Simple, but not stupid
Now and again, I encounter silly security lapses from people who ought to know much better, such as the financial organisation that telephoned me about an online credit transaction and requested my password as proof they were talking to the account holder. I explained patiently that while they knew who I was because they’d initiated the call, I had no proof of who they were and hence wasn’t giving them my password or any part of it. Instead, I suggested they tell me the third, fourth and eighth alpha-numerics from my password and if these were correct I’d give them the remainder. This was refused and, during the brief but heated debate that followed, it became obvious that the person at the other end of the telephone couldn’t understand why I was “being so difficult”. We finally agreed that I’d call them back and continue the conversation that way, but it exposed a misunderstanding of how security works that shouldn’t exist nowadays.
So does a tale of online payment provider Nochex and its identity proof requests that were brought to my attention by a reader. Nochex also belongs in the “should know better” category, having been involved with the secure payments business for more than six years. I’ve used Nochex and always found its encrypted data transfer and storage, and its use of the same secure server locations as many high-street banks, very reassuring. Yet, as so often happens, somehow the plot got lost in peripheral details: in this case, confirming the identity of an “expired” customer who wished to reactivate his account.
Setting up a new Nochex account is no problem, following a well-trodden path by asking for bank account details and a small deposit. Only after you’ve confirmed the amount of that deposit and the reference that goes with it is your account activated. However, as my concerned user explained, things were different when, having not used his account for a year or two, he found it to have been deactivated.
That in itself is pretty sound security, of course, and something that anyone who’s had a dormant Ebay account hijacked by fraudsters would have greatly preferred. The reactivation process appeared straightforward, requiring a form to be downloaded and returned to Nochex, but it also asked for copies of a recent utility bill, bank and credit card statements (all valuable documents for identity thieves) to be sent via snail mail.
All this invaluable personal documentation had to be sent to an address that started “Account Reactivation, Nochex Ltd”, a remarkable lapse in common sense equivalent to stuffing your passport and chequebook into an envelope and writing on it “Vital identity documents, please do not steal”.
Did nobody at Nochex think of using an anonymous PO Box for this kind of traffic, or of doing away with physical documents altogether? This was a lapsed account, so deleting it entirely after several email warnings would make more sense, with the user having to register a new account under the same email address using the existing secure digital confirmation process. To make matters worse, the user didn’t even receive any confirmation that his documents had arrived, or any response to a request that the document copies be shredded as soon as possible. He did eventually get an email saying his account had been reactivated, which did nothing to alleviate his concern.
Nochex has been informed of my concerns and a spokesman assures me it takes user security and integrity very seriously. “The identification criteria and processes for reactivating accounts and confirming our clients’ identity are regularly reviewed,” he said. “Thank you for raising Mr X’s concerns and we can confirm that we have contacted Mr X to confirm the safe receipt of his information and the secure destruction of that information.” Let’s hope that common sense prevails and this state of affairs is quickly rectified.