As you are no doubt aware, I am for technology making our lives easier and more efficient; getting the mundane out of the way as quickly as possible so the good and enjoyable can be experienced. This means that a simple and short e-mail such as "You owe $200 on your credit card due on September 5" is a good thing, whereas "You have received a notice in your online banking site, please click this link to view it", which is followed by username, password, confirmation of first girlfriend, mother's maiden name, and 6 more clicks past ads for mutual funds and CDs, is a Very Bad Thing. What is worse, this adds no security that I can see.
The following is what I sent to my credit card company, but banks do this too.
I recently received an e-mail from Discover which contained the following information:
All messages with this type of important account
information will now be housed securely at Discover.com
starting in September 2008.
Here's what you can expect:
- An e-mail notification when you have a message
- Directions on how to access the message
- Password protected security allowing you to control who
sees your account information
and I would like to take this chance to explain why this solution fails in its goals.
First, when I received an e-mail from Discover in the past, it was short and to the point. For example, it might indicate the minimum I owed on my account for the upcoming payment. Now, I will receive an e-mail that informs me I have an e-mail waiting for me? I have my e-mail open for the better part of every day, and it takes me about five seconds to read an e-mail from Discover and glean the pertinent information from it. If it required banking action, I could either take care of that right away or move the e-mail to a to-do folder for action later, preferably when I had other banking tasks to accomplish. An e-mail forcing me to log in to the Discover site to -pardon me- discover what information I have received adds at least 90 seconds to this entire process, and sidetracks me from whatever I am currently working on. A complete waste of time.
Second, and equally important, this does absolutely nothing to enhance security. There is nothing Discover sends me in e-mail that could compromise my account. The only thing in an e-mail tends to be "your account ending in 1234", which, because I have separate accounts with Discover requiring separate logins, will still have to be in the new e-mail notifications.
In fact, the only goal I can see where this succeeds is in driving more traffic to the discovercard.com website, which would be beneficial for Discover (and not Discover's customers) because it will add to Discover's advertisement revenue. (I define revenue here as being either direct revenue, should Discover choose to advertise for other sites on its website, or an increase in additional services sold by Discover to its existing customers.) Either way, it is shameful to disguise "customer security" this way.
At the very least, Discover ought to allow its customers to opt out of this program and continue receiving informative e-mails regarding their accounts. An easy solution, should you continue to claim that this is insecure, would be to offer the chance for your customers to receive encrypted e-mail. There are many easy and readily available solutions for this, such as PGP (and the free, compatible product, GPG) or S/MIME encrypted e-mail. Implementing either of these is as easy as setting up the online account with Discover in the first place.

