OT: Banks, security, IE7/Vista, password policies and CardSpace

I had to go through the signup procedure for direct account access for Bank of America today. It reminded me of how much nonsense gets perpetrated and how it’s always done supposedly in the name of security. In the end, it usually achieves the exact opposite of what they are trying to achieve.

First, you need to generate a digital certificate to use. The bank has a sign-up site for this. After entering my details, I was greeted with:


I can’t imagine anyone that would consider “Error 0x1AD generating certificate request” to be either friendly or helpful. Now I thought, hmm, this might be an IE7/Vista thing, so I tried to run IE as an Administrator. No joy. Eventually I gave up and contacted support. So what was their recommended solution? You guessed it: install Firefox and use it instead!

I asked when the bank was going to support IE7 and Vista, given it was 2008 now and that was becoming a pretty common combination. They told me that there was a convoluted process that you had to go through to get it to work and that I might have to involve my IT department to get it to work. I’ll take that as a “not real soon now” response.

So I gave in and installed Firefox. It was interesting to notice that my options for doing that included the Google Toolbar. I suppose all those bundling and anti-trust rules should only apply to evil organisations like Microsoft :-)

After doing that, I could then create the certificate, then back it up to a file and reimport it into IE7. So far so good. Then I needed to create a new password. I was a little surprised by this message:


I wonder which Einstein at the bank thinks that is a good idea. It reminded me of the Telstra Bigpond error message that told me my passwords couldn’t be longer than 8 characters.

After removing the offending special character, I was then told I must have a number in the password. So I added a number only to be told that my password couldn’t end in a number, unless it ended in two numbers. Heaven forbid they could have told me that in the first error message.

And so on and so on. I cannot imagine that policies such as this ensure anything except that I have to write down my new password as there’s no chance I’ll ever remember it. I’ll bet they have a rule that says I can’t do that either.
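As an added illustration (not from the original post or the bank), here are the rules reconstructed from the error messages above: a validator that reports every violation in one pass, and an exact count of how much of the alphanumeric keyspace the rules leave. What counts as a “special character” is an assumption (anything outside A-Z, a-z, 0-9).

```python
"""Model of the bank password rules described in the post.
Rules are reconstructed from the error messages; "special character"
is assumed to mean anything outside A-Z, a-z, 0-9."""
import string
from itertools import product

ALNUM = string.ascii_letters + string.digits  # 52 letters + 10 digits


def policy_violations(pw: str) -> list[str]:
    """Return every rule the password breaks at once, instead of
    one message per round trip as the sign-up site did."""
    problems = []
    if any(ch not in ALNUM for ch in pw):
        problems.append("contains a special character")
    if not any(ch.isdigit() for ch in pw):
        problems.append("must contain a number")
    ends_in_digit = len(pw) >= 1 and pw[-1].isdigit()
    two_digit_ending = len(pw) >= 2 and pw[-2].isdigit()
    if ends_in_digit and not two_digit_ending:
        problems.append("may not end in a single number (needs two)")
    return problems


def accepted_count(n: int, letters: int = 52, digits: int = 10) -> int:
    """Exact number of length-n passwords the policy accepts.
    Start from all alphanumeric strings, drop those with no digit, then
    drop those ending in letter+digit (these always contain a digit, so
    the two excluded sets do not overlap)."""
    sigma = letters + digits
    if n == 1:
        single_trailing_digit = digits  # a lone digit has no digit before it
    else:
        single_trailing_digit = sigma ** (n - 2) * letters * digits
    return sigma ** n - letters ** n - single_trailing_digit


def accepted_fraction(n: int) -> float:
    """Share of the 62**n alphanumeric strings that survive the rules."""
    return accepted_count(n) / 62 ** n


def brute_force_count(n: int, alphabet: str) -> int:
    """Cross-check of accepted_count by enumeration (small n only)."""
    return sum(1 for t in product(alphabet, repeat=n)
               if not policy_violations("".join(t)))
```

For 8-character passwords the rules still admit about 62% of the alphanumeric space, so they shrink what an attacker must search while making the result harder to remember.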

I had a related conversation with the Commonwealth Bank in Australia recently. They have a system where if you get the password wrong on a new online account three times, it never resets without you physically going into the bank. Again, this is done for security. I asked “but what if someone wrote a program to just try all the numbers? No new customer would be able to connect at all.” They said “ah, no-one would do that surely”.

It really is time for a system like CardSpace to become prevalent.

2008-03-26