How much is too much security-wise?

[Deleted]

I certainly understand the extent of online hacking but at some point security precautions start to be annoying and time-consuming.  My healthcare provider has doubled up on online access so I have to go through separate two log-ins with separate I.D. and password, and answer security questions to refill one prescription.  My bank went through a spasm of requiring new I.D./password combos every quarter until they lost a ton of customers.  Fewer than half of local merchants have set up chip-enabled credit card readers.  

Where is the intersection of security and convenience?  Discuss, please.

[tallguy]

I think it has become far more of a hassle than it is worth in some ways.  If you want to check your Social Security record, you have new security measures to contend with.  Go to the website, log in with your username and password, receive a text message on your phone with a security code, enter the security code at the website, and only then be allowed to view your record.  Every time you log in.  In addition, you have to change your password every six months.  If you do not have a cell phone, you cannot log in to MySSA.  If you cannot receive texts, you cannot log in to MySSA.  If you don't want to give them your cell number, you cannot log in to MySSA.  And that is all in addition to the security questions if you have trouble with your account or want (need) to change your password.  Seems a bit much.              

[alabamagal]

Aug 7, 2016 18:29:53 GMT -5 tallguy said:

I think it has become far more of a hassle than it is worth in some ways.  If you want to check your Social Security record, you have new security measures to contend with.  Go to the website, log in with your username and password, receive a text message on your phone with a security code, enter the security code at the website, and only then be allowed to view your record.  Every time you log in.  In addition, you have to change your password every six months.  If you do not have a cell phone, you cannot log in to MySSA.  If you cannot receive texts, you cannot log in to MySSA.  If you don't want to give them your cell number, you cannot log in to MySSA.  And that is all in addition to the security questions if you have trouble with your account or want (need) to change your password.  Seems a bit much.              

I saw an email about the social security new security features. Looks like a pita I only log in once a year or so

The financial aid websites are now just as bad. Thankfully this was my last year for that.

I have one credit card that has an extra security feature when you PAY your bill, it now requires to enter last 4 of ss number. I'm just not sure why the extra security is on making payments.

[midjd]

If there's a website or app that requires more than three separate password characteristics, there's a very high chance my password for that site is F*ck[companyname]1.  

[Deleted]

Aug 7, 2016 20:30:25 GMT -5 alabamagal said:

Aug 7, 2016 18:29:53 GMT -5 tallguy said:

I think it has become far more of a hassle than it is worth in some ways.  If you want to check your Social Security record, you have new security measures to contend with.  Go to the website, log in with your username and password, receive a text message on your phone with a security code, enter the security code at the website, and only then be allowed to view your record.  Every time you log in.  In addition, you have to change your password every six months.  If you do not have a cell phone, you cannot log in to MySSA.  If you cannot receive texts, you cannot log in to MySSA.  If you don't want to give them your cell number, you cannot log in to MySSA.  And that is all in addition to the security questions if you have trouble with your account or want (need) to change your password.  Seems a bit much.              

I saw an email about the social security new security features. Looks like a pita I only log in once a year or so

The financial aid websites are now just as bad. Thankfully this was my last year for that.

I have one credit card that has an extra security feature when you PAY your bill, it now requires to enter last 4 of ss number. I'm just not sure why the extra security is on making payments.

Yeah, I am just not having a problem with folks paying my bill for me.  Our municipal water bill site has added a bunch of new security things and I get that it's to keep folks from switching the bill to their ex-whatever or some non-existent person but for payments?

[Deleted]

Aug 8, 2016 9:57:01 GMT -5 midjd said:

If there's a website or app that requires more than three separate password characteristics, there's a very high chance my password for that site is F*ck[companyname]1.  

Yes, I have several passwords involving profanity.  It's fun to chat up the customer service folks when they say I can't use a certain password by asking them to say exactly which word I can't use.  Merrill Lynch actually backed down on bovine excrement when I asked them to explain why.  My Merrill Lynch advisor says I am a troublemaker-he may be right.

[Deleted]

Signs that, for me, they've gone too far:

1. Definitely the new SSA requirements. I'm selective about giving out my mobile number. In addition, my Ting bill charges $3 for the first 100 texts and in most months I have zero. I get very annoyed when I get the first text message of the billing cycle because then my bill just went up $3.

2. The "forgot password" function almost NEVER tells you what your password was. Even after you give correct answers to their questions, it forces you to reset it. I understand it for banks and brokerages, but for mycokerewards and Starbucks? Really?

3. Many times I click on "keep me signed in" for the low-stakes sites but frequently I need to log in all over again. I'm sure that has something to do with cookies since this varies by browser, but I haven't researched it.

[milee]

I'm not sure if it's a state level issue or if it's federal as well, but it drives me nuts to do business with our state (Florida) online because the email address you have to use as part of the registration and login process is then "public records".  So anyone can request lists of these email addresses and use those addresses for spam, phishing or worse.  It's to the state's benefit to have people do transactions online - saves the state tons of money and is much more accurate - so why make it so unappealing?

Hopefully the mobile phone numbers you're having to give SSA are not public records.  

[spartan7886]

Aug 9, 2016 12:22:27 GMT -5 @athena53 said:

2. The "forgot password" function almost NEVER tells you what your password was. Even after you give correct answers to their questions, it forces you to reset it. I understand it for banks and brokerages, but for mycokerewards and Starbucks? Really?

A system capable of telling you what your password was would mean they are storing it in plain text and anyone who hacks the server could obtain it. A properly designed system salts the password (encrypts, kind of) and then salts the password attempt and compares those two results. It's not capable of telling you what your password is because it doesn't store that information.

It's probably overkill for those applications, but I am sure they are using standard libraries rather than rolling their own less secure ones. It's less work and safer. Plus, that protects all the idiots out there using the same password for mycokerewards and their bank.

[thyme4change]

Aug 9, 2016 12:22:27 GMT -5 @athena53 said:

2. The "forgot password" function almost NEVER tells you what your password was. Even after you give correct answers to their questions, it forces you to reset it. I understand it for banks and brokerages, but for mycokerewards and Starbucks? Really?

What I hate about forgetting and having to reset is that once I get to the reset screen and see "Password must have..." special characters, etc, I generally remember what my password was.  If I could ask the password requirements before having to reset, it would be a lot easier.

[Deleted]

And the security questions are a real PITA.  At my age, I don't remember the name of my elementary school, I never had a puppy, I don't have any known relatives, etc.  Honest to God, I had to invent a completely fake persona for Discover because all of their security questions relate to a "Leave it to Beaver" childhood.  Next time I have to do a password reset, it's bye-bye Discover.  

[Anne_in_VA]

Aug 10, 2016 17:15:29 GMT -5 @donethat said:

And the security questions are a real PITA.  At my age, I don't remember the name of my elementary school, I never had a puppy, I don't have any known relatives, etc.  Honest to God, I had to invent a completely fake persona for Discover because all of their security questions relate to a "Leave it to Beaver" childhood.  Next time I have to do a password reset, it's bye-bye Discover.  

Yeah, I get that too.  I moved so much as a kid that it was hard to make friends, we never had any pets,  and I went to more than one school each year I was in school except for high school, so how am I supposed to answer these answers?  

[teen persuasion]

Aug 7, 2016 20:30:25 GMT -5 alabamagal said:

Aug 7, 2016 18:29:53 GMT -5 tallguy said:

I think it has become far more of a hassle than it is worth in some ways.  If you want to check your Social Security record, you have new security measures to contend with.  Go to the website, log in with your username and password, receive a text message on your phone with a security code, enter the security code at the website, and only then be allowed to view your record.  Every time you log in.  In addition, you have to change your password every six months.  If you do not have a cell phone, you cannot log in to MySSA.  If you cannot receive texts, you cannot log in to MySSA.  If you don't want to give them your cell number, you cannot log in to MySSA.  And that is all in addition to the security questions if you have trouble with your account or want (need) to change your password.  Seems a bit much.              

I saw an email about the social security new security features. Looks like a pita I only log in once a year or so

The financial aid websites are now just as bad. Thankfully this was my last year for that.

I have one credit card that has an extra security feature when you PAY your bill, it now requires to enter last 4 of ss number. I'm just not sure why the extra security is on making payments.

 
I've been following the SSA 2FA issue on Bogleheads - the requirement has been removed, for now, because it inconvenienced "some" users. The discussion was interesting; some pointed out that the method was not very safe, for multiple reasons. Those who did not want a cell phone were going to Google Voice to get the texts (eliminates the "device" in your hands aspect). Others pointed out that the system asked you each time if your # was still current, and let you update it instantly - if someone has gotten access to my userid and password, letting them change the cell # hands them the last key to my info.


Don't get me started on the whole college security thing. DS4 is having DAILY issues with anything online involving college, it never ends. It's not like we're inexperienced in this arena - we've had at least one kid in college since 2008, usually 2, all different schools. My favorite part is how the school can't tell me my kid's school id # for security reasons, but they are happy to request his SSN from me instead, to lookup his file. I also don't get access to his bill, but can be added as an authorized payee (how do I know how much to pay?) by the student.

The whole FA thing has become much more complex each year.

At work I've been helping a patron with the FAFSA and TAP applications. They've been in at least 5 times; it took us hours, and we went thru it 3 TIMES before we successfully got to the end of the FAFSA, at least. The had called the college for assistance (as suggested by the college) and were suddenly going to run off to the CU because they needed a credit card to pay to "process" their application - um, no, it is the FREE application for federal student aid - that's the point at which I took a more active role in assisting them.

Much of the confusion revolved around the multiple ids you need to create. FAFSA logins for student and parent, the new FSAid (or whatever it's called) for student and parent, linking them to past FAFSA pins (why, are pins still used with the new FSAid, don't think so?), TAP logins for student and parent,... The other problems occurred when you would be shunted to a pop-up box to complete some task outside of the FAFSA site (creating the FSAid, or the IRS retrieval process). When you completed the task, you returned to the FAFSA site to realize you'd been timed out, without saving your info! Applying for TAP used to be one-click after completing the FAFSA, now it is as complex as the FAFSA. You feel like you are going round in circles logging in to accounts left and right.

[Deleted]

The online pharmacy for our healthcare provider recently "upgraded" their system and decided that for reasons known only to them, DH and I could no longer use the same email address for notifications about our prescriptions.  Problem is DH doesn't have his own email, DH doesn't email anyone, and DH would seriously screw up any email he had because he's not that tech savvy. So I was forced to let him keep using our communal email and reset my pharmacy notifications to a gmail account I have for miscellaneous carp.  This week I went online to order a refill, verified that they had my new email and waited for a notice that my refill was ready.  And waited.  And waited.  Finally it came to-you guessed it-the original email address they said I couldn't use anymore    I thought about calling them but figured that conversation would raise my BP more than my refill could handle and talking to stupid never fixes it.

[TheOtherMe]

I received the email today from Social Security that their new "enhancements" are over with for now.

I'm guessing elderly people don't have access to computers.