On Tue, 6 Feb 2024 23:47:35 +0000
Bruce Horrocks <07.013@scorecrow.com> wrote:

> On 30/01/2024 10:57, Sylvia Else wrote:
> > On 30-Jan-24 9:39 pm, Dan Purgert wrote:
> >> On 2024-01-30, Sylvia Else wrote:
> >>> This is really a rant - venting to release some of the frustration.
> >>>
> >>> I'm in the process of selling my house, and I need somewhere secure to
> >>> hold the proceeds. I decided I'd create a account with a bank I don't
> >>> otherwise bank with, and interact online with it using a live-DVD on a
> >>> system that has no storage. So no risk of key loggers or other hacks.
> >>> I'd remember the strong password, and not have it written down anywhere.
> >>
> >> Until you don't remember it, then what?
> >>
> >> Because let's face it, eventually we all forget the password.
> >>
> >
> > If I say I won't forget, you've no real reason to doubt me. There are
> > many things that I've remembered for decades.
>
> I don't doubt you, but your ability to remember a password that isn't
> easily guessable and isn't re-used on multiple sites puts you in the top
> 0.1% of the population. Banks, however, have to deal with the remaining
> 99.9% as well.
>
> > In the event that I really did forget, then I'd have to show up at one
> > of the bank's offices with physical identity documents.
>
> That's the last thing they want people doing. Imagine going into the
> bank to find that there are 15 people ahead of you in the queue, all
> waiting to go through a 5 minute process of showing documents to prove
> their identity to get their password changed.
>
> The banks don't want to pay their staff to change passwords, they want
> to pay them to sell you a new savings account or to take out a loan.
>
> FWIW my bank in the UK gives out a free card reader device, a bit like a
> pocket calculator, for their 2FA system. To use it you insert your bank
> card, enter your card pin, which it validates using the chip in the chip
> & pin card and then displays an 8 digit number to enter into the website.
>
> You use this to log in initially (so no password to remember) and then
> to re-authenticate prior to carrying out any sensitive actions such as
> making a payment or changing personal details.
>
These are being deprecated by my bank; they much prefer to sms a
code to your phone.

--
Bah, and indeed Humbug.

Bruce Horrocks wrote:

> On 30/01/2024 10:57, Sylvia Else wrote:
>> On 30-Jan-24 9:39 pm, Dan Purgert wrote:
>>> On 2024-01-30, Sylvia Else wrote:
>>>> This is really a rant - venting to release some of the frustration.
>>>>
>>>> I'm in the process of selling my house, and I need somewhere secure
>>>> to hold the proceeds. I decided I'd create a account with a bank I
>>>> don't otherwise bank with, and interact online with it using a
>>>> live-DVD on a system that has no storage. So no risk of key loggers
>>>> or other hacks. I'd remember the strong password, and not have it
>>>> written down anywhere.
>>>
>>> Until you don't remember it, then what?
>>>
>>> Because let's face it, eventually we all forget the password.
>>>
>>
>> If I say I won't forget, you've no real reason to doubt me. There are
>> many things that I've remembered for decades.
>
> I don't doubt you, but your ability to remember a password that isn't
> easily guessable and isn't re-used on multiple sites puts you in the
> top 0.1% of the population. Banks, however, have to deal with the
> remaining 99.9% as well.
>
>> In the event that I really did forget, then I'd have to show up at
>> one of the bank's offices with physical identity documents.
>
> That's the last thing they want people doing. Imagine going into the
> bank to find that there are 15 people ahead of you in the queue, all
> waiting to go through a 5 minute process of showing documents to prove
> their identity to get their password changed.
>
> The banks don't want to pay their staff to change passwords, they want
> to pay them to sell you a new savings account or to take out a loan.
>
> FWIW my bank in the UK gives out a free card reader device, a bit like
> a pocket calculator, for their 2FA system. To use it you insert your
> bank card, enter your card pin, which it validates using the chip in
> the chip & pin card and then displays an 8 digit number to enter into
> the website.
>
> You use this to log in initially (so no password to remember) and then
> to re-authenticate prior to carrying out any sensitive actions such as
> making a payment or changing personal details.
>

Would that be the same bank that asks you for, e.g. the 3rd character of
your pin and the 5th character of your password? This seems to mean
that they must have plaintext of your pin and password on line. Doesn't
seem very secure...
--
*********** To reply by e-mail, make w single in address **************