Re: A self-defeating approach?
It's commonplace. Most banks have *ancient* systems, and this is just one of many ways that shows.
If you want ridiculous, until last year the Coventry had a scheme where you had an eight-char password, uppercase alphanumerics only, changeable on request -- they posted you a form with eight boxes in it which you filled out and posted back, and then a few days later the password was changed. This was obviously grossly insecure so they pasted other security challenges over the top of it over time (and lately have replaced it entirely).
I bet this is because the password in question was an actual mainframe account password of some sort, changeable only from an operator console. It had that smell. (This year, they changed to allowing really long passwords, and better yet passwords with no stupid restrictions on what characters must be present, so I can just use the result of a YubiKey's HMAC-SHA1 challenge-response as the password. Finally.)