Security offered by UK banks to online customers varies widely, according to a survey by Which? Computing. Abbey and Halifax have less secure log-in procedures than their competitors, while Barclays scored top marks in the study. First Direct, Lloyds TSB, Nationwide, NatWest and RBS were also rated as "good", while Alliance & …
I love their system, it really doesn't interfere with me at all.
Chip & Pin anyone ?
Most of their recent security measures (like Chip and Pin) are designed to remove liability from the bank itself, not protect their customers. Most online banking terms and conditions show in great detail just how much wriggle room banks have if someone hacks your account, "oh that is not our approved secuirty software sir"
Thanks to Gordon's light touch when it comes to banking regulation it becomes more obvious who the master and slave is and thanks to Thatcher and her ilk it's more and more difficult to do anything without a bank account.
Mines under the mattress with my pron
When I first moved to the UK four years ago, I got a Lloyds account and was instantly impressed by their internet banking and telephone security. Not only are there dropdowns requesting only 3 letters of a minimum 8 letter password, but you must use the mouse to select the letter, as they placed spaces before each character in the dropdown eliminating the keypress shortcut.
By contrast, you should see the internet security in the US...its pathetic. My online Bofa ID was my social security number that I had to type in every time! I also on occasion had to type in my mothers maiden name and birthdate. With those three pieces of information alone my identity could easily have been stolen. I consider myself lucky that it never was.
You have to wonder just how hard they looked at each bank's offerings as my HSBC accounts came with a securID type token to generate random numbers as part of my login. Don't care how good your keylogger is, it still is going to struggle on that basis. They also have an inactivity timeout which forces me to login all over again, an absolute pain if I have stopped to make a coffee etc but would clearly make it hard for someone to sneak in and continue my session.
If you are accessing your bank online from an Internet cafe however, then you pretty much deserve all you get.
Shame they didn't get onto the 'Verified by Visa' and suchlike where security is not so much an afterthought as non-existent. Companies get really narked when I refuse to complete a transaction because they have thrown this in but when all you need to reset the password is the cardholder's date of birth, I refuse to believe that it can be called a security measure.
Are they sure?
Log in is just one measure.
With my bank, they have introduced another measure. If you want to take money out of my account then you'll have to set yourself up as a payee. And then they will phone me to auto complete the process.
I thought I'd find it a bit annoying, but actually, it's OK.
Of course, if you've burgled my house, and you are using my landline as well as my computer (which you've password cracked), or you've stolen my mobile phone and I haven't noticed, and so on and so forth.
Of course I'd be impressed if you'd managed to get a key logger on to my computer at all, because, as Which says in in September issue, Windows XP [...] is more vulnerable to viruses [than Linux].
Modern keyloggers will also take screenshots when you click a drop-down list. And I use tab and up/down to navigate drop-downs anyway, sounds like Which are too incompetent to know about that.
"The banks may say it’s the hidden security measures that count" and they'd be right. Any login "security" measures above username/password/token are just annoying security theatre. (Yes, an attacker who knows my strong password _will_ know my address, date of birth, and mother's maiden name).
"The vast majority of our fraud defence is not visible to customers and we deliberately seek to provide security which does not adversely impact our customers' ability to bank with us online," is a very sensible approach
"Which" are usually very sensible, it's a pity they decided to talk about an area they're obviously clueless about.
HSBC online security is a joke
All that a customer is asked for is their login ID, DoB and random digits from their numeric security code (which never changes). All it takes to capture is a keylogger on the system - it would be interesting to know just how much money it costs them annually?
IMHO the big banks could learn a lot from smaller banks in Eastern Europe which are much less complacent when it comes to dealing with fraud. I guess they can't afford to just swallow their losses as easily.
Barclays are using PIN devices: welcome to 21st century - Latvian banks have been using them for over five years. I can only hope one day HSBC wakes up and realises what time it is.
true, Halifax also has excellent elephant defenses
Behind the scenes where we can't see it they toil ceaselessly to protect us from the scourge of living-room elephants, their only reward the knowledge that, despite their shallow jeering, the Which? researchers too are safe from having currant buns & peanuts picked from their pockets.
world reels as bankers fail to live up to promises! mock horror alert outs financial institutions as not as secure as advertised! users remain ignorant of risks and happily pay for continued incompetence of authority!
new tv program idea: big banker. 10 individuals are hand picked from britain's top 10 financial institutions and are forced to spend 10 weeks locked together in a house. they are set a series of group tasks aimed at developing an effective counter fraud strategy and bringing their respective institutions' privacy policies up to scratch. if, at the end of ten weeks they have failed to determine any effective policy or look like they give a shit, they all get shot by the cast of The Wire.
Barclays security . . .
Yes, they have the PIN device but you can also access your details without it which requires you to enter your debit card number, 3 digit security number and date of birth - somewhat reducing their security to the extent that if you happened to be on a compromised machine you give away just a little bit of information!
At less than a pound a year why bother with security?
I don't believe the numbers or it is not a problem.
Well, obviously, it is a problem. Especially if someone empties your account and the bank turn round and say it is the clients fault and responsibility for being so insecure.
This type of fraud is one small element of "The Grand Banking Fraud" because of inappropriate security. Consider Cash point, creditcard and debit card fraud. Consider 'Phantom' withdrawls. When they can be laid at the door of the bank it is a non--trivial task to get your money back as a result of their error.
So the review seems to be suggesting that making the authentication process more tiresome for the customer equates with more security.... Computer security is hardly a new subject and looking at the ideas and technologies that have emerged from decades of multi-user system use would be more sensible than assuming that because it's complicated it must be clever and good.
We don't need no steekin' security
I've had major row with Lloyds TSB.
A person saying he was from their Credit Card division phones me to query a transaction - then asks me to give him my password - the whole password, not just a couple of characters from it. When I refused, he wouldn't discuss the problem.
I then phoned up to discuss this with someone, but all they would do was state that this is their company policy. They were able to confirm that the person that phoned me was from their dispute division - but couldn't put me through to him as that department don't accept incoming calls. I've actually written to them to point out that their current policy is a bit flawed, but all I got back was a standard acknowlegement. They simply don't see where the problem is.
If the major banks don't follow basic good security practice and actually encourage bad practice, how are we going get the average user to be sensible?
Barclays scored Top Marks
Barclays' PIN Sentry is indeed good. But Barclays are so hot that if you purchase something online that isn't "protected" by "Verified by Visa" they are likely to slap a lock on your account.
Twice recently, after purchasing software for a new smart phone from Handango Barclays locked my account, just as I was trying to pay the phone company providing air time.
First time, I could understand as I hadn't used Handango for two years, but the second time it was not "unusual behaviour", especially as I had made a purchase only one month prior.
Another turd study
I'm with Barclays for my current account and Abbey for savings.
Abbey deserves to be chastised, if not only because for a long while you couldn't even access you online account in anything other than IE6, which is a bit useless when IE7 was originally out and you couldn't have gone back to IE6 if you wanted to and with it not working in Firefox you had no access to your account.
With Barclays, that chip and pin machine is fucking awful. I access my online account far less now because of it having to have it around, so if I am a victim of fraud it'll take a couple of weeks before I know because of the infrequency of accessing the account to find out.
But here's the deal, I've been a victim of card fraud, my card was used to buy 150 euros of Italian phone credit, yet, I'm aware as anyone can be of security threats to your card. My network is secure - I have checked it repeatedly, I have checked every machine inside out and do so often, my card details were not lost through fault of insecurity on my system. I also rarely use my card directly, in stores, I use cash, and I check cash machines to make sure there's nothing dodgy about them when I use them, so may even call me paranoid about card security. Yet somehow my details leaked, so realistically the only place they could've leaked is from an online retailer like Amazon or someone who never notified me or my bank of said breach, or perhaps weren't even aware of it themselves - that's not to say it is Amazaon, I've purchased from many online retailers, but it can only have been one of them unless it was Barclays themselves as there was simply no other attack vector to get my details.
So what's my point? It's this, the security of an online banking login is irrelevant beyond a point, Barclays method may be more security, but ultimately it's meaningless when we have no way of forcing retailers to accept they've had a breach and tell people, or for them to even know in the first place. Even then I'm not convinced by the security argument, Barclays were fortunate I checked my account the same day that it happened and informed them quickly, but with a chip and pin machine required for access I may not be able to inform them quite so quick next time.
In other words this study is a farce, it's only checking one small section of online security - it's checking the login process itself. This is meaningless if you ignore other attack vectors and if you ignore the social aspect of a more complex system. In my experience, Abbeys system for all it's flaws is more secure, because the only place my login details need be stored is my head, and I can check it regularly for suspicious activity and inform them as soon as it happens if an external retailer leaks my details as they have in the past.
Yeah all this fuss about security and no one ever mentions that using M$ products to access your banking is the root cause.
HSBC & IF(Halifax)
My personal IF account majorly vulnerable as mentioned in the article,
my HSCB personal account is not as bad (enter the first number, 3rd number and last number etc).
However, my HSBC business account actually supplies me with an RSA token, and when I asked if I could have this on my personal account they told me there was no demand :(
I have also worked at some of these banks as a security consultant and there are some banks I wouldn't trust as far as I could throw Gordon Brown whilst he's carrying all his unelected stooges on his back.
I use them and have worried about keyloggers, especially when I actually found one on my gf's laptop which I regularly use to do online banking. Needless to say a quick username and password change - from my own machine - was in order. The facility to change username as well as password is quite reassuring for me, but for Joe Bloggs who doesn't even know he has a keylogger that's admittedly no use.
I'd take issue with the report's other points about Halifax though. They *do* have visible security when you're setting up a transfer, but not when you're actually using a transfer you've previously set up, which seems reasonable to me. Plus when you're setting up an international transfer they use a callback system which is so uptight I ended up having my online service blocked three times for suspected fraud when trying to set up a simple wire transfer for $100.
Egg online banking
This article reminds me of an incident a year or so ago. I notice that Egg are not mentioned in the article as being either good or bad, but my experience is probably one worth sharing.
After some late-night searching for some urgently-needed software, I noticed my home PC behaving strangely and determined that it was infected by some nasties. Not a problem, I thought, simply restore an image backup from a few days ago and carry on. The thing was that I had used Egg online banking that evening, and I wasn't sure if the infection occurred before or after this.
So, as a common-sense precaution, I changed my banking passwords. However, my security-researcher side was curious as to whether in fact there had been, or would be any attempted logins by someone who was not me. Disappointingly, the Egg website does not offer any useful 'you last logged in on' or any access log function, as I am used to seeing on other banking web sites that I use. So I composed a message telling them about this and asking politely if they could give me some sort of log-in history.
I was most surprised to receive a curt response, quote:
"Dear Ed I'm sorry but we don't keep records of when you log into the Egg website. Thanks for your message. Regards Siobhan ***** Internet Customer Services"
Cue loud alarm bells. A 'secure' banking web site that does not have any logs? Doesn't sound right to me. So a reply went back to Egg, again polite, explaining that I work in the IT field and I thought this was a most unusual state of affairs, could they please clarify the situation for me?
A week later, on a Saturday afternoon whilst I was walking in the Lake District, I got a phone call from a lady at Egg. She seemed to want to be helpful and reassure me that my accounts and funds were not in any danger. However, she completely failed to undestand the principle that logs are a pretty essential thing in any web site, especially a security-sensitive one. As I was trying to enjoy some relaxing weekend time, I didn't want to labour the point so after 20 minutes I gave up and left it at that. I never found out whether the malware compromised the password and a malicious individual might have attempted to gain access to my accounts.
I would be most interested if anybody has anything further to say about this experience, or their own...
As a Halifax customer of over 15 years
I concur, their site is utter shite, but then so are they, I should have moved long ago, but all the pissing around with resetting dd's, standing orders and the fact that changing banks alters your credit rating stops me.
Barcleys take it too far
...with that poxy calculator... so stupid.
Timesouts and logouts
[[ The Which? Computing study also criticises some banks - including Abbey, Alliance & Leicester, HSBC and Halifax - for not logging out clients when surfers move on to browse at other sites, an approach that leaves accounts potentially vulnerable if accessed on a shared computer. ]]
I personally prefer to stay logging in when I'm checking other pages: because I could be consolidating my statement against my third party credit card online bill etc, doing VAT conversions to double check pricing etc. The sites do have a "logout" button for a reason - perhaps shard computer users should use that if they want to protect their own data (plus most sites have a timeout facility: I know HSBC's tends to be a little on the shortside for me and times out after just a few minutes).
HSBC may also not require transfer authentications: but you do need a keyfob to log in - and I prefer a single keyfob authentication then having to use my Nationwide "card calculator" device to authenticate a whole batch of transfers individually (punch pin into device, enter 8 digit code into device, enter amount into device, try and read 8 digit code and enter into website - repeat for next 6 transfers: even through I've sent transfers to the same accounts every month for the last year!).
Halifax hidden security measures
Halifax: "The vast majority of our fraud defence is not visible to customers and we deliberately seek to provide security which does not adversely impact our customers' ability to bank with us online,"
Oh, is that security by obscurity per chance?
Halifax, the bank that went titsup. Given their financial track record, it doesn't inspire much confidence in their IT/security skills given the absence of any real front-end measures.
The (UK) banks need their heads knocking together to come up with a unified response, probably giving Secure ID tags (or equivalent) to *all* account holders.
Re: Another Turd Study
"...but it can only have been one of them unless it was Barclays themselves as there was simply no other attack vector to get my details."
Some of these banks' IT departments use live customer data in their test environments. Some of these banks' IT departments offshore IT development too.
Work it out.
@AC 10:28 / Spencer 11:52
Yes, the Barclays PINsentry device is a pain but it's worth remembering the codes it generates for login purposes are not time dependent, only sequentially dependent. Take five minutes to sit down with it and generate 20 or 30 consecutive codes, then store them in a text file in a TrueCrypt container and use them in order, deleting each one as you go. Unless you log into online banking four or five times per day the list should last a while. If you use online banking away from home, use portable TrueCrypt and store the container on a thumb drive. It's one more item to remember but a lot more convenient than the 1977 pocket calculator Barclays would have you lug everywhere.
My husband and I use an investment bank called Alliance Trust Savings. Their online thing is possibly the most insecure I've ever seen. Userid and passcode, all numeric. Type both in. No choosing from a list, no secureid solution.
My broker has suggested to my husband and i that we use a more secure system.
just thought id recommend you all do too!
Coutts Media Banking
Admittedly, business banking where you're throwing hundreds of thousands around the whole time isn't the same client base as some granny at home, but I have to say they're bloody good. 2 lots of random character picks from a pin and a password with forced monthly changes, challenge/response for authorising transfers with the calculator thingy, configurable. Last log-on, proper auditing, least permissions granted to suit the needs of the account holder, etc. You can even have a paper/fax system of signal card unique random numbers to strike off in sequence to authorise a phone or paper/fax transaction, should it be useful to you.
Seriously, if you're looking for a good service for business banking, Coutts are very good and not *that* expensive. Makes my lloydstsb look wimpy by comparison, security-wise.