Is there such a thing as too much online security?

14 November 2008

As a chap who cuts his cloths using the (usually blunt) tools of the freelance trade, I have to pay my own National Insurance contributions. These are paid direct to HM Revenue & Customs and like all bills, I can pay through online banking. Obviously I'm not the only one paying indecent amounts of money to the Government, so my bank makes payment relatively simple; I don't have to enter any of the account details for HMR&C, just select the correct payment office from a drop-down menu. Easy.

Well, sort of easy. Because my bank makes the process more complicated than it needs to be and I'm not sure why. It takes no fewer than three passcodes to log in to my online banking. Even if some rapscallion hacked my account, I'm not aware of any scam that can be perpetrated by stealing money from my bank account and paying it to HMR&C. Yes, you might consider it daylight robbery that you're paying taxes in the first place, but that's not my point here. What I'm saying is there is no way that a person could profit by transferring my cash into the account of HMR&C.

So. Why do I have to bother with a card reader?

If you've never used a card reader, you slide your debit card into it and enter your PIN to generate a one-time passcode that authenticates new payment details. You can't transfer money to a third party without your debit card and your PIN and this added layer of security makes sense when payments are set up for unverified accounts; somebody could be posing as you and transferring your money to their account. But why do I need the card reader to pay the HMR&C? In this situation, the bank is in absolute control of where the money is deposited; I can't influence where the cash ends up and nor can anybody else posing as me, because the bank holds the account details.

Card readers are relatively straightforward to use, but what's the point in this situation? Is it a case of pointless belts and braces, or is there a genuine need to make us accountable for every single transaction?

1 comment

  • Colin
    What annoys me is that the card reader is still susceptible to any sort of man-in-the-middle attack - if a user is presented with a request to use it, they'd likely just think "Oh okay" instead of just wondering why it wanted to confirm their details when they were just requesting a new cheque book. If the criminal wanted to be smarter, their attack could simply replace account details of a new payee with accounts they had control of and do it that way, too. I've seen information from banks justifying the card readers as being a good idea because "other countries are already doing it that way", but elsewhere I've read the US has already suffered from man-in-the-middle attacks when such devices are in use. So basically an inconvenience that isn't necessarily helping.
