Tuesday, 20 March 2007

First Direct: more secure online banking?






The telephone and online bank First Direct recently made its customers change the way they login to FD's internet banking service , "to make sure you're better protected from online fraud".

There was some negative publicity about First Direct's "server overload on switchover" problems, but am I the only person who's a bit puzzled as to exactly how the changes they're imposing are supposed to reduce the risk of online fraud? Why is the new system more secure?

Before, customers were each given two long "online ID" numbers: a "support ID" and an "access ID". To login you had to enter both numbers, and certain specified random characters from your password (e.g. the 1st character, the last character etc).

Now, you have to choose your own single login ID (instead of having to use the two online ID numbers). You can keep the same password. And you have to answer a memorable question (which you can formulate yourself) as well. Plus you pick two different security questions (you can't write your own one here) which you have to answer in order to reset your password or memorable answer should you forget it.

Call me cynical, but except for adding the extra step of answering a memorable question for logging in, how does changing two long numbers to a single easier-to-remember login ID improve security? Could it just be that people found the two online ID numbers so hard to remember that they had to write them down (which isn't exactly good for overall security)?? The changes may have improved security from a social or psychological point of view, but surely not necessarily from a technical perspective (apart for the addition of an extra question to be answered before login can be completed).

Plus, having security questions for resetting your password etc is just bog standard on the Web, and that mechanism really should have been in-built from the start. Making it easier to reset passwords by introducing those security questions is certainly more helpful for customers, but how is it better for online banking security? Unless again it reduces the likelihood of people writing down their passwords and carrying it around with them!

So, as you can tell, I do think the changes make First Direct's internet banking service more user-friendly for their customers from a consumer viewpoint, even though people were involved in some inconvenience in having to pick new logins, security questions etc; it is true. But I think it's a bit disingenuous to call the usability changes "security improvements" (again except for the addition of an extra question for login). Don't get me wrong, I like First Direct despite their £10 a month charge (which fortunately I don't get charged as I pay in enough into my account with them monthly). I just don't see why they didn't call a spade a spade.

One very good thing though is that they've made their site Firefox-friendly. Many online banks force you to use Internet Explorer to login, so First Direct do deserve a big pat on the back for that - I'm a huge Fox fan, as regular readers will know. While Mac users can't login to First Direct using Safari, they can if they have Firefox (). Let's hope more internet banking services make their sites Fox-friendly too.

2 comments:

Anonymous said...

I agree that the idea that this login procedure is more secure is bogus. If they really wanted greater security, they should have used an electronic security code generator in conjunction with the previous procedure.

Whilst implementing this piece of nonsense, they have also managed to break the sites ability to remember user preferences, such as the download format to use for financial records, and the dates for which data has already been downloaded. They claim that it caused "performance issues" during testing, so they disabled it! How lame is that?

Improbulus said...

Absolutely, Anon, one of those SecurID security tokens would be much much better.

I rarely used the site before (because of having to know 2 long ID numbers to login), I used their telephone service instead, so I didn't realise they'd disabled personal preferences (did they delete old preferences as well as disable the ability to set new ones??!). I agree, that is totally lame. I wonder why there's been relatively little publicity about that?