Nov. 5th, 2011

eor: (news2)
Today is being touted as "Bank Transfer Day" or "Move Your Money Day" in the US. The name is overly simple for most people in America. The process of moving accounts is multi-step (open new accounts, wait for new debit card to arrive, test debit card, change direct deposits, confirm change took, change automatic bill payments, confirm those took) which will take a month or more. However, today could be the beginning of the process.

Credit Unions, investor owned institutions with members not victims customers, have seen more new accounts opened in the last month than in all of 2010. Local banks are seeing an increase in account openings as well. Did you realize, in the US there are two types of banks: state and federal? State chartered banks are subject to state regulation and generally can't open branches in other states. This generally keeps them from being merged into the giant banks.

I will not be participating in Bank Transfer Day because I can't. I completed the process long ago in response to the policies of large financial institutions. My accounts are now in a small local bank and a credit union.

But those of you who have money in a large institution that is too big to fail, please consider taking the time to make that large institution small enough to fail.
eor: (greenscreen)
This is something that occurs to me occasionally, but I don't think I've ever written about it before.

What do memes and Facebook have in common? They can both be used to the benefit of identity thieves as a method of social engineering.

Security questions (also called challenge questions) are now commonly used in addition to passwords, or as triggers to unlock an account or email a new password. The security questions are repeated among systems and are most often historical: first pet, high school mascot, etc. The challenge is to pick a question that the real person won't forget, will not type differently ("The Trouble with Tribbles" is not "trouble with tribbles"), and won't be easily discovered. The first criterion is often best met with historical information. You don't ask "favorite band" because in two years, when the question needs to be answered, the answer may have changed. In order to address the second criterion you need something definitive and short. Names and numbers work well for this. As the answer gets more complex, it's more likely that it will not be repeated by the legitimate user. Then we come to the third criterion. Security questions tend to skew old (first ... ) with the naive thought that anyone who encounters the legitimate user today won't have easy access to that old information.

Enter the information age, the Internet, memes and Facebook. Facebook, by its very nature, is a social engineering treasure trove. You get all kinds of school and location information together with relatives. If you start linking these items to journal entries, you can develop quite a lovely dossier on someone. I've seen memes that cover the vast majority of security questions, some subtly, some not. Do you remember the Porn Star Name meme? That gets a couple of ones that might not get covered on Facebook: first pet, middle name, street you grew up on. Mother's maiden name? That is the classic key for credit card phone verification. But take a browse around Facebook, find the relatives, find the mom, then look at her relatives. Done.

There are a lot more examples, but hopefully this gives you a little different perspective on innocent information. Information may be innocent, but often people are not.

A financial institution that I interact with forced me to set security questions. I looked at the questions and all of them were meme/Facebook resolvable. There wasn't one that I could choose that wouldn't expose my account to attack based on reasonable research. What did I do? I answered randomly. I won't be able to use the challenge to reset my account, but neither will anyone else.
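A sketch of both sides of the problem described above, as an added example that is not part of the original post: a site-side check that accepts "trouble with tribbles" for "The Trouble with Tribbles" without storing the plaintext answer, and a user-side generator for a random answer to keep in a password manager. The function names, normalization rules and PBKDF2 iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import string
import unicodedata

PBKDF2_ROUNDS = 200_000  # assumed work factor, tune for your hardware


def normalize_answer(answer: str) -> str:
    """Fold case, punctuation and spacing so a retyped answer still matches."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    # Keep letters and digits; anything else becomes a word break.
    text = "".join(ch if ch.isalnum() else " " for ch in text)
    words = text.split()
    # Drop a leading article: "The Trouble with Tribbles" == "trouble with tribbles".
    if len(words) > 1 and words[0] in {"the", "a", "an"}:
        words = words[1:]
    return " ".join(words)


def _derive(answer: str, salt: bytes) -> bytes:
    data = normalize_answer(answer).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", data, salt, PBKDF2_ROUNDS)


def enroll(answer: str) -> tuple[bytes, bytes]:
    """Return (salt, digest) to store in place of the plaintext answer."""
    salt = secrets.token_bytes(16)
    return salt, _derive(answer, salt)


def verify(answer: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the candidate against the stored digest."""
    return hmac.compare_digest(_derive(answer, salt), digest)


def random_answer(groups: int = 4, group_len: int = 5) -> str:
    """User side: an answer no amount of profile research can recover."""
    alphabet = string.ascii_lowercase + string.digits
    return "-".join(
        "".join(secrets.choice(alphabet) for _ in range(group_len))
        for _ in range(groups)
    )
```

Normalization only addresses the "typed differently" criterion; it does nothing for answers that can be researched, which is why the random answer is the part that actually protects the account.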
