Tuesday, July 26, 2005

Ass-backwards security, part 3

So I was worried about how cavalier RBC was with my password (recall my previous experience) and I decided to call them on it.

Never worry, an RBC agent assures me that:

Since your password had to be changed over the phone with our agent, the fact that he revealed what your previous password was is meaningless. It does not affect the safety of your account and personal information.


Ay carumba. An excerpt from my response to that gem:

What if the person on the phone was not me, but an impostor? What if I was phoning from an insecure device such as a cell phone or a cordless phone, and someone was eavesdropping? Although I would be able to change my new identification word securely through your online system, the impostor/eavesdropper now knows one more password that I use and can use that to compromise other accounts of mine.

Would it surprise you if I told you that a recent survey of British businesspeople found that 67% of them use the same password for multiple sensitive systems (office intranets, online banking, etc.) and 57% of them believe it is the responsibility of the corporation who maintains the account to ensure the secrecy of their passwords? This survey also found that these people subscribed to 20 services on average, each encouraging the user to use a unique password. Unfortunately, that sort of mental prowess just isn't in the cards for a lot of us -- turns out the average person has 4 passwords that they spread out amongst online services.


I also asked them why they felt it was necessary to store passwords in clear-text, which (pardon the pun) clearly goes against industry best practices.
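The difference that last question is pointing at, as an added illustration that is not part of the original post: a record that stores the password itself can always be read back by whoever has database access (the agent on the phone included), while a salted one-way hash can only be checked against a candidate. The field names, the PBKDF2 work factor and the sample password are my own choices.

```python
import hashlib
import hmac
import os

# Constructed example: two ways a service might keep the password that a
# support agent later needs to "verify". With the hashed form nobody,
# agent included, can read the password back.

ITERATIONS = 200_000  # PBKDF2 work factor; an assumption, not from the post


def store_cleartext(password: str) -> dict:
    """The practice the post criticises: the stored record *is* the password."""
    return {"scheme": "cleartext", "password": password}


def store_hashed(password: str) -> dict:
    """Per-user-salted one-way hash (PBKDF2-HMAC-SHA256). The record can be
    checked against a candidate but not turned back into something an agent
    could read out over the phone."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"scheme": "pbkdf2", "salt": salt.hex(), "hash": digest.hex()}


def verify(record: dict, candidate: str) -> bool:
    """Check a candidate password against either kind of record,
    using a constant-time comparison in both cases."""
    if record["scheme"] == "cleartext":
        return hmac.compare_digest(record["password"].encode(), candidate.encode())
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(record["salt"]), ITERATIONS
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def agent_can_read(record: dict) -> bool:
    """What someone with database access can do: with cleartext storage the
    password is right there; with a hash there is nothing to read back."""
    return "password" in record


if __name__ == "__main__":
    pw = "correct horse"  # constructed sample password
    clear, hashed = store_cleartext(pw), store_hashed(pw)
    print("cleartext verify:", verify(clear, pw), " agent can read:", agent_can_read(clear))
    print("pbkdf2    verify:", verify(hashed, pw), " agent can read:", agent_can_read(hashed))
```

A reset flow only needs `verify` and a new call to `store_hashed`; at no point does a human need to see the old password.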
