16

My bank has recently replaced passwords with occasionally asking me information that is "known only to me". Such information includes my date of birth, postcode, and my mother’s maiden name.

Obviously these details are far from qualifying for "known only to me", and what’s worse, I can’t change these when they are compromised.

Is there anything reasonable I can do about this in the UK? I’m sure banks are legally obligated to implement proper security, and these days even people without any formal security education know that dates of birth don’t exactly qualify as "proper security".

I hope this falls within the scope of the site under the category of "policies".

AviD
RomanSt
  • 6
    It seems like poor practice to me to *replace* passwords with those questions. However, you could always put in something incorrect, and that would be known only to you. – 700 Software Mar 26 '12 at 17:30
  • 2
    Related: http://security.stackexchange.com/q/10886/953 – Iszi Mar 26 '12 at 17:47
  • @GeorgeBailey They’re replacing the 3D Secure system, which, in case you aren’t from a country that uses such a thing, is basically something that asks you for a password before authorizing an online card payment. This was [already known to be very insecure (pdf)](http://www.cl.cam.ac.uk/~rja14/Papers/fc10vbvsecurecode.pdf) so the change isn’t that significant. Separately from that, my bank has always allowed me to "log in" over the phone with nothing but account number, date of birth and/or postcode. – RomanSt Mar 26 '12 at 17:57
  • 4
    @romkyns - a key facet of security we have been hammering at the banks about is **holistic security** - ie get it to an equal level across all channels, as if there is a weaker channel (in your example, the phone banking) that will be the one attackers will find and use. – Rory Alsop Mar 26 '12 at 18:05
  • 4
    I'm quite curious to know which bank this is? – Lucas Kauffman Mar 26 '12 at 20:20
  • 1
    @LucasKauffman Before I name one, I guess I should double-check that they would actually execute a money transfer over the phone with just DoB + postcode. They give out the balance and cancel cards with just this much, but that’s not as sensitive as withdrawals. – RomanSt Mar 27 '12 at 13:51

3 Answers

17

Find a bank with secure online banking, withdraw all your money and move it.

Make sure the teller knows why. Send a registered letter to the bank president telling him why it's a bad idea and why you've told all your friends and acquaintances why this is a bad institution to deal with online.

It's known as voting with your money. They don't secure it and only appreciate its removal from their system. Enough people do it, and they either sink or change.

Fiasco Labs
  • 1
    I doubt that enough people will do it though; this requires someone with a huge social network and a lot of influence to do a move like that. Or someone with enough money to take out that the bank actually gives a damn... at least a few million, I reckon. – RomanSt Mar 26 '12 at 19:29
  • 4
    Who cares if enough people do it, your finances will be protected if you're the only one who does it and that **is** what's important. – Fiasco Labs Mar 26 '12 at 20:01
  • 3
    @romkyns Or get the news to report on it. Then everyone will want to protect their money. – Izkata Mar 26 '12 at 22:00
10

In the UK they have to comply with the Data Protection act, which requires 'appropriate' controls over your personal data, but while I would urge you to try and argue that case with them, I feel the only sensible course of action is to change banks. Banks take a risk approach, and if they feel the risk (to them) is sufficiently small, they could take this sort of action - they may feel the chances of being fined under DPA 1998 or PCI-DSS, or the possible reputational damage due to a successful attack using this route is worthwhile compared with the cost of implementing a secure solution.

That said, I work with a lot of the UK banks and I can't think of any that would use this instead of passwords, in fact many have moved to two factor authentication (tokens, smart cards, SMS messages etc) so change banks, and make sure to tell them why you are changing.

Rory Alsop
3

The "upside" of this however is that it gives you pretty good 'plausible deniability'. If money is gone missing from your account for whichever reason, the bank would have to prove it was you who took it out. With those security measures, I believe the bank would have at least some difficulty proving it was definitely you. As you rightfully stated, finding out those details is trivial.

With this slightly tongue-in-cheek remark, I would also say that it might be very inconvenient to have your account emptied, even if restored eventually. As with many things related to risk management, maybe split your risk across two or more accounts? I also liked George Bailey's suggestion to give a different d.o.b.

As a personal safety measure, I try to check my balance with online banking frequently, so if anything suspicious comes up I'll hopefully know about it quickly enough.

Lastly, my personal bank account with a certain bank in the UK has better security measures than you described. They use a combination of questions, I believe none of which is your date of birth (albeit one of the questions is a memorable date, which can be any date). You must answer at least two (randomly selected out of 5) correctly on top of your postcode or account number.

Yoav Aner
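To put numbers on the difference between the fixed "date of birth plus postcode" check in the question and the "two random questions out of five" scheme in the last answer, here is an added example (not code from any bank or from the answers above). It assumes each challenge draws a fresh random pair, both answers must be correct, the attacker answers correctly everything they have already learned about the victim, and the bank locks the account after a fixed number of failed challenges.

```python
from fractions import Fraction
from math import comb


def pass_probability(known: int, pool: int = 5, asked: int = 2) -> Fraction:
    """Chance that someone who knows `known` of the `pool` answers passes
    one challenge in which `asked` distinct questions are drawn at random
    and all must be answered correctly. Exact, via counting the favourable
    question subsets over all possible subsets."""
    if not 0 <= known <= pool or not 0 < asked <= pool:
        raise ValueError("invalid parameters")
    return Fraction(comb(known, asked), comb(pool, asked))


def success_within(attempts: int, p: Fraction) -> Fraction:
    """Chance of at least one pass across `attempts` independent challenges,
    i.e. before a lockout triggered after `attempts` consecutive failures."""
    return 1 - (1 - p) ** attempts


def fixed_question_pass(knows_dob: bool, knows_postcode: bool) -> Fraction:
    """The scheme from the question: the same two facts every time, so an
    attacker who has harvested both passes with certainty and one who lacks
    either never passes (ignoring guessing of the missing fact)."""
    return Fraction(1) if knows_dob and knows_postcode else Fraction(0)


def risk_table(lockout_attempts: int = 3) -> dict:
    """Per number of harvested answers: chance of passing one random 2-of-5
    challenge and of getting in before a lockout. Constructed for illustration."""
    return {
        k: (pass_probability(k), success_within(lockout_attempts, pass_probability(k)))
        for k in range(6)
    }


if __name__ == "__main__":
    print("fixed DoB+postcode, both known:", fixed_question_pass(True, True))
    for k, (single, within) in risk_table().items():
        print(f"knows {k}/5 answers: one challenge {single}, "
              f"before 3-strike lockout {within} (~{float(within):.0%})")
```

Knowing three of the five answers still gives an attacker roughly a 66% chance of getting in before a three-strike lockout, which is why the random-selection scheme is only modestly better than the fixed one unless the answers themselves are hard to discover.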