get answers to the security questions than it is to get at a strong password. Security question attacks are how most celebrity email accounts are hacked.

Today I tried to sync my Quicken data and I was asked where my maternal grandparents live.

I don't know where the #$!%$ my maternal grandparents live. They died before I was born, back in the early part of the last century.

American Express does not do this to me. I respect American Express's security model; ever since I learned the hard way about the Visa/MC systems.

I can't tolerate the pain of switching checking accounts, but US Bank has earned my enmity. I'm going to make them send me paper statements until the last post person falls.

Update: It gets better. I looked up the answer to the security question in my password database. I'd used a longish passphrase, so I gave that back to US Bank. The web site croaked with an error (probably string overflow) and locked my account (yes, like this). They gave me a #$@% phone number to call. US Bank is dead to me.

In What City Did You Honeymoon?And other monstrously stupid bank security questions tells us these passphrases are the fault of RSA Mobile, who provides them to banks. I want a bank that's smart enough to pay for a smarter version of two factor authentication. For example:
... Instead of coming up with ever-more-ornate questions about teachers and toys, banks and security companies should push solutions that are safe and customer-friendly. While everyone hates calling customer service, confirming your identity on the phone (an out-of-band device) is way more secure than using an online form. RSA's Gaffan told me about a phone-based authentication system used by more than a dozen of the company's clients. At sign-up time, you enter your work, home, and cell numbers. If you lose your password, simply indicate whether you're at home, at work, or on your cell. To authenticate yourself, just answer your phone and type in a number that appears on your computer screen. There's nobody asking about your honeymoon and no stuffed animal names to remember. Sounds perfect to me. What's my favorite bank? The one that doesn't ask me stupid frigging questions...
Passwords are dying, and they may take the world's less intelligent banks down with them.

Update 7/1/09: Michael A. points out that parents and children know each other's secret questions (children may need to do a bit of social engineering). On the other hand, spouses don't. My wife and I share a US Bank account, and she doesn't know my "High School mascot". There's got to be a lawsuit in here somewhere. Children hacking parental bank accounts, spouses denied access, users denied access ... I fear we don't have enough hungry lawyers these days.

There's a simple solution for US Bank that would be a win-win. Provide an option for customers to choose an alternative authentication option. Customers using option B would be required to have a strong password (but not to change it routinely, that's been shown to harm security) and, if they need to reset it, to physically travel to a bank branch, present legal ID, and pay $20 cash to cover the extra costs.

Update 7/3/09: One common workaround for stupidity of this extraordinary magnitude is to come up with a single robust "backdoor" password and use it to answer every secret question. US Bank does not allow this, each "secret question" response must be unique. I need a smarter bank! I can't trust any entity this incompetent with our money and our identity.

I've asked Bruce Schneier if he could write an essay identifying banks who actually demonstrate a basic understanding of security principles. I've also written a note to REI, who's VISA card I like. Unfortunately REI use's US Bank ...
... I love my REI Visa card, and I use it all the time.

Unfortunately, US Bank has introduced new online banking security measures that are proof of security team incompetence...

... I can't use an online bank with an incompetent security team!

I'm sorry I'll have to give up my REI Visa card. I hope you'll consider this email when you evaluate your relationship with US Bank.


Mike said...

Since you hate stupid security and US Bank about as much as Live Meeting, maybe you can answer a question for me: How does putting your user name and password in on separate screens increase security? US Bank started doing this a while back and I simply could not figure out the logic behind it. I mean it's one thing if you have a user-selected picture on the second phrase to help identify phishing schemes, but US Bank just wants you to click an extra button.

With locations within a mile of my house and my office I won't be giving up US Bank anytime soon, but sooner or later they're going to get sued.

Incidentally, Aron Ralston--the guy who had to cut his own arm off in Utah--was found in part because his Mom hacked his yahoo account using the backdoor security questions.

JGF said...

I've seen that a few places. Maybe it's supposed to confuse automated attack scripts?

Good point on the familial attack. Kids and parents know each other's secret questions. I wonder if Sanford's embarrassing emails were revealed by his lover's children.

Anonymous said...

There was that teenager who changed the password of Sarah Palin's email account by looking up her information in Google and answering the security questions with the correct answers :D

I stopped using my US Bank account because I couldn't access my online account, making it useless to me. It asked for my father's high school, and I don't even know my father. Sheesh...