Sunday 16 March 2008

Security 101 : The user should be able to authenticate

Are you listening Barclays?

I like security - particularly data security and in very particular data security that protects my personal information (unlike a certain UK government department a few months back).

However, I've been around this game long enough, worked for a bank long enough and built more web applications capturing user data for long enough that I know there is one fundamental truth when it comes to data security and that is: pragmatism.

When I was at Uni I was told, "The only secure system is one that has no network connection, no keyboard or mouse and most of all no users" (and I apologise Dr Fekete for bastardising your phrase but you can't have done a bad job for me to remember it 15 years later!).

However the flip side of all of this was that depending on the data being protected, the security protocol should be appropriate without undue burden placed upon the user. Which is why logging into flickr is trivial but logging into your bank should and is a more arduous affair.

Banks are very secure environments which is good because the last thing I want is some 13 year old script kiddie making off with the tens of pounds in my bank account. Having said that, the bank should never make it difficult for me to get to the tens of pounds in my account due to security reasons.

At the moment though banks are running very scared and they are nailing the customers because of it. On my recent trip to Australia I had my card stopped no less than three times because Barclays decided that the activity looked fraudulent.

Initially I thought something serious had happened but a call to Barclays got them to right the problem which was part of their new security measures. The next time it happened was because Barclays decided that it was time for me to come home and that I shouldn't be using my card in a Fraud Capital of the world like Sydney. The third time it happened though it locked my account out entirely and I was told I would have to come into a branch with identification documents to sort it all out - except there aren't any in Australia and I was leaving the next day for Hong Kong. Luckily a very understanding parent lent some cash.

I applaud Barclays' sentiments - they really were trying to protect my account, however it would appear as though client / bank trust has disappeared and I can no longer say "I want access to my money globally" without alarm systems going off all over the place. If I was backpacking I'd have been in serious trouble as without a bailout I literally had about 10c in my pocket.

Upon return to the UK Barclays' statement was along the lines of "Sorry but we're dealing with a lot of fraud and it's better to be safe than sorry". Tell this to one of my employees who just had £3K wiped out of their account due to identity theft (spent on local UK products and didn't fire off a single warning) and they are being told they have to prove it wasn't them...

In a way I feel sorry for Barclays because they are damned one way or the other - on this issue though it should just be a case of phoning and doing a vocal authentication then saying "I'm abroad for 4 weeks, allow any transactions from xyz country until I say otherwise". In this manner everything other than DDs occurring in my home country should be treated as fraudulent and everything authorised abroad should be fine...

Bring on the chip in my hand is what I say...