Co-op banking on security – but not much

The Co-operative Bank is rolling out its new security system. And today it securitised me. A very nice man rang me up to say he was from the Co-op Bank and wanted to check my security details. How do I know you are who you say you are, I asked him? Good point. So he gave me the telephone number I could call to go through the same procedure. Which was the same as on the letter I had received in the post. So I decided it wasn't very secure but was probably legit. Next he wanted to help me to set up my security token. What's a token, I asked? It should have arrived in the same mailpack as the letter with the telephone number. Oh, the calculator you mailed me. No, he said, it's not a calculator, it's a token. The covering letter had explained that a security token had been included in the pack. Though it didn't say what a security token was. I thought it was a special code number. After all, the mail pack included a table with my name, my user ID and a customer ID. Wasn't one of these the security token? No, said the operator wearily, it was the plastic thing that looks like a calculator but isn't.

I turned over the plastic thing. On the back in small letters it said Pocket Token (not security token). It also had an S/N (serial number) and a B/N (never explained). It also had a date, Sep -09. Is that a start date or an expiry date, I asked? No, it doesn't mean anything, said the operator. Even more wearily. Can you read me out the serial number written on the back of the security/pocket token plastic thing? So I did. I entered a PIN number he gave me and then I had to input a new serial number in the 'token'. Twice. For safety's sake. And then I was informed that I was 'live'. Now when I log on I enter my user ID and then I need to use my PIN to generate a random 10-number code on my plastic thing. And that will give me access to my bank account. No plastic thing, no random 10-number code – then I can't get into my account. So I will need to carry it with me at all times. I run 2 businesses with this bank. So will need to carry 2 plastic things. Which I shall have to mark so I don't mix up my random 10-number codes. I searched Google without result to find a picture of a token. So I went on the bank's own website and found an animation which showed me how to use a token. So I screengrabbed it to put a picture here.
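For readers wondering what the plastic thing is actually doing when the PIN turns into a 10-digit code, here is an added illustration of the usual mechanism behind such tokens. It is not the bank's code and the post does not say which algorithm the Co-op's device uses; the example assumes an event-based one-time password (HOTP, RFC 4226) with a PIN-locked token and a server that keeps its own counter, and all names, seeds and the look-ahead window are made up for the demonstration.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 10) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated.

    The truncated value is 31 bits, so 10 digits (assumed here to match the
    device described in the post) shows the whole number zero-padded; the
    standard examples use 6 digits.
    """
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class PocketToken:
    """Constructed model of the handheld device: seed + counter behind a PIN."""

    def __init__(self, seed: bytes, pin: str):
        self._seed = seed          # on a real device this lives in tamper-resistant storage
        self._pin = pin
        self.counter = 0           # moves forward every time a code is produced

    def generate(self, pin: str) -> str:
        # The PIN unlocks the device; it is never sent to the bank.
        if not hmac.compare_digest(pin, self._pin):
            raise ValueError("wrong PIN")
        code = hotp(self._seed, self.counter)
        self.counter += 1
        return code


class BankServer:
    """Constructed server side: one seed and counter per user ID."""

    def __init__(self, window: int = 5):
        self.window = window       # how far ahead the device may have drifted
        self._users: dict[str, dict] = {}

    def enrol(self, user_id: str, seed: bytes) -> None:
        self._users[user_id] = {"seed": seed, "counter": 0}

    def verify(self, user_id: str, code: str) -> bool:
        rec = self._users.get(user_id)
        if rec is None:
            return False
        start = rec["counter"]
        # Accept any code in [start, start + window); a user who pressed the
        # button a few times without logging in is resynchronised, but a
        # code the server has already moved past is rejected (no replay).
        for c in range(start, start + self.window):
            if hmac.compare_digest(hotp(rec["seed"], c), code):
                rec["counter"] = c + 1
                return True
        return False


if __name__ == "__main__":
    seed = b"constructed-demo-seed"          # constructed, not a real seed
    bank = BankServer()
    bank.enrol("business-one", seed)
    token = PocketToken(seed, pin="2468")    # constructed PIN

    code = token.generate("2468")
    print("login accepted:", bank.verify("business-one", code))   # True
    print("same code again:", bank.verify("business-one", code))  # False (replay)
```

The two properties worth noticing are that the PIN stays on the device and that a code works exactly once: a second login with the same 10 digits is refused because the server's counter has already moved past it. The design also explains the post's complaint about carrying two devices; each is bound to a separate seed and counter, so one cannot stand in for the other.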

If you're still reading this, then thank you – you're extraordinary. I'll be brief. Given the sheer amount of money at risk by fraud. And the cost of updating an entire online bank system to make it even more secure. Don't you think it would make sense to print a picture of the 'token' in the letter so I knew what they were referring to? And to give it a consistent name. Wouldn't it make sense to agree a password decided by me and stored by the bank so I know when it is really the bank who is on the phone to me? And wouldn't it make sense to do some kind of basic usability research to check that users had the faintest idea what was going on and that the process made intuitive sense to them? This doesn't feel much more secure than the current system. But it does feel a lot more cumbersome.
