I’ve written before about the nonsensical nature of UK banking websites, with security theatre that’s supposed to make us feel that a sequence of restrictive usernames, passwords, passcodes and memorable words (all passwords of one form or another) linked with publicly available information (date and place of birth, etc.) is somehow keeping us safe.
Unfortunately, that farce looks set to continue for some time to come…
Second factor authentication
Recently, my bank (First Direct) went a step further in an attempt to introduce a second factor to its logon process (i.e. something I have, in addition to something I know).
“Bravo”, I thought, “at last, similar security measures for consumer banking, to those that are used on the back-end by employees”… except I was wrong. At least, I hope I was.
First Direct gave me three options:
- Send me a device to generate a secure key.
- Use an app to generate a digital secure code.
- Continue using the old methods for Internet Banking logon, with reduced functionality.
On the basis that any device sent to me is unlikely to be where I am when I need it, I elected for the app option and, after upgrading the First Direct app on my phone, I went through a registration process. I don’t recall the details of the process but the end result is that I now have a “Digital Secure Key password” (oh goody, another password!) in the mobile banking app, that can be used to generate a code to log on to the full website via my browser.
And how complex is this “Digital Secure Key”? Just 6-9 alphanumeric characters – no better than a very simple password – and as that’s now the only level of security between a mobile phone thief and my bank account (aside from a PIN on the phone), the app on my phone actually less secure than it was previously with the username/memorable data combination!
Registered for @First_Direct Digital Secure Key (PIN via mobile app), only to find it still relies on a 6-9 char password! #SecurityTheatre — Mark Wilson (@markwilsonit) May 18, 2014
Still, at least there is some kind of second factor for website access…
Never write down your PIN (except when the bank does that for you…)
We all know that we shouldn’t write down the PIN for our cards, yes?
Ever.
It’s in the terms and conditions for your account – and if the bank suspects you have compromised security in this way they are unlikely to be able to help if there is fraud.
I have a Hilton Hhonors Visa card, provided by Barclaycard and, a few weeks ago, they sent me a new card as part of the rollout for Visa payWave (contactless) functionality. The card had a sticker attached, telling me to use it from 23 June – and in the meantime I could use my old card. Separately, they sent a new PIN (quite why my new card couldn’t use my old PIN is beyond me) and, as soon as I received it, I went to an ATM to change the PIN to one I would remember. Except I couldn’t – because the card wouldn’t work until 23 June! I even tried using a Barclays ATM.
In the end, I had to keep the card and the PIN in my house for a few weeks until they were both valid. Doesn’t seem very secure to me… and I wonder who would be liable if the card and the letter had both been stolen in the meantime?
And don’t get me started about 3-D secure
Verified By Visa. Mastercard SecureCode. Just another password to remember – and as far as I can tell just a way for the banks to pass fraud risk on to merchants!
In absolute agreement with you. I’m with FirstDirect too and the new authentication system is a joke. As well as the issues you mention, there’s also the fact that the app constantly wants to update itself just as you need to use it, and you can’t sign in till it’s done. If you’re stuck with no wi-fi in a dodgy signal area this is extremely frustrating. My office is just such a place, and setting up a transfer this morning took me almost half an hour.