In my recent NatWest drama I started wondering about how secure the methods used to authenticate people are. There seem to be a number of methods used by different institutions in different countries.
German banks usually do the following for their online banking: First you need a password to get into their site. But you can just look around in that state. To actually do anything you will have to enter an additional TAN (transaction number) which is a one time code. The bank mails you a sheet with a hundred of these and you use them one by one. On the one hand this method is quite inconvenient as you need that sheet of paper and you need to store it in a safe place. An updated version of this method even numbers the TANs and you are asked to enter a specific one from the collection on your sheet each time.
This method raises a question about how it is to be used when you are not at home. It doesn’t seem particularly advisable to store the sheet of TANs in your purse, say, as losing it would be quite troublesome. On the other hand, with the updated method you cannot simply copy a few of the numbers and write them into your address book or something as any of the numbers could be requested. So this method isn’t particularly feasible for being used away from home unless you start thinking about more elaborate schemes like scanning the whole sheet and putting it into an encrypted file on your computer. Which in turn only makes sense if you have a laptop, I suppose.
One of my banks recently started advertising a slight variation of this. Essentially, they don’t send you a sheet of TANs anymore but they will store your mobile phone number and after you enter the details of a transaction they will send you the relevant number as a text message. To me this seems inconvenient as it isn’t clear that the message will always arrive at your phone within a second. Indeed, from what I have seen, particularly when you are out of the country, it is rather unlikely that it will be there immediately. In addition, I keep thinking that it should be easier to nick or peek on someone’s phone than to get to their bank files. Phones don’t seem to be locked, so, with a bit of luck, walking around in an office during lunch break could find you computers with stored password for a bank account and the phone to tell you the TANs right next to it. I expect the bank to blame users for their negligence in such cases, but I really think that this is just making it a bit too easy to be negligent (which may just be what the bank want to achieve as it covers their ass).
What always amused me is the way they deal with security at NatWest’s (Mac hostile) online banking and phone hotlines. You have both a PIN and a password for that. But for extra security they only ever ask three digits of your PIN and three letters of your password at a time. While this is extremely inconvenient for entering things (picture me trying to find out the eighth character of the password without writing it down) it has the charme that it makes it less risky to enter these credentials while in an internet café, say. They may be running key loggers there but at least they won’t get your full credentials. Not if you only go there once, anyway.
They also use the same PIN for their telephone service and ask you for some of the digits during some calls. Seeing how many times I had to use their hotlines recently, I can be assured that anyone who bothered tapping our phone lines should have a fairly good idea of these credentials now. During some other calls they also asked me for parts of my date of birth for authentication. Because that’s really secret information, right‽
Obviously this is a really hard, if not impossible, problem to solve and we will only get approximations to a good solution. But the bottom line remains that you can’t have a system that is both secure and convenient. And the systems as they exist today fail to include that little fact in their marketing materials.