Because I forget stuff. Part of

Note: It appears you must have reached this page by a deep level URL. In general this site is currently down and unmaintained. See here

About This Post

Originally posted April 18 2006 at 15:04 under General and Web. 0 Comments. 1 Trackback (now closed). Last modified: 18 April 2006 at 17:10

LloydsTSB Online Banking

Paranoia grips
Hey, I'm not saying

Today I completed the sign up process for LloydsTSB online banking. I used to use this several years ago (long enough ago that IIRC it was just Lloyds at the time) but somehow stopped and so totally forgot my login details. When I got around to trying to sign up again last week (something I’d been meaning to do for a long time) it turned out that whilst I’d forgotten the computers hadn’t. They wouldn’t let me simply sign up because they recognised that there were login details associated with that account. That meant that I had to go through the “I’ve forgotten my customer ID” process, which basically results in them sending a new one out through the post (there is of course a question as to why—the customer ID isn’t supposed to be part of the security; the same passwords would still be valid with the new ID. Why send it through the post rather than generate a new one there and then. I suppose under some circumstances it might be slightly more secure but I’m not sure the play-off with convenience is worth it). Anyway, having received my brand new customer ID (and I think they don’t simply use account numbers not for security but because you can have more than one account associated with the ID) I had to then go through the forgotten password process. It’s seeming a long winded already, isn’t it.

The lost password process asks you to enter a new password and some “memorable information” (this seems to consist of requiring a memorable phrase, i.e. it’s essentially a second password…). The system then produces a screen with a reference code and a phone number to ring so they can confirm your not really some Nigerian scammer. All pretty much fair enough I think. Calling the number got an answer before even the first ring (actually that took me way be surprise. Let the phone ring one so I at least anticipate a connection!) Everything went smoothly enough and I was thinking fine. Except I’ve been sat here considering this, semi-consciously. The thing is, the way they identified me.

The routine followed the pretty standard pattern in this case. A few questions about the account (though not including the number and sort code) and there you go. It’s the questions, and my answers though. The first question was my postcode. Fair enough but it’s on the letter with my new customer ID remember. Second I was asked about a recent transaction for train tickets. I vaguely answered,of about £30 I think, as I dug around the wallet for a recent little mini-statement form the cash machine. The helpful call centre agent seemed pretty much about to accept this vague hand waving as I slid in £29.10. The thing is that’s still wrong; it’s certainly a recent transaction but not the one I was asked about. Indeed, it’s something like a 50% over estimate. The only other thing I was asked was to name a direct debit or standing order coming out that account—to which I pointed out that there aren’t any. That was good enough to activate my new password.

This all sounds pretty harmless but I can’t help but consider, what if I were trying to impersonate me? Let’s assume I had access to the accounts postal address (if this seems implausible I seem to remember the last time I changed address I had to fill in a form with account number, name and new address…) I request a new online banking user ID which I then receive and request a password change. The password change is confirmed by the post code (which obviously is known), a vague guess at the cost of a train ticket (they said it was form the Trainline and I’m pretty sure they were going to let it slide—I did still get it wrong remember) and saying there were no direct debits (it’s a fair bet that if the real owner hasn’t noticed anything amiss then this might be a pretty dormant account…)

Of course this is all a bit paranoid. If I have address access then its probably simpler to just request a new debit card and PIN—in fact as far as I know that takes even less security checking. Still, I think they should at least demand that I answer the questions I’m asked exactly correctly.

Comments (0):

Post a comment

Name and email address are required. Email address is never shown. If you enter a URL your name will be linked to it (this and other links will have the rel attribute set to contain nofollow). Markup allowed: <a href="" title="" rel=""> <em> <strong> <abbr title=""> <acronym title=""> <p> <br />. Anything else is stripped; please be valid. Single linebreaks automatically convert to <br />, double to <p>'s. Additionally anything that looks like a bare URL should get automagically linked. Many acronyms and abbreviations are also automagically handled.

Please note this blog's comment policy

Trackbacks (1):

More LloydsTSB

Having managed to get online banking I remembered the thing which annoyed me from all those years ago. If you read that post you'll notice I mentioned the "memorable information". The screenshot shows what the bank does with this.... [Read More]

Tracked from IMS_Blog on Apr 18, 2006 at 17:08

Trackback URL:


This Crazy Fool

Dr Ian Scott
Croydon (and Gateshead), United Kingdom
Bullding Services Engineer (EngDesign), PhD in Physics (University of York), football fanatic (Newcastle United), open source enthusiast (mainly Mozilla)

More about me [Disclaimer]

You may subscribe to IMS_Blog using the RSS Feed, the Atom Feed or by email.

Creative Commons License

From April 18 Other Years

© Ian Scott. Powered by Movable Type 3.2. This blog uses valid XHTML 1.0 Strict and valid CSS. All times are local UK time. For further details see the IMS_Blog about page.. All my feeds in one.