[David Griffiths] I have recently moved home, and I wanted to tell my bank the new address for my business account. I logged into the internet business account management centre, with my username, password AND
one-time passcode from my whizz-bang security gizmo, but I couldn’t find any option for updating my address. "Perhaps I have missed it", I said to the lady in the call centre, after she had been through all of the additional security questions and had confirmed that it was indeed me, "No", she said, you have to go into the branch and tell them". "But I work in London, and can’t get in". "That’s ok", she said "I’ll contact your branch and they can send you the form". "And where will they send it?" "Ah!", she said, "You don’t live there anymore, do you? You’ll have to write to them". "But if I write to them, how will they know it’s me?" "You’ll have to write to them", she repeated. Now I can tell a procedural road block whan I hear one, and I could tell I was hearing one – I considered my best option was to give in before they start quoting the Data Protection Act at me … I sent the letter…
So I have the security gizmo, I have all of the answers to their
security questions, I have full access to the account, and because of
all of this, they are convinced it’s me and they let me move my money
to anywhere that I want to. But they won’t let me change my address.
If a crim wants to do it, and divert my bank statements, cheque books,
cards and so on to his address, he just sends them a letter, and signs
my name (probably not that difficult) – job done, and there’s nothing I
can do about it.
Can I see the one-time signature catching on as an additional
security feature? Perhaps I can, because it apears that the security
experts don’t think that the password, one-time passcode gizmo and
security questions are enough.