Account Security Question

Topic Author
AAA
Posts: 1884
Joined: Sat Jan 12, 2008 7:56 am

Account Security Question

Post by AAA »

When I call the entity that handles my company's benefits and the broker that handles my company's 401K, I am asked to enter on the phone keypad the alphanumeric password I use to access their websites. I am wondering what the security experts on this forum think of such a practice.

Thanks.
texasdiver
Posts: 3937
Joined: Thu Jun 25, 2009 12:50 am
Location: Vancouver WA

Re: Account Security Question

Post by texasdiver »

Would you rather they answer questions about your account over the phone from any random person who calls and claims to be you? A PIN number is at least much more secure than the standard nonsense of giving your address and last 4 of your social or account number which is all some banks ask for to verify your identity.

As long as YOU called THEM and not the other way around I think it is OK.
Topic Author
AAA
Posts: 1884
Joined: Sat Jan 12, 2008 7:56 am

Re: Account Security Question

Post by AAA »

I guess a broader question is how secure is the phone compared to the internet where at least the information is encrypted? Some places ask you to enter your social security number etc. on the phone. How does that compare to entering on a secure web site?
Topic Author
AAA
Posts: 1884
Joined: Sat Jan 12, 2008 7:56 am

Re: Account Security Question

Post by AAA »

texasdiver wrote: Would you rather they answer questions about your account over the phone from any random person who calls and claims to be you? A PIN number is at least much more secure than the standard nonsense of giving your address and last 4 of your social or account number which is all some banks ask for to verify your identity.

As long as YOU called THEM and not the other way around I think it is OK.
To answer your first question - of course not. But maybe a different password for phone and internet. It just seemed to me that my online password should be used only for that purpose.
JW-Retired
Posts: 7189
Joined: Sun Dec 16, 2007 11:25 am

Re: Account Security Question

Post by JW-Retired »

AAA wrote:
To answer your first question - of course not. But maybe a different password for phone and internet. It just seemed to me that my online password should be used only for that purpose.
You have the option of changing your online password after such a phone call. I've been doing that on the very rare occasions I need to phone in.
JW
Retired at Last
Mudpuppy
Posts: 7409
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Account Security Question

Post by Mudpuppy »

This could indicate that they store all passwords as the numeric equivalent on the back-end (e.g. only store the hash of the numeric equivalent) or that they store two hashes on the back-end (e.g. the alphanumeric password and the numeric equivalent). In any event, either scenario is only a concern if the attackers gain access to the hashes. Numeric hashes are easier to crack. But that the attackers have gained access to the hashes for financial accounts in the first place would be of greater concern than their ability to crack them.
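
Added example, not part of the thread and not any provider's actual code: a sketch of the two-hash design described in the post above, showing how a password collapses to its keypad digits and how much smaller the numeric search space is. The function names, the record layout and the use of PBKDF2 are assumptions made for illustration.

```python
import hashlib
import hmac
import math
import os

# Letter groups on a standard phone keypad; digits map to themselves.
KEYPAD = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
          "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
TO_DIGIT = {ch: d for d, letters in KEYPAD.items() for ch in letters}
ITERATIONS = 100_000  # assumed PBKDF2 work factor, for illustration only


def keypad_equivalent(password):
    """Return the digits a caller presses to enter the password by phone."""
    digits = []
    for ch in password.lower():          # the keypad cannot express case
        if ch in "0123456789":
            digits.append(ch)
        elif ch in TO_DIGIT:
            digits.append(TO_DIGIT[ch])
        else:
            raise ValueError(f"no keypad key for {ch!r}")
    return "".join(digits)


def _kdf(secret, salt):
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)


def make_record(password, salt=None):
    """Two-hash design: one hash for the web form, one for the keypad form."""
    salt = salt or os.urandom(16)
    return {"salt": salt,
            "web": _kdf(password, salt),
            "phone": _kdf(keypad_equivalent(password), salt)}


def verify_phone(record, keyed_digits):
    """Check digits keyed in on a call against the stored phone hash."""
    return hmac.compare_digest(_kdf(keyed_digits, record["salt"]), record["phone"])


def keyspace_bits(length, alphabet_size):
    """Bits of search space for a uniformly random string of this length."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    rec = make_record("Tiger42x")                    # constructed sample password
    print(keypad_equivalent("Tiger42x"))
    print(verify_phone(rec, keypad_equivalent("Uihfs42y")))  # different password, same digits
    print(keyspace_bits(8, 62), keyspace_bits(8, 10))
```

Two different constructed passwords verify against the same phone hash, and an 8-character numeric form has roughly 21 fewer bits of search space than an 8-character mixed-case alphanumeric one.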