Barclays Merchant Services have an online system called ePDQ. When I want to do a refund, or if I want to check on whether a payment went through, I log into their system to see. Recently, they changed their password system.
Formerly, a password had to be at least 8 characters, of which one was numeric. And you had to change it each month, and you weren't allowed to reuse previous passwords for 6 months. Now it has to be at least 10 characters, of which at least one must be upper case, one lower case, one digit and one special character. And you can't reuse previous passwords for 12 months.
So I was happily cycling around 6 similar passwords; now I have to cycle around 12 passwords, and since there are 12 months in the year ...
So I complained, about two things. A) I used to be able to search past transactions for the one I was looking for. Now I can only search over a period of 30 days, "to improve efficiency". But that doesn't improve efficiency, it reduces it: it means I have to do, for example, six searches instead of one, which consumes more of their computer time and more of my time. B) The second thing I complained about was Security Theater.
Security Theater is when an organisation does something that looks as if it improves security but actually does nothing useful. Increasing the length of passwords, adding special characters and so on, is useful against brute force attacks (where the password is guessed by trying all possible combinations). But a much better defence against brute force attacks would be to enforce a period of time between attempts to log in. So if you made a mistake in the password, you couldn't try again until four seconds had elapsed. Get it wrong again, 8 seconds. Get it wrong again, 16 seconds. And so on. Or even: only allow three attempts, and then you can't try again until tomorrow.
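Here is what that back-off looks like as code. This is an added illustration written for this post, not anything from Barclays or ePDQ: it assumes a constructed single-user credential store (username "merchant", password "correct horse", hashed with PBKDF2), a fake clock so the waits can be shown without sleeping, and a `LoginThrottle` class of my own that implements both variants described above, the doubling delay (4, 8, 16 seconds ...) and the three-strikes-then-tomorrow lockout.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

ITERATIONS = 50_000  # PBKDF2 work factor; kept low so the demo runs quickly


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed demo store: username -> (salt, hash). Not a real account.
_SALT = os.urandom(16)
USERS: Dict[str, Tuple[bytes, bytes]] = {"merchant": (_SALT, _hash("correct horse", _SALT))}


def verify_password(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        _hash(password, b"\x00" * 16)  # same work for unknown names, so timing leaks nothing
        return False
    salt, stored = record
    return hmac.compare_digest(_hash(password, salt), stored)


@dataclass
class _State:
    failures: int = 0
    next_allowed: float = 0.0  # earliest time another attempt is even looked at


class LoginThrottle:
    """Per-account delay between login attempts.

    Each failure doubles the wait (base_delay, 2x, 4x, ...) up to max_delay.
    If lockout_after is set, reaching that many failures instead blocks the
    account for lockout_seconds (the "three attempts, then tomorrow" variant).
    """

    def __init__(self, verify: Callable[[str, str], bool],
                 clock: Callable[[], float] = time.time,
                 base_delay: float = 4.0, max_delay: float = 24 * 3600,
                 lockout_after: Optional[int] = None,
                 lockout_seconds: float = 24 * 3600) -> None:
        self._verify, self._clock = verify, clock
        self._base, self._max = base_delay, max_delay
        self._lockout_after, self._lockout_seconds = lockout_after, lockout_seconds
        self._state: Dict[str, _State] = {}

    def attempt(self, username: str, password: str) -> Tuple[bool, float]:
        """Returns (logged_in, seconds_to_wait).

        Inside the back-off window the password is not checked at all, so a
        guesser learns nothing from an attempt that arrives too early.
        """
        state = self._state.setdefault(username, _State())
        now = self._clock()
        if now < state.next_allowed:
            return False, state.next_allowed - now
        if self._verify(username, password):
            self._state.pop(username, None)  # success clears the penalty
            return True, 0.0
        state.failures += 1
        if self._lockout_after is not None and state.failures >= self._lockout_after:
            delay = self._lockout_seconds
        else:
            delay = min(self._base * 2 ** (state.failures - 1), self._max)
        state.next_allowed = now + delay
        return False, delay


class FakeClock:
    """Controllable clock so the waits can be demonstrated without sleeping."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo_backoff() -> List[Tuple[bool, float]]:
    """Three wrong guesses, each waited out, then the right password."""
    clock = FakeClock()
    throttle = LoginThrottle(verify_password, clock)
    results = []
    for guess in ("wrong1", "wrong2", "wrong3"):
        ok, wait = throttle.attempt("merchant", guess)
        results.append((ok, wait))
        clock.advance(wait)  # wait out the penalty before trying again
    results.append(throttle.attempt("merchant", "correct horse"))
    return results  # [(False, 4.0), (False, 8.0), (False, 16.0), (True, 0.0)]


def demo_lockout() -> List[Tuple[bool, float]]:
    """Three strikes: the fourth attempt is refused for a day even when it is right."""
    clock = FakeClock()
    throttle = LoginThrottle(verify_password, clock, lockout_after=3)
    results = []
    for guess in ("wrong1", "wrong2"):
        ok, wait = throttle.attempt("merchant", guess)
        results.append((ok, wait))
        clock.advance(wait)
    results.append(throttle.attempt("merchant", "wrong3"))  # third strike: locked for 24h
    results.append(throttle.attempt("merchant", "correct horse"))  # refused, not even checked
    clock.advance(24 * 3600)
    results.append(throttle.attempt("merchant", "correct horse"))  # now accepted
    return results


if __name__ == "__main__":
    print(demo_backoff())
    print(demo_lockout())
```

Two caveats a deployment has to think about. A per-account lockout also lets anyone who knows a username keep that account locked, so real systems pair it with per-source limits and a sensible cap on the delay rather than relying on it alone. And the throttle only covers guessing through the login form; if the password database itself is stolen, guessing happens offline where no throttle applies, which is where the hashing work factor and password length still earn their keep.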
But brute force isn't actually how passwords get compromised. Compromise happens because people reuse passwords on multiple sites, or because they're asked to memorise such a long and complex password that they have to write it down, for example, on a post-it note stuck to the monitor. Duh.
A much better way to ensure security is to use two-factor authentication. So, for example, on the HMRC site, I log in with my username and password, it sends a code to my mobile, and I have to type that code in. Two factors: the password, and possession of the mobile.
Another way to do this is to issue the user with a small device. You log in, you are given a six-digit code, you enter it into the device, it gives you another six-digit code, and you feed that into the web site. Two factors: the password, and possession of the device.
And that's what Barclays Online services do. I have the device, it's called a PINsentry. If Barclays Bank have understood this, how come Barclays Merchant Services haven't?
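The device exchange just described, as an added example written for this post (my code, not Barclays' PINsentry or any vendor's algorithm, whose internals are not described here): the site shows a six-digit challenge, the device answers it with a keyed hash truncated to six digits (the HOTP-style truncation from RFC 4226, used here as an assumption), and the server accepts each answer once, within a short window. The device secret is a constructed value, and the server's clock is injected so the expiry can be shown.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Tuple

# Constructed device secret. In a real token it is provisioned into the
# hardware and never leaves it; the server holds its own copy.
DEVICE_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def device_response(secret: bytes, challenge: str) -> str:
    """What the hand-held device computes from the six digits the user types in:
    HMAC-SHA256 over the challenge, truncated to six decimal digits."""
    mac = hmac.new(secret, challenge.encode("ascii"), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226 style)
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


class SecondFactorServer:
    """Server side of the exchange, run after the password (first factor) is accepted."""

    def __init__(self, secrets_by_user: Dict[str, bytes],
                 clock: Callable[[], float] = time.time, ttl: float = 120.0) -> None:
        self._secrets = secrets_by_user
        self._clock = clock
        self._ttl = ttl
        self._pending: Dict[str, Tuple[str, float]] = {}  # username -> (challenge, issued_at)

    def issue_challenge(self, username: str) -> str:
        """Fresh random six-digit challenge; replaces any earlier unanswered one."""
        challenge = f"{secrets.randbelow(1_000_000):06d}"
        self._pending[username] = (challenge, self._clock())
        return challenge

    def verify_response(self, username: str, response: str) -> bool:
        pending = self._pending.pop(username, None)  # single use: a replayed answer fails
        if pending is None:
            return False
        challenge, issued = pending
        if self._clock() - issued > self._ttl:       # stale challenge: user must start over
            return False
        secret = self._secrets.get(username)
        if secret is None:
            return False
        expected = device_response(secret, challenge)
        return hmac.compare_digest(expected, response)


def demo() -> Dict[str, object]:
    """Walk through a good login, a replay, a one-digit-off answer and an expired challenge."""
    now = [1000.0]
    server = SecondFactorServer({"merchant": DEVICE_SECRET}, clock=lambda: now[0], ttl=120.0)

    challenge = server.issue_challenge("merchant")          # site shows this after the password
    answer = device_response(DEVICE_SECRET, challenge)      # user types it into the device
    first = server.verify_response("merchant", answer)      # and types the answer back in
    replay = server.verify_response("merchant", answer)     # same answer again: refused

    challenge2 = server.issue_challenge("merchant")
    right = device_response(DEVICE_SECRET, challenge2)
    off_by_one = f"{(int(right) + 1) % 1_000_000:06d}"
    wrong_digit = server.verify_response("merchant", off_by_one)

    challenge3 = server.issue_challenge("merchant")
    now[0] += 600.0                                         # user wandered off for ten minutes
    expired = server.verify_response("merchant", device_response(DEVICE_SECRET, challenge3))

    return {"answer_len": len(answer), "first": first, "replay": replay,
            "wrong_digit": wrong_digit, "expired": expired}


if __name__ == "__main__":
    print(demo())
```

The second factor here is possession: only something holding the device secret can turn the challenge into the right answer, and a written-down password on its own is no longer enough. One limitation to keep in mind is that a six-digit answer is still only a proof of possession at that moment, so a login relayed through a fake site in real time would still go through; banking tokens that sign transaction details as part of the challenge exist precisely to close that gap.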
So I got called today about my complaint. The call started off badly: she didn't know my name. So I've been called by someone, I don't know who, all I know is they are claiming to be BMS, and now she wants me to reveal the information she needs to do the "security check". Naturally, I refused until she was able to prove to me that she really was BMS; fortunately she was able to do that.
So I've also requested that we use a password system so that next time I'm called by BMS, the caller is able to give the password that reassures me that she's not actually some scammer after my personal details.