Trust these muppets with our money?

Two examples of banks giving me ridiculously stupid security advice.

Firstly, when the original NatWest iPhone app came out but before it was well publicised, I stumbled upon it on the App Store and thought I’d give it a try.

It was (and continues to be) made by an unknown third party called Monitise Group Ltd. Naturally worried about giving my bank details to a random company, I took the app into a branch of NatWest to ask if it was genuine.

They hadn’t heard of it, and could find no mention of it on their intranet. The lady at the enquiry desk took a look at the app, shrugged, and said that because it had their logo and looked like she would expect an official app to look, it must be genuine!

So there you have it. If you make some software with NatWest’s logo on it, they will happily tell their customers to trust it with their bank details.

[Image: Is this a card skimming device to steal your bank details? Or the security device it claims to be?]

A few months later I was at a Lloyds TSB cashpoint, and noticed a strange plastic device over the slot, and a sticker saying “this security device has been fitted to the cash machine to protect your card details”. Not likely!

We’re told not to trust ATMs which look like they’ve been tampered with in case criminals are ‘skimming’ card details as the card passes into the slot, so this immediately raised a red flag to me. I didn’t use the machine, and I called the bank, who agreed it sounded suspicious and said they’d send somebody to look at it.

When I got home, I searched the web to see if I could find any more details. Unbelievably, it seems the device is genuinely there to add security by making the slot an odd shape, so criminals can’t attach card skimmers. It’s known as an anti-skimmer, or a “full insert protruding card reader”.

They’re teaching people that it’s okay to use a cashpoint with a weird device attached to the slot. And no doubt the card fraudsters are busy making skimming devices that fit around or even look like anti-skimmers. Who made this ridiculous decision? This is a real-life example of the password anti-pattern which was so prevalent online a couple of years ago.

This would be laughable if we didn’t have to trust banks with our money.

4 thoughts on “Trust these muppets with our money?”

  1. I always find it annoying that banks don’t allow you to use long passwords with special characters.

    The securesite password for online card payments limits you to about 8 characters.

    Surely an Internet banking password should be able to be at least as secure as a twitter password.

  2. Wow, the anti-skimmer device is just ridiculous. Just thinking that they might have paid a lot of money to a ‘consultant’ to give them that advice gives me the chills.

  3. I’m not sure where I read this, but – I seem to recall that most anti-skimmer attachments are supposed to make the card ‘judder’ randomly before it enters the machine, in theory preventing a read before the card is fully inserted.

    That doesn’t invalidate your point about expectations and anti-patterns, though – the messaging on these devices needs to be stronger if they’re to be “legitimate”.
