Today I reset every password and pin that I need to get into my online banking page. It was so easy to do, I think I probably would have managed even if I wasn’t in fact me. Which is a bit of a worry, really.

What happened was, I locked myself out by mistyping my password three times.[1] So I reset the password, which has to be confirmed by a call to the international support number (this is a New Zealand bank account, with National).[2]

On the phone to the nice lady from support, I got handed over to a computer system to confirm my identity by punching in a pin. Unfortunately, this is a special pin used only for this purpose, which means I haven’t used it in … oh, three years or so? So I got that wrong. Back to the nice lady, who had some questions for me.

“How long have you had this bank account?” … Good question. I haven’t the foggiest. I suppose I got it in high school, but honestly I’m not sure… I made a wild guess, and told her it was a guess, and judging by her prompting she relaxed the required standards of accuracy considerably. (“Are we talking ten years, twelve, fifteen…?”) Next question: name an address different from where you live now. “All right, I’m convinced you’re who you say you are. I’ll drop you back into the computer system so you can choose a new pin, then I’ll confirm the password reset.”

Really? That’s it? How many years I’ve had my account, and one previous address they have on file for me?

Now I presume there’s more to it than that. I’ve still got a kiwi accent, and I was cheerful and slightly befuddled on the phone. Quick on the address, slow on how long I’ve had the account: the way a legit caller would behave.[3] If I had been me trying to be someone else, I would have been tense and unnatural-sounding, and all the data would have had to come from a file (slow while I look it up, then odd-sounding when I read it out). But if I’d been for instance our sales manager pretending to be me, I would have not just aced the questions but probably got a date with the lady on the other end.[4] To do what I did, you would only need a bit of charm, some not-very-difficult guesswork, and some publicly available information about me.[5]

Now admittedly if the system was less flexible and more secure, I wouldn’t have access to my account at the moment. So on the one hand I’m glad they’ve left loopholes for those of us with less-than-perfect recall. On the other hand, it’s disturbing to think how easily someone really motivated could lock me out of my account — or install a repeating automatic payment with details chosen to blend in with my real expenses, or simply siphon the account dry and hope to shift the dosh on before I notice and call a lock-down.

Having said all that, please don’t go and social-engineer your way into my bank account. (You won’t find much there anyway.) You’re welcome to my student loan, though, if you’d prefer to hack into that.

Coda: a positive suggestion, for a change

I had actually expected to get one of those daft “security” questions (“What is your mother’s maiden name?”, or “What school did you first attend?”). While these are absolutely risible if used as intended,[6] there is a way to use them somewhat more safely: lie. Nobody said the answer has to be true. It just has to reliably spring to mind when you hear the question several years after you first thought it up.[7] It’s still security by obscurity, but I’ll take that over insecurity by transparency-and-flexibility any day.
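The suggestion above amounts to treating a security question as a second password rather than a fact about yourself. As an added illustration (this code is not from the post; the word list is a tiny constructed stand-in for a real passphrase list such as the EFF one, and the question strings are invented), here is how a site or a user-side tool could generate an unrelated random answer per question, estimate how hard it is to guess, and check a supplied answer without leaking timing information:

```python
import hmac
import math
import secrets

# Constructed word list for the demo. A real tool would load a large list
# (thousands of words) so that a few words give 60+ bits of entropy.
WORDS = [
    "anchor", "basil", "cobalt", "dune", "ember", "falcon", "granite", "harbor",
    "iris", "juniper", "kestrel", "lantern", "meadow", "nutmeg", "orchid", "pebble",
]


def fake_answer(n_words=4, words=WORDS):
    """Return a random passphrase to use as the answer to a security question.

    The answer is deliberately unrelated to the question, so nothing in public
    records (birth certificates, school rolls, social media) reveals it.
    secrets.choice draws from the OS CSPRNG, not the predictable random module.
    """
    return " ".join(secrets.choice(words) for _ in range(n_words))


def passphrase_entropy_bits(n_words, list_size):
    """Entropy of an n-word passphrase drawn uniformly from a list of list_size words."""
    return n_words * math.log2(list_size)


def make_answers(questions, n_words=4, words=WORDS):
    """Map each security question to an independently generated random answer."""
    return {q: fake_answer(n_words, words) for q in questions}


def normalise(answer):
    """Case-fold and collapse whitespace so harmless typing differences still match."""
    return " ".join(answer.casefold().split())


def check_answer(stored, supplied):
    """Compare a supplied answer against the stored one in constant time.

    hmac.compare_digest avoids the early-exit comparison that would let an
    attacker learn a correct prefix one character at a time.
    """
    return hmac.compare_digest(normalise(stored).encode(), normalise(supplied).encode())


if __name__ == "__main__":
    # Invented questions of the kind the post complains about.
    questions = ["What is your mother's maiden name?", "What school did you first attend?"]
    answers = make_answers(questions)
    for q, a in answers.items():
        print(f"{q} -> {a!r}")
    print("bits with demo list:", passphrase_entropy_bits(4, len(WORDS)))
    print("bits with a 7776-word list, 5 words:", round(passphrase_entropy_bits(5, 7776), 1))
```

With the sixteen-word demo list a four-word answer is only 16 bits, which shows why the list size matters; five words from a 7776-word list gives roughly 65 bits, comparable to a decent password. The generated answers belong in the same password manager as the account password, since, as note 7 concedes, anything used once every few years will not "reliably spring to mind" on its own.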

Notes:

  1. Muscle memory from ten-finger typing doesn’t work with one finger on a tablet keyboard. In fact it wasn’t mistyping just the password: I forgot my customer number, also stored more in the fingers than in the brain, and which of a number of possible passwords I use for that account.
  2. Ironically, the National Bank of New Zealand was founded in London, owned for many years by Lloyds, and appears to be run from Australia.
  3. Well yes, I’m a legit caller. This time.
  4. The bloke in question once tried to explain to me what a comment in Greek on a YouTube video meant. He didn’t realise I read a bit of Greek — his explanation was entertaining, but not very strongly correlated with the words I recognised. It took some effort to convince him that I actually knew better.
  5. And my bank account details to start with, which are on every printed statement the bank insists on sending me.
  6. Public records, people!
  7. Just like the password and pin didn’t.