Sunday, November 01, 2015

Security - Verification of Change

Many web sites will now notify you when a change is made to your account, for example when you change your address, email or phone number. Every one I have ever received says: if you made the change, do nothing; if you didn't, then call us.

My guess is this is because it provides some security and is super easy for them. But if security were the priority, I think you would do more. Why not require the account holder to affirmatively agree to the change? The main reason I can see is that it would create more work. You would need a process for the case where the account holder failed to affirmatively agree to the change.

Still, for very important matters it seems like this would be wise. Yet I have never seen anyplace do this.

One thing I can think of does have this process in place. For a long time (15 years?), if you get a new credit card you have to call and activate it. Usually they use caller ID to auto-approve if you call from the phone number on file; if the call isn't made from such a number, you are asked other details to verify who you are.

Such a system could be opt-in, so only people concerned about security could participate, and someone who didn't want to bother could continue as things are today.
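A sketch of the opt-in, affirmative-confirmation flow described above, added here as an illustration and not taken from any real site's implementation. The `Account` class, the function names, the status strings and the 72-hour window are all assumptions.

```python
import hashlib
import hmac
import secrets

CONFIRM_WINDOW = 72 * 3600  # assumed: seconds allowed to approve a change


class Account:
    def __init__(self, email, require_confirmation=False):
        self.email = email
        self.require_confirmation = require_confirmation  # the opt-in switch
        self.pending = None  # (new_email, token_hash, expires_at) or None


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def request_email_change(acct, new_email, now):
    """Return (status, token). The token is mailed to the address on file,
    never to the new one, so whoever asked for the change cannot approve it."""
    if not acct.require_confirmation:
        acct.email = new_email  # today's model: apply first, notify afterwards
        return "applied_notify_only", None
    token = secrets.token_urlsafe(32)
    # Store only a hash so a leaked database row cannot approve the change.
    acct.pending = (new_email, _digest(token), now + CONFIRM_WINDOW)
    return "pending_confirmation", token


def confirm_change(acct, token, now):
    """Apply the pending change only on an explicit, timely, valid approval."""
    if acct.pending is None:
        return "no_pending_change"
    new_email, token_hash, expires_at = acct.pending
    if now > expires_at:
        # Nobody agreed in time: drop the change and hand it to a manual
        # process instead of silently applying it.
        acct.pending = None
        return "expired_needs_manual_review"
    if not hmac.compare_digest(_digest(token), token_hash):
        return "bad_token"
    acct.email, acct.pending = new_email, None
    return "applied"
```

The expiry branch is the extra work the post mentions: a change nobody approved is discarded and routed to a manual process, and the account keeps its old value.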

Related: Protecting Your Privacy and Security (Curious Cat Investing blog) - Protect Yourself from Credit Card Fraud - Governments Shouldn't Prevent Citizens from Having Secure Software Solutions - Making Credit Cards More Secure and Useful (2014) - Bad Security on Government Required RFID e-passports
