One of the things that those of us in the security field wish that financial institutions would do is institute better security, such as two-factor authentication instead of one-factor authentication (e.g., username and password). I hadn’t really given much thought to this or even devoted many electrons to it on this blog, but two-factor authentication when the stakes are higher is a good idea. In real life, I use a couple of institutions that use two-factor authentication. One of them does a good job, and one of them does a bad job.
The one that does a good job is Everbank. Everbank is an institution that allows you to get a bit more creative with your finances. Originally, I bought a foreign currency CD (certificate of deposit) with a yield of 6%, with a 6 month expiration (so, 3% yield). I bought New Zealand currency. At the time, the idea was that the US dollar was losing value for a number of years and so I could buy $10,000 (or however) of New Zealand currency and six months later since the dollar would continue to depreciate, it would be worth say $10,800. That’s an 8% capital gain which wasn’t unreasonable. Plus, I get the 6% interest. Not a bad deal, huh? New Zealand is a commodity-based economy with a stable population and political environment so it seemed like a low risk investment. Unfortunately, this was before the 2008 market swoon when the stock market fell into the toilet and flushed itself. As a result, everybody flocked back into the US dollar and my great plan absolutely backfired on me knocking me out with a huge loss (thus demonstrating the fact that the entire investment community is out to get me).
However, Everbank is still a good bank. Its interest rates on checking accounts are the highest I have seen, and it still has very safe investments. Its yields are better than anyone else’s (disclosure: I have no affiliation with Everbank, they’re just the best I have seen for certain types of investments for the average Joe). I don’t use its website very much, but it has a nice dual-factor authentication mechanism. First, on the home page, you enter your username. Next, you click the button and it shows you an image that you pre-selected ahead of time. You then have to answer a couple of challenge questions that you set up earlier and click Next. Finally, you enter your password. It’s a nice process that is slightly more cumbersome than any other bank I use, but I appreciate how they are protecting me and my money (from phishers and from me making more bad financial decisions).
Allow me to contrast that with another bank I use, UMB Bank. This is a bank that I have to use because it contains my employer-sponsored Health Savings Account (HSA). Even though I have company health insurance, there is a $1500 deductible that I have to pay (after that, I have a co-pay of 10% up to $1000). Because I signed up early for the HSA, my employer deposits $1500 into my HSA. I can then use that amount to pay for whatever health expenses I have. I’m still out of pocket $1000 if I need $1500 + $10,000 = $11,500 of health costs (which is easy for me because of my stupid left hip), but $1000 isn’t too bad.
Anyhow, UMB Bank is the bank where my HSA is located. I have only ever accessed that bank account once because the two-factor authentication there is broken. I originally signed up for the account, entered my username, set up 4 secret questions out of a choice of approximately 20, and then set up my password. When I go to the page a couple of weeks later, I enter my username and it authenticates against that. I then get to answer my secret questions. Unfortunately, in all of their brilliance, UMB doesn’t present me with a secret question that I previously answered. Remember, there was a list of 20 and I only answered 4. For some reason, UMB asks me a question which I did not previously answer! For example, suppose it asked me “Where is your vacation home located?” Well, I don’t have a vacation home, so I would never have answered that question. Yet when I try to log in, it gives me that question! WTF! I close the session and retry, and it presents me with yet another question I don’t have the answer to. Thus, I have no way to log in to access my account and view my funds.
I guess that’s one way to do security, make sure that nobody can get into my account – neither me nor phishers. Of course, it completely destroys the usability of the website and makes me wish that I could go somewhere else. Mark my words, if I could take my funds elsewhere… I would.
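The UMB failure described above, as an added Python example that is not from this post or from either bank: a toy knowledge-based-authentication store whose enrollment keeps only the questions the user actually answered (as salted hashes), the broken challenge picker that draws from the whole question pool, and the fixed picker that draws only from the user's enrolled set and verifies answers in constant time. The question pool and its ids are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import unicodedata

# Constructed stand-in for the bank's pool of roughly 20 questions (assumption).
QUESTION_POOL = {
    "q01": "What was the name of your first pet?",
    "q02": "Where is your vacation home located?",
    "q03": "What street did you grow up on?",
    "q04": "What was the make of your first car?",
}


def _normalize(answer: str) -> str:
    # Case-, whitespace- and Unicode-form-insensitive so "Fluffy " and "fluffy" both verify.
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def _hash_answer(answer: str, salt: bytes) -> bytes:
    # Answers are low-entropy, so store them like passwords: salted, slow hash.
    return hashlib.pbkdf2_hmac("sha256", _normalize(answer).encode(), salt, 100_000)


def enroll(answers: dict) -> dict:
    """Keep only the questions the user chose to answer, each with its own salt."""
    profile = {}
    for qid, answer in answers.items():
        if qid not in QUESTION_POOL:
            raise ValueError(f"unknown question id {qid}")
        salt = os.urandom(16)
        profile[qid] = (salt, _hash_answer(answer, salt))
    return profile


def pick_challenge_broken(profile: dict) -> str:
    """The bug in the post: chooses from the whole pool, ignoring what the user enrolled,
    so the user can be asked a question they never answered and can never satisfy."""
    return secrets.choice(sorted(QUESTION_POOL))


def pick_challenge(profile: dict) -> str:
    """Fixed: choose only among this user's enrolled questions."""
    if not profile:
        raise ValueError("no enrolled questions; fall back to another factor")
    return secrets.choice(sorted(profile))


def verify(profile: dict, qid: str, answer: str) -> bool:
    """Refuse questions outside the profile and compare hashes in constant time."""
    if qid not in profile:
        return False
    salt, expected = profile[qid]
    return hmac.compare_digest(_hash_answer(answer, salt), expected)
```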
PS – the design of UMB is not very good, in Firefox the fonts are too small.