Or the bank could just issue a secure password (or better yet, a list of one-time passwords) for the user. No need for silly rules, and probably much more secure than letting Joe Sixpack pick his own password.
Banks don't optimize for security, they optimize for profits. Picking passwords for users would be more secure, but it would also disincentivize use of the website and cause a huge spike in support requests.
People on the phone are expensive. (I'm unaware of exact numbers for the banking industry, but based on figures for my first-and-only CSR job, I'd guesstimate in the vicinity of $8 to do a password reset in the US and $2 in India. Given that the median retail checking account is only worth about $100 a year this is not very sustainable.)
Web banking is the best thing that ever happened to cost control for retail accounts and one of the highest ROI channels for getting more business.
Any suggestion for increasing security which results in banks losing money is probably a non-starter. (Not uniquely true for banks: many of the "Wouldn't it be grand if the entire world simultaneously adopted $LOGIN_TECHNOLOGY_FOO" thoughts ask businesses to spend money to solve problems that they do not actually have.)
Unfortunately, I left such services due to this. It makes me think their system security is poor and asking to be broken into. No matter what 'security' marketing speak they use, I'll assume they have a similar if not same password policy for their IT department.
Much like how they're trying to save money, it's expensive for me to spend time trying to get my money back. Especially since they want to minimise support costs.
Edit: They should provide an option for power users to give an impression of 'strong secure access' while allowing 'secure convenient access' for other users. I've never seen this option before.
> Banks don't optimize for security, they optimize for profits.
So true, and to them "profits" often means "user convenience" long before "user security". I've talked about it here before so this time I'll just post a link to my story about the time my bank reset all its users' passwords to be equal to their usernames (intentionally!):
Why do you think that bank-issued passwords would either disincentivize use of web banking or cause more support requests than the current convoluted systems?
I believe that substantially less than 5% of Americans with a banking account would either a) recall or b) have recorded that when asked for it two weeks later. I have no citation for this other than "I have spent the last couple of years helping people log into their Googles and they frequently volunteer their passwords to me, often in the form 'My password is either kittens or kittens1 or kittens!' They overwhelmingly care about things in life other than computers, password security, and password security on their computers."
I realised a while ago that the most problematic logins for me were the ones with the most onerous password requirements. OK, I know this isn't great, but I do reuse passwords. The ones I care about least have the least adherence to good security practices, because it so vastly improves the user experience for me. Other solutions have been tried and cause more problems than they solve.
Between news sites like HN, content sites like BBC iPlayer, Facebook / LinkedIn / Twitter, eBay, different financial services websites, multiple email accounts, various topic specialist forums, standard and admin logins for each of the three computers I personally own, database server root passwords... There are just far, far too many for me to be able to tie a unique password to each that complies with their length and character mix standards (and, in some cases, their re-use policies), particularly when the login page (sensibly) won't remind me what their particular complex requirements are.
I'm not at all convinced the end result of their aggressive requirements is more secure. For several of them I end up using the password reset function waaaay more than 50% of the time because it's enormously easier than memorising their particular onerous code.
I'm willing to be persuaded, but I'm currently using two different machines, each with two different browsers open, and this is a relatively light usage case... It's a remarkably complex problem.
1Password can sync between multiple machines via Dropbox. I'm not sure about other OSes, but on a Mac there is a browser plugin for Safari, Firefox and Chrome (and a companion iOS/Android app).
I've been using 1Password since 2007, and literally all my passwords are uniquely generated (including server root passwords, database root, etc.). At one point I was a bit scared that if I ever lost the database, I'd lose access to all websites forever (because I don't even "know" my email password).
If you're using this 1Password for everything, how do you log in to your Dropbox?
Assuming you have a passphrase for Dropbox, as well; then, I didn't know it had a web ui, and that ~does~ make things convenient --- assuming SSL or similar for security.
I don't use (no longer use) Dropbox. The 1Password database is synced to my phone via Wi-Fi, and I always have my phone with me so it's never really a problem. If I ever leave my phone elsewhere, then I've got a bigger problem anyway.
The Dropbox Web UI is just an HTML implementation of 1Password (read-only) sitting on your disk, so its HTTP security depends on Dropbox (or whatever sync service you use) rather than 1Password itself.
If banks would supply the password on paper, then that issue would go away for most people. And if the bank would use OTP then supplying passwords on a paper slip is a natural solution. I know that that kind of solution works even for computer illiterate people, as most, if not all, web banks around here use OTP.
> If banks would supply the password on paper, then that issue would go away for most people. And if the bank would use OTP then supplying passwords on paper slip is a natural solution.
So you have to get a new paper slip every time you log in? How would the logistics of this work? If you have to go to your bank / wait for physical mail on every login, then the convenience of online banking goes away, doesn't it? (Or would you get a collection of them? Then, if you're like me, you'd lose that; and you'd be right back at the inconvenience, while someone else has temporarily unfettered access to your account.)
My bank gives a three-times-folded, credit-card-sized password card, and automatically mails a new one when you are about 2/3 through it. As it is credit-card sized, it can conveniently be stored in a wallet, and thus losing it isn't much of an issue.
Deutsche Bank does this for online transactions. All your purchases and, if I remember correctly, bank to bank transfers require you to refer to a sheet of TAN numbers that is mailed to you when you open an account. It was surprisingly annoying at first but I got used to it.
These lists of TAN [1] numbers are being phased out everywhere around me. They usually were hard to carry with you (just as a token, but easier to destroy) and had usability problems:
- Ordered lists: You could only use a number that followed the last used one. So if you had 10 numbers and used the 9th by accident, all previous were void. Forgetting to cross out the used numbers led to annoyance, and the 'dammit, guess I used that number already' factor decreased security (someone could've used the next TAN on your list and you'd ignore the error and think it was your fault).
- A list with columns/rows: The server would know about your 'state' and ask you for a TAN in a specific location. Think of copy protection around the time of Monkey Island. Progress in a couple of ways, but finicky.
- You had to manage the list to make sure that you don't run out of numbers (the second 'solution' above could help a little, but if you planned to do 10 transactions a day and had only 9 digits left: Bad luck).
Right now, as others said already, you're using your direct debit card with a chip inside combined with a tiny TAN generator that looks like one of these crappy currency calculators. You enter your transaction (you already logged in before, with or without a TAN), the server tells you to enter a checksum (parts of it are clearly identifiable as information that you just entered) into your device w/ the direct debit card inserted to receive a one-time only TAN. Done.
A mobile option is usually present (my bank asks me every time I log in if I want to use TANs generated by that gadget or sent to my mobile number), but I actually prefer the other option.
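The three TAN schemes described in the comment above (the ordered paper list, the indexed list where the server names a position, and the chip-and-reader generator that binds the TAN to the transaction) can be modelled server-side in a few dozen lines. The following is an added illustration, not code from any bank or from the commenter: the TAN values and card secret are constructed sample data, and the generator is a simplified HMAC construction of my own, not the real chipTAN/HHD algorithm. It shows the property each scheme gives the bank: the ordered list voids skipped entries, the indexed list only consumes the entry that was challenged, and the transaction-bound TAN fails verification if the recipient or amount is altered after the TAN was produced.

```python
import hmac
import hashlib
import secrets

# Constructed sample data for the example (not real TANs or a real card key).
TANS = ["483920", "117655", "902314", "558201", "734096",
        "261187", "649530", "085772", "310449", "877263"]
CARD_SECRET = b"example-card-secret-not-real"


class OrderedTanList:
    """Classic ordered list: only entries at or after the next expected
    position are accepted, and using a later one voids every earlier,
    unused entry (the 'used the 9th by accident' behaviour)."""

    def __init__(self, tans):
        self.tans = list(tans)
        self.next_index = 0  # position of the next usable TAN

    def remaining(self):
        return len(self.tans) - self.next_index

    def verify(self, tan):
        """Return (accepted, number_of_entries_voided)."""
        try:
            idx = self.tans.index(tan)
        except ValueError:
            return False, 0
        if idx < self.next_index:
            return False, 0  # already used or voided by a later entry
        voided = idx - self.next_index
        self.next_index = idx + 1
        return True, voided


class IndexedTanList:
    """Indexed list: the server names a random unused position and the
    user must answer with exactly that entry; nothing else is consumed."""

    def __init__(self, tans):
        self.tans = list(tans)
        self.used = [False] * len(tans)
        self.pending = None  # index currently being challenged

    def challenge(self):
        unused = [i for i, u in enumerate(self.used) if not u]
        if not unused:
            raise RuntimeError("list exhausted, a new one must be issued")
        self.pending = secrets.choice(unused)
        return self.pending + 1  # 1-based position as printed on the sheet

    def verify(self, tan):
        if self.pending is None:
            return False  # no outstanding challenge
        idx, self.pending = self.pending, None
        if hmac.compare_digest(self.tans[idx], tan):
            self.used[idx] = True
            return True
        return False


def canonical(tx):
    """Fixed field order so reader and server MAC the same bytes."""
    return f"{tx['iban']}|{tx['amount_cents']}|{tx['counter']}".encode()


def generate_tan(card_secret, tx):
    """Reader side (simplified, hypothetical): 6-digit TAN derived from the
    card secret and the transaction data shown on the device display."""
    mac = hmac.new(card_secret, canonical(tx), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def verify_tan(card_secret, tx, tan):
    """Server side: recompute from the transaction it is about to execute."""
    return hmac.compare_digest(generate_tan(card_secret, tx), tan)


if __name__ == "__main__":
    ordered = OrderedTanList(TANS)
    print(ordered.verify(TANS[8]))   # accepted, voids 8 earlier entries
    print(ordered.verify(TANS[0]))   # rejected, already voided
    tx = {"iban": "DE00EXAMPLE0000000001", "amount_cents": 12_50, "counter": 7}
    tan = generate_tan(CARD_SECRET, tx)
    tampered = dict(tx, iban="DE00EXAMPLE0000000099")
    print(verify_tan(CARD_SECRET, tx, tan), verify_tan(CARD_SECRET, tampered, tan))
```

The `counter` field stands in for the per-card transaction counter a real reader keeps, so the same transfer submitted twice yields a different TAN; `hmac.compare_digest` is used for every comparison so a verifier does not leak how many leading digits matched.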