2016-12-16

How not to do 2FA?

We have purchasing cards with Barclays and the statements come in on a web portal.

The site has a secondary question, which I think they pick from various questions that were asked when originally set up.

So, I logged in, and was asked the extra security question, and got it wrong. The problem is that it was "What is your mother's middle name?". This is a horrid question! (a) not everyone has a middle name, and (b) she has two of them. So I forgot what I had put originally and got it wrong.

So, locked out. Great.

I have spent literally a month trying to get it sorted, with email replies taking a week, and eventually a lot of phoning and getting our business relationship manager to chase, finally, the login was reactivated. Not a good user experience at all.

Same question, same mistake, locked out again, arrrrg!

OK, one more time with the shouting and chasing, and what do I get.

Seriously?


Yes, an unsigned, unencrypted, plain text email with a plain text password quoted that is valid for 2 months! (Yes, I have changed it).

Anyway, this time I guessed the right answer to the question.

To be fair, a password reset process is tricky, we send a link valid for a few hours, but that too is as good as plain text in a way as someone could use it. Just seems so very wrong sending a plain text password by email somehow. I am glad we are setting up the proper 2FA stuff on our systems.

Even so, this looked so much like some sort of spam I nearly deleted it.
at
Labels: ,

2 comments:

  1. Cecil WardWednesday, 21 December 2016 at 03:34:00 GMT

    I always make up total lies now to the kind of questions like your mother's maiden name - don't want that to be leaked to staff who I don't trust - and to annoying questions that don't even have answers, especially if you're not american (all people are) and if you were not brought up in a city (people only live in "cities"). I of course write down the questions and answers and store them somewhere secure.

    I've started using a couple of apps on my iPad, the standard Apple Notes app and also a third-party password management app which is very flexible and good for storing all kinds of details not just passwords and which integrates with Safari well.

    ReplyDelete
  2. Steve HillFriday, 23 December 2016 at 07:57:00 GMT

    And yet some places go to the polar opposite - one bank I've dealt with have password reset emails that are only valid for a couple of minutes. Completely bonkers that they seem to be under the impression that emails are always delivered instantly (makes it impossible to reset my password without first sshing into my mail server and turning off greylisting!)

    ReplyDelete

Comments are moderated purely to filter out obvious spam, but it means they may not show immediately.

Subscribe to: Post Comments (Atom)

Fencing

Bit of fun... We usually put up some Christmas lights on the house - some fairy lights on the metal fencing at the front, but a pain as mean...

  • It's official, ADSL works over wet string
    Broadband services are a wonderful innovation of our time, using multiple frequency  bands  (hence the name) to carry signals over wires (us...
  • Air conditioning at home (planning permission!)
    For many years I used a small stand-alone air-conditioning unit in my study (the box room in the house) and I even had a hole in the wall fo...
  • EICAR test QR
    It seems there is something of a standard test string for anti virus ( wikipedia has more on this). The idea is that systems that look fo...