NS&I online log-in authentication
Comments
-
Swipe said:
The person you will have been passed to create a new password will not have sight of your account details. They will have been obfuscated during the process, hence the reason you were passed to someone else.
While that may be true, it is horrendously poor practice to normalise such things.
1) If they tell you "WE WILL NEVER ask you for your full password", and then go on to do that -- in whatever roundabout, justified way, then it opens the door on "never" meaning "mostly never, but on this occasion it's okay". Scammers won't just put a foot in the door, they will kick that door off its hinges.
2) In an ACTUAL scam scenario. "I am calling from your bank ..." scam calls, one of the SCAM techniques is to ask you to type in your PIN/Date of Birth etc. But to echo what you said above. "Don't worry, I am not able to access that, I am passing you to our automated secure system". Robot voice says "Please enter your pin". You naively comply. Scammer sees number come up on screen. Job done. Another sucker fooled.
It is a bad idea. I hope the poster above's complaint lands with someone in possession of the corporate brain cell that understands the problem, not just fobs them off with platitudes.
0 -
AmityNeon said:
https://www.nsandi.com/contact-us
Have your details to hand
To manage your accounts or personal details, you'll need to be registered for our online and phone service. Please have your NS&I number and password to hand.
To whomever you spoke, they should not have asked for your full password. Internal systems used by agents may request specific characters from a customer's password, and if successfully verified, further account/personal details are revealed to the agent to further prompt the customer for identity verification. These systems are fully audited to prevent employee misuse.
It should never be possible for an agent to ascertain the authentication credentials of a customer that permit the agent to impersonate that customer through a customer interface (e.g. web login).
It should be impossible to verify specific characters from a customer's online password, because that means the password isn't being stored securely to guard against an online data breach. Only a hash of the password should ever be stored by the provider, and from that the password cannot be reverse-engineered. Only a full password can be verified by hashing it and comparing with that stored in the database if appropriate security exists. That said, I would not be divulging it over the phone (given its length and complexity, I doubt I would succeed even if I was willing). They should have sufficient telephone security details that are different than those used to log in online.
I think a complaint is wholly justified under the circumstances. No FCA Authorised firm would get away with this practice.
5 -
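The storage point made in the post above, as an added example that is not part of the original thread and is not NS&I's code: a single salted hash can only confirm a whole password, while a store that can check "characters 2 and 6" must keep something per character, which gives the whole password away once the records leak. The per-character scheme, the function names and the sample password are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import string

ITERATIONS = 1_000  # kept low so the demo runs quickly; not a production setting
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def kdf(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)


def enroll_full(password: str) -> tuple[bytes, bytes]:
    """Store a random salt and one hash of the whole password."""
    salt = os.urandom(16)
    return salt, kdf(password, salt)


def verify_full(record: tuple[bytes, bytes], attempt: str) -> bool:
    salt, digest = record
    return hmac.compare_digest(kdf(attempt, salt), digest)


def enroll_per_char(password: str) -> list[tuple[bytes, bytes]]:
    """Hypothetical weak design: one salted hash per character position."""
    return [enroll_full(ch) for ch in password]


def verify_chars(records, answers: dict[int, str]) -> bool:
    """answers maps a 1-based position to the character the caller gave."""
    return all(
        0 < pos <= len(records) and verify_full(records[pos - 1], ch)
        for pos, ch in answers.items()
    )


def recover_from_leak(records) -> str:
    """With leaked per-character records, each position needs at most
    len(ALPHABET) guesses, so the whole password falls out."""
    return "".join(
        next(c for c in ALPHABET if verify_full(rec, c)) for rec in records
    )


if __name__ == "__main__":
    pw = "T4ble-Lamp"  # constructed sample password
    full, per_char = enroll_full(pw), enroll_per_char(pw)
    print(verify_full(full, pw), verify_chars(per_char, {2: "4", 6: "-"}))
    print(recover_from_leak(per_char) == pw)
```

The full-password record offers no equivalent shortcut: an attempt that is wrong in one character fails exactly like any other wrong attempt, so nothing about individual positions can be checked against it.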
To agree with Masonic's very valid point, if a financial company ever asks you for certain characters from the password, you should seriously consider if you want to continue holding an account with them as it means that their security is weak.
Ideally in this case the reset should have been done via a letter to your address since the land line is no longer a source of identity, and they shouldn't ask for the password over the phone as that is too easy to obtain.
0 -
Swipe said:
There is also an NS&I 6 digit pin that you will have set which they may also ask for.
I can't remember what I did, but two weeks ago I managed to mess up my password or tried too many times and so I ended up calling them. They sent me a letter with a 6 digit pin, it arrived 5 or 6 days after the call. Once I got the letter, getting my account up and running again was straightforward.
1 -
I have just experienced the same issue; the person in security asked for my new password. I told them that the UK National Cyber Security Centre, a Government Organisation just as NS&I are; their advice and guidance is "Never give your password to anyone, even security." The person in security said to me, "Do you want to proceed or not?" I declined. Later, I rang NS&I again and asked someone in Customer Service, after by-passing the ignorant Chatbot, whether this request was valid; as I thought I might have, somehow, been scammed. He confirmed that it was correct and advised that I could give security a password and then, afterwards, change it.
More "waste"; inconsistent security procedures in the Government departments that will require non standard auditing and customer issues.
1