My continued judging adventures

Yesterday I judged my first ever Magic Vintage event, the Star City Games Power 9 Series, Boston. (Vintage is the format where almost every card ever printed is legal, but several overly-powerful cards are restricted to 1 per deck. This particular event allowed up to 10 proxies.) We had 116 players (I think), and the prizes were the top 8 players drafting a set of the “Power 9” cards, which are 9 old cards with a total secondary market value on the order of about $3,000. There’s nothing quite like deckchecking a $1,000+ deck. It was a fun experience, and while I don’t anticipate getting into the Vintage scene much, I’m very glad I went. There were all sorts of fun old cards and interesting interactions and interesting decks.

Next weekend is the Time Spiral prerelease, where I’ll be judging in Hartford again.

Two weeks after that, the set comes out, and I’m tentatively planning on running a big event at WPI for the release. (There seem to be a lot more players there than there used to be.) It should be a bunch of fun as well.

More about my bank

Last time, I mentioned that my bank seemed to have at least one lax security policy (or at least a lax security policy implementation), and I promised I’d share more.

So, last month my bank started requiring “Two-Factor Authentication” (as they call it), so that just a password isn’t enough to authenticate me to my bank’s web site. Now, this makes some sense, as this is my bank’s site, and a user posing as me could send a check to themselves with the online bill-pay service and clean out my account.

So, the implementation of this Two-Factor Authentication is something they call The Matrix. It consists of an 8 by 5 grid of numbers that I’ve received, and whenever I need to log onto my bank’s site they ask me for three of the numbers, specifying them by their coordinates. (Each number is labeled by a letter for the column and a number for the row.)

Now, this seems okay so far. If my password were compromised, then an attacker still wouldn’t be able to get in without having this matrix as well. And, even if they could intercept the numbers I type in for one login, they wouldn’t be able to use those for the next login. Presumably, my password would change (since I need to change it every so many days) before an attacker could gather enough numbers to be able to do anything.
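To put numbers on that last assumption, here is an added example (not from the original post, and not the bank's code) that computes how much of the grid's protection survives after a number of logins have been observed. It assumes each challenge picks 3 distinct cells uniformly at random and independently of earlier logins, which the post does not state; the function names are hypothetical.

```python
from fractions import Fraction
from math import comb

COLS, ROWS, ASKED = 8, 5, 3      # grid shape and cells per challenge, from the post
CELLS = COLS * ROWS              # 40 cells in total

def step(dist):
    """Advance the distribution of 'cells already exposed' by one observed login."""
    nxt = {}
    for known, p in dist.items():
        for new in range(ASKED + 1):
            # Hypergeometric: 'new' of the ASKED challenged cells were not exposed before.
            ways = comb(CELLS - known, new) * comb(known, ASKED - new)
            if ways:
                q = p * Fraction(ways, comb(CELLS, ASKED))
                nxt[known + new] = nxt.get(known + new, 0) + q
    return nxt

def replay_success(observed_logins):
    """Probability that a fresh challenge asks only for cells exposed in earlier logins.

    Assumption (not from the post): challenges are uniform and independent.
    """
    dist = {0: Fraction(1)}
    for _ in range(observed_logins):
        dist = step(dist)
    total = comb(CELLS, ASKED)
    return sum(p * Fraction(comb(k, ASKED), total) for k, p in dist.items())

def logins_until(threshold):
    """Smallest number of observed logins at which replay_success reaches threshold."""
    n = 0
    while replay_success(n) < threshold:
        n += 1
    return n

if __name__ == "__main__":
    for n in (1, 5, 10, 20, 40):
        print(f"{n:3d} observed logins -> {float(replay_success(n)):.4f}")
    print("logins for a 50% chance:", logins_until(Fraction(1, 2)))
```

Under these assumptions the second factor only holds up if the grid is reissued well before that many logins could have been observed, independent of how often the password changes.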

However, I see a couple really big problems with this approach. This Matrix, the secure piece of technology being added here, is just sent to my email. It’s not encrypted or anything. So, it sure seems to me that anyone able to read my password or the numbers I send for one login attempt would have a much easier time trying to read my email, especially as it’s unencrypted all the way between the bank and my mail provider. I really doubt it would stop phishing attempts as well, as they would just need to do some kind of man-in-the-middle attack (basically be a proxy between me and my bank’s site) presenting my credentials to my bank’s site. Am I missing something here? It may make things slightly harder for an attacker, but I think that it’s primarily just adding (1) more difficulty in use, and (2) a false sense of security.

In another bank-related story, I found it quite interesting that today I received in the mail a savings account statement, which the bank paid 30.8 cents in postage to send to me, and whose entire point was to inform me that they paid me 1 cent in interest last month. (I haven’t been using the account lately, preferring a much higher yielding money market account at a different institution.)

And yet, somehow, I don’t get the feeling that any other bank would really be any different…

Scary quote of the day

“Okay, your password has been reset to ‘password2’.” — The customer service rep. at my bank, after calling them, telling them that my account on their web site was inactive due to me mistyping my password too many times, and telling them my name.

There was no verification beyond me telling them my name.

More about the false sense of security when logging into my bank in the next update…