Security T&Cs
oldfella
Posts: 1,534 Forumite
The following is from a BM savings account and might be a new trend?
You must not write down, store (whether encrypted or otherwise) on your computer or mobile phone handset or anywhere else, or let anyone else know, your password, identity details, or additional security details, and the fact that they are for use with your account.
Presumably if they can prove you are in breach and your account is defrauded they can claim it's your fault. Whether that will mean you lose your money is an interesting question.
I reckon this might well be regarded as an unreasonable contract term. I don't see how you can be expected to remember all the passwords for all your accounts. If I choose to store my passwords in a secure place, I can't see why this should be a breach of T&Cs.
Mike
Comments
-
store (whether encrypted or otherwise) on your computer
Not being a Geek I could be wrong on this but :-
I think that if you use your computer to access your account then the information you enter is stored electronically on your computer somewhere, and thus accessible to someone who knows how (i.e. a naughty Geek)
'In nature, there are neither rewards nor punishments - there are Consequences.'
0 -
Of course they mean 'store' as in store in a file on some storage device or other (hard disk drive, usb stick, floppy disk(!), etc). Whether you could argue that this kind of information is 'stored' in RAM for the duration of you typing in the password... is most definitely a geek question

I find this above quite depressing though - I use a password 'safe' application called Keepass which stores all my passwords on disk in a file which is encrypted. There is the option with Keepass to only allow access to the keepass file when a usb stick or other device is plugged into the PC which makes it very secure. Someone would have to a. gain access to the file on your PC, b. work out the password to the file and then on top of that c. acquire the usb stick that's required to be present in order for access to be allowed. Pretty good security basically but not allowed according to those rules by the OP.
0 -
I currently have seven A4 pages of passwords/memorable data (and growing!). The chances of my being able to memorise all this data are zero.
0 -
Yep, this is it, I gave up trying to memorize them all and instead use a password safe. As it was originally I was using just a single password for the majority of websites and then for the more 'high security' sites like banks etc I'd use unique passwords. However those weren't particularly high strength.
With keepass, you get a decent password generation program that creates high strength passwords, so every time I register on a new site I'll just create a unique new password and add an entry for it in keepass. That way when I want to login to the site I can just hit 'ctrl-alt-a' and I'll be auto logged into the site (basically a simple keystroke macro to enter the username, hit tab, enter the password and then hit enter... though you can create your own macros for more complicated login screens).
Keepass also notifies me 3 months after a password has been changed so I can change the password again to add extra security. Slight PITA and I only do this for 'high security' sites like banks etc.
Only thing that concerns me is that the keepass file that stores all these passwords is only protected by a single password itself! So the security of all those other passwords is only as safe as the master password.
Also since all my passwords are totally random it means if I don't have the keepass file to hand (which is stored on a usb stick so it's usually around), then I'm stuffed! Not too bad though because I can always just request a new password/click the 'forgot password' link for most sites.
I think a smart solution to all this would be a fingerprint recognition device that you could carry around easily (you can get them on usb sticks already but they're still pricy). That way you could just hook up your finger print recognition device, browse to any site you want to login to, hit some keystroke like 'ctrl-alt-a' or w/e and you'd be challenged to enter your fingerprint in the device. If that succeeds, the correct password for the site is located in the password db on the device and then automatically entered on the site. Smart
0 -
The following is from a BM savings account and might be a new trend?
You must not write down, store (whether encrypted or otherwise) on your computer or mobile phone handset or anywhere else, or let anyone else know, your password, identity details, or additional security details, and the fact that they are for use with your account.
Presumably if they can prove you are in breach and your account is defrauded they can claim it's your fault. Whether that will mean you lose your money is an interesting question.
Mike
I guess you are talking about Birmingham Midshires here.
How can they prove it was you that was in breach?
Surely - in order to check that you are logging in correctly - they store your security information (encrypted or otherwise) on their own computer systems?
Perhaps you would agree to their T&C if they reciprocated the other way?
0 -
How can they prove it was you that was in breach?
help desk - what's the second letter of your pw
defrauded saver - hang on let me look it up
help desk - sorry you are in breach, you have lost your money
0 -
If you have typed this accurately or copied and pasted it, then I've highlighted the key word:
You must not write down, store (whether encrypted or otherwise) on your computer or mobile phone handset or anywhere else, or let anyone else know, your password, identity details, or additional security details, and the fact that they are for use with your account.
Given that so many folks now want your mum's maiden name, your place of birth, your father's first name etc etc you have no option BUT to let someone else know 'identity details or additional security details' such as these.
The key thing - and BM are being very straight here - is the use of the word AND in connection with the association of those details with a particular account.
I used to write PIN numbers down disguised as phone numbers: "mum's work: 01 849 2765" or whatever: this would STILL be permissible, as long as you didn't write: BM Account PIN: 2765 or "Mum's work phone number is really the BM PIN number" somewhere else!
I'm not trying to make light of the problem: I HATE the idea of more and more sites having my mum's maiden name, where she was born etc etc and frankly I make it up for most sites that have no real need for the level of security they want to impose - if I can't get back in, well, there's always another email address to use.
I don't know enough about these "password safes" to know if I trust them, so I just try to be sensible and have strong passwords where needed.
Warning: ramble ahead.
I just guard really important info/sites with strong but memorable passwords. Can you remember your school telephone number from when you were 7? I can! Weird! It's (not) Abingdon4923 but that can make a strong password.
The registration number of your first car and the girl you had a crush on and always wanted to get in the back-seat of that car? Well, ORD500X and Judy becomes ORD500JudyX. Sorry I digress, but it was a nice memory.
The phone number of your last employer in Stoke (47625) ? 4S7t6o2k5e (geddit? The number INside Stoke ..... ok, I'll get me coat .... .... )
Ramble over.
The impossible things to remember without writing down are the '10 digit customer random numbers' some institutions give you and expect you to remember or quote 3 and 7 from. The only way any sensible person can deal with them is to write them down in a disguised manner: once again, that's OK with the BM Ts&Cs because of that word "and".
The nice man at the Nationwide said that their customer number could be stored in a cookie on your PC .... so it's not a critical security issue (and Halifax also allow your user name to be stored as a cookie).
0 -
The impossible things to remember without writing down are the '10 digit customer random numbers' some institutions give you and expect you to remember or quote 3 and 7 from. The only way any sensible person can deal with them is to write them down in a disguised manner: once again, that's OK with the BM Ts&Cs because of that word "and".
it's unclear from the text whether that is their meaning, I just took it as a list of things you couldn't do - any one of which would break the T&Cs
in any event it's still unreasonable - it doesn't make any sense to store your pw without a direct means of knowing which is which - the programs that encrypt your pw on your PC don't do that - it would make it very difficult to know which sequence was for which account
it's typical that it's OK for the bank to encrypt your info via a cookie on your own PC, but you are not allowed to do it
0 -
Couldn't be enforced without the 'and' being read in the way I suggest: The Unfair Terms in Consumer Contracts Regulations 1999 (SI 1999 No 2083).
it's unclear from the text whether that is their meaning, I just took it as a list of things you couldn't do - any one of which would break the T&Cs
0