Wow so here comes a rant (and somebody call me on this if I’m way off) but I gotta throw a penalty flag on BofA. They just mailed my PIN number to the mailing address where my replacement debit card was sent. Does that seem hugely flawed to anyone else? They should perhaps consider changing their name because this security practice has more holes in it than a block of baby swiss. Let’s count them:
- I know what my PIN is, I’m the one who set it.
- The fact that they can even output my PIN number (which I don’t need because I already know) is not good. That means it exists in cleartext somewhere. Unless different password physics apply in the world of ATMs and banking vs. web sites, it’s never a good idea to store a password in a form where it can be read by a human. You should only ever store a derivation and compare the hashes to one another.
- The fact they would then print this number (which they shouldn’t see and which I didn’t ask for) and put it in the postal mail seems pretty silly. They have no less than three alternate truly secure channels via which to send me this type of sensitive info (voice, fax & inbox on the https site). You could argue they need a lowest common denominator means by which to reach everyone but in that case why not mail a note saying “stop by a branch store to set your PIN” instead?
- And here’s the final clincher: not only do they send a number they shouldn’t see and that I don’t need via a decidedly less-secure medium but they send it to the same destination where the asset that it unlocks is headed… really BofA?? That’s like mailing house keys to the street address of the house they unlock. What the heck are they thinking? I suppose they get a D- instead of a flat-out F for at least separating them into individual envelopes.
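To make the “only store a derivation” point concrete, here is an added example (mine, not anything from the post or from BofA) of a verify-only PIN store: the record keeps a salt and a PBKDF2 derivation, the only operation on a PIN is a comparison, and a replacement-card reset issues a new PIN rather than reading the old one back. It assumes a plain software verifier; real ATM networks do this inside hardware security modules, but the principle is the same.

```python
import hashlib
import hmac
import os
import secrets

# Constructed example: each record holds a random salt and a PBKDF2 derivation
# of the PIN, never the PIN. A 4-digit PIN has only 10,000 values, so the
# derivation alone would not survive an offline guess; the store therefore
# also locks the card after a few wrong attempts.
ITERATIONS = 100_000
MAX_ATTEMPTS = 3

def derive(pin: str, salt: bytes) -> bytes:
    """One-way derivation; nothing here turns this back into a PIN."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)

class PinStore:
    def __init__(self) -> None:
        self._records = {}   # card -> (salt, derivation)
        self._failures = {}  # card -> consecutive wrong attempts

    def set_pin(self, card: str, pin: str) -> None:
        """Customer sets a PIN; only salt + derivation are retained."""
        if not (pin.isdigit() and len(pin) == 4):
            raise ValueError("PIN must be four digits")
        salt = os.urandom(16)
        self._records[card] = (salt, derive(pin, salt))
        self._failures[card] = 0

    def is_locked(self, card: str) -> bool:
        return self._failures.get(card, 0) >= MAX_ATTEMPTS

    def verify(self, card: str, pin: str) -> bool:
        """Compare derivations in constant time; the only PIN operation."""
        rec = self._records.get(card)
        if rec is None or self.is_locked(card):
            return False
        salt, stored = rec
        if hmac.compare_digest(stored, derive(pin, salt)):
            self._failures[card] = 0
            return True
        self._failures[card] += 1
        return False

    def reset_pin(self, card: str) -> str:
        """Replacement-card flow: the old PIN cannot be read back, so a fresh
        temporary PIN is generated, stored as a derivation, and handed to the
        caller exactly once (e.g. shown inside an authenticated session)."""
        temp = f"{secrets.randbelow(10_000):04d}"
        self.set_pin(card, temp)
        return temp
```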
I would try calling and offering this input to their IT security folks but frankly after navigating their hamstermaze of an IVR tree to cancel the stolen card, it takes less time for me to write this blog post and will probably reach that person faster.
BofA, not that I had a great deal of confidence in you before today but this practice is asinine. If you were an important web publishing company like Gizmodo with access to sensitive info like say… emails, you’d no doubt be skewered publicly over this. But alas you’re merely one of the largest financial institutions securing trillions of dollars of people’s money so this level of security is acceptable. Jeesh.
Can someone with a better security background chime in and critique this practice? Is it as flawed as it seems or am I overreacting here?