BOL Conferences
#1708927 - 06/11/12 04:17 PM For the Password Privacy People
AFaquir Offline
Platinum Poster
AFaquir
Joined: Jan 2011
Posts: 763
Top of the world... and never ...
Password Fail! Lessons from LI's epic fail!

Just imagine what our customers are using as their "secure" passwords to access their online banking accounts.

IMO- We as an industry need to be pushing our service providers harder for better control over acceptable passwords... the FFIEC guidance doesn't address a few fundamental problems with many online banking systems...

1) Many are not true "Multi-Factor"...
2) Password strength comes only in the form of alphanumerics and special characters

Curious to see what thoughts people have on this issue? If customers don't seem to want to take the initiative, should we be taking it for them?

Should we be requiring better, stronger, more dynamic passwords? Should we be pushing our online banking providers to adopt better password technology tools??

Cheers!
_________________________
In life, there is a lot less that could get better and a lot more that could get worse.

MBA Fin/MBS HR

My views only!

#1708930 - 06/11/12 04:26 PM Re: For the Password Privacy People AFaquir
Matt_B Offline
Diamond Poster
Matt_B
Joined: Sep 2011
Posts: 1,648
A CU, Where Regs Don't Apply
27 character logarithmic passwords that change every 30 seconds, coupled with a retina scan IMO.

Digital security will always be a struggle and people will always be out there cracking the latest and greatest secure methods as soon as they come out. Unless we treat account passwords the same as the government treats nuclear launch codes, they'll keep being cracked. Because the passwords are most often cracked due to social engineering, spyware, etc., I'd think accounts are most often compromised by missteps of the account holder and it's less the fault of insufficient passwords.
_________________________
Someone's about to get horned!

#1708934 - 06/11/12 04:37 PM Re: For the Password Privacy People AFaquir
AFaquir Offline
Platinum Poster
AFaquir
Joined: Jan 2011
Posts: 763
Top of the world... and never ...
I completely concur with the retina scans... I read somewhere that, contrary to movie plots everywhere, merely cutting out my eyes to access my retinal scan won't work... my eyes need to be alive... whew!

Of course people will be cracking them, I just think we should make it more sporting, give them a challenge at least.

As far as people getting access from social engineering, well, we all know stupidity can't be cured and is not nearly as mortally critical as it should be...

To wit: I looked it up and I am a fan!!

#1708989 - 06/11/12 05:44 PM Re: For the Password Privacy People AFaquir
Bob The Banker Offline
Platinum Poster
Bob The Banker
Joined: May 2010
Posts: 958
IMO Absolutely we should take initiative to force stronger passwords and controls. Remember, according to the way regulators act, the consumer does not know what is best for them so we should treat them as though they don't. Look around at the current regulatory environment - the responsibility is on the bank to show the consumer and force them to do what is right, not expect the consumer to know what is right.

#1708992 - 06/11/12 05:51 PM Re: For the Password Privacy People AFaquir
GuitarDude Offline
Power Poster
GuitarDude
Joined: Nov 2004
Posts: 5,925
So Cal
Part of the sad truth is that there is a segment of consumers who see password security as an inconvenience. They think password theft/cracking will never happen to them.

Two quick examples:

When my bank implemented stronger password and authentication requirements, some customers complained that it was an inconvenience and this makes their passwords harder to remember.

In reading reviews of a mobile banking app for another bank, some reviewers complained that they had to sign in every time they accessed their accounts on their phones.
_________________________
I've just writed a wrong.

#1709006 - 06/11/12 06:03 PM Re: For the Password Privacy People AFaquir
Bob The Banker Offline
Platinum Poster
Bob The Banker
Joined: May 2010
Posts: 958
Security is inconvenient. By its very objective security creates inconvenience in order to prevent fraud. However, in the convenience world we live in, like you said, the value of security is not realized. Additionally, consumers could care less about security because they are not on the hook for any losses.

If consumers were not protected from fraud and had to foot the bill for fraudulent activity rather than the bank, you are darn right they would be a lot more concerned about security. Lack of consequence creates a culture of lack of caring for security.

#1709016 - 06/11/12 06:17 PM Re: For the Password Privacy People AFaquir
AFaquir Offline
Platinum Poster
AFaquir
Joined: Jan 2011
Posts: 763
Top of the world... and never ...
I agree Bob- That is sort of where my mind was going. I just had a conversation the other day with our Marketing and IT staff because they are all tech people and made the following argument:

Why don't we treat password security the same way Facebook treats User Interface or the way DHS handles airline screening... just make the change. 90-95% of the people are going to not like it, complain, but ultimately get used to it. In the issue of password security, it isn't exactly as if the customers "created" the current password systems in some negotiated battle... Tech people created a "convenience" focused system (which is better than a system generated password for sure)... So if tech people just make the change and tell us it is to make us safer... ultimately people will just get used to the new hassle. Kind of like TSA screening...

Guitar Dude... I agree there is a (large?) segment of customers who will never care about online security and will care more about convenience. I think Bob is right though (and by the sounds of it your bank is too), the convenience argument is great when you aren't doing something and everything is going well... it is less effective when something goes Pear Shaped and you're being told by a regulator, auditor, angry customer attorney that you "turned off" a security feature for convenience... They never admit the convenience is to the customer, they just say "convenience" and leave it up to a judge or jury of "their peers" not the bank's peers to decide.

Interesting responses so far...

#1709047 - 06/11/12 07:41 PM Re: For the Password Privacy People AFaquir
tdogz Offline
100 Club
tdogz
Joined: May 2012
Posts: 229
Originally Posted By: AFaquir
... the FFIEC guidance doesn't address a few fundamental problems with many online banking systems...

1) Many are not true "Multi-Factor"...
2) Password strength comes only in the form of alphanumerics and special characters

Regarding point #2 - Every time I'm forced to capitalize letters and add special characters to make a password "more complex" I'm reminded of this... http://xkcd.com/936/

#1709066 - 06/11/12 08:04 PM Re: For the Password Privacy People AFaquir
AFaquir Offline
Platinum Poster
AFaquir
Joined: Jan 2011
Posts: 763
Top of the world... and never ...
Tdogz-

I love that comic. I have seen it before when a friend from RSA (pre-breach) sent that over to me.

I use the philosophy where I can... which is few and far between...

Which when you think about it is probably in direct correlation to the fact that while a username and password is ubiquitous for online anything... what really makes security inconsequential is the fact that if someone steals my "Xbox" live password it doesn't matter all that much, besides being annoying... but my bank password matters... but there is no motivation for Xbox to change their password "standards" because convenience really does matter to them... where security really matters to us.

IMO- we need a password standard for financial and healthcare... and a separate standard for everything else... this would also probably help SM compromises from spilling over into the backyard of us financial types...

Oh Silicon Valley dreamers... stop turning my phone into an out-of-band factor and fix my up front log in problem... while it is undoubtedly hella cool that I can get an automated text with a pin, it doesn't make up for dodgy front end security.

Last edited by AFaquir; 06/11/12 08:06 PM.

#1709071 - 06/11/12 08:08 PM Re: For the Password Privacy People Bob The Banker
Andy_Z Offline
10K Club
Andy_Z
Joined: Oct 2000
Posts: 27,754
On the Net
Originally Posted By: Bob The Banker

If consumers were not protected from fraud and had to foot the bill for fraudulent activity rather than the bank, you are darn right they would be a lot more concerned about security. Lack of consequence creates a culture of lack of caring for security.


Bingo. The bank will pay them back, so what's the problem?

The issue here is we bankers are preaching to the choir. Get management to listen and act! Educate customers.
_________________________
AndyZ CRCM
My opinions are not necessarily my employer's.
R+R-R=R+R
Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell

#1709127 - 06/11/12 09:57 PM Re: For the Password Privacy People AFaquir
Sallaia Offline
Junior Member
Sallaia
Joined: Jul 2011
Posts: 42
Tennessee
I totally agree...customers will not give up convenience in exchange for security unless they suffer consequences because of it.

I try to remind customers that although they are covered financially if there was fraud on their online banking (or in many cases, their debit card) that it is a pain to have to sort all of that out. Most people feel their time is too precious to be wasted. :-)
Last edited by Sallaia; 06/11/12 09:58 PM.
_________________________
Any opinions expressed are my own and do not necessarily reflect those of my employer.

#1709398 - 06/12/12 05:40 PM Re: For the Password Privacy People AFaquir
AFaquir Offline
Platinum Poster
AFaquir
Joined: Jan 2011
Posts: 763
Top of the world... and never ...
So Sallaia... does that mean that you have stricter login controls or smarter customers?


Moderator:  Andy_Z