I was recently stupefied to find out it’s extremely easy to get into my (former) bank accounts. All you needed to do was call up customer service and verify very basic information. One bank even reset my security questions when I said I didn’t remember them. This is unacceptable; here’s how to make sure it doesn’t happen to you.
Most banks have pretty good online security measures, such as two-factor authentication, which requires you to log in only from approved computers or devices. But as my phone calls proved, the human element is often the weakest link of any security system (remember the Apple and Amazon exploit that wiped tech writer Mat Honan’s accounts?). The easiest way to hack an account is often by manipulating the front line of defense—the people stewarding that data.
One bank I called asked for my social security number and name before resetting the password to “password.” The other asked for my username and email before resetting the password to the last four digits of my social security number. Social Security numbers are not difficult to guess or steal, as Science Magazine points out, and because most people use the same username everywhere, that’s not a great means of authentication. (It’s why you might want to use a unique username and separate, dedicated email address just for password recovery.)
I definitely sounded earnest and trustworthy over the phone—even when I said I didn’t remember the security question answers (at that point I was testing them)—but so, too, could any persuasive hacker.
Call your bank now to see how it handles password resets. Don’t ask the agent how the process works, and don’t try the reset on the website (that path tends to be more secure); instead, try to get your own account login reset over the phone, as if you were socially engineering your own account, so you learn what criteria the agent actually applies and how easily your bank login would be handed over.
After finding these weaknesses, I switched my accounts to banks that not only have stronger online protections but also improved measures over the phone, or at least extra guarantees in case of unauthorized access. Charles Schwab, SunTrust, First Tennessee Bank, HSBC, Ally Bank, and others (you’ll have to check for those near you) guarantee your accounts in case of unauthorized access. For comparison’s sake, the standard guarantee most banks rely on, from the FDIC, doesn’t cover that.
Also, these and other banks (such as ING Direct) may ask you to verify basic information (such as date of birth and address), but they may also add several further authentication steps over the phone, including PINs or security keys that the customer service agent does not know and cannot look up; if you forget one of those, you can only get it reset in a few days via snail mail. That may sound like a hassle, but it’s well worth it for the extra security.
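To make the design behind that last point concrete, here is an added illustration of a phone-verification service in which the agent's console can only ask "does this PIN match?" and never sees the PIN itself, with a lockout after repeated failures and a reset that goes out by mail rather than to the agent. It is example code written for this article, not any bank's real system; the class and method names, the three-attempt limit, and the `mail_queue` standing in for postal delivery are all assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_ATTEMPTS = 3            # assumed lockout threshold for phone verification
PBKDF2_ROUNDS = 100_000     # work factor for the stored PIN hash


@dataclass
class PhoneAuthRecord:
    """Per-account state. Only a salted hash of the PIN is stored."""
    salt: bytes
    pin_hash: bytes
    failed_attempts: int = 0
    locked: bool = False


def _hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


class PhoneVerificationService:
    """Hypothetical back end behind a customer-service console."""

    def __init__(self) -> None:
        self._records: dict[str, PhoneAuthRecord] = {}
        self.mail_queue: list[tuple[str, str]] = []   # constructed stand-in for snail mail

    def enroll(self, account_id: str, pin: str) -> None:
        salt = secrets.token_bytes(16)
        self._records[account_id] = PhoneAuthRecord(salt, _hash_pin(pin, salt))

    def verify(self, account_id: str, pin_from_caller: str) -> bool:
        """The only check the agent can run: returns match / no match, nothing else."""
        rec = self._records.get(account_id)
        if rec is None or rec.locked:
            return False
        ok = hmac.compare_digest(_hash_pin(pin_from_caller, rec.salt), rec.pin_hash)
        if ok:
            rec.failed_attempts = 0
        else:
            rec.failed_attempts += 1
            if rec.failed_attempts >= MAX_ATTEMPTS:
                rec.locked = True      # further guesses over the phone are refused
        return ok

    def agent_view(self, account_id: str) -> dict:
        """What the console shows the agent: status flags, never the secret."""
        rec = self._records[account_id]
        return {"account_id": account_id, "pin_on_file": True, "locked": rec.locked}

    def request_reset(self, account_id: str) -> str:
        """Agent may trigger a reset, but the new PIN goes to the address on file,
        not to the agent or the caller. The lock is cleared because the new PIN
        is delivered over a separate channel the caller must physically receive."""
        rec = self._records[account_id]
        new_pin = f"{secrets.randbelow(10**6):06d}"
        rec.salt = secrets.token_bytes(16)
        rec.pin_hash = _hash_pin(new_pin, rec.salt)
        rec.failed_attempts = 0
        rec.locked = False
        self.mail_queue.append((account_id, new_pin))
        return "new PIN mailed to address on file"


if __name__ == "__main__":
    svc = PhoneVerificationService()
    svc.enroll("acct-demo", "4821")         # constructed sample account and PIN
    print(svc.agent_view("acct-demo"))      # no PIN visible to the agent
    print(svc.verify("acct-demo", "4821"))  # True
    print(svc.request_reset("acct-demo"))
```

The point of the design is that a persuasive caller gains nothing from a sympathetic agent: the agent has no secret to read out, a handful of wrong guesses locks the phone channel, and the only recovery path delivers the new factor somewhere the caller has to physically be.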
In this age where strong passwords aren’t enough, make sure your most important accounts are as secure as the system currently allows. If you do end up looking for a new bank, ask prospective banks about the measures above. Get Rich Slowly asked readers last year which bank was best for both service and security, and the comments on that article are worth a read. My Bank Tracker also features user reviews of banks. But most of all, test out your new bank’s account reset system yourself over the phone. If you have a bank you particularly trust, please share it with us in the comments and let us know why.