The bank security myth

c: | f: /

Don’t get me started on the “security” offered by systems like RBS Secure when buying things online. Can anyone spell snake oil?

Does your bank inconvenience you when buying something with a debit card online, by asking for a secondary layer of authentication in a tiny ‘secure’ window?

I want to know who dreamed that up.

It purports to provide additional security by guaranteeing that you are the card issuer — and you are actually you — by asking for random letters from a passphrase. This is a wholly unnecessary and wholly unreasonable security measure for many reasons.

Primarily, if someone has your credit card details — which are easy to buy for less than 70p a pop these days — then it’s trivial to change the passphrase in the system. All you need to know to alter the passphrase are two pieces of key info from the card: the name of the account holder, the card number itself (both of which someone has already just bought). And the final piece of required info is…

… my date of birth. Hardly rocket science to find out (Facebook has most people’s dates of birth in full view).

So if “I” — and I use that term loosely since I really mean “anyone” — can change the passphrase at the drop of a hat by knowing three readily-available pieces of info about me, then how can it be secure?

Secondly, I find I have to change the password on that heap of shit system every time I use it because it’s nigh on impossible to choose one that fits a memorable pattern that conforms to the laughable rules they impose in an effort to improve security. So I always forget it.

I’ve had all of the following messages thrown at me when trying to pick some phrase — bloody anything — before the transaction window times out and I have to go through the whole shopping cart / checkout process again.

“Sorry, your password”:

  • must contain at least one number
  • must not have repeated words
  • must not have any part of your name or card number in it
  • must not contain your PIN (forward or reverse)
  • has been used before
  • is too easy to guess
  • is too short
  • is too long (!)

And many besides. Since it’s so overly prescriptive and not altogether bright, the bank in their efforts to appear secure have all but forced people to use something completely unmemorable as a phrase. But for a laugh one day, I out-foxed the error messages with the following password:

aaaaaaa1

I mean, come on!

Scribe for me

(required)

(required, never made visible)

(optional, linked with rel="nofollow")

(required)