Wednesday 4 June 2014

More on passwords

I got called today by HSBC. Or at least, that's what they said. How do I know it really is HSBC? She said that her name is "Shell Townend". Which, by the way, is also the name of a building materials company in Sheffield.

So I called HSBC. They verified that there really is someone with that name working for them, and that they really had made the phone call.

But when they call back, it'll be someone else. So I phoned HSBC again, to complain.

Here's their system. They call you, and claim to be from HSBC. To prove that they really are HSBC, they give the first two digits of my date of birth, and the first three of my post code.


For most people, it's really easy to discover that information. It isn't exactly a secret. Use Google, or Facebook. So, is the information that HSBC gives a secret, and can it be used as proof that they really are HSBC? Pants.

A password is a shared secret. It's something that HSBC knows, and I know, and no-one else knows. You'd think that a bank, with any kind of interest in security, would know this.

And it isn't only HSBC. Barclays think that my bank sort code and account number (which is on every cheque that I've ever sent to anyone) is a secret, and they use that to "prove" that I am who I say I am.

The reason why bank security is so awful is that banks don't take security seriously.

And that's why I wouldn't use telephone banking, or internet banking.

And by the way, if you look me up on Facebook, you'll discover that my date of birth is January 1, 1905. And I don't have an address.


  1. So you are an unknown aged nomad then?

    How life changes.

    I used to know you when you lived in a house, and I think you ran a business :)