Comments on: When good security goes bad http://www.edgeblog.net/2007/when-good-security-goes-bad/ Notes from the edge Tue, 06 Jan 2009 11:15:52 +0000 http://wordpress.org/?v=abc hourly 1 By: JR http://www.edgeblog.net/2007/when-good-security-goes-bad/comment-page-1/#comment-63701 JR Wed, 21 May 2008 01:38:15 +0000 http://www.edgeblog.net/2007/when-good-security-goes-bad/#comment-63701 I have a schwab account and just the other day i went to log in..for the last character of my password i hit the wrong key, and it logged my in. So i decided to sign out and sign back in hitting the wrong key agian...and In I am logged!?!?! I have a schwab account and just the other day i went to log in..for the last character of my password i hit the wrong key, and it logged my in. So i decided to sign out and sign back in hitting the wrong key agian…and In I am logged!?!?!

]]> By: Schwabbed http://www.edgeblog.net/2007/when-good-security-goes-bad/comment-page-1/#comment-28506 Schwabbed Wed, 07 Nov 2007 23:36:03 +0000 http://www.edgeblog.net/2007/when-good-security-goes-bad/#comment-28506 Yeek! Yes, they really are that "steal me" about this info there, but it doesn't matter because whenever the markets are getting squirrelly you can't even log into their site for a day or two, because they're so busy taking care of important people. Or something. No, if you selected the email-only choice you don't get anything in the US mail. When we got moved to Schwab they were pushing the email/web option but it then (maybe still) required the user to agree that if their software says you clicked on "Yes" then you can't argue that didn't happen. It seemed pretty dumb. I went through this password question with my own employer when all got switched to Schwab a few years ago. That was before Schwab even had their cute little PIN option. I was just hoping to turn up a blog discussing the actual choices Schwabplan offers. Things like: Charles Schwab Stable Value Fund WRAP ISSUERS* 1. AIG Financial Products 16.2% 2. AEGON 16.2% 3. Bank of America 16.2% 4. IXIS Financial Products 16.2% 5. State Street Bank 16.2% 6. UBS 16.2% Is this "State Street Bank" the same entity as the State Street being sued in the news for putting people's money into wildly risky stuff inappropriately? Yes, I've asked Schwab's help email folks that several times. No response. Yeek! Yes, they really are that “steal me” about this info there, but it doesn’t matter because whenever the markets are getting squirrelly you can’t even log into their site for a day or two, because they’re so busy taking care of important people. Or something.

No, if you selected the email-only choice you don’t get anything in the US mail.

When we got moved to Schwab they were pushing the email/web option but it then (maybe still) required the user to agree that if their software says you clicked on “Yes” then you can’t argue that didn’t happen. It seemed pretty dumb.

I went through this password question with my own employer when all got switched to Schwab a few years ago.

That was before Schwab even had their cute little PIN option.

I was just hoping to turn up a blog discussing the actual choices Schwabplan offers.

Things like:
Charles Schwab Stable Value Fund

WRAP ISSUERS*
1. AIG Financial Products 16.2%
2. AEGON 16.2%
3. Bank of America 16.2%
4. IXIS Financial Products 16.2%
5. State Street Bank 16.2%
6. UBS 16.2%

Is this “State Street Bank” the same entity as the State Street being sued in the news for putting people’s money into wildly risky stuff inappropriately?

Yes, I’ve asked Schwab’s help email folks that several times. No response.

]]> By: Matthew’s Weblog » Wishful Security Thinking http://www.edgeblog.net/2007/when-good-security-goes-bad/comment-page-1/#comment-25284 Matthew’s Weblog » Wishful Security Thinking Wed, 17 Oct 2007 16:29:07 +0000 http://www.edgeblog.net/2007/when-good-security-goes-bad/#comment-25284 [...] that his password had been mailed to him in plaintext from his ’shiny, new 401k’ and he wrote about the disconcerting experience of a financial services company being careless with securi.... Having worked in a financial services company, I can only say that the troubles he encountered are [...] [...] that his password had been mailed to him in plaintext from his ’shiny, new 401k’ and he wrote about the disconcerting experience of a financial services company being careless with securi…. Having worked in a financial services company, I can only say that the troubles he encountered are [...]

]]> By: Darrell Wright http://www.edgeblog.net/2007/when-good-security-goes-bad/comment-page-1/#comment-25038 Darrell Wright Mon, 15 Oct 2007 18:00:29 +0000 http://www.edgeblog.net/2007/when-good-security-goes-bad/#comment-25038 One thing to remember is the people they are dealing with. These are the same people that already printed out the page with the password and put it in a file so that they can later use it to logon to the site. Now if what they wanted was a way to verify the tie between the physical you and the online you, there are definitely better ways. Especially seeing as this does neither. Something like mailing you the password that allows you to be asked more questions. Somewhat the beginning of a CHAP session. But, back to my original point. The people they are dealing with most likely requested something like this. Also, the laws around opening others mail are very severe compared to intercepting wire communications. One thing to remember is the people they are dealing with. These are the same people that already printed out the page with the password and put it in a file so that they can later use it to logon to the site.

Now if what they wanted was a way to verify the tie between the physical you and the online you, there are definitely better ways. Especially seeing as this does neither. Something like mailing you the password that allows you to be asked more questions. Somewhat the beginning of a CHAP session.

But, back to my original point. The people they are dealing with most likely requested something like this. Also, the laws around opening others mail are very severe compared to intercepting wire communications.

]]>