Why My Bank’s Upgraded Security Blocked Me From My Money



I appreciate my bank's effort to beef up security. But my story illustrates why security tools that aren't ready for prime time may do more damage than good.

How can a bank — or any organization — become less secure in its attempts to become more secure? Let me tell you how.

Security must do two things: Protect and enable. If your security doesn’t enable people to do what they have to do, they will inevitably circumvent it. And that is the path to perdition (and hacking).

Security often fails because people who design security are much better at throwing up roadblocks than they are creating pathways. Both are equally important if a security scheme is to work.

This month brought yet another story chronicling the theft of millions of passwords by hackers, once again highlighting the importance of implementing “not-just-passwords security” at places that really matter.

How two-factor authentication works

Still, I’m about to turn off two-factor authentication at my bank, right at the moment when everyone seems hell-bent to turn it on. Why? Because it doesn’t make me safer if it doesn’t work; it just prevents me from accessing my money.

I’ve run into classic 21st-century red tape headaches with my bank recently as I try very hard to use its two-factor authentication scheme. I often don’t like single-anecdote stories, but occasionally they illuminate larger problems so perfectly they are worth telling. So here goes:

A quick review: Two-factor authentication adds a strong layer of security to a service by requiring two tests be met by a person seeking access — a debit card and a PIN code, for example, representing something you have and something you know. Online banks and websites are slowly but surely nudging everyone towards various forms of two-factor authentication, because it really does make life harder for hackers.

Most of these two-factor forms involve use of smartphones, as they have become nearly ubiquitous. Log on to a website at a PC, confirm a code sent to your phone. Something you have (the phone) and something you know (the password). Simple, but elegant, and far harder for bad guys to crack.

And it’s great, when it works. But what about when it doesn’t work?

A simple glitch

Here’s a simple problem. Consumers get new phones all the time. If the code is tied to the physical handset, a new phone means the code doesn’t work any longer. What then?

Turns out this can be a really vexing problem.

I’ve been a USAA banking customer for decades. The financial services firm has ranked atop customer satisfaction surveys seemingly forever, and for good reason: It really does take good care of members.

At least it did, until it tried to implement two-factor security. I try not to be hypocritical, and follow my own advice, so I turned on USAA’s flavor of two-factor pretty early on. It’s a solid design: A Symantec app loaded onto your smartphone offers a temporary token — a six-digit code — that changes every 30 seconds. The token is tied to the physical handset. Only a person who knows your PIN and can access the token on that handset can log on to the website. You can see all the layers of protection that creates.

Sure, it’s a tiny hassle to pull out the phone every time you want to log on to the website — a larger hassle if your phone battery is dead. But that’s a fair price to pay for security.

However, the hassle becomes immense when it becomes time to change handsets. So immense that as I type this, I cannot access my bank … and have no idea when I will be able to do so. (UPDATE: I was able to fix my login woes 24 hours later.) And that’s happened twice to me in the past year. Why? Chiefly because USAA is not set up to deal with the problem of new handsets.

To review: When I tried to access the website it demanded a token from my phone — a token that was no longer valid because I had a new phone. When I tried to use the phone’s app to access my accounts, USAA asked for a password because it didn’t recognize the phone. I didn’t have a password, I had a token — an invalid token. You get the picture.
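The lockout described above, sketched as an added example (not USAA's or Symantec's code): it assumes the token behaves like a standard RFC 6238 time-based one-time password whose secret exists only on the enrolled handset. The `Bank` class, the account name and both secrets are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds each code stays valid, as described in the article
DIGITS = 6   # six-digit code, as described in the article


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class Bank:
    """Hypothetical server side: one enrolled handset secret per account."""

    def __init__(self):
        self.enrolled = {}

    def enroll(self, account: str, handset_secret: bytes) -> None:
        self.enrolled[account] = handset_secret

    def verify(self, account: str, code: str, now: int, drift: int = 1) -> bool:
        secret = self.enrolled.get(account)
        if secret is None:
            return False
        # Accept the adjacent time steps as well, to tolerate clock skew.
        return any(
            hmac.compare_digest(totp(secret, now + d * STEP), code)
            for d in range(-drift, drift + 1)
        )


def handset_swap_demo(now: int = 1_700_000_000):
    old_secret = b"constructed-old-handset-secret"   # lives only on the old phone
    new_secret = b"constructed-new-handset-secret"   # fresh install on the new phone
    bank = Bank()
    bank.enroll("member", old_secret)
    before = bank.verify("member", totp(old_secret, now), now)
    locked_out = bank.verify("member", totp(new_secret, now), now)
    bank.enroll("member", new_secret)   # the recovery step only the bank can perform
    after = bank.verify("member", totp(new_secret, now), now)
    return before, locked_out, after
```

The new handset produces well-formed six-digit codes, but the server still checks them against the old handset's secret, so access returns only after an out-of-band re-enrollment.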

All that is a predictable technology hiccup that’s not the end of the world. The real problem came next.

The difficult path to a fix

A call to customer service seemed to be my last available option, but that was dismal, too. At various times I wasn’t able to get through to customer service phone lines. What’s much worse, however, is what happened when I did get through.

People change phones roughly every two years, so this new handset problem must come up often enough. Yet it’s obvious to me that USAA operators are not ready to handle the problem when consumers call. Each time I have reached an operator, I had to spend a lot of time explaining the problem — and remember, I do this for a living. On the first successful call today, the operator merely changed my mobile application login settings after putting me on hold for minutes. When I protested that, she said she had to transfer me to a special department, and then the phone went dead.

After a second call and wait, the operator was sympathetic, but put me on hold quickly and wasted a lot of time trying to set me up with a new phone number. It took a while before I could convince her that “new phone” meant “new handset” not “new number,” a mistake I will correct in future calls. We eventually agreed that all I needed was someone to turn off two-factor and issue me a temporary password so I could go in and re-establish the connection between my handset and my account. But after another long hold, and transfers to two other operators, I was told that, sadly, they were having trouble issuing temporary passwords and asked if I could call back in an hour or so.

I’ve left out many steps in this saga. At each stage, of course, I was subject to strict authentication questions. That’s fine — I was asking for a new password, after all. But at the end of my fruitless journey through tech support, when I asked if I could somehow get express treatment when I called back just to find out if I could get a temporary password, I was told, “no.” So I will have to, once again, convince a primary operator of who I am and that I am having token problems and that I need a temporary password. There is obviously no “token problem” script, ready for my problem.
