The answer to "I don't know my password and I don't know my security question/answer" is, "Sorry, for security reasons we can't help you access this account, you'll need to create a new account." This isn't a problem for banks, why is it a problem for tech companies?
> This isn't a problem for banks, why is it a problem for tech companies?
Banks have the option of you physically going into the branch and identifying yourself with relevant legally backed forms of ID. That would not really work for most online companies.
Other methods which involve sending in copies of ID and/or letters signed by appropriate notaries would fail due to human engineering too because your average tech company isn't going to have people sat ready who are capable of accurately verifying this information.
The other problem is PR: due to the lack of another option, the average person who is locked out of their account will instantly turn to twitter/facebook/any-where-else-they-can-post and scream as loud as they can that they've been mistreated by company X. Many other average persons will take this at face value without checking the facts and start avoiding company X, or worse, bombarding them with communication in support of the inconvenienced user.
> Banks have the option of you physically going into the branch and identifying yourself with relevant legally backed forms of ID.
Not always true! Less than a month ago I needed to log in to my Wells Fargo account. Unbeknownst to me, they had been doing some 'upgrades' and there were some glitches. After a frustrating period, I decided I'd just go to the physical branch 1/4 mile from my house and get this fixed!
On site, the bank personnel have access to exactly the same system that I did. (At least they knew there were glitches and sorta how to work around them.) I had two accounts, one for a credit card that I rarely used and my mortgage. Turns out, if you have a credit card then the new system requires a piece of information only found on the physical card - the onsite employees couldn't get around it and neither could their call-in tech support!
Point is - for log-in purposes - don't assume going to a physical branch will be any more helpful!
Since I didn't have the credit card with me ('cause rarely used), I canceled the rarely used credit card and was able to log in shortly thereafter.
Banks don't try that hard. One of my banks is happy to resend me a password by snail mail with an account ID reset by phone.
Also, rechecking the ID of a user can be as simple as asking for a new token payment by the same credit card as used by the account. It's not infallible, the CC can be compromised as well, but it should be way better than what we have now.
Actually, this could be an interesting and lucrative side business for banks, identity verification. You could have varying levels of verification, requiring varying levels of authenticating documentation and numbers of employees to review and vouch that could then be used to provide a certificate of verification for a service.
E.g. namecheap.com generates a verification ticket item requiring valid identification and SSN that Bank of America then uses to verify your identity for $30, and vouches for the identity. Meanwhile Goldman Sachs generates a verification ticket requiring much more strenuous authentication, and the bank charges $200 for it (with increased insurance, etc.), which satisfies the much higher validation standard Goldman Sachs requires to authenticate you for your retirement account with over $X in it, etc.
With MTGO above I had maybe $500 in virtual stuff on my account. As the gatekeeper I'm not sure that would go over well.
With servers a similar thing. Say my only copy of a database is on my VPS. May have a business value of $50k. Can't really just say no unconditionally. Need some process to unlock.
There are at least two such services in Germany WebID[1] and PostID[1] (not to be confused with the older PostIdent that requires identification at a post office).
I haven't used PostID yet but with WebID you basically have a Skype video call where you show them your ID.
I have a few bank accounts with banks that don't have branches. To "verify" your ID they ask you questions from your credit report - which can be problematic. "What was the payment and term on a loan you had 5 years ago?" Fuck if I ever knew what the payment or term was, I didn't care when I took out the loan, I had my own payment schedule (I think if you can't pay back a loan [with the exception of a mortgage] in a year or two you really can't afford the loan...). Some of the stuff I just plain can't remember!
The best was when they asked me which model of car I had owned... and listed two cars that I had owned... I could only select one.
These records can be flat out wrong too. The DMV associates a car with my address that I don't own, for example. I think this happened because the owner never changed their address with the DMV. Or someone could have just fat fingered something which gets populated to other databases with data sharing.
I agree. With banks, if you need to prove identity remotely, you need to get a medallion signature and a notary. Takes time and money. I assume that web businesses would be happy to have to do that in return for robust security not easily broken via social engineering. I think it would even be a competitive advantage. If you want cheap and easy (and insecure) then you can use a competitor's offering.
Well, you can go to the bank with your ID if everything else fails.
Of course that might not even be necessary, as there have been reports of people withdrawing money or wiring it somewhere with not even that (but the bank has legal responsibility).