Banks get it
1 March 2008
I changed my banking passwords today, something I do about every three months. After doing so, I received emails from each bank informing me that my passwords had been changed – and advising me that I ought to get in touch with them if I had not done the changing. Here’s the email I got from RBC:
What they get right
They get a couple things right. First, sending an email to me when my password is changed is a great idea. If someone else had changed my password, I would learn about it quickly. (What would happen, though, if that person changed the email address on file at the same time? No problem: when an email address change is made, a notification is sent to the old email address.)
Second, they assure me in the email that “RBC will never ask you to provide, confirm or verify confidential information like your online banking ID, password, account numbers, balances or PIN through regular email.” That’s super. If I ever get an email asking me to confirm confidential information, I’ll know it’s fake.
What they get wrong
I do have one minor complaint. It would be better if my bank refrained from including phone numbers and clickable links in the email. I could imagine a scenario where a phisher sends an email identical to this one, except that the links and phone numbers direct the user to a phishing source. Once the user is on the phisher’s website or is talking to a phisher, he might forget all about the promise in the email to never ask about confidential information.
On the other hand, if banking customers get used to the idea that legitimate banks never send emails with links or phone numbers inside them, phishers would have trouble indeed getting people to contact them.
Edited to Add (2 Mar 2008): Note that my bank included my name in the email, something many banks do. So if you ever receive an email from what is ostensibly your bank that lacks your full name (“Dear Customer” or the like), be wary.
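As an added example (not the bank's code, nor the author's), the notification rules discussed above as a small Python module: an email-address change is announced to the old address as well as the new one, and a lint rejects any outgoing notice that carries a clickable link or phone number, omits the customer's full name, or omits the never-ask statement. The bank name, customer and addresses are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Placeholders: the bank name and all customer data below are constructed.
BANK = "[BANK]"
NO_ASK_NOTICE = (f"{BANK} will never ask you to provide, confirm or verify confidential "
                 "information like your online banking ID, password, account numbers, "
                 "balances or PIN through regular email.")

URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)   # clickable links
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")                 # phone-number-like runs

@dataclass
class Account:
    full_name: str
    email: str

def lint_notice(body: str, full_name: str) -> List[str]:
    """Return the policy violations found in a notification body (empty if clean)."""
    issues = []
    if URL_RE.search(body):
        issues.append("contains clickable link")
    if PHONE_RE.search(body):
        issues.append("contains phone number")
    if full_name not in body:
        issues.append("does not address customer by full name")
    if NO_ASK_NOTICE not in body:
        issues.append("missing never-ask-for-credentials notice")
    return issues

def build_notices(account: Account, change: str,
                  old_email: Optional[str] = None) -> Dict[str, str]:
    """Map each recipient address to the notice for a credential/contact change.
    A password change goes to the address on file; an email-address change goes
    to BOTH the old and the new address, so a hijacker cannot silence the alert."""
    body = (f"Dear {account.full_name},\n\n"
            f"Your online banking {change} was changed today. If you did not make this "
            "change, contact us using the number printed on the back of your card.\n\n"
            f"{NO_ASK_NOTICE}")
    recipients = {account.email}
    if change == "email address" and old_email:
        recipients.add(old_email)
    # Refuse to send anything that breaks the policy the bank promises customers.
    assert not lint_notice(body, account.full_name), "policy violation in outgoing notice"
    return {addr: body for addr in recipients}
```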
Comment by EZ — 29 March 2008 @ 6:56 pm
Ian,
I’ve just spent a good deal of time reading your posts on internet security. As always your advice on the matter has been helpful. I do have quite a few questions touching on many subjects that go beyond the scope of the above post.
Passwords:
1) You mention that you change your online banking passwords every three months. What is your reasoning for doing this? If you have a high security password, is there an increased risk in it being broken the longer you keep using it?
2) Do you recommend having a different password for every different type of account you have? What are the risks in using the same password for multiple things?
3) I see the security threat in forgetting to logout of an email account, bank account, etc. at a public computer; someone could come on the computer after you and breach your privacy. Is there a threat of keeping accounts open for an extended period of time on a private computer?
Internet Browsers:
1) You have mentioned a couple times data about Firefox and IE’s security vulnerabilities and patches. Could you explain what a security vulnerability constitutes in simple to understand terms? What exactly is vulnerable? Are these vulnerabilities constantly changing and being patched? At what rate?
Anti-spyware/Anti-virus:
1) I use Ad-Aware, Spybot, and Avast Anti-virus as you suggest. I was wondering what you recommend to do when problems are caught. There are usually options (though labeled differently) for Doing Nothing, Quarantining, Deleting, and Repairing. Are any of these options better than others, why or why not?
Other:
If I could make a suggestion for a future post’s topic, I thought you might comment on social networking sites (Facebook, Myspace, etc.) security risks. I’ve heard in conversation with friends that quite a bit of private data can be gleaned from what people decide to post on public sites. Is this true? What should people be able to post without compromising their security but still being able to participate in an online community?
I was specifically wondering about photographs and writing that you post in public spaces on the internet. Is there a security threat in these being stolen and used for monetary gains? Is it legal for people to take such information? When you post writing or photos, are there any sort of laws that copyright what you post in your name? Does the website hosting you gain any ownership of the data?
Hope you’re not overwhelmed with my bombardment of questions. It’s just that your website got me so riled up in thinking about these things.
EZ
Pingback by Questions from a reader | Defending The Kingdom: Security and Privacy in Your Digital Life — 30 March 2008 @ 11:31 am
[…] A friend and reader left some great questions in the comments section to a recent post. I’ve answered three of them today, and will answer the rest in a future post. […]