As of December 3rd, I am now a fully responsible, contributing member of society, also known as an adult. With great responsibility comes great power, therefore it is with (great) pleasure that I am able to announce that I can now bank online. Yes, the powers that be (also known as The Man) have determined that I am now in possession of some required intellectual capability and must no longer make the trudge down the street to my local TD branch in order to determine the state of my material possessions. There are not words to describe the intense joy I am experience inside.
However, this is simply the prelude. Today's topic stems from the newly created Canadian Tire Financial Services. The chain that previously wanted most of your money now wants all your money. Well, at least it's Canadian! Full speed ahead! What's that? Until December 31st, normal 4% interest is actually 5.5% interest? Where can I sign?
That was the idea, at least. Having now created an account, I am feeling significantly less comfortable with the arrangement. Here's the deal: after Canadian Tire approves your account creation and the initial deposit, you have to phone them up to receive a temporary password for web banking. That sounds perfectly reasonable to me. When I asked to speak to a customer service representative, I had to verify my identity by reciting the usual personal information - name, address, postal code.
'That's good,' I thought to myself. 'I'm glad they're concerned about these sorts of things.'
However, once I let the representative know that I wished to obtain a temporary password, suddenly we went on a trip to Bizarro-land. I was informed that my identity had to be verified via three random questions from a third-party... identity provider? I was never quite sure exactly what this third party's role was. The three questions were similar to these:
- What is your home phone number? (Ho-hum, pretty basic)
- Which of following is the address of the National Banking branch that you bank with: 123 Dufferin Street, 457 Sunshine Ave, or none of the above? (Hold up, I don't bank with NB. What gives here?)
- Which of the following is the address of a cooperative that you have lived in during the past 10 years: 24 Park Lane, 714 Reno Street, or none of the above? (Wait what? I've never lived in a cooperative.)
So, with that formality out of the way, and my identity confirmed twice (double the security!), the representative was now authorized to give me my temporary password. After warning me that it would expire in two hours, she then proceeded to inform me that the password I changed it to would have to be between 6 and 8 characters long.
"And that's numbers only," she continued. "We don't accept letters in your password."
Ding ding ding ding. Warning bells. Not very loud ones, but bells nonetheless. What kind of system restricts you to numbers, but requires the same length as a normal passphrase? Note the irony in calling it a password, but not accepting anything to constitute a word.
I dutifully finished the conversation and went to myCTFS.com, and promptly noted another alarming feature. Underneath the login box is a checkbox labelled "Using a shared computer." This checkbox defaults to off. This is the opposite behaviour of the majority of other
So, I logged in and was presented with the required password change (after being instructed to input my current password in order to agree to the terms of service. What?) And the representative was right, they only accept 6-8 numbers. And the explicitly state that you should avoid anything like phone numbers, birthdays, sequences, and other similarly easily-deduced strings of numbers. However, that's not leaving me much to go by, is it? How many other password-length numbers that are "unique and easily memorizable" can you think up? That's what I thought.
So that's it. I can't fathom the thought process behind these decisions. On one hand, limiting a password to numbers would seem to provide additional security by removing the ability to choose easily-guessed words ("password1", anybody?) However, it seems to me that people would be far more likely to choose a phone number or birthdate simply because the alternative is a meaningless string of digits. And if customers can't remember their passwords, I would assume that they could call up the service representative in order to be issued a temporary one. But if all this requires is validating your identity by what you're not, that doesn't seem like a completely secure system. I'm going to be contacting CTFS with my concerns later tonight, but I wanted to put my thoughts down coherently first.
Am I right to be this wary? Do you get the same alarm bells in your heads? Internet, talk to me.