Originally posted April 18 2006 at 15:04 under General and Web. 0 Comments. 1 Trackback (now closed). Last modified: 18 April 2006 at 17:10
Today I completed the sign-up process for LloydsTSB online banking. I used to use this several years ago (long enough ago that IIRC it was just Lloyds at the time) but somehow stopped and so totally forgot my login details. When I got around to trying to sign up again last week (something I’d been meaning to do for a long time) it turned out that whilst I’d forgotten, the computers hadn’t. They wouldn’t let me simply sign up because they recognised that there were login details associated with that account. That meant that I had to go through the “I’ve forgotten my customer ID” process, which basically results in them sending a new one out through the post (there is of course a question as to why—the customer ID isn’t supposed to be part of the security; the same passwords would still be valid with the new ID. Why send it through the post rather than generate a new one there and then? I suppose under some circumstances it might be slightly more secure but I’m not sure the play-off with convenience is worth it). Anyway, having received my brand new customer ID (and I think they don’t simply use account numbers, not for security but because you can have more than one account associated with the ID) I had to then go through the forgotten password process. It’s seeming long-winded already, isn’t it?
The lost password process asks you to enter a new password and some “memorable information” (this seems to consist of requiring a memorable phrase, i.e. it’s essentially a second password…). The system then produces a screen with a reference code and a phone number to ring so they can confirm you’re not really some Nigerian scammer. All pretty much fair enough I think. Calling the number got an answer before even the first ring (actually that took me by surprise. Let the phone ring once so I at least anticipate a connection!) Everything went smoothly enough and I was thinking fine. Except I’ve been sat here considering this, semi-consciously. The thing is, the way they identified me.
The routine followed the pretty standard pattern in this case. A few questions about the account (though not including the number and sort code) and there you go. It’s the questions, and my answers, though. The first question was my postcode. Fair enough, but it’s on the letter with my new customer ID, remember. Second I was asked about a recent transaction for train tickets. I vaguely answered, of about £30 I think, as I dug around the wallet for a recent little mini-statement from the cash machine. The helpful call centre agent seemed pretty much about to accept this vague hand waving as I slid in £29.10. The thing is, that’s still wrong; it’s certainly a recent transaction but not the one I was asked about. Indeed, it’s something like a 50% over-estimate. The only other thing I was asked was to name a direct debit or standing order coming out of that account—to which I pointed out that there aren’t any. That was good enough to activate my new password.
This all sounds pretty harmless but I can’t help but consider: what if I were trying to impersonate me? Let’s assume I had access to the account’s postal address (if this seems implausible, I seem to remember the last time I changed address I had to fill in a form with account number, name and new address…). I request a new online banking user ID, which I then receive, and request a password change. The password change is confirmed by the post code (which obviously is known), a vague guess at the cost of a train ticket (they said it was from the Trainline and I’m pretty sure they were going to let it slide—I did still get it wrong, remember) and saying there were no direct debits (it’s a fair bet that if the real owner hasn’t noticed anything amiss then this might be a pretty dormant account…).
Of course this is all a bit paranoid. If I have address access then it’s probably simpler to just request a new debit card and PIN—in fact as far as I know that takes even less security checking. Still, I think they should at least demand that I answer the questions I’m asked exactly correctly.
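As an added illustration (my own code, not anything from the bank or from the original post), here is a small Python model of two ways the call-centre check could treat those three answers: the lenient behaviour the post describes, and the exact-match rule the last paragraph asks for. The account details, the £19.40 Trainline figure and the second £29.10 transaction are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    postcode: str
    transactions: dict            # merchant -> amount in GBP
    direct_debits: list = field(default_factory=list)

# Constructed example account: both amounts are hypothetical.
ACCOUNT = Account(postcode="AB1 2CD",
                  transactions={"Trainline": 19.40, "Tesco": 29.10},
                  direct_debits=[])

def _pence(amount):
    return int(round(amount * 100))       # compare in pence, not floats

def _norm_postcode(pc):
    return pc.replace(" ", "").upper()

def dd_answer_correct(acct, answer):
    """'None' is only right when the account really has no direct debits."""
    if answer.strip().lower() == "none":
        return not acct.direct_debits
    return answer.strip() in acct.direct_debits

def verify_lenient(acct, postcode, amount, dd_answer):
    """Roughly what the post describes: the postcode counts even though it is
    printed on the posted letter, and an amount passes if it is within 50% of
    *any* recent transaction rather than the one asked about."""
    postcode_ok = _norm_postcode(postcode) == _norm_postcode(acct.postcode)
    amount_ok = any(abs(_pence(amount) - _pence(real)) * 2 <= _pence(real)
                    for real in acct.transactions.values())
    return postcode_ok and amount_ok and dd_answer_correct(acct, dd_answer)

def verify_strict(acct, merchant, postcode, amount, dd_answer):
    """Exact answers only: the amount must match the transaction actually asked
    about, to the penny. The postcode is a precondition rather than evidence,
    since anyone holding the mailed letter knows it."""
    if _norm_postcode(postcode) != _norm_postcode(acct.postcode):
        return False
    real = acct.transactions.get(merchant)
    amount_ok = real is not None and _pence(amount) == _pence(real)
    return amount_ok and dd_answer_correct(acct, dd_answer)

if __name__ == "__main__":
    # The caller's answers as the post describes them: about £29.10 for the
    # Trainline question (wrong transaction), and "none" for direct debits.
    print(verify_lenient(ACCOUNT, "ab1 2cd", 29.10, "none"))              # True
    print(verify_strict(ACCOUNT, "Trainline", "ab1 2cd", 29.10, "none"))  # False
    print(verify_strict(ACCOUNT, "Trainline", "ab1 2cd", 19.40, "none"))  # True
```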
Having managed to get online banking I remembered the thing which annoyed me from all those years ago. If you read that post you'll notice I mentioned the "memorable information". The screenshot shows what the bank does with this…
© Ian Scott. Powered by Movable Type 3.2.