UHF

Sorry mods if its off topic but this is causing a lot of fuss with people I know.

Lloyds TSB have just added a so called "memorable word" security "feature" to thier online banking site, it now means we have to provide a phrase, with a number in it which they will randomly ask you for random chars from EVERY time you login!

In addition to the password!!!

I'm after some people power on this one if anyone else is as frustrated as me?

Move it if you feel neccessary mods but i knew this would hit a wider audience.

bobfrog1

HSBC have done the same thing, stupid thing is when you're trying to work out the 6th letter you usually saying the memorable phrase outloud while counting the letters!!!

image doctor

So an extra 20 secsonds and all the extra security it provides is frustrating you?



I think you need to get bothered by something more important to be honest.

ID

chiark

Given that your password will be your pet's name and the year of birth of your child/wife/dog, passwords aren't very strong.

Authentication needs to be good in order for the bank to allow you to carry out financial transactions remotely...

I fully support stronger authentication, and this is definitely better than the previous set-up. It might be an inconvenience, but it's being done for a reason.

Nick.

UHF

hmm, the username they give you is something totally unrelated like 64363GH for example and my password (as a Network Manager) is NOT a pets name and is a random number/letter combo which I know!

I'm not saying its a bad idea for muppets but for people who know that they have good passwords they should be able to bypass it

chiark

True. But when people write their passwords on a post-it note, they need to try and do something else - as a network manager, you'll appreciate the hell that passwords can be...

Banks need stronger authentication in order to meet their obligations and reduce their own financial risk (despite them trying to pass risk of using IB onto the end users). Until another form of authentication is ubiquitous, this is the best they've got.

Why they don't roll out smart card readers and use chip-enabled debit cards as an authentication token combined with username/password is beyond me. Readers are cheap, but on the other hand the associated cost is probably a lot more than the fraud losses per account...

UHF

sure, its protecting the masses and forgetting about the minority, which makes me wish I was an ignorant user All we want is an option to not use it, just make it on by default and the people who have crap passwords probably wont actually know how to turn it off anyway!

TaviaRS

Barclays have always done that.

To login you need:

Surname
12 digit account number
5 digit security code
2 random characters from a user selected memorable word

Seems fair enough to me, I don't want anyone getting at my money.

dsmith

The primary reason for the move to the 1st/2nd letter style of authentication is to defeat keyboard loggers and the like.

A single recorded login will no longer give full access.

NatWest did it some time ago - Egg make you select some bits from drop down boxes with a mouse (harder to record/replay).

You will very soon get used to it and it is for *your* benefit as this style of hack has been done....

Deano

chiark

Now that really annoys me - I have complained to egg many times about that, as it's no more secure whatsoever from a decent logger. I've even proved this to them.

dsmith

Nick

I agree - just quoting their blurb. Its also for date of birth so not exactly triky to discover by other means considering the amount of info you do have to supply in full.

Deano

UHF

Thats exactly what lloyds have done, 3 combo boxes with data to choose, you cant even use the keyboard to snap them!

ChrisB

HSBC have changed their site recently.

Was user ID (two alpha, 10 numeric) and full passcode.

Now DoB, user ID and selective numbers from passcode.

Reffro

When Natwest changed the security protocol, I had to stop using it. They wanted me to remember a log-in, password and a phrase, which in theory was OK seeing as I have a excellent memory for those things.

But in practice I managed to log on only once afterwards, because I couldn't remember the damn phrase exactly, so trying to get the second letter of the third word etc etc was friggin impossible as I didn't write them down, as you are told not too. And seeing as it was a real ***** ache to get online in the first place (online application leading to lots of letters being sent indivdually over two weeks) I couldn't be arsed to resolve the lost password problem and went back to phone banking. If they can't make it any easier than that, its not as if its going to save me any money, so they'll just have to continue to employ real people for me to deal with.