Tuesday, March 11, 2014

Unintended Consequences

For the last few months I have been bringing my children (late elementary school and middle school) into the modern age when it comes to finances - setting them up with savings and spending bank accounts, teaching them to track their balances and plan their spending, and showing them how saving over time adds up. An approach my wife and I have taken is to give each child a savings account when they turned 10, that they could use to begin saving money to buy a car when they are of driving age. We offered to match any money they put into savings, but they would not be allowed to withdraw anything until they are 16(ish). We're not talking big money, but even a couple of bucks a week for 6 years can add up to a few thousand dollars ... and with multiple siblings that might be willing to pool their money, they could get a pretty decent set of wheels. But I digress...

In the process of teaching them how to monitor their balances online, we ran into the oddest problem: we could install our bank's mobile app on each of their devices, and the eldest were able to log in without any issues. However, the younger ones got an error along the lines of "the service is not available" when trying to log in. After a few back-and-forth conversations with customer service, we ultimately discovered that the bank blocks access from the mobile app to the user account for any child under 13 years old. The reason is a federal regulation that took effect last summer.

So let me get this straight: a 12-year-old child may have a checking and savings account, checks, an ATM card, and may log in and manage their accounts through the browser-based web site, but not through the mobile app. They can use a browser that could be compromised, instead of a dedicated-purpose mobile app provided by the bank. They can use a browser that uses traditional username/password access instead of the mobile app that uses an added layer of "trusted security."

The specific regulation quoted by customer service was the Children's Internet Protection Act - an FCC regulation first enacted in December 2000 and updated in 2011. This act applies to schools and libraries and requires that they provide protection measures that block Internet access to inappropriate pictures. I suspect however that the service representative was mistaken and meant to say COPPA, the Children's Online Privacy Protection Act.

COPPA is intended to give parents control over the types of information that a website can collect from children. It was updated with new rules that took effect July 1, 2013. The absurdity of this situation though is that a child cannot open a bank account, nor setup online access, without the parent's explicit assistance, and the bank in question provides very strong parental control over dependent children's banking accounts as well as login accounts. The bank already met the requirements of COPPA through its own account management design.

So what is likely to happen? Since the mobile app is tied to a specific device, its use is a form of two-factor authentication, meaning even with a simpler password or PIN on the device, you still get relatively strong overall protection. Through this bank's interpretation of COPPA, some children are likely to use a relatively weak password in the browser, WITHOUT the second authentication factor. Yes, the browser login can be set up to require a code to be sent by text message, but that's less convenient. One of the truisms of security is, if you make security convenient, your audience will in general comply; if you make security inconvenient, the audience will find ways around it.

How long until a child's bank account is compromised because this bank prevents use of a secure and convenient means of managing bank accounts, in the name of protecting children? Oh the irony...

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen