As I said before, when you click on "Forgot Password?" some sites will just ask for your email address and, if it matches what is on file, they will email you something. When you forget your password, each site has different means to get you going again. Banks usually have the HIGHEST security as they are governed by the feds. In most cases, they will NEVER be able to send you your password because they can't read it at all. They can only send you a link that will get you onto the site so you can change your password. Usually, you will be using an SSL link (encrypted) to type in your password. If you forgot your password, then you will have to answer security questions. Some are of the type that everyone is commenting on, others may be date of birth, SSN (whole or part) and maybe something else that they have on file. After this, they will mail you a link (not necessarily a temporary password) that will allow you to get in and put in a new password.
Some extra security my bank has are alerts. You can get these by email, SMS or both. These will tell you when your password has been replaced and even if there was a change in your security answers. The idea being, if someone did manage to hack your login, you will find out and call the bank or the bank may even call you if something suspicious is going on. You can try to call them but you won't be able to get them to tell you the security questions nor answers. As you've said, these are all probably sent encrypted (SSL) and are probably kept encrypted (SHA-1?). There is no need for anyone at the bank to know your password nor the answers to security questions. They can ask you questions, including a security question (or two) and they type in the answer you gave them. This is then encrypted and the encrypted answer is compared to the stored encrypted answer. If they match, you are who you say you are. What scares me are these other sites where you click on Forgot Password and they actually send you your password. In clear text no less! What you usually find is that these sites do not have any "regulations" like banks have and there usually is no real need for extra security by the nature of the site.
An interesting thing users might want to check is if there is anything devastating that a hacker can do if they DO somehow get into your account. People should take a look. For example, someone could move money between my accounts. Big deal. There are a few things that I don't use that might be a big deal, such as "bill pay" or "transfer money to another bank customer". That's where you just have to hope that the bank has other ways to protect those operations such as sending you an email with a link for confirmation or other means to catch suspicious activity.
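An added sketch, not part of the reply above and not any bank's actual code, of the two mechanisms the reply describes: comparing a typed security answer against a stored one-way value without anyone being able to read it, and mailing a reset link instead of a password. All function names, the `bank.example` URL, the 15-minute lifetime and the choice of salted PBKDF2-HMAC-SHA256 are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
import unicodedata

PBKDF2_ROUNDS = 100_000   # assumed work factor for this sketch
RESET_TTL_SECONDS = 900   # assumed 15-minute link lifetime

def normalize(answer):
    # Fold case and whitespace so "  Fluffy " and "fluffy" compare equal.
    text = unicodedata.normalize("NFKC", answer)
    return " ".join(text.casefold().split()).encode("utf-8")

def enroll_answer(answer):
    # Only a random salt and a slow one-way digest are kept on file.
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest}

def check_answer(record, typed):
    # Re-derive from what was typed and compare in constant time.
    candidate = hashlib.pbkdf2_hmac(
        "sha256", normalize(typed), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, record["digest"])

def issue_reset_link(base_url, now):
    # The random token goes in the mailed link; the server keeps only
    # its hash, an expiry time and a single-use flag.
    token = secrets.token_urlsafe(32)
    record = {
        "token_hash": hashlib.sha256(token.encode()).digest(),
        "expires": now + RESET_TTL_SECONDS,
        "used": False,
    }
    return base_url + "?token=" + token, record

def redeem_reset_token(record, presented, now):
    # Valid only if unexpired, unused and matching the stored hash.
    if record["used"] or now > record["expires"]:
        return False
    presented_hash = hashlib.sha256(presented.encode()).digest()
    if not hmac.compare_digest(presented_hash, record["token_hash"]):
        return False
    record["used"] = True
    return True
```
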