ns&i security problems

gpu

I've just registered for a direct ISA with NS&I. The letter arrives with a temporary password which I must ring up to change. The letter clearly states never to give anyone your password and says "our telephone service operators will only ever ask you for part of your password, never for the whole password".

Despite this when I ring up they ask for my whole new password. I quoted the letter but they insisted. They led me to believe I could change it immediately so I gave them an easy guessable password with the intention of changing it online whilst I was on the phone to them. However, once I was into the web based system there was no option to change your password. So I asked the guy to immediately change it or allocate a new temporary one. He said he couldn't and I had to ring back...

When I rang back I said my password was compromised and I wanted it changing immediately. THEY CAN NOT DO THIS!! They will only send out a temporary password by post. Your password will not be changed until you receive the letter and ring up again. This could be 5 days. I insisted that I wanted the password changed immediately but they could not/would not do it.

So to be on the safe side I had no option but transfer my money out back to my current account thus losing my tax free allocation for the year.

They tell me that their "system is 100% secure". How can a system be 100% secure when it takes 5 days to change your password?:mad:

tom188

Sounds a rather extreme reaction to put it mildly.

In the very unlikely event that an operative used your details to steal from you they would lose their job and face prosecution, and you would have been refunded.

gpu

There have been many cases of fraud committed by bank staff. The point is you shouldn't give a full password to anyone. If someone over hears, bank staff or someone else near to you when your on the phone then they have your password.

And in this case I can't change that password for 5 days! Yes it's "very unlikely", but I'd rather be safe than sorry.

gpu

ns&i have since called and back tracked on what they said earlier. They now say that when you ask for your password to be re-set it should be done immediately.

However, I logged in to my account after I requested a password change and transferred out all my money. They say this should not have been possible and are treating it as a "very serious security incident".

So much for their assurance that the system is "100% secure".

masonic

The mitigating factor here is, of course, that even if someone did get into your account, all they could do is move the money to your linked current account, which would be inconvenient for you, but no good to them.

DawnW

gpu wrote:

ns&i have since called and back tracked on what they said earlier. They now say that when you ask for your password to be re-set it should be done immediately.

However, I logged in to my account after I requested a password change and transferred out all my money. They say this should not have been possible and are treating it as a "very serious security incident".

So much for their assurance that the system is "100% secure".

I had a similar problem re paswords and NS&I, though with a standard savings account rather than an ISA. There were other customer services problems as well to be honest, stationery necessary to operate the account did not arrive despite repeated phone calls etc, so I just took the money out in the end. Obviously this matters far less than losing part of your ISA allowance. I was going to give them another go with an ISA for the next tax year, but it seems thay haven't improved, and despite the good rate, I will look elsewhere.

gpu

ns&i certainly don't agree that its a "Lot of fuss about nothing much". They view it as a serious security breach.

"I have no doubt that thereafter there is an online change facility." You are wrong - there is no online option to change your password. Section 27 states "We may in the future offer the facility to change your password via the internet." It is your misconception not mine.

Section 26 refers to applications by post. I made my application online.

"more your misconception than reality" - get your facts right before you start accusing others of lying.

Mikeyorks

gpu wrote:

They view it as a serious security breach.

So you say .. but the crux of what is wrong appears to change a bit, as your posts progressed.

Where you came in .. is the outrage they insisted on the full password, when you rang to change it? Surely the penny has dropped by now?

gpu

ns&i changed their stance. First they said they couldn't change the password immediately. Then they rang me back and said they had changed it immediately, but in fact the old password still worked.

No secure banking system will ever ask you for your full password.

tom188

The websites of

Intelligent Finance
Halifax
Alliance Leicester
Lloyds TSB
Morgan Stanley

and many others

all request your password in full.

gpu

Then I won't be using them or recommend their use. There are many key logger programs out their that could easily grab your password. That's why the more secure sites will ask you for two or three letters only. It's also why others will ask you to select the letters/numbers via a drop down list (Nationwide for example)

read this http://news.bbc.co.uk/1/hi/business/6279561.stm