Security without a smile
PC Pro recently published a group review of online banking services, and I was responsible for the part of that feature that looked at security. I spoke to Ken Munro, managing director at independent penetration testing company SecureTest, who told me: “If your bank wants answers to memorable questions, don’t choose questions that could be easily answered through researching you on social-networking sites. You could even choose fake answers, so long as you can remember them!” Excellent advice, as you’d expect from someone with plenty of hands-on experience at the coalface of penetration testing, but I doubt that even Ken would have been prepared for the sheer naïvety displayed by one bank that has come to light courtesy of PC Pro reader Matthew Cunliffe.
Like so many of our readers (the clue is in the title of the magazine) Matthew is an IT professional: in fact, he has himself worked on bank accreditation for the 3DSecure system that’s used by the “Verified by Visa” (VbV) and “MasterCard SecureCode” schemes that add an extra layer of security to online transactions. I’m actually something of a fan of this system, even though it does slow online buying down a little and introduces yet another password into the mix. What happens is this: when you buy something with a credit card that’s registered under the scheme, even after you’ve already entered the correct card number, expiry date, name shown on the card and, importantly, the CCV (credit card verification) number that’s used primarily for CNP (cardholder not present) transactions, you then have to complete a separate login with its own unique password. The idea is that while it’s possible someone has stolen your credit card, or you could somehow have been coerced into revealing the required card details, it’s hugely unlikely in security-risk analysis terms that the same fraudster would also have access to your password for the 3DSecure system. Fail that part of the transaction and the whole thing goes pear-shaped.
That’s why the email from Matthew was so alarming. Indeed, not only did I get one email from Matthew, but I got a copy of his entire email correspondence with Smile, part of the Co-operative Bank, concerning the small matter of how it was choosing to implement the introduction of a VbV system for his Smile credit card. “I was surprised when they told me they were going to register me for Verified by Visa, and that my password would be my ‘memorable name’ from my online account,” Matthew told me, adding: “So not only is my VbV password rather insecure, it’s also linked to my online account: guess one, get the other!”
In all his time working on 3DSecure from the banking side of the fence, Matthew has never seen it done in this way, and I have to admit that neither have I. All my credit cards that are registered under the scheme let me choose my own password, unique and created with the usual care to be as secure as possible. In fact, all the card providers I’ve had experience with insist on it. Not so Smile, whose responses from customer care really do have to be read to be believed.
Matthew, not surprisingly, contacted them saying: “I have just received the email about Verified by Visa for my credit card. I am shocked that you think using my memorable name for VbV is secure! It is memorable and therefore easy for someone else to find out. Linking my VbV password to my online account only serves to make both more insecure. I have been asked to ring you and change my memorable name. This does not improve security if it remains linked to both my account and credit card. I wish to be able to choose my own VbV password and for it to be separate from my online account. Your current method is unacceptable and I refuse to accept any responsibility for any web transactions until you change this process. PC Pro has already given the Smile website a damning review on security. This only makes it worse.”