Banks are clueless about online security

By Stephen Kellett
14 February, 2011

During November I met Dave Collins from Software Promotions. I saw him presenting two talks on effective AdWords marketing and on common mistakes you can make and how to avoid them. Articulate, well informed. So much so that I decided to hire Dave to do some work for Software Verification.

Dave wanted to be paid by direct bank transfer. Not a problem, except that I have been really reluctant to do online banking because I'm concerned that, no matter what steps you take, there is always the potential for something nasty to be on your machine waiting to snatch your bank details. Maybe a tad paranoid, I agree, but that is how I work. But let us be clear on the risk: if your online banking credentials get compromised, it is your entire account that is at risk, which is not the same thing as having your credit card details compromised, where the card issuer limits your liability. It's the sort of thing that could put you out of business. Hence my paranoia.

Live CD

Anyway, I decided I would do it using a Linux live CD; that way the only things left to trust are the CD image itself and the machine's BIOS. A dodgy Linux CD is unlikely, as so many people download the same image and you can check it against the published checksum before burning it. Having your machine's BIOS hacked is also one of the more unlikely things to happen to you. An alternative scheme, which Joanna Rutkowska uses, is to bank from a virtual machine and roll it back to a clean snapshot on a regular basis. Either approach only deals with malware that lives on the machine's own disk; a phishing page, a tampered network or a weakness at the bank's end is untouched by it.

Online Banking

Like most people I've banked with the same bank for years, both personally and for business. I started with Midland Bank, but after some dreadful service when I was a student I moved to National Westminster Bank and have been with them ever since (except for a short spell living in Scotland, where NatWest had no presence).

Given the nature of what banks do you would expect them to take security seriously. I did.

Account Number

So imagine my surprise when I found that the online banking account number for the business's new online banking is of the form DD-MM-YY-xxxx, where DD-MM-YY is your date of birth and xxxx looks like a random value. Further investigation turns up that xxxx is not random at all: it is the count of earlier customers with the same birthday. So if xxxx is 0185 then you are the 186th person with that birthday.

So what is the problem with the above? Given that so many security systems ask you for your date of birth as proof of identity when you need to talk to a human, I'm astonished to find the date of birth as the first six digits of the account number. When I asked about this, the answer given by the staff member was "Only you know your date of birth." Yes, I'm not kidding. She was sincere in that opinion. She didn't seem to realise that, even without the Internet, social media and the like, your date of birth is available in many places: birth registers, for one, and every form you have ever filled in. And once someone knows your date of birth, the only part of the account number left to guess is a four-digit counter, which starts at zero and is small for most birthdays.

What on earth is wrong with account numbers that start at 0 and increment by one for each new customer? A plain counter says nothing about who you are; at most it reveals roughly when the account was opened. A randomly generated identifier would be better still, since a counter is trivially enumerable, but either of them leaks nothing about the customer. I guess something as simple as that is too complicated.
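To make the leak concrete, here is a small Python script, added for this article and not code from the post or from any bank, that parses a DD-MM-YY-xxxx number back into a date of birth, enumerates what an attacker who already knows the birthday has left to guess, and compares that with an identifier that carries no customer information. The format and the meaning of xxxx follow the description above; the sample numbers and the ten-digit length of the opaque identifier are constructed for the example.

```python
import math
import re
import secrets
from datetime import date

# Format described above: DD-MM-YY-xxxx, where xxxx is the count of earlier
# customers sharing the birthday (0185 means the 186th such customer).
ACCOUNT_RE = re.compile(r"^(\d{2})-(\d{2})-(\d{2})-(\d{4})$")


def parse_account(number):
    """Return what a DD-MM-YY-xxxx account number reveals, or None if the
    string does not fit the format or encodes an impossible date.

    The two-digit year is ambiguous (1900s or 2000s), so both candidate
    calendar years are returned rather than guessing one."""
    m = ACCOUNT_RE.match(number)
    if not m:
        return None
    day, month, yy, count = (int(g) for g in m.groups())
    # Validate day/month against a leap year so 29-02 is accepted while
    # impossible dates such as 31-02 or month 13 are rejected.
    try:
        date(2000, month, day)
    except ValueError:
        return None
    return {
        "day": day,
        "month": month,
        "yy": yy,
        "position": count + 1,  # 0185 -> 186th customer with that birthday
        "candidate_years": [1900 + yy, 2000 + yy],
    }


def candidates_for_birthday(day, month, year):
    """Every account number the scheme could have issued to someone born on
    the given date. An attacker who knows the birthday is left with at most
    10,000 guesses, and low counters are far more likely than high ones."""
    return [f"{day:02d}-{month:02d}-{year % 100:02d}-{i:04d}" for i in range(10_000)]


def search_space(scheme, birthday_known=False):
    """Number of account numbers an attacker must try under each scheme.

    'dob'    : DD-MM-YY-xxxx. With the birthday known only xxxx is unknown;
               without it, any valid day/month in any of the 100 YY years.
    'opaque' : ten digits carrying no customer information (constructed
               length for the example); knowing the birthday helps not at all.
    """
    if scheme == "opaque":
        return 10 ** 10
    if scheme == "dob":
        if birthday_known:
            return 10_000
        valid_day_month_pairs = 366  # includes 29 February
        return valid_day_month_pairs * 100 * 10_000
    raise ValueError(f"unknown scheme: {scheme}")


def bits(n):
    """Guessing effort expressed in bits (log2 of the candidate count)."""
    return math.log2(n)


def opaque_account_number(digits=10):
    """The alternative argued for above: an identifier that encodes nothing
    about the customer. Generated with the OS CSPRNG rather than a counter."""
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"


if __name__ == "__main__":
    leaked = parse_account("14-02-71-0185")  # constructed sample number
    print("leaks:", leaked)
    for scheme, known in (("dob", False), ("dob", True), ("opaque", True)):
        n = search_space(scheme, known)
        print(f"{scheme:7s} birthday_known={known!s:5s} {n:>12,d} candidates "
              f"({bits(n):.1f} bits)")
    print("opaque id:", opaque_account_number())
```

Knowing the birthday collapses the DOB scheme from roughly 28 bits of guessing to about 13, and the counter makes the first few hundred candidates the likely ones; the opaque identifier stays at about 33 bits whether or not the attacker knows anything about you.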

Conclusion

Anyway, that is enough for me. If you can't get something as simple as an account number right, what else are you going to get wrong?
