As Aladdin's forty thieves discovered to their cost, passwords are only as good as the control you have over who overhears them. A paranoid acquaintance of mine once told me never to sign my real signature except on cheques in case somebody learned to copy it. I remember at the time thinking how much more sense it would make to ask people to write something different every time - rather than just their name - and hold enough handwriting on file at the bank for a graphological computer program to confirm your identity later. It's like CAPTCHAs - only the intended recipient gives the right response to an unpredictable stimulus.
Some time ago Natwest decided to send me the above goodies by way of a token-based security measure. The idea is that they can confirm my identity by presenting a random number on screen and all I have to do is key it into this little unit.. no, wait, insert the card into the unit.. and key in a PIN number they supply to me.. and the number on screen.. and then punch the resulting number on the unit's screen into the browser. Yeah, it's a little over-complicated for two reasons. Firstly, plugging in the card adds nothing. Surely, if they can't manufacture them with unique identifiers in to start with, there could be some sort of setup process which I only do once? No? How about the card being small enough to stay inside the unit at all times? No, that's not allowed either. The additional PIN number is smart but, again, only proves that I know a PIN number which could just as easily be sent to the website on-screen. Just like the three other security codes I need for Internet banking anyway.
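The reader flow just described (card in, PIN in, on-screen number in, resulting number back into the browser) is a challenge-response exchange. The following is an added example modelling that exchange in Python; it is not NatWest's code and the real reader's algorithm is not on this page. The HMAC-SHA256 derivation, the eight-digit truncation, the three-try PIN lock and the sample secret are all assumptions made for the illustration. What it shows is which party checks what: the PIN is checked by the card itself, the card's secret never leaves the card, and the bank consumes each challenge once so a response cannot be replayed.

```python
import hashlib
import hmac
import secrets

# Constructed model of the reader flow: a card holding a per-card secret, a PIN
# checked by the card itself, and a bank that issues a one-shot challenge and
# checks the response. Not NatWest's actual scheme.


def response_code(card_secret: bytes, challenge: str) -> str:
    """Derive the eight-digit response shown on the reader's screen.
    HMAC-SHA256 over the challenge, truncated to eight decimal digits
    (assumed construction; the real device's algorithm is not on the page)."""
    mac = hmac.new(card_secret, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class Card:
    """The chip card plus reader: the secret never leaves this object."""

    def __init__(self, card_id: str, card_secret: bytes, pin: str):
        self.card_id = card_id
        self._secret = card_secret
        self._pin = pin
        self.pin_tries_left = 3          # assumed lock-out threshold

    def respond(self, pin_entered: str, challenge: str):
        """Insert card, key in PIN, key in the number from the screen."""
        if self.pin_tries_left == 0:
            return None                  # card locked after too many wrong PINs
        if not hmac.compare_digest(pin_entered, self._pin):
            self.pin_tries_left -= 1     # PIN is checked locally, not by the bank
            return None
        self.pin_tries_left = 3
        return response_code(self._secret, challenge)


class Bank:
    """Bank side: knows each card's secret, issues and verifies challenges."""

    def __init__(self):
        self._card_secrets = {}
        self._pending = {}               # challenge -> card_id, consumed on use

    def enrol(self, card_id: str, card_secret: bytes) -> None:
        self._card_secrets[card_id] = card_secret

    def issue_challenge(self, card_id: str) -> str:
        challenge = f"{secrets.randbelow(10**8):08d}"
        self._pending[challenge] = card_id
        return challenge

    def verify(self, card_id: str, challenge: str, response) -> bool:
        # No response, or an unknown, already-used or other customer's challenge: reject.
        if response is None or self._pending.pop(challenge, None) != card_id:
            return False
        expected = response_code(self._card_secrets[card_id], challenge)
        return hmac.compare_digest(expected, response)


def demo():
    """Walk the flow once; returns (wrong_pin_ok, right_pin_ok, replay_ok)."""
    secret = b"constructed-per-card-secret"     # constructed sample value
    bank = Bank()
    bank.enrol("card-1", secret)
    card = Card("card-1", secret, "1234")

    challenge = bank.issue_challenge("card-1")
    wrong_pin_ok = bank.verify("card-1", challenge, card.respond("0000", challenge))
    response = card.respond("1234", challenge)
    right_pin_ok = bank.verify("card-1", challenge, response)
    replay_ok = bank.verify("card-1", challenge, response)   # same response again
    return wrong_pin_ok, right_pin_ok, replay_ok


if __name__ == "__main__":
    print(demo())   # (False, True, False)
```

Run it and the three results are: wrong PIN produces no response at all (the bank never sees a PIN), the correct PIN gives a response the bank accepts once, and presenting the same response a second time fails because the challenge has been consumed.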
It's so irritating in fact that the only reason I didn't bin Natwest immediately was that I only need it to set up direct debits, standing orders and the like. So I can leave it at home and forget it exists most of the time. Banks, eh?
But then today I got a message from HSBC, who handle my personal account.
When setting up a payment to a new beneficiary or updating your telephone numbers we will confirm your identity in one quick and simple step - an automated call will be made to your chosen contact number and you will be asked to read out (or enter into your phone's keypad) a code which will be displayed in Internet Banking. Once the code has been recognised the instruction will then be authorised.
Genius! Let's face it, the Natwest doobery is too annoying to take anywhere and is sat at home anyway so I'm losing nothing by having to be at the office to pass security. I don't have to remember another PIN number and I can safely travel about the place without fearing I may lose my little bank unit. But what if I really need to make that transaction away from home? And nobody is available to answer the phone for me?
If none of the contact numbers we hold are appropriate to call you on at the time, the transaction could be delayed (by up to 48 hours) while alternative checks are undertaken.
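The HSBC step quoted above works the other way round from the reader: the bank shows a code on screen and collects it back over a phone call. As an added example, not HSBC's implementation, the Python below models that lifecycle: the code is generated for one specific instruction only, it expires, it is single-use, a limited number of wrong entries locks the instruction, and with no number to call the instruction drops into the delayed path the message mentions. The five-minute validity, three-attempt limit, six-digit code and the sample instructions are assumed values.

```python
import hmac
import secrets

# Constructed model of the phone read-back step: a code shown in Internet
# Banking, tied to one instruction, read back during an automated call.
# Not HSBC's implementation; limits below are assumed values.

CODE_TTL_SECONDS = 300          # assumed: code valid for five minutes
MAX_ATTEMPTS = 3                # assumed: wrong entries before the instruction locks
HOLD_SECONDS = 48 * 3600        # the "up to 48 hours" delay the message mentions


class Instruction:
    """One new-beneficiary payment or contact-number change awaiting authorisation."""

    def __init__(self, customer: str, details: str, created_at: float):
        self.customer = customer
        self.details = details                          # what this code authorises, and nothing else
        self.code = f"{secrets.randbelow(10**6):06d}"   # displayed on screen, never sent to the phone
        self.created_at = created_at
        self.expires_at = None
        self.attempts_left = MAX_ATTEMPTS
        self.status = "created"
        self.hold_until = None


def start_verification(instr: Instruction, contact_numbers: list, now: float) -> str:
    """Pick a number to call; with none available, fall back to the delayed path."""
    if not contact_numbers:
        instr.status = "delayed"
        instr.hold_until = now + HOLD_SECONDS    # alternative checks, up to 48 hours
        return instr.status
    instr.status = "awaiting_call"
    instr.expires_at = now + CODE_TTL_SECONDS
    return instr.status


def confirm_by_phone(instr: Instruction, digits_entered: str, now: float) -> str:
    """Bank-side check of the digits collected by the automated call."""
    if instr.status != "awaiting_call":
        return "not_pending"                     # never started, already used, delayed or locked
    if now > instr.expires_at:
        instr.status = "expired"
        return "expired"
    if not hmac.compare_digest(digits_entered, instr.code):
        instr.attempts_left -= 1
        if instr.attempts_left == 0:
            instr.status = "locked"
            return "locked"
        return "wrong_code"
    instr.status = "authorised"                  # single use: leaves awaiting_call
    return "authorised"


def demo():
    """Exercise the main paths; returns a dict of outcomes."""
    t0 = 1_000_000.0                             # constructed clock value
    pay = Instruction("alice", "new payee (constructed details)", t0)
    phone = Instruction("alice", "change mobile number", t0)
    # Codes are random; make sure the two differ so the cross-check is meaningful.
    while phone.code == pay.code:
        phone.code = f"{secrets.randbelow(10**6):06d}"
    office = ["+44 (constructed office number)"]
    start_verification(pay, office, t0)
    start_verification(phone, office, t0)

    out = {}
    out["other_instructions_code"] = confirm_by_phone(pay, phone.code, t0 + 10)
    out["correct_code"] = confirm_by_phone(pay, pay.code, t0 + 20)
    out["reuse"] = confirm_by_phone(pay, pay.code, t0 + 30)
    out["too_late"] = confirm_by_phone(phone, phone.code, t0 + CODE_TTL_SECONDS + 1)
    away = Instruction("alice", "new payee while travelling", t0)
    out["nobody_to_call"] = start_verification(away, [], t0)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The design point is that the code is worthless on its own: it authorises exactly one stored instruction, for a few minutes, once. Whoever reads it back during the call therefore confirms that instruction and nothing else, which is also why the writer's worry about being away from every listed number ends in the "delayed" branch rather than a weaker check.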