Monday, February 16, 2009

How *not* to implement online security

I have an online account with a bank which shall remain nameless. Let's just call them Amgirl Direct. They use a really "sophisticated" security system which they have apparently leased from a third party named Information Technology, Inc.

Here's how I login to my account:
  1. First I must enter my 9-digit account number, which I have not been able to memorize because I use it once a month. So I have to search for it in my email each time.

  2. I am then told I need to answer a security question because the bank doesn't recognize my IP address. (Of course it doesn't... my home computer is assigned a new one periodically by my ISP.) The security question is always the same:

    What is your high school mascot?


    I went to two high schools, and I have no idea which mascot I entered originally. But it doesn't matter... if I type in the mascot of either high school, the answer is always wrong.

  3. After I answer the first security question wrong twice, I'm finally asked for my mother's middle name. Thankfully it recognizes my answer to this question.

  4. Next I'm asked to enter my password. But supposedly my password has something to do with an "authentication image" which is always a white vase. I have no idea why. There's no link to an explanation. It's always the same image, and I have only one password, so I'm left wondering what-in-the-world this vase has to do with anything.

    (Note Information Technology, Inc.'s proud declaration of ownership for their system.)

  5. After entering my password, I'm finally logged in (usually). But be careful! If you ever click the back or forward browser button at any time, you are presented with this most unhelpful error message:

    Error

    A Security Error Has Occurred. Your Online Session Has Expired.
    Possible Reasons Include Double Clicking A Link Or Pressing The Browser's Back Forward Or Refresh Buttons.
    Return To The Login Page To Continue Your Session.


    They "expire" my session for using navigation buttons that most users are accustomed to using. And there is no link to a login page... you just have to re-type Amgirl Direct's original URL and proceed through the steps above once again.

I keep asking myself, is using an online bank with this lousy of a system really worth the 2.25% APY?
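To look at step 5 from the defender's side, here is an added example that is not from the post or from the bank's software: the error text is consistent with a one-time token embedded in each served page (an assumption, since the real mechanism is not shown), and the block contrasts the described policy of killing the whole session on any replayed request with one that rejects only the stale request and keeps the user logged in.

```python
import secrets


class Session:
    """Server-side session guarded by a one-time page token.

    Assumption (not stated in the post): a Back/Forward/Refresh resubmits a
    token from an earlier page, and the server treats the mismatch as replay.
    """

    def __init__(self, user, policy="strict"):
        self.user = user
        self.policy = policy          # "strict" as described, or "lenient"
        self.active = True
        self.page_token = secrets.token_hex(16)

    def render_page(self):
        """Token the server embeds in the page it has just served."""
        return self.page_token

    def handle_request(self, submitted_token):
        """Process a navigation that carries the token of its originating page.

        Returns "ok", "session_expired" or "stale_request".
        """
        if not self.active:
            return "session_expired"
        if submitted_token != self.page_token:
            # Replayed request: back button, refresh or a double-clicked link.
            if self.policy == "strict":
                self.active = False   # the behaviour the post complains about
                return "session_expired"
            return "stale_request"    # lenient: drop only this request
        # Valid request: rotate the token so this page cannot be replayed.
        self.page_token = secrets.token_hex(16)
        return "ok"


def back_button_scenario(policy):
    """Log in, move to page 2, press Back (replaying page 1), then continue."""
    s = Session("user", policy)
    tok1 = s.render_page()                   # page 1 served
    first = s.handle_request(tok1)           # user submits page 1 -> page 2
    tok2 = s.render_page()                   # page 2 served
    replay = s.handle_request(tok1)          # Back resubmits page 1's token
    after = s.handle_request(tok2)           # user tries the current page
    return first, replay, after, s.active
```

Under the strict policy the replay ends the session and every later request fails, while the lenient policy refuses the stale submission but still accepts the current page.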