When I call the entity that handles my company's benefits and the broker that handles my company's 401K, I am asked to enter on the phone keypad the alphanumeric password I use to access their websites. I am wondering what the security experts on this forum think of such a practice.
Thanks.
Account Security Question
- Posts: 3937
- Joined: Thu Jun 25, 2009 12:50 am
- Location: Vancouver WA
Re: Account Security Question
Would you rather they answer questions about your account over the phone from any random person who calls and claims to be you? A PIN number is at least much more secure than the standard nonsense of giving your address and last 4 of your social or account number which is all some banks ask for to verify your identity.
As long as YOU called THEM and not the other way around I think it is OK.
Re: Account Security Question
I guess a broader question is how secure is the phone compared to the internet where at least the information is encrypted? Some places ask you to enter your social security number etc. on the phone. How does that compare to entering on a secure web site?
Re: Account Security Question
texasdiver wrote:
Would you rather they answer questions about your account over the phone from any random person who calls and claims to be you? A PIN number is at least much more secure than the standard nonsense of giving your address and last 4 of your social or account number which is all some banks ask for to verify your identity.
As long as YOU called THEM and not the other way around I think it is OK.

To answer your first question - of course not. But maybe a different password for phone and internet. It just seemed to me that my online password should be used only for that purpose.
- Posts: 7189
- Joined: Sun Dec 16, 2007 11:25 am
Re: Account Security Question
AAA wrote:
To answer your first question - of course not. But maybe a different password for phone and internet. It just seemed to me that my online password should be used only for that purpose.

You have the option of changing your online password after such a phone call. I've been doing that on the very rare occasions I need to phone in.
JW
Retired at Last
Re: Account Security Question
This could indicate that they store all passwords as the numeric equivalent on the back-end (e.g. only store the hash of the numeric equivalent) or that they store two hashes on the back-end (e.g. the alphanumeric password and the numeric equivalent). In any event, either scenario is only a concern if the attackers gain access to the hashes. Numeric hashes are easier to crack. But that the attackers have gained access to the hashes for financial accounts in the first place would be of greater concern than their ability to crack them.
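The post above reasons about what the back end must store for keypad entry to work and why a hash of the numeric equivalent is easier to crack. The following is an added example, not code from this thread or from any of the companies mentioned. It maps a password to its telephone-keypad digits using the standard E.161 layout (2=ABC ... 9=WXYZ), compares the size of the two search spaces, and brute-forces a salted hash of the digit form to show how little protection it offers. The salt, the choice of SHA-256, and the decision to drop symbol characters (which have no keypad digit) are assumptions for the demonstration; the password strings are constructed inputs.

```python
import hashlib
import itertools
import math
from typing import Optional, Tuple

# Standard telephone keypad letter groups (ITU-T E.161). Digits 0 and 1 carry no letters.
KEYPAD = {
    "2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
    "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ",
}
LETTER_TO_DIGIT = {ch: d for d, letters in KEYPAD.items() for ch in letters}


def keypad_equivalent(password: str) -> str:
    """Digits a caller would press to enter an alphanumeric password on a phone keypad."""
    digits = []
    for ch in password:
        if ch.isdigit():
            digits.append(ch)
        elif ch.upper() in LETTER_TO_DIGIT:
            digits.append(LETTER_TO_DIGIT[ch.upper()])
        # Assumption for this demo: symbols have no keypad digit and are dropped.
    return "".join(digits)


def keyspace_bits(password: str) -> Tuple[float, float]:
    """Upper bound on search space: web form over a 62-character alphabet vs keypad form over 10 digits."""
    web_bits = len(password) * math.log2(62)
    phone_bits = len(keypad_equivalent(password)) * math.log2(10)
    return web_bits, phone_bits


def preimage_count(digits: str) -> int:
    """How many alphanumeric strings collapse onto this digit string (letters counted in both cases)."""
    count = 1
    for d in digits:
        count *= 1 + 2 * len(KEYPAD.get(d, ""))
    return count


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted hash as a stand-in for whatever the back end stores.
    SHA-256 is an assumption for the demo; a real system should use a slow KDF (PBKDF2, bcrypt, Argon2)."""
    return hashlib.sha256(salt + secret.encode()).digest()


def crack_numeric_hash(target: bytes, salt: bytes, length: int) -> Optional[str]:
    """Exhaust every digit string of the given length against a stored hash of the keypad form."""
    for combo in itertools.product("0123456789", repeat=length):
        candidate = "".join(combo)
        if hash_secret(candidate, salt) == target:
            return candidate
    return None


if __name__ == "__main__":
    salt = b"demo-salt"          # constructed, per-user salt in practice
    password = "Pass1"           # constructed sample password
    digits = keypad_equivalent(password)
    print(password, "->", digits)
    print("search space bits (web, phone):", keyspace_bits(password))
    print("alphanumeric strings sharing this digit form:", preimage_count(digits))
    print("recovered:", crack_numeric_hash(hash_secret(digits, salt), salt, len(digits)))
```

Two things the numbers make concrete. First, a nine-character web password has a ceiling of roughly 54 bits, but its keypad form has at most 30, and a salted fast hash of a five-digit form falls to an exhaustive search in well under a second. Second, `preimage_count` shows that recovering the digit string does not uniquely recover the web password, so an attacker who cracks the numeric hash gets the phone credential outright but only a candidate set for the website; if the back end stores only the numeric hash, that candidate set is still enough to pass the website's check whenever it, too, compares the keypad form.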