Unshakeable Salt

Security and banks should be synonymous,  after all there is regulation up to the hilt to ensure that everybodies money is safe.  Unshakeable Salt has provided PCI-DSS 3.0 consultancy and we understand what measures need to be undertaken by financial institutions to protect from loss. However there is an emerging trend by banks to implement hip and trendy features that reduce the existing security safeguards that the public expect to be in place.

So why have Natwest and RBS introduced something known to be less secure as being their authentication to their mobile apps ?

A mobile phone passphrase for a banking app is typically 4-18 characters in length,  it is the ‘something you know’ part of the 2 Factor Authentication (2FA).  The ‘something you have’ being the phone upon which there is a level of trust previously established by the binding your account to a specific device.

By swapping to the use of the biometric sensor on the phone you limit the ‘something you know’ to being the knowledge of which finger(s) you can use.  Or as identified when the iPhone 5 first came out – the removal of it completely with the haptic use of Jelly Baby upon a previously unlocked phone by bypass the inbuilt security.

Access to your bank details are now 1 factor,  just the possession of the device.

So why ?

Convenience is certainly one reason, as it’s easier to use your phone one handed and let it scan your finger rather than move your thumb around and to type 18 characters before pressing submit.

When online banking and banking apps first became available everyone wanted to see the maximum security measures incorporated.   The scaremongers at the Daily Mail unusually didn’t say that your life savings would be wiped out.  Instead they actually provided correct information – after all,  all you can really do with the app is see your balance and transfer to people who you have already established a legitimate banking relationship with. So even if someone stole my phone,  got in from the front screen security measures, launched the app and used Mr Yellow jelly baby to get into my RBS app,  the most they would be able to do is transfer cash to my kids savings accounts or maybe pay my council tax for me to early.

So there isn’t really any change in risk,   just an end users perception of risk.

Security isn’t hip, trendy and particularly understood by the public.  Mike Hine at Information Security Magazine picked this up in his recent blog article on the ‘Security and the Cool Factor‘.  But if it did become trendy or better known,  then security would in fact become easier.  Over the years Health and Safety campaigns through the UK have made people sceptical,  with ‘Safety First’ becoming associated with more cost and a longer wait.  Because there hasn’t** been an ‘Information Safety First’ campaign of similar magnitude there is still a chance we can make it trendy and drive adoption correctly.

Maybe the banks are making those first steps by championing change and raising the public awareness that we all need.



** I acknowledge the existance of GetSafeOnline & Cyber Streetwise, both of which are approaching the subject in the typical buzzword approach.


Director of Unshakeable Salt, an Information security specialist who first started contracting in 1997.

Next Post