
Ask HN: I found a security issue with my bank and they don't care - jason_slack
I found out that when answering my bank's security question they allow it to be incorrect by one character.

Example: If the answer is: washington

I could type something like: woshington

and it works.

I contacted my bank and was told that it was a "feature" in case users are typing fast and just fat-finger a key.

To me this is an issue. None of my other banks and websites allow this "feature".

Can I get thoughts from others? Let it go? Is it not really an issue as far as other people are concerned?
======
DanielStraight
If you're relying on the extra protection of an exact match over a match with a
Levenshtein distance of 1, your security question isn't secure to begin with.

Proper management of security questions is pretty straightforward: Set them to
a long random string and keep track of them as if they were another password.

If you do that, the fuzzy matching shouldn't be a problem at all. If you're
using real answers that are easy to obtain from knowing anything about you,
exact matching isn't helping.
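
An added example, not code from the thread or from anyone in it: a Python sketch of the lenient rule jason_slack describes beside the exact-match, treat-it-as-a-password approach DanielStraight recommends, with a count of how many distinct strings the lenient rule accepts for a single stored answer. It assumes a lower-case answer alphabet and a constructed salt value.

```python
import hashlib
import hmac
import math
import string

ALPHABET = string.ascii_lowercase  # assumption: answers are lower-case letters

def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert, delete and substitute, by dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def fuzzy_check(stored_answer: str, typed: str) -> bool:
    """The lenient rule from the thread: an answer off by one edit is accepted."""
    return levenshtein(stored_answer, typed) <= 1

def accepted_strings(answer: str, alphabet: str = ALPHABET) -> set:
    """Every distinct string the lenient rule accepts for one stored answer."""
    out = {answer}
    for i in range(len(answer)):
        out.add(answer[:i] + answer[i + 1:])                           # one deletion
        out.update(answer[:i] + c + answer[i + 1:] for c in alphabet)  # one substitution
    for i in range(len(answer) + 1):
        out.update(answer[:i] + c + answer[i:] for c in alphabet)      # one insertion
    return out

def bits_lost(answer: str, alphabet: str = ALPHABET) -> float:
    """Each guess now covers this many answers, so guessing gets log2(n) bits easier."""
    return math.log2(len(accepted_strings(answer, alphabet)))

def make_hash(answer: str, salt: bytes) -> bytes:
    """Store the answer like a password: salted, slow hash, never the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", answer.encode(), salt, 100_000)

def strict_check(stored_hash: bytes, typed: str, salt: bytes) -> bool:
    """Exact, constant-time comparison. A hashed answer can only be fuzzy-matched
    by hashing every neighbour, so a bank applying the lenient rule is most likely
    keeping answers in a form it can read back."""
    return hmac.compare_digest(make_hash(typed, salt), stored_hash)

if __name__ == "__main__":
    print(fuzzy_check("washington", "woshington"), len(accepted_strings("washington")))  # True 537
    salt = b"constructed-salt"  # constructed sample value, not a real salt
    print(strict_check(make_hash("washington", salt), "woshington", salt))  # False
```

For the ten-letter example in the post, the lenient rule accepts 537 strings instead of one, roughly nine bits of guessing work handed back to anyone trying answers.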

~~~
jason_slack
This is a good idea. I'll try this approach.

------
bifrost
I'm going to guess it cut down on their customer service tickets, that's kinda
a weird one though. I could see allowing case insensitivity, but maybe not
spelling...

