Aug, 2014

Read-Only Financial Accounts Please

I was just reading A Two-Step Plan to Stop Hackers at the NYT in the aftermath of 1.2 billion username-password combinations possibly stolen by Russian hackers. The article covers strategies in place by major financial institutions and suggestions we've all heard. The literal bottom line: change your password frequently. Good advice, but not enough.

Here's something I'd like to see: financial institutions granting us two sets of credentials. One would grant read-only access to information like account balances. The output would be masked enough to shield my full account numbers and name while letting me see my balances. Using these credentials I would not be able to make any changes to my accounts or transfer funds. I started thinking about this when I was considering using Intuit-owned Mint. Mint is an incredibly convenient tool with one giant drawback: you have to trust Intuit with the usernames and passwords to all your financial accounts. As a Mint user you have to rely on both your bank and Mint to protect your information. Once you've shared your sacred information with Mint you can get your entire financial picture on one website.

I’m frequently asked about various services and how secure they are.  My stock answer is that they’re all using similar security technology.  The problem is that the systems are complex and subject to errors committed by the human administrators.  This is true with any sort of password protected account you have on the Internet.

I trust that Mint has a plan to keep my information secure, just as the big banks, gmail, and Dropbox do.  But they’re susceptible to mistakes, and any of them could be the next headline detailing a mainstream cloud provider that’s been hacked.

So banks, if you’re listening, how about some read-only credentials that I’d probably be able to use 80% of the time?  And a full-access credential set for when I need to shift some money around?   I’ll give the read-only credentials to Mint and worry less.   I’ll be very careful with my full-access credentials, and employ the tools covered by the NYT.
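To make the proposal above concrete, here is an added example (not code from the original post, and not any bank's or Mint's implementation) of how a read-only credential set could be bound to a scope server-side. The class and function names (Bank, Scope, Session, mask_account_number, demo) and the sample accounts are assumptions constructed for illustration. The point it shows is that the scope travels with the secret that was presented: the read-only secret you would hand to an aggregator can fetch masked balances but can never be upgraded to a transfer, even if it leaks.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum


class Scope(Enum):
    READ_ONLY = "read_only"   # balances only; account numbers and name masked
    FULL = "full"             # everything, including transfers


class PermissionDenied(Exception):
    pass


@dataclass(frozen=True)
class Session:
    username: str
    scope: Scope


def mask_account_number(number: str) -> str:
    """Keep the last four digits and hide the rest: '1234567890' -> '******7890'."""
    return "*" * (len(number) - 4) + number[-4:]


def mask_name(name: str) -> str:
    """Reduce 'Alice Example' to initials 'A. E.'."""
    return " ".join(part[0] + "." for part in name.split())


class Bank:
    def __init__(self) -> None:
        # Constructed sample data for the example; not real accounts.
        self._accounts = {
            "1234567890": {"owner": "alice", "name": "Alice Example", "balance": 1500.00},
            "9876543210": {"owner": "alice", "name": "Alice Example", "balance": 250.00},
        }
        # username -> {scope: sha256 digest of that scope's secret}
        self._secrets: dict[str, dict[Scope, bytes]] = {}

    @staticmethod
    def _digest(secret: str) -> bytes:
        # Plain SHA-256 is acceptable here only because the secrets are random
        # 192-bit tokens; user-chosen passwords would need a slow password hash.
        return hashlib.sha256(secret.encode()).digest()

    def issue_credentials(self, username: str) -> dict[Scope, str]:
        """Issue one random secret per scope; the bank stores only the digests."""
        plain = {scope: secrets.token_urlsafe(24) for scope in Scope}
        self._secrets[username] = {s: self._digest(p) for s, p in plain.items()}
        return plain

    def login(self, username: str, secret: str) -> Session:
        """The session scope is whichever stored digest the presented secret matches.
        A read-only secret therefore can never yield a full-access session."""
        presented = self._digest(secret)
        for scope, stored in self._secrets.get(username, {}).items():
            if hmac.compare_digest(presented, stored):   # constant-time compare
                return Session(username, scope)
        raise PermissionDenied("bad credentials")

    def view_balances(self, session: Session) -> list[dict]:
        """Both scopes may read balances; only FULL sees unmasked identifiers."""
        rows = []
        for number, acct in self._accounts.items():
            if acct["owner"] != session.username:
                continue
            if session.scope is Scope.FULL:
                rows.append({"account": number, "name": acct["name"], "balance": acct["balance"]})
            else:
                rows.append({"account": mask_account_number(number),
                             "name": mask_name(acct["name"]),
                             "balance": acct["balance"]})
        return rows

    def transfer(self, session: Session, src: str, dst: str, amount: float) -> None:
        """Moving money requires the FULL scope and ownership of both accounts."""
        if session.scope is not Scope.FULL:
            raise PermissionDenied("read-only credentials cannot move money")
        for number in (src, dst):
            if self._accounts[number]["owner"] != session.username:
                raise PermissionDenied("not your account")
        if amount <= 0 or self._accounts[src]["balance"] < amount:
            raise ValueError("invalid amount")
        self._accounts[src]["balance"] -= amount
        self._accounts[dst]["balance"] += amount


def demo() -> dict:
    """Walk through the two credential sets and return what each one could do."""
    bank = Bank()
    creds = bank.issue_credentials("alice")
    ro = bank.login("alice", creds[Scope.READ_ONLY])   # the set you'd give an aggregator
    full = bank.login("alice", creds[Scope.FULL])      # the set you keep to yourself
    out = {"ro_view": bank.view_balances(ro), "full_view": bank.view_balances(full)}
    try:
        bank.transfer(ro, "1234567890", "9876543210", 100.0)
        out["ro_transfer"] = "allowed"
    except PermissionDenied:
        out["ro_transfer"] = "denied"
    bank.transfer(full, "1234567890", "9876543210", 100.0)
    out["after_transfer"] = bank.view_balances(full)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The design choice worth noting is that the scope is not a flag the client sends; it is derived on the server from which secret matched, so an aggregator holding only the read-only secret has nothing to escalate with. What a leak of that secret still exposes is the balances and the masked identifiers, which is the trade the post is arguing for.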

