Why are the account setup and password recovery flows for the sites of financial companies so utterly terrible? And so insecure? "Please fill in the following badly structured form with your personally identifying information that is easy to research from public records" and then emailing a new password in the clear, instead of a reset link, seems to be standard practice.
Account setup for financial, insurance, employment, medical, legal, regulated utilities, and government services should go through registered postal mail, and/or in person. And if I were king, that would be black letter law, with no wiggle room, and draconian penalties, plus private rights of action with statutory damages.
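For contrast with the "email a new password in the clear" practice the first paragraph complains about, here is an added example (mine, not part of the original post) of the reset-link pattern: a random token whose hash alone is stored, which expires and can be redeemed only once. The in-memory dictionary, the `example.invalid` link base, and the 15-minute lifetime are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumed in-memory store; a real site would keep this in a database row per user.
_pending_resets = {}  # user_id -> (sha256 hex of token, expiry timestamp)

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset link


def _hash_token(token):
    # Store only a hash, so a database leak does not yield usable reset links.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(user_id, now=None):
    """Create a single-use, time-limited token; return it for the emailed link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _pending_resets[user_id] = (_hash_token(token), now + TOKEN_TTL_SECONDS)
    return token  # goes into the link only; never persisted in the clear


def reset_link(user_id, token, base="https://example.invalid/reset"):
    # The emailed link carries the token; the password itself is never emailed.
    return "{}?uid={}&token={}".format(base, user_id, token)


def redeem_reset_token(user_id, presented, now=None):
    """Return True exactly once for a valid, unexpired token; False otherwise."""
    now = time.time() if now is None else now
    entry = _pending_resets.get(user_id)
    if entry is None:
        return False
    stored_hash, expires_at = entry
    if now > expires_at:
        _pending_resets.pop(user_id, None)  # expired: discard it
        return False
    # Constant-time comparison of hashes avoids leaking match length via timing.
    if not hmac.compare_digest(stored_hash, _hash_token(presented)):
        return False
    _pending_resets.pop(user_id, None)  # single use: burn it on success
    return True
```

After a successful redemption the user sets a new password over the authenticated session; the token itself never doubles as the credential.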