So, on September 19th, my credit union decided to implement some new security features, and as a result I will not be using them any longer. Let’s start at the beginning.
When I opened my account at Hughes, they were one of the first small credit unions to have online banking. Now, all they needed was my account number, and my PIN. SSL site, I was happy. I could have my computer automatically login for me and download my accounts, and import them into Quicken. The point was, I didn’t need to interact much with the poorly designed interface.
Sometime after that (and some time ago) they decided they needed more security in the midst of the ZERO reported cases of theft of information. So they put a captcha there. For those who don’t know, a captcha is a test to distinguish biological entities from machines, via a simple task such as typing the word/letters in the graphic. Whatever, this was easy to defeat using a Java servlet, a database, and a Greasemonkey script. With a month of captured info and a little bit of math, I figured out the relationship between the image name (it’s a 128-bit hex number, hint hint) and the image’s “code”, and with a Greasemonkey script I was back at it again. They didn’t change the algorithm too much when they “improved” security either. It was a pain in the ass with the captcha, and I was close to moving my money when they did this, but the cracking of their captcha system presented me a challenge that I had no choice but to accept.
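The design flaw described above is that the image name was derived from the captcha’s answer, so the identifier itself leaked the solution. As an added illustration (this is not code from Hughes, Cavion, or the post’s author), here is the shape a challenge issuer should take instead: the public id is 128 random bits chosen independently of the answer, the answer lives only server-side, and each challenge is single-use and expires. The class name, the two-minute TTL and the six-character answer alphabet are my own assumptions.

```python
# Added example: CAPTCHA challenge ids that carry no information about the answer.
# Not the credit union's or vendor's code; names and parameters are assumptions.
import hmac
import secrets
import string
import time

CHALLENGE_TTL_SECONDS = 120          # assumed: two minutes to solve a challenge
ANSWER_ALPHABET = string.ascii_lowercase + string.digits
ANSWER_LENGTH = 6


class CaptchaStore:
    """Server-side mapping from an opaque challenge id to its expected answer.

    The id comes from secrets.token_hex(16): 128 bits from the OS CSPRNG, with no
    functional relationship to the answer, so harvesting ids and images over time
    yields nothing that predicts a future answer. Challenges are consumed on the
    first verification attempt (right or wrong) and expire after a TTL.
    """

    def __init__(self, ttl=CHALLENGE_TTL_SECONDS, clock=time.monotonic):
        self._ttl = ttl
        self._clock = clock               # injectable for testing expiry
        self._pending = {}                # challenge_id -> (answer, expires_at)

    def issue(self, answer=None):
        """Create a challenge. Returns (challenge_id, answer).

        The answer is handed only to the image renderer; the client sees the id
        and the rendered image, never the answer text or anything derived from it.
        """
        if answer is None:
            answer = "".join(secrets.choice(ANSWER_ALPHABET) for _ in range(ANSWER_LENGTH))
        answer = answer.strip().lower()
        challenge_id = secrets.token_hex(16)
        self._pending[challenge_id] = (answer, self._clock() + self._ttl)
        return challenge_id, answer

    def verify(self, challenge_id, submitted):
        """Check a submission. The challenge is removed whether or not it matches."""
        entry = self._pending.pop(challenge_id, None)
        if entry is None:
            return False                  # unknown, already used, or already purged
        answer, expires_at = entry
        if self._clock() > expires_at:
            return False                  # expired; do not accept late answers
        # Constant-time comparison so timing does not reveal how many characters matched.
        return hmac.compare_digest(answer.encode(), submitted.strip().lower().encode())

    def purge_expired(self):
        """Drop expired challenges so abandoned ones do not accumulate. Returns count removed."""
        now = self._clock()
        stale = [cid for cid, (_, exp) in self._pending.items() if now > exp]
        for cid in stale:
            del self._pending[cid]
        return len(stale)

    def pending_count(self):
        return len(self._pending)


if __name__ == "__main__":
    store = CaptchaStore()
    cid, answer = store.issue()
    print("challenge id:", cid, "(render this answer into the image, do not send it)")
    print("correct answer accepted:", store.verify(cid, answer))
    print("replay of same id rejected:", store.verify(cid, answer))
```

Usage: call `issue()` when rendering the login page, embed only the returned id in the form and image URL, and call `verify()` once on submit. Because the id is random rather than a function of the answer, two challenges with the same answer get unrelated ids, which is the property the original system lacked.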
Now for why I’m really pissed off. Here’s what I have to do to log in NOW, after these new updates that are brought on by yet another ZERO theft cases. First, I put in my account number and solve their captcha (same algorithm as before, tee hee) and hit next. Then, they ask me one of the 3 question/answer pairs I gave them when I went through the mandatory setup procedure; I have to enter the answer and hit next. Then they show me my code word, which I’m supposed to verify, and THEN I’m allowed to type in my PIN and login to the e-banking interface. This is too much of a pain in the ass for me to put up with.
So, all you fucking retards at Hughes, for not allowing the user to opt-out of this ridiculous waste of time security system, I’m taking my money (and my business) elsewhere. You fucked up for the last time. I won’t even tell my readers how you botched up bigtime with your pathetic bill pay service. Wait, yeah, I will. Long story short, I set up a bill payment, and they sent it to the wrong place. I resolved the issue with the payee (who, surprisingly, have had this happen before with Hughes customers, and Hughes failed to resolve the problem) but it’s still 2 hours of my life I wasted.
If anyone from Hughes is reading this, you need to let your users decide if they’re too stupid to fall for phishing. I’m not an idiot, I know more about phishing attacks than the people that actually DO them, and I also know how to socially engineer any of the info I need to get through your system out of the victim, without spamming them. Your system is useless, and you need to provide a way for the user to opt-out of this junk and get back their good old-fashioned username and password. I will recommend to anyone I can that they NOT do business with you until this is resolved! You already lost one customer, and I foresee many more to come.
If anyone from Cavion (the people who make the e-banking software interface for HFCU) is reading this, design an opt-out into your software. Also, I don’t know who designed your captcha system, but it’s too simple to prevent any benefit.