Monday, June 14, 2004

Not Quite Getting It

My bank, like many nowadays, offers its customers the opportunity to perform certain basic functions online -- checking balances and recent activity, transferring money between accounts, etc.

Ever since we opened the account, they have committed a basic security flaw by using our social security number as the authenticator for these services (combined with our ATM card PIN). Now this isn't really a good thing, but I've got used to it.

Today I logged on and was invited to select a new User ID & password combination. Ah-ha, thought I to myself, this seems to be a step forward in security. Unfortunately, despite exhortations to "Enter a user ID that is easy to remember", the first requirement is that the ID be numeric, 8 to 20 digits. Despite a mathematical background, there is a limited selection of 8-20 digit numbers that I have committed to memory. I only keep pi & e to about 6 places in memory. Assuming that other basic IDs like 01234567 have been taken, that pretty much leaves me needing to use either my SSN or my telephone number as an ID. Unfortunately, if I use the telephone number then it is easy to figure out (being published and all) and I have blocked other users of this number (like Valerie, or in time our sons) from using it for their own access. Thus they will be more likely to use their SSNs and we are back in the same boat.

I had an alphanumeric account name on the PDP-11 that I learned FORTRAN on back in 1979. Why in the 21st century is a commercial organization insisting on a numeric access code? (I haven't got far enough yet to find out if the password is also numeric, but I'm betting that it is...)