"IDROVEAPICKUPTRUCK" (idroveapickuptruck)
09/09/2014 at 12:43 • Filed to: None | 2 | 8 |
I forgot the password for the brokerage account associated with my 401k, so I called the number on the website to get a new password. The only verification to get a new password they needed was my DOB, the last 4 digits of my SSN and my address. Then they just gave me a new password orally instead of emailing it to me.
What's scary about this is that there are probably dozens of companies that have these three pieces of my information: every financial institution I have an account with, every doctor's office I've been to, and others. It would be incredibly easy for someone who had access to any one of these companies' databases to have gotten into my account and transferred all my money somewhere.
Not something I feel all that comfortable with...
Manuél Ferrari
> IDROVEAPICKUPTRUCK
09/09/2014 at 12:46 | 0 |
Data security is broken. Now Home Depot had a breach.
The whole system needs an overhaul. But there is no willingness for companies and government to work together to come up with new standards to be adopted.
zeontestpilot
> IDROVEAPICKUPTRUCK
09/09/2014 at 12:49 | 0 |
Did you complain to them about it? I would have.
IDROVEAPICKUPTRUCK
> zeontestpilot
09/09/2014 at 12:51 | 0 |
It's Hewitt financial services, one of the largest pension/401k companies in the world. They are not going to change their policies because I complain; it wasn't worth the effort.
JGrabowMSt
> IDROVEAPICKUPTRUCK
09/09/2014 at 13:05 | 1 |
I don't deal with data security myself, but I do work in the computer industry. The biggest problem that I see is that the viewpoints of how to actually secure data are antiquated. It's extremely difficult to truly make data secure, because for many, many people, a simple Google or even Facebook search will reveal probably 5 out of the 10 basic security questions required by major financial institutions to do exactly what you did. The rest, to be perfectly honest, can be guessed in many, many cases.
I have a couple of clients who have had their identities stolen, and it's serious business, but most notably, when I first worked with those clients, in my opinion, they did many things wrong, and it wasn't hard to see why it did happen.
Along with the general antiquated view of security, there's just a big heap of misinformation about computers that goes around, and that misinformation will never go away, because the people simply aren't willing to learn. Unfortunately, there's nothing that can be done about that.
A few days ago my dad was asking me about how big companies like Home Depot or banks can have such big security holes, so I explained to him that there is a fine line between what can be secured, because the IT managers need to leave certain access open to themselves in order to allow for internal emails and other things to work correctly for the company. Because there are so many things that need to work correctly, no company is immune to keeping up on all of the security holes that can/will be found. In many cases, I would like to believe that these companies are doing their best to keep up with staying secure, but in all honesty, with some of the bigger and bigger data leaks that occur, my faith is challenged severely. Really not good because I work in the industry, but I understand that nothing is safe. On occasion I need to help customers who have forgotten their passwords. This is the worst thing in the world to me.
One specific instance comes to mind, actually. An older woman with a Mac laptop. In about an hour, I was able to help her find all of her passwords, and all she had to do was enter her login password. I had her type the passwords and double check everything because I can't (how could I know her information), but it showed her how poor computer security was. I had physical access to her machine, and I was showing her passwords to her email, her bank account, and anything else she couldn't remember. That isn't even the worst part. If I had malicious intent, and physical access to any machine, consider it compromised. If I had stolen a Mac, it would take me about 5 minutes to get to every password ever stored on the machine. If I had a Windows machine, about 10 minutes.
Half the issue about security is that the standards only exist on the company side. Until clients accept responsibility for their security to an equal extent as the companies they're dealing with, the problems will never go away, never change, and continue to get worse and worse.
IDROVEAPICKUPTRUCK
> JGrabowMSt
09/09/2014 at 13:10 | 0 |
It obviously won't fix everything, but two-step verification would make such a huge difference on all sorts of things. It's probably the easiest way to improve security on any system.
Tohru
> IDROVEAPICKUPTRUCK
09/09/2014 at 13:10 | 0 |
I see where you're coming from. I called them up to check this and with the same info they verbally gave me a new password to your account too.
JGrabowMSt
> IDROVEAPICKUPTRUCK
09/09/2014 at 13:20 | 0 |
Yes, I think that you've put it very well. Two-step verification can improve most systems. The important factor to keep in mind is that the end user has to not lose their phone, and be prepared to react if they do. Many smartphones have very good backup systems in place if you had to remotely wipe the phone, so that's where the client has to pick up their responsibility. Failing to wipe your phone if lost/stolen is just throwing the entire security of two-step out the window.
zeontestpilot
> IDROVEAPICKUPTRUCK
09/09/2014 at 13:25 | 0 |
That ain't good. -_-.