Adam Shostack (2003-06-16 15:50Z) wrote:
I just called Diner's Club, and was surprised to be asked for a password to (replace? supplement?) my mother's maiden name.
Is this something that Citibank in general is doing? How long before this becomes a standard of due care? Also, I'm curious what the forgot-my-password recovery mechanisms will be...
Never fear; if you forget your password and the secret token used for authentication when you forget your password, they will still auth you. All they need is your account info, birthdate, and the last 4 digits of your SSN. Secure, indeed.

Even after most people realize the utility of relatively strong _required_ passwords being used, as they often are in movies, to deal with banks, they are satisfied when real banks treat two publicly available pieces of information and 13 bits of your maybe-or-maybe-not-so-secure SSN as good enough. Imagine the panic if Americans were required to use passwords like "b2\9690d" to access their bank accounts. I suppose the objection would be that we're not all as smart as Michael Douglas. (That's the password for one of his accounts in "The Game.")

--
Freedom's untidy, and free people are free to make mistakes and commit crimes and do bad things. They're also free to live their lives and do wonderful things. --Rumsfeld, 2003-04-11