So a month or so ago they decided to change the login system for their website, which means people have to register again and answer a bunch of questions about themselves if they (we) want access again. So far so good: we are promised a new login, which basically consists of a username and password instead of your ID number and the incredibly unsafe 4-digit PIN. The new system is called nothing less than "biometric login". Now, I assume anyone with a slightly greater-than-average curiosity will try to figure out exactly what it means, but there's no real explanation on the website other than something like "it magically knows who you are using a digital fingerprint, of your damn soul". (I'm paraphrasing.)
As part of the registration process, one is asked three "secret" questions (one of mine is "what is your grandmother's first name"), and to choose one out of 10 possible "secret" images to be associated with your account. After this is done, the first 10 times you log in you are asked one of the above-mentioned questions, and to choose the image again. Then, the eleventh time, you can finally forget about this extra step and just provide your username and password.
Now, so far this looks like a regular login system, like countless others on the internets, but the other night I figured out what "biometric" means for Banco del Pichincha. The site decided I wasn't myself, and it gave me this extra question/image step (digital equivalent of the middle finger), because my "behaviour" was different. So, the only thing I can imagine happened is that instead of seeing my bank account data using my "regular behaviour" (i.e. in the morning), I suddenly decided to switch personalities and couldn't resist the urge to look at my transactions late at night. The horror. So, biometric not as in Mission-Impossible-style retina scan or fingerprint technology, but instead by looking at the time you try to log in. I wonder who sold this obviously expensive system to Banco del Pichincha, you geniuses!
Now, all this still kinda looks not-so-bad, except:
- During the last month the website has been down at least a third of the times I've tried it (twitter confirms a lot of users have had the same problems);
- The three questions you are asked are a lot easier to figure out than your password, which by the way is probably unsafe;
- A malicious co-worker can easily get a glimpse at what image you pick when you log in (the image's background turns yellow on click), so that doesn't improve security much either;
- The "behaviour pattern" idea is limited to the login, which makes no sense to me as I would assume it works on the actions you take once you are logged in and doing potentially dangerous stuff.
Need I say more?
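To make the last two points concrete, here is an added example of how a risk-based step-up login is usually scored, so that a single weak signal such as "unusual hour" does not by itself trigger the extra questions, and so that the same scoring also covers sensitive actions taken after login. This is illustration code written for this post, not the bank's system or any vendor's product; every name in it (UserProfile, Event, decide, the signal weights, the threshold and the sample IPs, devices and hours) is a constructed assumption.

```python
# Added example: a minimal risk-based step-up authentication scorer.
# All names, weights and sample data are constructed for illustration.
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class UserProfile:
    # Hours of day (0-23) at which this user has previously authenticated successfully.
    usual_hours: set = field(default_factory=set)
    known_devices: set = field(default_factory=set)
    # Coarse network identity: first three octets of the IPv4 address (simplification).
    known_networks: set = field(default_factory=set)


@dataclass
class Event:
    when: datetime
    device_id: str
    ip: str
    action: str  # e.g. "login", "view_balance", "transfer"


# Weights are assumptions chosen so that an unusual hour alone never reaches the
# threshold: time of day is a weak signal and is easily "wrong" for a legitimate user.
SIGNAL_WEIGHTS = {"unusual_hour": 1, "new_device": 3, "new_network": 2}
# Post-login actions carry their own risk; a plain login or balance view adds nothing.
ACTION_RISK = {"login": 0, "view_balance": 0, "transfer": 3, "change_contact": 3}
UNKNOWN_ACTION_RISK = 3  # fail safe: unrecognised actions are treated as sensitive
STEP_UP_THRESHOLD = 4


def network_prefix(ip: str) -> str:
    """Return the /24-style prefix used as the coarse network identity."""
    return ".".join(ip.split(".")[:3])


def score_event(profile: UserProfile, event: Event):
    """Collect the signals that deviate from the profile and sum their weights."""
    signals = []
    if event.when.hour not in profile.usual_hours:
        signals.append("unusual_hour")
    if event.device_id not in profile.known_devices:
        signals.append("new_device")
    if network_prefix(event.ip) not in profile.known_networks:
        signals.append("new_network")
    score = sum(SIGNAL_WEIGHTS[s] for s in signals)
    score += ACTION_RISK.get(event.action, UNKNOWN_ACTION_RISK)
    return score, signals


def decide(profile: UserProfile, event: Event):
    """Return ("allow" | "step_up", score, signals) for a login or a later action."""
    score, signals = score_event(profile, event)
    decision = "step_up" if score >= STEP_UP_THRESHOLD else "allow"
    return decision, score, signals


def record_success(profile: UserProfile, event: Event) -> None:
    """After the user passes the step-up challenge, the context becomes known."""
    profile.usual_hours.add(event.when.hour)
    profile.known_devices.add(event.device_id)
    profile.known_networks.add(network_prefix(event.ip))


def make_event(hour: int, device_id: str, ip: str, action: str) -> Event:
    """Build an event on a fixed constructed date so only the hour matters."""
    return Event(datetime(2024, 1, 15, hour, 0), device_id, ip, action)


def demo_profile() -> UserProfile:
    """A user who normally logs in from one laptop, one network, in the morning."""
    return UserProfile(
        usual_hours={8, 9, 10, 11, 12},
        known_devices={"laptop-home"},
        known_networks={"203.0.113"},
    )


if __name__ == "__main__":
    p = demo_profile()
    cases = [
        ("late-night login, known device and network",
         make_event(23, "laptop-home", "203.0.113.7", "login")),
        ("morning login, new phone on a new network",
         make_event(9, "phone-new", "198.51.100.4", "login")),
        ("morning transfer, known context",
         make_event(9, "laptop-home", "203.0.113.7", "transfer")),
        ("late-night transfer, known context",
         make_event(23, "laptop-home", "203.0.113.7", "transfer")),
    ]
    for label, ev in cases:
        print(f"{label}: {decide(p, ev)}")
```

The first case is the scenario from the post: a known device on a known network at an odd hour scores 1 and is simply allowed. A genuinely new device on a new network scores 5 and gets the challenge, and the same scoring runs on a funds transfer, so a transfer at an unusual hour (score 4) is challenged while a morning balance check is not. Once a challenge is passed, record_success makes that context known, so the user is not asked again for the same device and network.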