<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">

 <title>Dave Dash</title>
 <link href="http://davedash.com/tag/banking/atom.xml" rel="self"/>
 <link href="http://davedash.com/tag/banking"/>
 <updated>2010-08-29T14:12:50-07:00</updated>
 <id>http://davedash.com/</id>
 <author>
   <name>Dave Dash</name>
   <email>dd+atom1@davedash.com</email>
 </author>

 
 <entry>
   <title>Dear Banks, Stop Encouraging Bad Security</title>
   <link href="http://davedash.com/2008/12/16/dear-banks-stop-encouraging-bad-security/"/>
   <updated>2008-12-16T00:00:00-08:00</updated>
   <id>http://davedash.com/2008/12/16/dear-banks-stop-encouraging-bad-security</id>
   <content type="html">&lt;p&gt;I use an online personal finance site that connects to all my financial accounts and aggregates my transaction history.  I love it, it's very useful, and it keeps me financially organized.&lt;/p&gt;

&lt;p&gt;The part that annoys me is that most of these personal finance sites require you to supply your username and password for all your bank accounts.  For some banks it also requires your social security number, the last five people you've slept with, your home town, your favorite color, etc., etc.  Basically all the pesky sign-in questions your bank might ask you when you log in.&lt;/p&gt;

&lt;p&gt;This is a cruel necessity for companies like &lt;a href=&quot;http://geezeo.com/&quot;&gt;Geezeo&lt;/a&gt;, &lt;a href=&quot;http://mint.com/&quot;&gt;Mint&lt;/a&gt;, Ameriprise and Quicken Online in order to provide this aggregation service and a scary proposition for people like us who use these services.  You're giving full unfettered access to companies you may not have ever heard of to all your finances.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Security questions and personalized security questions are the wrong way to fix bank security.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;
People want online personal finance sites.  They want all their data in a single place without having to jump through a bazillion hoops for each and every 401K, savings account, checking account, online stock trading system and mortgage account.  They will gladly sacrifice security for a chance to better their financial management capabilities.&lt;/p&gt;

&lt;p&gt;Banks need to create APIs so third-party software can access transaction data.  The authentication for this should be secure, limited and revocable.  Meaning, I may authorize &lt;a href=&quot;http://mint.com/&quot;&gt;Mint&lt;/a&gt; to see my Bank of America account, but at any time I can log on to BoA and deny Mint's ability to see my transaction data.  OAuth may be one mechanism to achieve this.&lt;/p&gt;

&lt;p&gt;This will achieve a few things:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;People won't give out their passwords online to anybody but their bank.&lt;/li&gt;
&lt;li&gt;Getting data into these aggregating sites will be reliable and secure.&lt;/li&gt;
&lt;li&gt;At any time you can see who has access to your transaction data and revoke it.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Please, banks, do your part to keep the internet secure.  &lt;a href=&quot;http://mint.com/&quot;&gt;Mint&lt;/a&gt;, &lt;a href=&quot;http://geezeo.com/&quot;&gt;Geezeo&lt;/a&gt; and anybody else, please do your part in turning up the pressure on financial institutions and when the time comes... please start using these APIs.&lt;/p&gt;
</content>
 </entry>
 
 <entry>
   <title>Dear Bank</title>
   <link href="http://davedash.com/2008/02/04/dear-bank/"/>
   <updated>2008-02-04T00:00:00-08:00</updated>
   <id>http://davedash.com/2008/02/04/dear-bank</id>
   <content type="html">&lt;p&gt;I can't do simple things because they inevitably make me ranty.&lt;/p&gt;

&lt;blockquote&gt;&lt;p&gt;Dear Small Bank in MN,&lt;/p&gt;

&lt;p&gt;Your online banking system is difficult to log into and yet insecure.&lt;/p&gt;

&lt;p&gt;I have to jump through so many hurdles trying to log into the [Small Bank in MN]  eBiz > bank, yet it still isn't that secure.&lt;/p&gt;

&lt;p&gt;Instead of entering in my password, it's easier to just reset my password... but the scary thing is... resetting my password means you email me my old password in the clear!  Instead of just providing a temporary link, you give me my old password.  That's crazy!  That means anybody snooping into my email could find it out.  Or worse, someone could steal my computer and have all my online banking info.&lt;/p&gt;

&lt;p&gt;My bank information should be secure even when my email gets compromised.  And it shouldn't be so hard to log into.  Look at ING, they have a sufficiently secure and accessible system.&lt;/p&gt;

&lt;p&gt;Also... your HTML is inaccessible.  Checkboxes and radio buttons should have &amp;lt;label&amp;gt; tags.&lt;/p&gt;

&lt;p&gt;Sincerely,&lt;/p&gt;

&lt;p&gt;Dave Dash&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;I hate online banking.  It's so frustrating.  Each company has a weird set of rules on login ids:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;A random number that they provide&lt;/li&gt;
&lt;li&gt;A username that you choose, which must have at least two numbers&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;I get it... but really?  Is it all that necessary?  All it means for me is I only check those bank accounts when I have to, or I write those account numbers in an easy-to-remember place, like on the palm of my hand.  Or it means I call customer support like an idiot and waste more money and time.&lt;/p&gt;

&lt;p&gt;Then there's the magic questions:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Where were you born?&lt;/li&gt;
&lt;li&gt;Who's your daddy?&lt;/li&gt;
&lt;li&gt;Who's your mommy?&lt;/li&gt;
&lt;li&gt;Which of your two cats do you like better?&lt;/li&gt;
&lt;li&gt;What's your best friends name? (I know &quot;friends&quot; should be &quot;friend's&quot; but that's not what the bank knows)&lt;/li&gt;
&lt;li&gt;What is the date that your second girlfriend started holding your hand?&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;Okay... less annoying, but seriously, how many times do I have to answer them to log into my account?&lt;/p&gt;

&lt;p&gt;And then finally passwords:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Passwords must contain numbers, letters, bears, tigers&lt;/li&gt;
&lt;li&gt;Passwords cannot be any of the passwords you've used in the last 9 months&lt;/li&gt;
&lt;li&gt;Passwords cannot be your daughter's name&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;And then the inevitable... I give up and click forgot password... and without question it emails my email account with the password I couldn't remember... no questions asked... just a simple request to change my password again.&lt;/p&gt;

&lt;p&gt;Um... yeah that's real secure.  Thanks Bank!&lt;/p&gt;

&lt;p&gt;Oh and never mind that their forms are hard to use because they don't know proper HTML.  If you don't use &amp;lt;label&amp;gt;s it's like trying to pee in a Cheerio using your mouse.&lt;/p&gt;
</content>
 </entry>
 

</feed>
