Banks & regulators: needlessly making things hard on users and then claiming it is for security.

My bank, Swedbank, has a two-factor authentication system – like many others – using a VASCO DIGIPASS. But apparently that’s not enough security.

Urged on by Finansinspektionen (a central banking regulator), they have ‘increased security’ even further when a customer wants to enable a service. Take, for example, the international payments service that I mysteriously lost access to.

This can no longer be done on a secure HTTPS website using two-factor authentication. Instead you have to call a public phone number (+46 771 22 11 22), enter a state personal ID number that is itself public (911023etc), and a 5-digit PIN.

How is a 5-digit PIN more secure than requiring the VASCO DIGIPASS? Especially seeing as the VASCO DIGIPASS is also PIN protected? And is stored in my house?

If you were able to break into my house and steal the VASCO DIGIPASS, as well as crack the 4-digit PIN used to lock it, you would gain the ability to reset the 5-digit PIN needed to make the phone call. So if my bank login really has been compromised, none of this is going to help me.

last updated july 2015