Monday, October 9, 2006

ING Direct's Anti-Phishing Measure Backfires?

Another funny observation I had was about ING's anti-phishing security
mechanisms and usability. They make you use a long, annoying numeric ID
as your login ID (you can't change it to one that is easy to remember),
so you are unlikely to remember it and have to write it down or use
Password Safe to recall it. By making account IDs a secret, they are
hoping to buy additional security from the obscurity.

However, they recently added a feature on the site (likely because of the
usability problems with people not knowing or remembering their login ID)
where you can enter some static identifying information (SSN, zip code,
birthdate) and they will then pre-populate your customer login ID. I use
this often because, although you have to type in more information, it is
faster than looking up my login ID. But they have now created a great
target for phishers, one that can undo all the benefits of the hidden
login ID and of the site's additional measures, because this feature is
not protected with their RSA/Cyota eStamp the way their login dialog is.
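To make the design problem concrete, here is an added illustration (my own sketch, not ING's code, with a constructed customer record and made-up field names) of the two recovery designs side by side: a lookup that hands the "secret" login ID back in-band to anyone holding the static identifiers, next to a hardened variant that never discloses the ID in the response, answers identically whether or not the identifiers matched, delivers the ID only to the registered contact address, and rate-limits attempts per source. The out-of-band delivery and rate limit are my assumed mitigations, not anything the post says ING implemented.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample record; none of these values are real.
CUSTOMERS = [
    {
        "login_id": "1234567890",
        "ssn": "123-45-6789",
        "zip": "12345",
        "dob": "1970-01-01",
        "email": "customer@example.com",
    },
]


def _match(ssn, zip_code, dob):
    """Return the customer whose static identifiers match, or None."""
    for c in CUSTOMERS:
        if (c["ssn"], c["zip"], c["dob"]) == (ssn, zip_code, dob):
            return c
    return None


def recover_login_id_weak(ssn, zip_code, dob):
    """Models the feature the post describes: static PII in, login ID out,
    returned in-band to whoever submitted the form. Anyone who can collect
    SSN, zip and birthdate (for example through a look-alike page that
    does not show the eStamp) learns the login ID, so the hidden ID adds
    no protection beyond the PII itself."""
    c = _match(ssn, zip_code, dob)
    return c["login_id"] if c else None


@dataclass
class RecoveryService:
    """Hardened variant (assumed design, not ING's)."""
    max_attempts: int = 3
    attempts: dict = field(default_factory=lambda: defaultdict(int))
    outbox: list = field(default_factory=list)  # stands in for an e-mail/mail queue

    def recover_login_id(self, ssn, zip_code, dob, source_ip):
        # Rate-limit per source so the static identifiers cannot be guessed at volume.
        self.attempts[source_ip] += 1
        if self.attempts[source_ip] > self.max_attempts:
            return "too_many_attempts"
        c = _match(ssn, zip_code, dob)
        if c:
            # Deliver the ID only to the contact address already on file.
            self.outbox.append((c["email"], c["login_id"]))
        # Same response whether or not the identifiers matched: no in-band
        # disclosure of the ID and no oracle confirming that the PII is correct.
        return "if_matched_sent_to_registered_email"
```

The weak function returns the ID directly; the hardened service returns only a fixed acknowledgement and queues the ID for the registered address, so a spoofed form that captures the three identifiers still does not yield the login ID.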
