Friday, December 2, 2005
Time to Find a New Online Bank....
I'm no fan of palliative security measures.
My online bank has "boosted" its security over the past year, resulting in an effective decrease in actual security, and a more unpleasant user experience to boot. They now require a password change every 180 days, with the new password not being allowed to bear any similarity to any previous password you have ever used. This asinine requirement quickly exhausts the supply of easy-to-remember, familiar, tried-and-true password combinations, which results either in the password having to be written down somewhere (usually near the computer), or in being locked out of the online account.
The one leads to severely compromised security; the other defeats the whole purpose altogether.
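To make the policy concrete, here is an added model (not the bank's code; the post does not say how the bank implements its check) of a 180-day expiry plus a "no similarity to any earlier password" rule, run against a constructed pool of memorable candidates. The similarity threshold is an assumption, since the post gives none.

```python
"""Model of the password policy described above: forced change every 180
days, and rejection of any new password resembling any previous one.
Added illustration; the bank's real implementation is unknown."""
from datetime import date, timedelta
from difflib import SequenceMatcher
from typing import List, Tuple

MAX_AGE = timedelta(days=180)
MAX_SIMILARITY = 0.6  # assumed threshold; the post does not state one


def similarity(a: str, b: str) -> float:
    """Share of characters two strings have in common, in [0, 1]."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def password_expired(last_change: date, today: date) -> bool:
    """True once the password is 180 days old or older."""
    return today - last_change >= MAX_AGE


def check_new_password(candidate: str, history: List[str]) -> Tuple[bool, str]:
    """Apply the 'no similarity to any previous password' rule.

    Such a rule can only be enforced against plaintext history; a hashed
    history supports exact-match comparison only.
    """
    for old in history:
        score = similarity(candidate, old)
        if score >= MAX_SIMILARITY:
            return False, "too similar to an earlier password (%.2f)" % score
    return True, "accepted"


def simulate_rotations(candidates: List[str], rotations: int) -> List[str]:
    """Walk a user through forced changes using only a fixed pool of
    memorable candidates. Returns the passwords that were accepted; the
    walk stops early once nothing in the pool passes the rule."""
    history: List[str] = []
    for _ in range(rotations):
        for cand in candidates:
            if cand in history:
                continue
            ok, _reason = check_new_password(cand, history)
            if ok:
                history.append(cand)
                break
        else:
            break  # pool exhausted: invent something, or write it down
    return history
```

With five "pet name plus year" style candidates the pool is exhausted by the fourth rotation, which is the effect the paragraph above describes.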
Now, I'm tired of my having to switch from online bank to online bank, trying to find one that gets it right. I've been through five or six, abandoning some, having some abandon me (through mergers or corporate parents deciding they aren't profitable enough). I've been with this current one a number of years, during which they weren't terrible, and so I have really not wanted to have to start up all over again with a new bank.
And so I have been honestly trying to improve this one through detailed customer feedback, and not only in this matter. I have time and again tried to give detailed, constructive criticism, not only to customer support representatives on the phone, but also in writing. Until recently this had led to exactly nothing, a feeling of shouting into the wind. But now they have escalated in their obvious indifference to customer concerns to the level of trying to quell dissatisfaction through glib little stories of a mendacious nature.
In response to my latest renewed complaint against the overly aggressive forced password changes, which I submitted in writing after the usual unfruitful session with customer service on the phone, I received the following reply:
Dear Mr Wagenfuehr,
Thank you for your message. I do understand your frustration and I am sorry. However, the government agency that we are under is the OTS (the Office of Thrift Supervision); they are requiring that we require our customers to change passwords every 180 days. We really have no control over this part of the system. They are the agency that we report to, and if we do not abide by their rules and regulations we could be fined.
Again, I do understand how upset you are, though we must abide by the rules and regulations the OTS imposes on us.
Should you have any further questions, please feel free to contact our Customer Care Center 24 hours a day, 7 days a week toll-free at 888.xxx.XXXX (xxxx) or if you prefer, email us at service@[redacted].com.
Happy [redacted]Banking!
[redacted],
AVP Customer Care
************************************
[redacted] Customer Care Center
[redacted]
[redacted]
P: 888.xxx.XXXX (xxxx)
F: 888.xxx.xxxx
E: service@[redacted].com
************************************
[redacted]Bank, the only bank you'll ever love
Oh really? How odd: I have an online account with ING Direct, which also falls under the supervision of the Office of Thrift Supervision, and they don't require me to change my password... So I replied asking for the citation of the relevant OTS handbook or regulation where this is covered. I received the following reply:
Dear Mr Wagenfuehr,
Thank you for your message. I do not have the regulation, if you need to have this information please contact the OTS.
Should you have any further questions, please feel free to contact our Customer Care Center 24 hours a day, 7 days a week toll-free at 888.xxx.XXXX (xxxx) or if you prefer, email us at service@[redacted].com.
Happy [redacted]Banking!
[redacted],
AVP Customer Care
Well, I took the trouble to actually get in touch with the regional branch of the Office of Thrift Supervision they fall under. I also took the time and trouble of going over to the Office of Thrift Supervision website and going over the regulations myself. And you know what? I'm filing a formal complaint against my bank for fraudulent and unethical misrepresentation of banking regulations.
The Code of Federal Regulations, Title 12, part 555 deals with Electronic Operations of Federal savings associations. Specifically, § 555.210 says:
If you use electronic means and facilities under this subpart, your management must:
(a) Identify, assess, and mitigate potential risks and establish prudent internal controls; and
(b) Implement security measures designed to ensure secure operations. Such measures must be adequate to:
(1) Prevent unauthorized access to your records and your customers' records;
(2) Prevent financial fraud through the use of electronic means or facilities; and
(3) Comply with applicable security devices requirements of part 568 of this chapter.
Part 568 of Title 12 of the Code of Federal Regulations deals almost exclusively with physical security devices, such as vaults and cameras and alarms, but in § 568.5 it says:
Savings associations and their subsidiaries (except brokers, dealers, persons providing insurance, investment companies, and investment advisers) must comply with the Interagency Guidelines Establishing Information Security Standards set forth in appendix B to part 570 of this chapter. Supplement A to appendix B to part 570 of this chapter provides interpretive guidance.
The Office of Thrift Supervision is empowered through United States Code, Title 12, Chapter 16, § 1831p–1, to, among other things, prescribe standards relating to information systems and such other operational and managerial standards as the agency determines to be appropriate for all insured depository institutions. The standards they set for information security are codified in the Code of Federal Regulations, Title 12, part 570, Appendix B. These standards take the form of a guideline, which does not outline specific measures to be taken, but instead describes in broader terms what is to be done, e.g.:
Appendix B to Part 570 II. A.
You shall implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to your size and complexity and the nature and scope of your activities. While all parts of your organization are not required to implement a uniform set of policies, all elements of your information security program must be coordinated.
and
Appendix B to Part 570 III. C. 1.
Design your information security program to control the identified risks, commensurate with the sensitivity of the information as well as the complexity and scope of your activities. You must consider whether the following security measures are appropriate for you and, if so, adopt those measures you conclude are appropriate:
a. Access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means.
Please note the lack of any language with the specificity of "you must compel your customers to change their password every 180 days". Indeed, it was the express purpose to "not propose to codify static risk or security requirements" when these rules were written. (See the notice of proposed rulemaking and Final Rule: Electronic Operations, Order No. 98-119, for discussion.)
Instead, the modus operandi of the Office of Thrift Supervision is the issuance of Guidance, as for example the latest Guidance regarding Authentication in an Internet Banking Environment, which uses language such as "Financial institutions offering Internet-based products and services should have reliable and secure methods to authenticate their customers," and "The level of authentication used by the financial institution should be appropriate to the risks associated with those products and services." Not "you must make users change their passwords every 180 days"! In fact, the one big thing this Guidance stresses strongly is that single-factor authentication is inadequate: regardless of how often you change it, a username/password combination is still only single-factor authentication. So really, my bank is out of compliance with the latest Guidance of the Office of Thrift Supervision.
I get so sick of foolish, counter-productive security stupidity.
I get even more sick of snow-jobs appealing to some three letter government agency as justification for said stupidity.
Don't meekly accept asinine, burdensome "security"!