First Direct bank here in the UK have managed to infuriate their online customers by forcing an en masse change of authentication credentials. Read all about it here: http://news.bbc.co.uk/1/hi/business/6446919.stm. All credit to them for trying to improve security for their customers, but I wonder how much more secure the new procedure actually is.
It seems obvious that First Direct are caught between a rock and a hard place. They clearly want to improve security, and in doing so have increased complexity, making it harder for customers to gain legitimate access to their own accounts. But while the added complexity locks out otherwise authorised customers, does it really make things more secure? According to this report from APACS, of 15 million online banking customers it is claimed that less than half “regularly update their anti-virus software, with only 1 in 10 people having anti-spam software installed and about a third having a firewall.” Not only does this fly in the face of the advice given by the “Bank Safe Online” campaign and make you wonder who actually reads that advice (or even knows it is there), it also means that a key logger on a compromised PC captures a longer or more complex static credential just as readily as a short one. Until the banks move to additional authentication factors that mitigate key loggers and other insidious spyware, the measures taken by First Direct are ultimately futile because, if the statistics are true, a large proportion of their online customers are potentially already compromised.
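To make the key-logger point concrete, here is an added illustration that is not part of the original post and does not describe First Direct's actual login system: a toy bank login in Python in which a simulated key logger records everything a customer types during one genuine login. The captured static password replays successfully no matter how long it is, whereas a captured one-time code (HOTP/TOTP as specified in RFC 4226/6238) does not, because the server refuses any time step it has already accepted and the code no longer matches once the clock has moved on. The password, login timestamps and bank class are constructed for the example; the OTP seed is the published RFC test-vector key so the code values can be checked against the specification.

```python
"""Added illustration: a key logger defeats any static password, but not a one-time code.

Toy model only; it does not describe First Direct's real login procedure.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30

# Constructed example secrets. The OTP seed is the RFC 4226/6238 test-vector key.
PASSWORD = "Correct-Horse-Battery-Staple-2007!"
OTP_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // STEP_SECONDS, digits)


class BankLogin:
    """Constructed server side: static password only, or password plus one-time code."""

    def __init__(self, password: str, otp_secret: bytes) -> None:
        self._password = password
        self._otp_secret = otp_secret
        self._last_counter = -1  # highest time step already accepted

    def login_static(self, typed_password: str) -> bool:
        # Whatever was typed is enough; nothing ties the secret to this attempt.
        return hmac.compare_digest(typed_password, self._password)

    def login_with_otp(self, typed_password: str, typed_code: str, unix_time: int) -> bool:
        counter = unix_time // STEP_SECONDS
        if counter <= self._last_counter:
            return False  # replay of a time step that has already been consumed
        if not hmac.compare_digest(typed_password, self._password):
            return False
        if not hmac.compare_digest(typed_code, hotp(self._otp_secret, counter)):
            return False
        self._last_counter = counter
        return True


def keylogger_replay() -> dict:
    """Customer logs in once; a key logger records every keystroke; the attacker replays them."""
    bank = BankLogin(PASSWORD, OTP_SECRET)
    login_time = 45  # constructed timestamp (seconds since the epoch), inside time step 1
    customer_code = totp(OTP_SECRET, login_time)  # what the customer reads off the token
    captured = {"password": PASSWORD, "code": customer_code}  # what the key logger saw

    genuine = bank.login_with_otp(captured["password"], captured["code"], login_time)
    # Attacker replays the static password: accepted regardless of its length.
    static_replay = bank.login_static(captured["password"])
    # Attacker replays the captured one-time code within the same 30-second step...
    otp_replay_same_step = bank.login_with_otp(captured["password"], captured["code"], login_time + 5)
    # ...and again two minutes later, when the code no longer matches the counter.
    otp_replay_later = bank.login_with_otp(captured["password"], captured["code"], login_time + 120)
    return {
        "genuine_login": genuine,
        "static_password_replay": static_replay,
        "otp_replay_same_step": otp_replay_same_step,
        "otp_replay_later": otp_replay_later,
    }


if __name__ == "__main__":
    for name, outcome in keylogger_replay().items():
        print(f"{name}: {'accepted' if outcome else 'rejected'}")
```

Two caveats a practitioner would add. Real servers usually accept a small window of adjacent time steps to tolerate clock drift, which is why the same-step check above also tracks the last accepted counter rather than relying on time alone. And a one-time code only defeats capture-and-replay-later; spyware that relays the typed code to the attacker in real time, within the validity window, is not stopped by it, which is the argument for transaction-signing tokens rather than plain login codes.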
The banks need to be doing the equivalent of what they do when you walk into a branch and want to withdraw cash in person: they ask for identification that proves, as far as possible, that you are who you say you are, such as a driving licence or passport. Asking an unknown individual to type a series of characters on a keyboard gives nothing like that level of assurance.
My question is: do First Direct think they are doing the right thing, or do they simply want to be seen to be doing the right thing by a mostly (as the statistics suggest) ignorant consumer market, in which “62.5% (nearly two thirds) never change their password and 1 in 5 use the same password for non-banking websites as well as their online bank” (taken from the APACS report)?
Quite honestly, being made to enter a few more characters as added security when you are not protecting your PC from spyware in the first place is like leaving your front door open and your wallet on the doormat when you go on holiday and hoping no one will notice.