Log in

No account? Create an account
entries friends calendar profile Previous Previous Next Next
Security - Qualified Perceptions
So, under ilhander's guidance, I got harrock a suit for his birthday, which was not at all recently, but I have been lame and scheduling the three of us for a shopping trip has been kind of slow. Anyway, they lured me into applying for a credit card with Large Discounts for the suit, which was kind of worth it. The card arrived in the mail, and I went to pay the bill on line. Creating my account with them involved:

1) Verifying my identity, with all the standard types of questions.
2) Choosing a password, with a different set of character restrictions than the usual password restrictions
3) Selecting three different Security Questions, each chosen from a different population of six (what street did my grandmother live on? I don't know!)
4) Choosing a personalized caption for the Security Image that they chose for me. I'm really confused by this one. It looks like when I log into their site again in the future, they will display this image and caption to me. For... reassurance? Really, I'm not reassured by them showing me an image they picked for me and a caption that I chose when I didn't know what it was for. Am I supposed to keep this image a Secret? Do I have to remember what it is?

10 comments or Leave a comment
dpolicar From: dpolicar Date: September 14th, 2008 07:45 pm (UTC) (Link)
well, it reassures you that when you connect to their website it really is their website?
firstfrost From: firstfrost Date: September 14th, 2008 07:52 pm (UTC) (Link)
Maybe it's different for other people, but I'm pretty confident that if I go to their web site again in the future, and try to sign in, that I won't even notice if they stop displaying the random picture. And if I do notice, I'm going to think "Huh, they changed their web site", not "Oh, no, someone has stolen their address and put up a fake site!"

I guess I understand what you mean, though. I'm making them prove that they know a secret (the caption I typed) before I tell them any secrets (my password). But, since I'm not yet trained to require that, it doesn't help me *feel* more secure.
algorithmancy From: algorithmancy Date: September 14th, 2008 08:42 pm (UTC) (Link)
B of A started doing that a while back. They let you pick your picture from a collection of them. I can kind of see how it helps protect against phishing, though I'm not precisely sure how they keep a site from putting up some facade that makes real requests into their site and passes them through.
chenoameg From: chenoameg Date: September 14th, 2008 09:11 pm (UTC) (Link)
Yeah, I have several sites that require pictures now. Happily for me I can choose a theme and all of my pictures are related.

The security questions are a doozy. I just end up writing down the answers; I know someone else who uses the same answer for all of them.
kirisutogomen From: kirisutogomen Date: September 14th, 2008 11:33 pm (UTC) (Link)
If you answer the security questions as expected, it's significantly less secure than any password that isn't "password123". Bruce Schneier says he answers security questions by just banging randomly on the keyboard, and that seems to me to be the most reasonable plan.
countertorque From: countertorque Date: September 15th, 2008 11:10 pm (UTC) (Link)
Is it that easy to figure out my mother's maiden name?
desireearmfeldt From: desireearmfeldt Date: September 14th, 2008 09:41 pm (UTC) (Link)
Yeah, I believe the point is to show you it's not a fake website.

I dunno, I notice the presence of the image on Vanguard's site, but you're right that I might not notice its absence. :)
mjperson From: mjperson Date: September 14th, 2008 09:44 pm (UTC) (Link)
Think of it like a password. You tell them a password, and everytime you connect, you expect them to tell the password back to you before you will do business with them.

Of course, they think you are not clever enough to remember the password yourself, so they make it a caption to a picture. Then you see the picture, you remember the caption you made up, and you see that they know it.
brass_rat From: brass_rat Date: September 15th, 2008 03:36 pm (UTC) (Link)
2) Choosing a password, with a different set of character restrictions than the usual password restrictions

Why are there so many web sites that disallow a portion of our character set (eg., punctuation) in their passwords? Yes, this is a pet peeve of mine.
firstfrost From: firstfrost Date: September 15th, 2008 07:14 pm (UTC) (Link)
I think it's the lazy way of preventing sql injections. :)
10 comments or Leave a comment