I’ve written before about the nonsensical nature of UK banking websites, with security theatre that’s supposed to make us feel that a sequence of restrictive usernames, passwords, passcodes and memorable words (all passwords of one form or another) linked with publicly available information (date and place of birth, etc.) is somehow keeping us safe.<\/p>\n
Unfortunately, that farce looks set to\u00a0continue for some time to come…<\/p>\n
Recently, my bank (First Direct) went a step further in an attempt to introduce a second factor to its logon process (i.e. something I have, in addition to something I know).<\/p>\n
“Bravo”,\u00a0I thought, “at last,\u00a0similar security measures for consumer banking, to those that are used on the back-end by employees”… except I was wrong. \u00a0At least, I hope I was.<\/p>\n
First Direct gave me three options<\/a>:<\/p>\n On the basis that any\u00a0device sent to me is unlikely to be\u00a0where I am when I need it, I elected for the app option and, after upgrading the First Direct app\u00a0on my phone, I went through a registration process. \u00a0I don’t recall the details of the process but the end result is that I now have a “Digital Secure Key password” (oh goody, another password!) in the mobile banking app, that can be used to generate a code to log on to the full website via my browser.<\/p>\n And\u00a0how complex is this “Digital Secure Key”? Just 6-9\u00a0alphanumeric characters – no better than a very simple password – and\u00a0as that’s now the only level of security between a mobile phone thief and my bank account (aside from a PIN on the phone), the app on my phone\u00a0actually less secure than it was previously with the\u00a0username\/memorable data combination!<\/p>\n Registered for @First_Direct<\/a> Digital Secure Key (PIN via mobile app), only to find it still relies on a 6-9 char password! #SecurityTheatre<\/a> \u2014 Mark Wilson (@markwilsonit) May 18, 2014<\/a><\/p><\/blockquote>\n\n