There is an old British saying "you can take that to the bank"; it means that the speaker believes something to be so truthful that the bank would accept it. It is believed to go back to when a cheque could be written on anything (it was simply a statement of intent) and it could be counterfeited with ease, but if it was definitely truthful then it could be "taken to the bank".
Password security is critically important especially in the world of finance, and you can take that to the bank!
I went to my bank today (National Westminster Bank, or Natwest to us in the UK) to exchange some leftover Norwegian Krone. The most shocking thing I witnessed was not the exchange rate (I ended up with less than I started with after just a week). You guessed it; the most shocking thing I witnessed related to password security.
At first glance the security of my bank is rather impressive:
- There are big bars on the doors, and the walls are about four feet thick!
- There is big thick glass between the public and the teller's money drawer (a teller is a person who works at the counter).
- You must verify your identity with your card and PIN before you start a transaction/conversation with the teller.
- My online account has two levels of password, a random username, and a third factor for creating new events (paying a new person, changing settings, etc).
Unfortunately, this all falls apart in a way that the customer doesn't normally get to see. If it had not been for a problem on the teller's screen I would never have known about this failing and gone away happy with my "proper English money".
Part way through my transaction the gentleman behind the counter informed me that he "had been logged out and will have to start again"; how odd, I thought. He then informed me that it "happens all the time" because they all use the same password.
I presume from the sentence "we all use the same password" that they also share the same username, else it is a hell of a coincidence. When someone else in the branch (I really hope it is one username per branch and not one for the entire firm) logged into the system, the teller was kicked out and had to start again.
It seems that the system in question was a "separate application" and not part of the core banking applications. From the replies on Twitter to my shocked tweet (thanks to Troy Hunt's retweet) I have been informed that it would be a major breach of banking regulations if they shared accounts for the main systems; that being said, encouraging password sharing for any system is just wrong, and even more so in an industry such as the financial sector.
I would not be surprised if the account is shared simply because there is a licence fee for the third-party system they are using; sadly this is something we see all too often (I have worked at firms which do this on a regular basis).
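The "logged out, have to start again" symptom is itself a detectable signal: a single-session system that displaces the previous session whenever the same username logs in from another terminal leaves a trail of logins for one account from several workstations, none of them preceded by a logout. The script below is an added example, not code from the original post or from any bank system; the log format (`<timestamp> LOGIN|LOGOUT user=<name> host=<workstation>`), the usernames and the workstation names are all constructed for illustration. It replays a sample log, records each session displacement, and flags accounts that were displaced between two or more distinct hosts, which is the pattern a shared branch login would produce.

```python
"""Flag shared credentials from session logs (added example, hypothetical log format)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime

# Constructed sample log. "branch_teller" is the hypothetical shared account:
# it logs in from TILL-03, is displaced by a login from TILL-01, then displaced
# again from TILL-03, with no LOGOUT in between. "jsmith" logs out before logging
# in again on the same host and is therefore not flagged.
SAMPLE_LOG = """\
2018-05-01T10:02:11 LOGIN user=branch_teller host=TILL-03
2018-05-01T10:04:40 LOGIN user=branch_teller host=TILL-01
2018-05-01T10:05:05 LOGIN user=jsmith host=TILL-02
2018-05-01T10:09:12 LOGIN user=branch_teller host=TILL-03
2018-05-01T10:15:00 LOGOUT user=jsmith host=TILL-02
2018-05-01T10:20:30 LOGIN user=jsmith host=TILL-02
"""


@dataclass
class Displacement:
    """One login that knocked an existing session for the same user off another host."""
    user: str
    displaced_host: str
    new_host: str
    when: datetime


def parse_line(line: str) -> tuple[datetime, str, str, str]:
    """Parse one log line of the assumed format into (timestamp, event, user, host)."""
    ts, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(ts), event, fields["user"], fields["host"]


def find_displacements(log_text: str) -> list[Displacement]:
    """Replay the log, tracking the one active host per user (single-session model).

    A LOGIN for a user whose session on a *different* host has not been logged
    out is recorded as a displacement; a repeat LOGIN on the same host is not.
    """
    active: dict[str, str] = {}  # user -> host of the currently active session
    found: list[Displacement] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, event, user, host = parse_line(line)
        if event == "LOGOUT":
            if active.get(user) == host:
                del active[user]
            continue
        if event != "LOGIN":
            continue  # ignore anything else in the assumed format
        previous = active.get(user)
        if previous is not None and previous != host:
            found.append(Displacement(user, previous, host, when))
        active[user] = host
    return found


def shared_accounts(log_text: str, min_hosts: int = 2) -> dict[str, list[str]]:
    """Return users displaced across at least `min_hosts` distinct hosts, with those hosts.

    One displacement could be a user walking to another till; displacements
    bouncing between several hosts is the signature of a shared login.
    """
    hosts: dict[str, set[str]] = {}
    for d in find_displacements(log_text):
        hosts.setdefault(d.user, set()).update({d.displaced_host, d.new_host})
    return {u: sorted(h) for u, h in hosts.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    for d in find_displacements(SAMPLE_LOG):
        print(f"{d.when.isoformat()} {d.user}: {d.displaced_host} displaced by {d.new_host}")
    print("likely shared accounts:", shared_accounts(SAMPLE_LOG))
```

The threshold is deliberately conservative: a single displacement is what you would see if one member of staff moved tills without logging out, so only accounts bouncing between two or more hosts are reported. On a real audit trail the same logic would also want the source IP or session ID, since some systems reuse a workstation name across terminals.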
I'm sure it isn't, and I get the impression (obviously I can't see the teller's screen from my side of the glass) that it was for "another system" due to the sort of transaction I was performing. I seriously hope the core systems are different!— melodiouscode (@jamesakadamingo) May 1, 2018
I flagged this problem up with Natwest and they quickly came back to me for details, so hopefully they will sort out the problem and password sharing will become a thing of the past. Either that or the teller in question will get told off for letting me find out (I have told them that had better not happen)!
Oh banks have a lot to learn about #passwords. I was just in @NatWest_Help and the teller had to start a process again as he was logged out of the system because "we all use the same password". I feel so secure..... No not secure worried, worried is the word I meant cc @troyhunt— melodiouscode (@jamesakadamingo) May 1, 2018