June 30th, 2008

usability: Verification of Challenge Question and Challenge Answer

A website I use regularly requires me to verify my contact information annually. Today, I noticed that the last question on the verification page is for my “Challenge Question” — the question/answer combo that I would need to use if ever lost my password.

Here’s a small screenshot showing this question (click it to see a larger screenshot with more context):
What was the name of your first pet? xxxxxxxxxxxxxxxxxx

As you can see, it shows the question that I chose to use, but for the answer it shows “xxxxxxxxxxxxxxxxxx”, and says “Your challenge answer has been hidden for security reasons.” Then, it asks me to check a box saying “Yes, the information above is correct.” How can I confirm that my challenge answer is correct, if I can’t see it? The number of x’s does not even correspond to the number of characters in my first pet’s name.

While I appreciate that they do not display this relatively-sensitive information (since it’s almost like a password), I feel like it’s silly to ask me to verify something that I can’t see. I refused to accept that the answer was correct, and went ahead and selected/entered a new Challenge Question/Challenge Answer combination.

Posted by spugbrap at 08:53am EDT 3 Comments 

Categories: forms, password, website, security, usability, annoyance, web

May 15th, 2007

FIA Card Services can share your info even after you close your account?!?

From the FIA Card Services (aka Evil Spawn of the Bank of America+Fleet and Bank of America+MBNA mergers) Privacy Policy (emphasis added by me):

This notice describes the privacy practices of FIA Card Services for consumer financial products and services governed by the laws of the United States of America and applies to open, closed and inactive accounts with FIA Card Services.

For some reason, this concerns me a little bit.

I have two open accounts with them right now, and am going to go ahead and opt out of their information sharing options for both accounts. But it’s not people like me that I’m concerned about.

I’m concerned about people who may have ever had an account with Bank of America, MBNA, or any of the other credit card companies that they have collectively gobbled up over the years. People who may have canceled their cards long ago, cut them up, and forgotten all about them. People who may have even thrown away all of their bills/terms/etc., because it’s been so long.

According to the paragraph quoted above, FIA Card Services may share their information with other companies, even if their accounts are closed! Maybe I’m just naïve, but I never would have imagined that after I closed a credit card account, and stopped doing business with a company, they might still share my personal data with arbitrary third parties.

I’ll bet they don’t still mail annual Privacy Policy notices to everyone who has closed accounts. But, all of this may be a moot point. The wording is ambiguous enough that even though they *might* do something with that data, they probably don’t, and I have no positive proof that they actually do engage in this unethical practice. So, they get the benefit of the doubt, for now. But it’s still creepy, and they’re still evil for other reasons.

Posted by spugbrap at 12:05pm EDT No Comments 

Categories: credit_card, money, merger, terms, privacy, mbna, banking, ambiguity, weird, wtf, evil, security, boa, questions

March 2nd, 2007

LANDesk Security and Patch manager is not as friendly as it first seemed.

This afternoon, at work, a dialog popped up from the LANDesk Security and Patch Manager. That’s fine, and all, I don’t mind having the IT people making security patches automatically get installed on my work laptop, when I’m at work.

But, what pisses me off is the dialog that it gave me:LANDesk Security and Patch Manager dialog

At first glance, it looked like it was giving me up to 2 hours to get to a stopping point in my work, before it would force the update to take place. I’m not thrilled with having a deadline before a forced upgrade, but I understand that the sysadmins have tens of thousands of workstations to maintain security on, and the laptop belongs to the company, and so forth. At least this was nicer than forcing the update to happen right away, right?

But then I tried to go back to my work, and it showed its true colors. The stupid LANDesk countdown window (and its parent window) are “always on top”, and do not respond to Minimize messages. There is no minimize icon on the window’s title bar, and the “Show Desktop” shortcut (which usually minimizes everything, even things that don’t have ‘minimize’ options of their own) was ineffective against this LANDesk dialog.

Without getting this dialog to go away, getting any more work done was going to be difficult. :( I did figure out that I could drag that window out of the way, so the leftmost edge of it was just barely visible on the rightmost edge of my screen. Also, my TextPad window had an Always on Top option, which allowed me to bring it above the LANDesk window. But I was already distracted from my work, so I decided to take a couple screenshots, blog about this, and tell it to go ahead and install.

Posted by spugbrap at 02:58pm EST No Comments 

Categories: security, patch, sysadmin, automated, user_interface, usability, update, annoyance, software

February 5th, 2006

Removing empty macros from Excel, to avoid popup security dialog

Anyone that’s ever dealt with Excel has probably seen this security warning dialog about macros:

It’s one thing if the spreadsheet actually has macros in it, especially if it actually *uses* the macros in it. But even if you create a macro, and subsequently delete it, you still get this warning.

I found an Excel FAQ today that included instructions for fixing this. Worked for me!

Posted by spugbrap at 07:38pm EST No Comments 

Categories: macros, warnings, office, excel, microsoft, security, geek