One small step forward, one giant leap back

By Sharky | Date: Fri, 14 Sep 2018 03:00:00 -0700

This pilot fish is paying his monthly bills online when he discovers one of his utilities has changed the payment part of its website — a lot.

“I clicked on the ‘Payment’ button, and saw that I now had the option of paying with or without logging in,” says fish.

“OK, the no-login option could be handy, but I’ve been paying this bill online for years, so I clicked on the login option. It asked me for my user name and eight-digit PIN. What PIN? I have a long, secure password. I tried that. It didn’t work.”

And after several unsuccessful attempts, fish tries the no-login version — which just takes him to the same screen asking for his PIN.

He finally hunts down the customer service number, calls and explains that he wants to make a payment but nobody sent him a PIN. Customer service rep says he can give fish the PIN — he just has to answer the security question he’d selected.

Fish looks in his list of security answers and finds the one he used when he set up this account. What’s the question? he asks rep. “What was your childhood nickname?” rep says. That’s not the security question I answered, fish says.

“The rep texted the security answer to the mobile number they already had on file for me,” says fish. “It turned out to be my first name, exactly as it appears on my account. What kind of security answer is that?

“But since I obviously had the right phone, he was willing to give me the PIN — which turned out to be the house number from my address, followed by ‘1234.’ It looked like they migrated the existing online-payment accounts by just grabbing pieces of customer data and putting it into the security fields.”

The rep lets fish choose a new, harder-to-guess PIN, and he tries logging in again. But the system still won’t let him in — its new two-factor authentication scheme involves sending the customer an additional short-term, six-digit PIN, and the text never arrives.

Well, the new website is still undergoing “maintenance,” rep says — that might be the problem.

After clicking repeatedly on the “Resend text” button, fish gives up and rep walks him through the no-login process, which finally works after fish has cleared his browser cache.

“Just before I hung up, I joked that I would probably get half a dozen texts with PINs in an hour or two. He just laughed. At least I got the bill paid,” fish says.

“An hour later, my phone beeped — and beeped again and again. When it was done, I found six new texts, each with a different six-digit PIN.”

Sharky doesn’t require passwords or PINs — just your true tale of IT life. Send it to me at sharky@computerworld.com. You can also comment on today’s tale at Sharky’s Google+ community, and read thousands of great old tales in the Sharkives.

