Anyone who has been around computers a few years knows that there is an inherent tension between security and usability. The more secure a system is, the harder it is to use. The more convenient access is, the greater the security risk. Of course, this inherent tradeoff does not eliminate the possibility of less efficient implementations making a system both hard to use and insecure.

In their efforts to increase security (or at least the appearance of security), both ING and Emigrant are getting to where I'm a bit disgusted with the usability barriers.

It started with ING. Perhaps 30% to 40% of the time, misread which portion of my SSN they want or fail to register the correct click with my mouse and have to try more than once to log in. I have yet to set up the newer, more secure login process. When I try to log in this morning to get that set up, the site tells me, "We're sorry for the inconvenience. This function is currently not available." Well, that's pretty secure.

For all the nuisance of the long password and the multiple questions, at least Emigrant let me use the keyboard to log in. But wait a minute! There's the long password, plus the personal information question, plus the security question. All the answers are *'d out so I can't see typos. Okay, first time it says I'm wrong. Check my typing very carefully the second time. Strike two. Do one-finger typing (plus shift key as appropriate) to verify absolutely correct responses on the third try. Strike three! Your account has been locked, please call Customer Service.

This is getting very frustrating. Just when I thought Emigrant was really getting its act together on the interface, it becomes so secure that I can't see it.

As I'm typing this, I get through the hold and get Emigrant customer service on the line. Go through the standard list of security questions. Okay, she can set up a temporary new password and give me half over the phone plus email the other half. Small problem. No access to home email from work. Okay, she takes my work email from me and sends it there. Now, that's secure! I hope she has caller ID and could match the number I called from to the work number I had on file with them.

Log out. Log in again. Get the same questions that locked me out. Type in the same responses. It logs me in this time. Go figure.

Go back to ING. That feature is still not available. Hmm. Have to try that again from home, where I have all the email that ING has sent me about the security changes.

I wonder if HSBC is going to get more annoying than simply the recent change to entering ID first then password on the next screen? Even with all its clumsiness and slow transfers, if I can get into HSBC at least I can get money out of Emigrant when Emigrant locks me out.

I hope the industry in general gets to a balance with a bit more usability than the current system. For contingency . . . I guess I need to think about doing all custom challenge questions and making the answers easy to type. Hmm. I need to look at recurring transfers and put time limits on all of them, too. I can't afford recurring transfers indefinitely if the system might lock me out at any time.

Patzer
That's the exact reason I stopped using ING about 3-4 years ago. I'm all for security, but it was a huge hassle just to use it.
It has occurred to me that we're getting close to going full circle. The time involved to get a bill paid online will soon not be worth saving the .39 stamp.

rad
I hope the industry in general gets to a balance with a bit more usability than the current system.

Not likely given the current regulatory and marketing climate, where banks are rewarded for having the appearance of security, without regard for whether they have actual security. Making it difficult to get into the website is a great way to LOOK like you're secure, but this has little or no impact on actual security. E.g. *'ing out the password is useless -- crooks don't make typing mistakes, someone shoulder-surfing can easily look at what you're typing, and someone who is remotely viewing your screen could easily be viewing your keyboard.

I'm not at all impressed with the security questions, because the answers don't change. Someone just has to spot you entering them once (or keylogger), and then they're home free.
In my experience as a web based business systems architect and developer, I find myself always walking a fine line between balancing the need for security vs. usability and system performance. Just like in investing where you diversify to minimize risks without over-diversifying, the rule of diminishing returns always serves as a guideline.

Given web applications, you eliminate most of your security risks by using SSL and a combination of UserId/password enforced with strict rules such as long passwords (at least 8 characters) and account lockout for failed login attempts. Any additional requirements will impact system performance and usability for minimal gains in security.

A rule of thumb is that a system is only as secure as the users of that system. If you implement security features that start to intrude upon or hinder the users, the users will, by nature, adopt riskier behaviors such as selecting less safe security keys or even writing down the keys. For example, with EmigrantDirect, a user may select their 5 security questions as follows,

1. What comes after "A"?
2. What comes after "B"?
3. What comes after "C"?
4. What comes after "D"?
5. What comes after "E"?

This behavior will make it easier to remember and type the answers just to login! Also, the more intrusive and less usable the system, the higher your customer service costs. I have a feeling that EmigrantDirect will now spend more to address lockout accounts or forgotten security keys than before.

I read in a previous post that the implementation of entering your user id on a separate page by EmigrantDirect and ING is a result of some new FDIC/Federal Reserve banking law that is to be implemented in the near future. IMHO, this is less secure since a hacker now only has to hack the ID first to know that it is a valid ID. With a UserId/Password combination, if designed properly, a hacker would need to guess correctly both the user id and password simultaneously, a much more difficult task.

I have successfully used the new login process for both EmigrantDirect and ING. Personally, my user id and password have always been of random characters and so the additional security features are nuisances. I do however like ING's implementation much better since they allow you to by-pass the questions and personalize the login page with a picture and phrase to ensure that you are at ING's web site. Too bad ING's rates are lagging and not so competitive that I have most of my funds at EmigrantDirect. I guess I am content earning the higher rates at EmigrantDirect that I can live with the security nuisances.

Good luck.

P.S. And no, those are not my security questions.
>>IMHO, this is less secure since a hacker now only has to hack the ID first to know that it is a valid ID. With a UserId/Password combination, if designed properly, a hacker would need to guess correctly both the user id and password simultaneously, a much more difficult task.<<

-Hi, beanmeister

I agree.
IMHO, this is less secure since a hacker now only has to hack the ID first to know that it is a valid ID. With a UserId/Password combination, if designed properly, a hacker would need to guess correctly both the user id and password simultaneously, a much more difficult task.

I'm not sure that's true. As a test, I tried to log in with account id 11111111. I was asked for security questions in a similar manner as with a known-good account. Now, it's possible that this is a valid account number, but that somehow seems unlikely to me.
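
Added example, not part of the thread and not either bank's code: one way an ID-first login can answer an unknown ID with challenge questions, the behaviour the post above reports seeing, so that the first step does not reveal which IDs exist. The question pool, the enrolled account, the secret and all function names are constructed for illustration.

```python
import hashlib
import hmac

SERVER_SECRET = b"constructed-demo-secret"  # assumption: random key held server-side
PER_LOGIN = 2
QUESTION_POOL = [  # constructed pool of bank-supplied questions
    "What was the name of your first pet?",
    "What city were you born in?",
    "What was your first job?",
    "Who was your best friend in high school?",
    "What was the make of your first car?",
    "What street did you grow up on?",
]

def _tag(text: str) -> bytes:
    """Keyed digest of a normalised string (case and outer spaces ignored)."""
    norm = text.strip().lower().encode()
    return hmac.new(SERVER_SECRET, norm, hashlib.sha256).digest()

# Constructed enrolled account: question index -> digest of the stored answer.
ENROLLED = {"48213377": {2: _tag("babysitting"), 4: _tag("pinto")}}

def question_indexes(account_id: str) -> list[int]:
    """Step 1: return the same shape of response for every ID, enrolled or not."""
    if account_id in ENROLLED:
        return sorted(ENROLLED[account_id])
    # Unknown ID: derive decoys from a keyed digest so repeat visits see the same set.
    digest = _tag("decoy:" + account_id)
    order = sorted(range(len(QUESTION_POOL)), key=lambda i: (digest[i], i))
    return sorted(order[:PER_LOGIN])

def check_answers(account_id: str, answers: dict[int, str]) -> bool:
    """Step 2: one generic failure, whether the ID or an answer is wrong."""
    expected = ENROLLED.get(account_id, {})
    ok = bool(expected) and set(answers) == set(expected)
    for idx in question_indexes(account_id):
        want = expected.get(idx, _tag("no-such-account"))
        ok &= hmac.compare_digest(_tag(answers.get(idx, "")), want)
    return ok
```

Decoys only blend in when real users also draw from the fixed pool; where customers write their own questions, pool questions shown for an unknown ID would stand out.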
In their efforts to increase security (or at least the appearance of security), both ING and Emigrant are getting to where I'm a bit disgusted with the usability barriers.

Fidelity made some changes about a year ago, and Vanguard just did the same, so this isn't confined to ING and Emigrant.

I do agree with you however that some of the stuff seems just plain ridiculous! I was unable to log into Emigrant for about 3 days because their server kept going down due to high traffic. DUH, doncha' think they could have anticipated that asking all their customers to engage in a lengthy log-in verification change, plus view and confirm agreement with all their legal 'notices' simultaneously on the same day would result in 'high traffic'? I wrote a scathing email to them about this, to which I received no response.

At least Emigrant allowed you to create your own questions and answers. This was great because after 40 years I can't quite remember who I perceived my 'best friend' in high school to be. I also went to 3 different high schools, so trying to remember which name I used in response to that question was similarly futile. The same difficulties hold true of "What was your first job?" Let's see...did I respond with my first full-time job or part-time job? Or did I just answer 'babysitting'? At least Emigrant allowed me the option of creating more clear-cut questions and answers.

I guess I need to think about doing all custom challenge questions and making the answers easy to type.

I use questions with only one-word responses that are factual, but only to me--and you might also want to determine in advance that every character in all your answers everywhere will be either uppercase or lower, rather than mixing the two.

2old