What with things like Heartbleed, keyloggers and other exploits that are possible on your machine, web browsing is inherently risk-prone. When you choose to do something like “Online Banking”, you have just brought these risks very close to your money. So you had things like passwords to keep you safe.

So here’s where I think Banks are going stupid, or they are being advised by imbeciles.

My bank:

  • requires me to log in with my account number
  • and provide a password, which they never require me to change
  • and if they find a cookie on my machine, they log me right in!
  • and if they don’t find a cookie, I must answer three questions correctly before being allowed to log in.

They are changing this as follows:

  • requires me to log in with my account number
  • and provide a password, which they never require me to change
  • and if they find a cookie on my machine, they log me right in!
  • and if they don’t, they will send me an email, an SMS or a phone call and give me a one-time-use passcode.

In the old way of doing things, I effectively had four passwords, and someone would have to compromise all four before he or she could log in. And my browser deleted all cookies on exit, and only retained cookies for the session. With the new mechanism, someone who wanted to hack my account only needs access to one password and either my telephone or the password to my email account.

How, pray, is this more secure?