I'm no fan of palliative security measures.



My online bank has "boosted" its security over the past year, resulting in an effective decrease in actual security, and a more unpleasant user experience to boot. They now require a password change every 180 days, with the new password not being allowed to bear any similarity to any previous password you have ever used. This asinine requirement quickly leads to the running out of easy-to-remember, familiar tried-and-true password combinations, which results in either the password having to be written down somewhere (usually near the computer), or else being unable to access the online account.



The one leads to severely compromised security, the other defeats the whole purpose altogether.



Now, I'm tired of my having to switch from online bank to online bank, trying to find one that gets it right. I've been through five or six, abandoning some, having some abandon me (through mergers or corporate parents deciding they aren't profitable enough). I've been with this current one a number of years, during which they weren't terrible, and so I have really not wanted to have to start up all over again with a new bank.



And so I have been honestly trying to improve this one through detailed customer feedback, and not only in this matter. I have time and again taken the time and tried to give detailed, constructive criticism, not only to customer support representatives on the phone, but also in writing. Up to recently this has lead to exactly nothing, a feeling of shouting into the wind. But now they have escalated in their obvious indifference to customer concerns to the level of trying to quell dissatisfaction through glib little stories of a mendacious nature.



In response to my latest renewed complaint against the overly aggressive forced password changes, which I submitted in writing after the usual unfruitful session with customer service on the phone, I received the following reply:

Dear Mr Wagenfuehr,



Thank you for your message. I do understand your frustration and I am sorry. However, the government agency that we are under is the OTS (the Office of Thrift Supervision) they are requiring that we require our customers to change passwords every 180 days. We really have no control over this part of the system. They are the agency that we report to and if we do not abide by their rules and regulations we could be fined.



Again I do understand how upset you are though we must abide by the rules and regulation the OTS imposes on us.



Should you have any further questions, please feel free to contact our Customer Care Center 24 hours a day, 7 days a week toll-free at 888.xxx.XXXX (xxxx) or if you prefer, email us at service@[redacted].com.



Happy [redacted]Banking!



[redacted],

AVP Customer Care

************************************

[redacted] Customer Care Center

[redacted]

[redacted]

P: 888.xxx.XXXX (xxxx)

F: 888.xxx.xxxx

E: service@[redacted].com

************************************

[redacted]Bank, the only bank you'll ever love

Dear Mr Wagenfuehr,



Thank you for your message. I do not have the regulation, if you need to have this information please contact the OTS.



Should you have any further questions, please feel free to contact our Customer Care Center 24 hours a day, 7 days a week toll-free at 888.xxx.XXXX (xxxx) or if you prefer, email us at service@[redacted].com.



Happy [redacted]Banking!



[redacted],

AVP Customer Care

************************************

[redacted] Customer Care Center

[redacted]

[redacted]

P: 888.xxx.XXXX (xxxx)

F: 888.xxx.xxxx

E: service@[redacted].com

************************************

[redacted]Bank, the only bank you'll ever love

If you use electronic means and facilities under this subpart, your management must:

(a) Identify, assess, and mitigate potential risks and establish prudent internal controls; and

(b) Implement security measures designed to ensure secure operations. Such measures must be adequate to:

(1) Prevent unauthorized access to your records and your customers' records;

(2) Prevent financial fraud through the use of electronic means or facilities; and

(3) Comply with applicable security devices requirements of part 568 of this chapter.

Savings associations and their subsidiaries (except brokers, dealers, persons providing insurance, investment companies, and investment advisers) must comply with the Interagency Guidelines Establishing Information Security Standards set forth in appendix B to part 570 of this chapter. Supplement A to appendix B to part 570 of this chapter provides interpretive guidance.

Appendix B to Part 570 II. A.

You shall implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to your size and complexity and the nature and scope of your activities. While all parts of your organization are not required to implement a uniform set of policies, all elements of your information security program must be coordinated.

Appendix B to Part 570 III. C. 1.

Design your information security program to control the identified risks, commensurate with the sensitivity of the information as well as the complexity and scope of your activities. You must consider whether the following security measures are appropriate for you and, if so, adopt those measures you conclude are appropriate:



a. Access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means.