A look at the misplaced confidence, trust and liability that surrounds the consumer banking industry.
In last week’s post we looked over the physical security around the use of bank and credit cards. This week we focus on remote banking services such as telephone and internet, the security measures that are enforced and why they often aren’t worth the effort. These posts are not seeking to suggest a solution but are intended to raise awareness of the risks in the hope that you might be better equipped to spot a problem and deal with it should you be so unfortunate.
Traditional security checks were based on personal information that supposedly only the account holder would know, but this has always been flawed inasmuch as most of the information they would ask for is public record. As for other nuggets of information such as favourite holiday destination, there are comparatively few possible answers and humans are inherently bad at keeping secrets; if you had the time of your life in Las Vegas there’s a good chance that a lot of people would have heard about it.
The introduction of passwords did little to counter these problems because humans are inherently bad at remembering stuff, more so if it’s something that is not used often. As such, security checks have to account for people forgetting their password, so you’d be asked some ‘security questions’ and we’re back to square one. These problems are prevalent in telephone banking and are no better with internet banking services.
Recently many banks have introduced two-factor authentication for internet banking, typically something you know (a password) and something you have. The second part is typically a physical device like a small key fob that generates a one-time passcode (OTP). If somebody gets their hands on the physical token it’s useless to them without your password, and if they guess your password it’s useless without the token. This is a significant improvement, although it is still susceptible to a targeted attack.
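To make the "something you know plus something you have" check concrete, here is an added example (not code from the original post, and not any bank's implementation) of how a server might verify a password together with a code from a counter-based key fob. The post does not say which algorithm the fobs use; this example assumes the HOTP scheme of RFC 4226 as a representative one. The shared secret is the RFC's published test-vector value, the password is constructed, and `Account`, `hotp` and `demo` are names chosen for this illustration. It shows the properties the paragraph describes: the code alone fails, the password alone fails, a replayed code fails, and a fob that has been pressed a few times without logging in is still accepted within a small look-ahead window.

```python
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based one-time password per RFC 4226 (HMAC-SHA1 with dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % 10**digits).zfill(digits)


class Account:
    """Server-side record: salted password hash plus the fob's shared secret and counter."""

    def __init__(self, password: str, token_secret: bytes, look_ahead: int = 5):
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(password, self.salt)
        self.token_secret = token_secret
        self.counter = 0                # next counter value we expect the fob to use
        self.look_ahead = look_ahead    # tolerate a few unused button presses

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def _match_otp(self, otp: str):
        """Return the counter that produced `otp` if it lies in the look-ahead window, else None."""
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.token_secret, c), otp):
                return c
        return None

    def login(self, password: str, otp: str) -> bool:
        # Factor 1: something you know. Constant-time compare of the derived hash.
        pw_ok = hmac.compare_digest(self._hash(password, self.salt), self.pw_hash)
        # Factor 2: something you have. Always evaluated, so a failure does not reveal
        # which factor was wrong.
        matched = self._match_otp(otp)
        if not (pw_ok and matched is not None):
            return False
        # Burn the accepted counter and any skipped ones so the same code cannot be replayed.
        self.counter = matched + 1
        return True


def demo() -> list:
    """Walk through the cases the post describes; returns the outcome of each attempt."""
    secret = b"12345678901234567890"   # RFC 4226 test-vector secret, constructed for this demo
    acct = Account("correct horse", secret)
    fob_counter = 0

    def press() -> str:                # simulate pressing the button on the key fob
        nonlocal fob_counter
        code = hotp(secret, fob_counter)
        fob_counter += 1
        return code

    first = press()
    results = [
        acct.login("wrong password", first),     # stolen fob, unknown password -> False
        acct.login("correct horse", "000000"),   # known password, guessed code -> False
        acct.login("correct horse", first),      # both factors -> True
        acct.login("correct horse", first),      # same code replayed -> False
    ]
    press()
    press()                                      # two presses with no login (counter drift)
    results.append(acct.login("correct horse", press()))  # still inside the window -> True
    return results


if __name__ == "__main__":
    print(demo())
```

The look-ahead window is the usual trade-off for counter-based fobs: too small and a user who presses the button idly gets locked out, too large and an attacker who has captured a code has more chances to use it. Time-based tokens replace the counter with a clock and face the equivalent trade-off in clock skew.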
The biggest problem with this in my opinion is the implementation; yes, they improve security, but they are often so clunky or intrusive that they become a pain to use. Barclays provide a card reader the size of a pocket calculator which you need to use when setting up a new payment; you insert your card and enter a PIN to generate an OTP. HSBC provide a smaller key fob; however, you need to use this every time you log on, so the improvement in size is offset by practicality.
Both of these irritate me because it means either having to carry an extra device with you at all times or only being able to do your online banking at home. Santander have a reasonable solution in my opinion; as with Barclays you only need an OTP if you’re setting up a new payment, however the OTP is sent to your phone as a text message. For me this strikes the right balance of convenience and protection: I don’t need to carry anything other than what I normally would, and if someone guesses my password they can see my bank balance but they still can’t extract my money.