[LINK] Medicare "security"

David Lochrin dlochrin at d2.net.au
Thu Sep 11 12:55:19 AEST 2008


   I have steam coming out my ears as I write this!!

   I've had a letter from Medicare sitting on my desk for a while which asks me to log into their website and create an account giving personal details, including an email address and a bank account for lodgement of refunds, so I can make their life easier.  Today I decided to bite the bullet and do it.

   I'll skip the annoying preliminaries and go straight to the point.  They want five questions and answers for purposes of identification.  Five is pretty unusual; normally it's two or three, but I began with "What is my birthday?" and the appropriate response.

   However, specifying personal details then required answers to two of these identifying questions for "high level" authentication, one of which was my birthday.  Now these questions are normally used in a personal verbal interaction, so it's the substance of the answer which matters, and it hadn't occurred to me that the exact date format was important.  But it is - the system apparently compares character strings!!  Entering a question where the answer involves a date must be pretty common, and I can probably think of ten valid formats.

   Since I couldn't remember the exact date format I'd used, I phoned the help desk and was told to create a new account; the old one would just languish in the system.

   Medicare can forget it - I'll stick with snail mail.

   IMO this is a classic example of poorly thought-out design by poorly qualified people, and smacks of the notion that good security consists in digging lots of holes in the hope that an unauthorised user will fall into one.

David
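As an added illustration of the design point raised above (example code, not Medicare's or the list's), the following canonicalises a security-question answer before hashing it, so that the same birthday typed in different formats verifies as one answer. The day-first date formats and the constructed salt are my assumptions.

```python
# Added example (not Medicare's code): canonicalise an answer before storing
# or comparing it, so "11/9/1960", "11 Sep 1960" and "1960-09-11" all verify
# against the same stored value instead of being compared as raw strings.
import hashlib
import hmac
import re
from datetime import datetime

# Day-first formats, as an Australian user would write them (assumption).
# Two-digit years are deliberately absent: "60" is ambiguous (1960 or 2060).
DATE_FORMATS = (
    "%d/%m/%Y", "%d-%m-%Y", "%d.%m.%Y", "%d %m %Y",
    "%d %B %Y", "%d %b %Y", "%B %d %Y", "%b %d %Y",
    "%Y-%m-%d", "%Y/%m/%d",
)


def canonicalise(answer: str) -> str:
    """Return a normalised form: an ISO date if the answer parses as a date,
    otherwise case-folded text with punctuation and spacing removed."""
    text = re.sub(r"\s+", " ", answer.strip())
    # Drop ordinal suffixes ("11th") and commas ("September 11, 1960").
    cleaned = re.sub(r"(\d+)(st|nd|rd|th)\b", r"\1", text, flags=re.I)
    cleaned = cleaned.replace(",", "")
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(cleaned, fmt).date().isoformat()
        except ValueError:
            continue
    # Not a date: keep only letters and digits, lower-cased.
    return re.sub(r"[^a-z0-9]", "", text.casefold())


def store_answer(answer: str, salt: bytes) -> bytes:
    """Hash the canonical answer with a per-record salt for storage."""
    canonical = canonicalise(answer).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", canonical, salt, 100_000)


def verify_answer(stored: bytes, candidate: str, salt: bytes) -> bool:
    """Constant-time check of a candidate answer against the stored hash."""
    return hmac.compare_digest(stored, store_answer(candidate, salt))
```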
