I've been dealing with two separate banks for completing a 401k rollover (I do
Question
I've been dealing with two separate banks for completing a 401k rollover (I do not have any other accounts with either of the two banks), and I've encountered something with both that I've never seen at any of the banks I usually work with. Both banks have asked for my website password over the phone, when requesting to speak with a customer service representative. Every time, I insist that I won't divulge that, because it's not secure, and that I'd like to verify myself in other ways, to which they usually just ask for date of birth, home address, and usually social security number.
My question is: is there anything more or less secure about using my website password (as opposed to address, date of birth, SSN) for account verification over the phone with a customer service representative?
My intuition says that it's less secure because I believe that my password should never be readable by anyone other than myself - as it should be transmitted via SSL, properly hashed/salted/etc, and stored. Once I divulge the plaintext password to the rep, it's compromised. Is this accurate? (Sidenote: These banks almost certainly do not properly encrypt passwords for storage, but that's a separate issue, I think).
Explanation / Answer
As an authentication mechanism, passwords are not bad -- in fact, passwords are meant for authentication. Historically, phone lines have been prone to spying, but that was in days before the Internet. I don't claim that phone lines are more secure now; rather, that people who want to spy on bank passwords concentrate on computer attacks, mainly because they can perpetrate them from the comfort of their home (or basement or den), whereas classical interception often involves some physical operations on outdoor equipment, implying exposure to meteorological elements, night-time fumbling with wires, crouching under dumpsters, and other activities which have little appeal to the young generations that we get nowadays.
The problem with password-over-phone is that banks train their customers never to give away their passwords. At least all my banks do. They point out that the password secrecy is my responsibility. Disclosing my password over the phone would be a gross misbehaviour on my part. They swear that their representative will never ask for my password, whether over the phone or even if I meet them physically.
There are good reasons for such training: it makes customers much more resilient to con-artists (that kind of attack is much older than computers, but somehow people felt the need to forge an ugly neologism -- "phishing" -- for the case of computers). Now if the bank employees begin to ask for the customer's password, then all that training goes down the drain.
Security requires the cooperation of users. Cooperation is achieved through education. Education relies on coherence. The employee behaviour you describe contradicts that coherence.
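The following is an added illustration of the asker's technical point, not code from the question or the answer above: when a password is stored the way the asker expects (salted, iterated hash), the stored record contains nothing a representative could compare against, so the only way to "verify" it over the phone is to have the customer speak the plaintext. The call-centre flow, the sample password and the transcript are constructed for the example; the PBKDF2 iteration count is an assumed value.

```python
import hashlib
import hmac
import os

# Added illustration, not code from the original post. It models the asker's
# point: a password stored as a salted hash cannot be checked by a phone
# representative without the caller speaking the plaintext, so anything that
# hears the call (the rep, a call recording, a ticket note) now holds the secret.

ITERATIONS = 200_000  # PBKDF2-HMAC-SHA256 work factor; assumed value for the example


def enroll(password: str) -> dict:
    """Return the record the bank should keep: salt and hash, never the plaintext."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": ITERATIONS}


def verify(record: dict, candidate: str) -> bool:
    """Recompute the hash from a candidate plaintext and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])


def record_reveals_plaintext(record: dict, password: str) -> bool:
    """True if the stored fields contain the password bytes (they should not)."""
    stored = record["salt"] + record["hash"]
    return password.encode("utf-8") in stored


def phone_verification(record: dict, spoken: str, transcript: list) -> bool:
    """Constructed model of the call-centre flow the asker describes.

    The rep types whatever the customer says into the verification tool and
    the call is transcribed. Reaching verify() requires the plaintext, so the
    transcript ends up holding it whether the check passes or fails.
    """
    transcript.append("rep: please read me your website password")
    transcript.append("customer: " + spoken)
    return verify(record, spoken)


def secret_leaked(transcript: list, password: str) -> bool:
    """True if the plaintext password now appears anywhere in the call record."""
    return any(password in line for line in transcript)


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    record = enroll(pw)
    print("stored record reveals plaintext:", record_reveals_plaintext(record, pw))
    log = []
    print("verified over phone:", phone_verification(record, pw, log))
    print("plaintext now in call record:", secret_leaked(log, pw))
```

The contrast with the web login is that there the plaintext exists only inside a TLS session and in server memory for the duration of one hash computation; on the phone it is spoken to a person and, typically, recorded. Date of birth, address and SSN are also disclosed to the rep, but those were never secrets the bank promised to keep unreadable, which is the asker's distinction.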