Over the next few weeks I plan to send out these personalized pleas for saner security to the banks and insurance companies that I work with. I felt that, as customers, it was time that those of us who are more technically literate made a stand and did whatever we can to get these companies to pay attention and do the right thing for all of us. Therefore, I figured I'd make this a public letter that others can reuse or recycle. To that end, the letter that follows may be considered for use under the CC0 license.
Dear Bank or Insurance Company,
Given that you and I are both greatly concerned with the security of the accounts that I have entrusted with you, I think it is well past time that we sat down and had a serious conversation about security.
Frankly, I am tired of answering your "security questions". We should both know by now that this is NOT two-factor authentication and that it is a charade. (http://thedailywtf.com/Articles/WishItWas-TwoFactor-.aspx)
Real two-factor authentication has gotten to the point in the last several months that it should be impossible to continue to ignore the elephant in this room. Real two-factor authentication is now both ridiculously accessible and sufficiently cheap that there should no longer remain any excuses not to support it. At this point every smart phone platform has at least one standards compliant TOTP application. Even truly physical tokens are cheap enough that you could (and should!) give them out like party favors to your customers, as a benefit to both of us. For instance, Amazon Web Services has partnered with Gemalto (http://onlinenoram.gemalto.com/) for $13 TOTP tokens and the video game Star Wars: The Old Republic is selling branded tokens for $5.
That's right, video games currently have better online security than you do. There are no more excuses left. Please, I am begging you, let us end this embarrassment together. Please, please, at the very least, allow me, as your customer and as a technically literate customer, to switch to a real two-factor authenticator and never have to answer one of your "security questions" again.
Let's see if we can get any results at all.