Earlier this week my wife got a call from SunTrust’s fraud center saying that her Internet Banking account had been compromised. There hadn’t yet been any money movement, but they were able to tell that someone had been able to log in to the account and that the someone wasn’t either of us. They recommended that we close the account and reopen another one. We took some time off of work to go do exactly that, and the lady at the bank was very nice and efficient about the whole thing.
Annoying, but so far so good, right?
Unfortunately, their branch personnel can’t modify Internet Banking information on the accounts beyond turning access on and off—it has to be done with another phone call to Internet Banking support. With my wife having gone back to work and me being the web programmer, which of us do you think made the call? Yeah, that would be me.
Long support call story short, they won’t disable the old login because it is in her name instead of mine, but they will create a new login in my name.
Strike 1: Why is my login associated with my person instead of my account? If a login is compromised, the attacker then has access to every account I have, instead of just the one. This leads directly into …
Strike 2: Why are login names just social security numbers? What idiot thought that was secure? And if a login is compromised, it’s not like I can just go and get a new SSN.
Let me put that aside for now.
This morning I got my confirmation emails saying that I could now go and register for Internet Banking. No problem. I type the URL from the email into my web browser, and see that it’s a simple form: an authorization key (pasted from the email), my SSN, and a shared secret. Hit submit … bam! Firefox tells me it can’t find the server. Arf? Go back, try again, still no joy. Call Internet Banking support. After a while on hold, they tell me what I already know I’m going to hear …
Strike 3: Why does the registration require MS Internet Explorer?
I poked around and found a machine that still had MSIE on it. Tried again.
Really? Seriously? I called Internet Banking support a second time and got the same guy from before. Now he tells me that it’s not just MSIE that I need, but actually MSIE 7, preferably on Windows Vista. I am unable to extract from him exactly why this is the case.
Do I really want to continue banking at an establishment that does this kind of heinously dumb stuff? That brings me around to another realization: how did the mysterious hackers get into the account in the first place? I did a full spyware and virus sweep of our computers and came up with nada. Better yet, the password on the login was a good password—not something easily-guessable.
If I were something like a web programmer, I’d be of the opinion either that there’s a hole that lets attackers into any login they want, or SunTrust managed to lose our information and never bothered to tell us about it. Gee, it’s a good thing I don’t know anything about the Internets.
I’m at an impasse, and back to my question: do I continue banking with people that have taken very large steps toward showing how inept they are at protecting my personal information and my money?