Tuesday, March 04, 2008

Do the people running my bank's security read my blog?

Hoping that the security people within my bank read my blog is probably wishful thinking on my part. Maybe they do. I have no idea.

But today, they did something that I've been calling for on this site. My last post mentioned the issues around bad security practices used by organisations around the world (including banks) when dealing with their customers (people like you and me), specifically around mutual authentication between the organisation and the customer... or rather, the lack of any, thus relying on the customer to accept all the risk. If you follow the links in that post back to my earlier blog entries, you'll know it's been eating away at me for a while.

I applied for another type of account with my bank over the weekend. Today they called me to ask a few questions and to perform due diligence around the whole process. I fully expected the one-sided authentication I've come to expect from organisations and was prepared to give the wrong answer the first time around (followed by the right answer if they correctly identified that my answer was incorrect). I had no reason to expect anything different because I've dealt with my bank in the past and this is what they've always done.

To my pleasant surprise, they began by telling me that I had applied for an account over the weekend (and correctly naming the type of account) and that they were about to give me partial details about myself and I would have to fill in the rest! EXACTLY the type of mutual authentication process I've been crowing about! Worked very nicely and painlessly. It also gave me a sense of assuredness that I was indeed speaking with my bank.

I'm not silly enough to mention which bank I'm talking about, but if your bank doesn't do this at the moment, start complaining until they do. It's the way things should be done.
