Banking Security – Part 2

A look at the misplaced confidence, trust and liability that surrounds the consumer banking industry.

In last week’s post we looked over the physical security around the use of bank and credit cards. This week we focus on remote banking services such as telephone and internet, the security measures that are enforced and why they often aren’t worth the effort. These posts are not seeking to suggest a solution but are intended to raise awareness of the risks in the hope that you might be better equipped to spot a problem and deal with it should you be so unfortunate.

Security Checks

Traditional security checks were based on personal information that supposedly only the account holder would know, but this has always been flawed in that most of the information they would ask for is public record. As for other nuggets of information such as favourite holiday destination, there are comparatively few possible answers and humans are inherently bad at keeping secrets; if you had the time of your life in Las Vegas there’s a good chance that a lot of people would have heard about it.

The introduction of passwords did little to counter these problems because humans are inherently bad at remembering stuff, more so if it’s something that is not used often. As such, security checks have to account for people forgetting their password, so you’d be asked some ‘security questions’ and we’re back to square one. These problems are prevalent in telephone banking and are no better with internet banking services.

Tell them a story…

One novel approach that I’ve witnessed is to construct a fictitious persona for the sole purpose of security validations. The information is used only for security validation, so this is not fraud; it would only be a problem if you gave false information that affected a credit rating or service privileges. Problems arise when there is a crossover between account information and security checks, such as your date of birth. This is quite labour intensive and needs 100% commitment: if you flit between real data and made-up data you’ll likely lose track of which maiden name is needed for which account.

Two-Factor Authentication

Recently many banks have introduced two-factor authentication for internet banking, typically something you know (a password) and something you have. The second is typically a physical device such as a small key fob that generates a one-time passcode (OTP). If somebody gets their hands on the physical token it’s useless to them without your password, and if they guess your password it’s useless without the token. This is a significant improvement, although it is still susceptible to a targeted attack.

The biggest problem with this in my opinion is the implementation; yes, they improve security, but they are often so clunky or intrusive that they become a pain to use. Barclays provide a card reader the size of a pocket calculator which you need to use when setting up a new payment; you insert your card and enter a PIN to generate an OTP. HSBC provide a smaller key fob, however you need to use this every time you log on, so the improvement in size is offset by practicality.

Both of these irritate me because it means either having to carry an extra device with you at all times or only being able to do your online banking at home. Santander have a reasonable solution in my opinion; as with Barclays you only need an OTP if you’re setting up a new payment, however the OTP is sent to your phone as a text message. For me this strikes the right balance of convenience and protection: I don’t need to carry anything other than what I normally would, and if someone guesses my password they can see my bank balance but they still can’t extract my money.
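To make the “useless without the other factor” property concrete, here is an added example (not code from the post or from any of the banks named) of a bank-side login check that needs both a password and a fob-generated OTP. It assumes the fob is an RFC 4226 HOTP token, which the post does not specify, and the toy back end class and its names are constructed for this illustration.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: fob and bank share a secret key and a counter; each
    press yields HMAC-SHA1(key, counter) dynamically truncated to 6 digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class BankLogin:
    """Constructed toy back end: a salted password hash, the fob's shared
    secret, and a counter that only ever moves forward."""

    def __init__(self, password: str, fob_key: bytes, look_ahead: int = 5):
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._derive(password)
        self._fob_key = fob_key
        self._counter = 0            # next counter value the bank expects
        self._look_ahead = look_ahead  # tolerate a few unused button presses

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def login(self, password: str, otp: str) -> bool:
        """True only when BOTH factors check out. A single False covers every
        failure so a caller cannot tell which factor was wrong."""
        password_ok = hmac.compare_digest(self._derive(password), self._pw_hash)
        matched = None
        for c in range(self._counter, self._counter + self._look_ahead):
            if hmac.compare_digest(hotp(self._fob_key, c), otp):
                matched = c
                break
        if not (password_ok and matched is not None):
            return False
        # Consume the code: the same OTP can never be replayed, and codes
        # generated by earlier presses are retired along with it.
        self._counter = matched + 1
        return True
```

A stolen fob with a guessed-wrong password, a known password with a guessed OTP, and a replayed OTP all come back as the same plain failure.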

‘Improved’ Security

Recently the leading credit card issuers have introduced additional checks when buying things on the web, commonly known as 3D-Secure and Verified-by-Visa. The intention of these is to reduce fraud by making sure that the person entering card details is really the card owner. Unfortunately these tools add a burden to the card owner and do nothing to improve the security, because they fall into the same rut as traditional identity checks. In order to reset your password you’re asked to enter a few bits of information: the account number, CVV code and expiry date are all printed on the card along with your name, and the last bit of information is your date of birth, which we’ve already seen to be trivial and publicly available.

If someone gets hold of your credit card they can start racking up internet charges despite the banks, card authorities and merchants claiming to have invested heavily in providing a secure process. This is akin to the misguided promotion of security that the banks paraded with the introduction of Chip&Pin, in that it is no more difficult for a crook to learn your PIN than it is for them to forge your signature.

As I’ve mentioned previously, these posts are not looking to solve any problems or failings, they are intended to highlight some risks and weaknesses so that you might be better prepared to deal with any unfortunate instances that might arise. Of course you could choose to not use debit cards, credit cards, telephone banking or internet shopping but you’d also have to wave goodbye to a large portion of convenient living that we’ve all become so dependent upon, which is unlikely!
I hope this helps 🙂 and as always please drop any questions down below…