Security without a smile
Posted on 8 Jul 2008 at 14:20
This month, Davey Winder isn't smiling about transactional security and gets his knickers in a twist over spam-address spoofing.
The first response he received from someone called Ron included this rather incredible justification: "If we allowed all customers to pick their own password, it would require another computer, and access to that computer by advisors to amend passwords for customers who have forgotten what it was, or want it amended." Or put another way, we would have to buy another server and invest some money in customer service to ensure the system worked. John Colley, another chap I spoke to about banking security for the PC Pro feature, a chap who used to be Group Head of Information Security at the Royal Bank of Scotland and Head of Risk Services at Barclays Bank, said that banks "will weigh up investment against fraud losses".
Matthew meanwhile stuck to his guns and responded to the Smile brush-off with: "Smile has decided what password will be used and linked it to my online account. With all my other credit cards, I have personally chosen my password for VbV (normally at least nine characters, randomly alphanumeric) and this password is not linked to any other account. By using the memorable name and linking it to my online account, you have not increased security, but reduced it." This time it was Danielle from Smile who responded, and concluded of the memorable word route to VbV security that: "We feel that that this method is much more secure and customer friendly waymethod [sic] of both registering customers, and authenticating customers, and keeping them fully informed in the process."
Neither Smile nor Visa had responded to my own email request for clarification, but the following fuller email explanation Matthew received from Danielle was illuminating, if only for revealing the bizarre logic being used to justify the move (the only changes I've made are to correct spelling errors): "Thanks for your feedback on this area. The reason why we have chosen to use your memorable name is for the following: With all other Financial Organisations offering the VbV system, customers are given the opportunity to register a Password over the internet the first time they make a transaction on a Verified by Visa internet shopping site. Often, the only questions a customer needs to answer before being allowed to register a password, is confirm the card number, expiry date, and their date of birth. This isn't the most secure method of registering a password for a customer, especially when the password is for authenticating future internet purchases. Another problem with this type of registration, is customers not being aware of the VbV system, and is believing that the request to take further information is a fraudulent request. For this reason, The Co-operative Bank have decided to take a different approach. Rather than giving the customer the opportunity to register a password, CFS will add our customers to the VbV scheme, and will use their memorable name to authenticate them rather than a separate password."
So there you have it, all those other banks and credit card providers are wrong, and using an easily guessed word already linked to the online bank account is obviously the most sensible approach to security that can be taken. I'd strongly urge Smile to reconsider its position and change to a system that allows customers to choose their own secure passwords that aren't in any way linked to their online bank account. Matthew, meanwhile, is changing his memorable name to something that's quite the opposite of memorable and which will then have to be stored in an encrypted file in an attempt to salvage some semblance of real-world security out of this mess. Either that, or he could of course move to a bank that takes a rather more long-trousered approach to the transactional security of its customers...