Australia's online magazine for entrepreneurs & SMEs

Who goes there?

Wednesday, 21 March 2007

Who goes there?

Once in a blue moon I check the Churchill Club's bank transactions online. A couple of weeks ago I did this, but after a while I was automatically logged out. When I tried to log back in again, I got the password wrong and it wouldn't let me log back in. Sound familiar?

I then rang the bank. A call centre operator asked me how many business internet accounts I had. I answered “two”, but apparently I only had one, because my online credit card account wasn't a business internet account, but a merchant services account.

Apparently this mattered to the operator. I was advised I would have to go to a bank branch to have the account unlocked; the call centre could ask me the question once and I got it wrong. Sound familiar?

After I showed my ID at the branch, I was told the account would be unlocked later that day and that I would be contacted. Of course I didn't receive any call, and had to go back to the branch the next day to repeat the process. Finally, my accounts were unlocked.

This got me thinking: what is the point of this security? I am continually told it is to protect me, but I am beginning to believe that's completely untrue.

I now have about 10 different banking passwords and account numbers and perhaps another 50 or so general passwords (such as the one for my SmartCompany subscription). Each organisation I deal with has different rules for their passwords, including:

• The minimum number of digits.
• How often the password must change.
• What characters are OK to use (numbers letters, special characters).
• Whether I can use a previously used password.
•  Patterns are not allowed (such as my surname).

My world is now so complex that I now have a standard set of different secret passwords that are used, just so I can manage my accounts. So for each individual account I have good security, but overall my security is massively reduced because once you know one of my passwords, you can easily access any number of my accounts.

Therefore I am compromising my own personal security just to cope. But the banks don't care because if I compromise my security by reusing passwords, it’s my problem not theirs. So they are protected.

I heard a great example the other day about the staff of a national organisation, who have to change their password every month and must use a unique password with a minimum of 5 characters. To cope with these rules more than half the employees in March this year will have the password "mar07". Where is the security in this?

But back to banks. I would suggest that bank security for online accounts is much more about protecting the bank than about protecting customers.

I note that when you are issued your new credit card you are told "you must sign the back for security", but since you are not responsible for any debts until you sign the card, the security they are concerned must be theirs not yours). No wonder when someone found Lloyd Williams’ platinum credit card on the beach the other week, it was unsigned.

Anyway, I used to use notes in Outlook to store my passwords, but I have come to the conclusion that this is too insecure because others can look at it, plus it’s open to being accessed by evil software.

I have instead downloaded a program called Password Safe to manage my accounts and passwords. Password Safe is free and secure and user-friendly. It comes from http://passwordsafe.sourceforge.net/ I haven't solved all my password problems, but at least I have improved my own security.