THE SQL Server Blog Spot on the Web

Welcome to SQLblog.com - The SQL Server blog spot on the web Sign in | |
in Search

The Bit Bucket (Greg Low): IDisposable

Ramblings of Greg Low (SQL Server MVP, MCM and Microsoft RD) - SQL Down Under

OT: Banks, security, IE7/Vista, password policies and CardSpace

I had to go through the signup procedure for direct account access for Bank of America today. It reminded me of how much nonsense gets perpetrated and how it's always done supposedly in the name of security. In the end, it usually achieves the exact opposite of what they are trying to achieve.

First, you need to generate a digital certificate to use. The bank has a sign-up site for this. After entering my details, I was greeted with:

 

I can't imagine anyone that would consider "Error 0x1AD generating certificate request" to be either friendly or helpful. Now I thought, hmm, this might be an IE7/Vista thing so I tried to run IE as an Administrator. No joy. Eventually I gave up and contacted support. So what was their recommended solution? You guessed it: install Firefox and use it instead !

I asked when the bank was going to support IE7 and Vista, given it was 2008 now and that was becoming a pretty common combination. They told me that there was a convoluted process that you had to go through to get it to work and that I might have to involve my IT department to get it to work. I'll take that as a "not real soon now" response.

So I gave in and installed Firefox. It was interesting to notice that my options for doing that included the GoogleToolbar. I suppose all those bundling and anti-trust rules should only apply to evil organisations like Microsoft :-)

After doing that, I could then create the certificate, then back it up to a file and reimport it into IE7. So far so good. Then I needed to create a new password. I was a little surprised by this message:

 

I wonder which Einstein at the bank thinks that is a good idea. It reminded me of the Telstra Bigpond error message that told me my passwords couldn't be longer than 8 characters.

After removing the offending special character, I was then told I must have a number in the password. So I added a number only to be told that my password couldn't end in a number, unless it ended in two numbers. Heaven forbid they could have told me that in the first error message.

And so on and so on. I cannot imagine that policies such as this ensure anything except that I have to write down my new password as there's no chance I'll ever remember it. I'll bet they have a rule that says I can't do that either.

I had a related conversation with the Commonwealth Bank in Australia recently. They have a system where if you get the password wrong on a new online account three times, it *never* resets without you physically going into the bank. Again, this is done for security. I asked "but what if someone wrote a program to just try all the numbers? No new customer would be able to connect at all." They said "ah, no-one would do that surely".

It really is time for a system like CardSpace to become prevalent.

 

Published Wednesday, March 26, 2008 6:35 AM by Greg Low

Comment Notification

If you would like to receive an email when updates are made to this post, please register here

Subscribe to this post's comments using RSS

Comments

 

joewebb0 said:

That's great, Greg! Thanks for sharing!

March 26, 2008 10:07 PM
 

Draco TB said:

"I asked when the bank was going to support IE7 and Vista,"

Whereas what you should be doing is asking when MS will start supporting international standards. I must admit that it is nice to know that a major bank is supporting those standards rather than MS rather blase approach to standards.

"...then back it up to a file and reimport it into IE7."

Why would you want to do that?

Firefox is the more secure browser and, as such, is more likely to keep your banking belonging to you.

"It was interesting to notice that my options for doing that included the GoogleToolbar."

The difference of course is that it was an option unlike MS who included it whether you wanted it or not.

April 30, 2008 6:08 PM

Leave a Comment

(required) 
(required) 
Submit

This Blog

Syndication

Tags

No tags have been created or used yet.
Powered by Community Server (Commercial Edition), by Telligent Systems
  Privacy Statement