NSI Barbaric security system

TheBanker

mikb said:

Section62 said:

Olinda99 said:

The particular dangerous one is mother's maiden name - in my opinion you should never use the real one.

Agreed.  The FCA should tell the organisations still using mmn to stop doing so without delay..

Personally, I can't believe that the FCA allowed it in the first place (or that any banks/financial institutions thought this was a good idea to make this even an issue).

Using researchable items of data as "security" is a joke. A bad joke. I have a range of "first school", "pet's name", "favourite car brand", "mother's maiden name"  and "where you grew up" answers -- none in common between organisations, because I recognised that this was a _stupid_ security feature.

The complication comes where terms 41.7 subsection j) says "You agree that _all_ information you submit to us is truthful and accurate ..." -- well, mostly. Apart from the security things.

And the other complication -- if they are digging into your credit files and cross-referencing with open banking etc. it is possible they are picking up information from _real_ sources. So when they ask about "How many children?" you need to counter with "Actual children, or the number I told you I had?" ...

The use of mothers maiden name pre-dates the FCA, and probably pre-dates financial services regulation as we know it today. I think it's been around since the early days of telephone banking. 

These types of questions were more secure in the pre-internet era where the answers were less researchable. 

I agree though they should not be used any more. 

Section62

TheBanker said:

mikb said:

Section62 said:

Olinda99 said:

The particular dangerous one is mother's maiden name - in my opinion you should never use the real one.

Agreed.  The FCA should tell the organisations still using mmn to stop doing so without delay..

Personally, I can't believe that the FCA allowed it in the first place (or that any banks/financial institutions thought this was a good idea to make this even an issue).

Using researchable items of data as "security" is a joke. A bad joke. I have a range of "first school", "pet's name", "favourite car brand", "mother's maiden name"  and "where you grew up" answers -- none in common between organisations, because I recognised that this was a _stupid_ security feature.

The complication comes where terms 41.7 subsection j) says "You agree that _all_ information you submit to us is truthful and accurate ..." -- well, mostly. Apart from the security things.

And the other complication -- if they are digging into your credit files and cross-referencing with open banking etc. it is possible they are picking up information from _real_ sources. So when they ask about "How many children?" you need to counter with "Actual children, or the number I told you I had?" ...

The use of mothers maiden name pre-dates the FCA, and probably pre-dates financial services regulation as we know it today. I think it's been around since the early days of telephone banking. 

These types of questions were more secure in the pre-internet era where the answers were less researchable. 

I agree though they should not be used any more. 

Barclays were using mother's maiden name as a 'security' question in branch for some things in the 1970's.

mikb

TheBanker said:

mikb said:

Section62 said:

Olinda99 said:

The particular dangerous one is mother's maiden name - in my opinion you should never use the real one.

Agreed.  The FCA should tell the organisations still using mmn to stop doing so without delay..

Personally, I can't believe that the FCA allowed it in the first place (or that any banks/financial institutions thought this was a good idea to make this even an issue).

Using researchable items of data as "security" is a joke. A bad joke. I have a range of "first school", "pet's name", "favourite car brand", "mother's maiden name"  and "where you grew up" answers -- none in common between organisations, because I recognised that this was a _stupid_ security feature.

The complication comes where terms 41.7 subsection j) says "You agree that _all_ information you submit to us is truthful and accurate ..." -- well, mostly. Apart from the security things.

And the other complication -- if they are digging into your credit files and cross-referencing with open banking etc. it is possible they are picking up information from _real_ sources. So when they ask about "How many children?" you need to counter with "Actual children, or the number I told you I had?" ...

The use of mothers maiden name pre-dates the FCA, and probably pre-dates financial services regulation as we know it today. I think it's been around since the early days of telephone banking. 

These types of questions were more secure in the pre-internet era where the answers were less researchable. 

I agree though they should not be used any more. 

True. But -- "friends" and family though ... they've never need to research things like that. Or dates-of-birth.

Then again, the meme of using a maiden-name as stupidity security was instilled in me at a young age. Before "memes" existed

"Try his first wife's maiden name" from Micro Live ... scroll to "Hacking Incident" and sing the words there to the tune of "Music! Music! Music! (Put Another Nickel In)"

Kim_13

Section62 said:

TheBanker said:

mikb said:

Section62 said:

Olinda99 said:

The particular dangerous one is mother's maiden name - in my opinion you should never use the real one.

Agreed.  The FCA should tell the organisations still using mmn to stop doing so without delay..

Personally, I can't believe that the FCA allowed it in the first place (or that any banks/financial institutions thought this was a good idea to make this even an issue).

Using researchable items of data as "security" is a joke. A bad joke. I have a range of "first school", "pet's name", "favourite car brand", "mother's maiden name"  and "where you grew up" answers -- none in common between organisations, because I recognised that this was a _stupid_ security feature.

The complication comes where terms 41.7 subsection j) says "You agree that _all_ information you submit to us is truthful and accurate ..." -- well, mostly. Apart from the security things.

And the other complication -- if they are digging into your credit files and cross-referencing with open banking etc. it is possible they are picking up information from _real_ sources. So when they ask about "How many children?" you need to counter with "Actual children, or the number I told you I had?" ...

The use of mothers maiden name pre-dates the FCA, and probably pre-dates financial services regulation as we know it today. I think it's been around since the early days of telephone banking. 

These types of questions were more secure in the pre-internet era where the answers were less researchable. 

I agree though they should not be used any more. 

Barclays were using mother's maiden name as a 'security' question in branch for some things in the 1970's.

I was asked it when opening a Regular Saver in 2013, having had no previous accounts with them.

masonic

I was asked it when applying for a regular saver earlier this month. It didn't make it into the set of security questions used for online banking. Presumably it was just to be used if I phoned to discuss the application.

Cathygpie

Hi all. Following my complaint to NSI, a manager called me. After listening to my calls, he apologised and upheld my complaint. 

I had not needed to contact them since 2014. I had set up a password then and saved it. Password rules changed and the one I had saved was too short. So I was locked out.

Barbaric was how I felt at that stage. I would now say that it was an abuse of process. New rules had been made but no explanation was given.

Telling me I had failed security on my kids and grandparents names was wrong and then taking me to Equifax questions without explaining why...

Reading from here, I have learned a lot more. I understand that those type of questions are no longer safe and have set up new responses. I have had to embrace these new rules but I am still concerned that the majority of the public don't know. 

The manager said that both my calls had not been dealt with correctly and should have been managed differently when I had supposedly failed security. 

They are sending me £75 for my time and stress caused. 

vacheron

OP. Are you sure you gave them the correct account number. If there was an error in the number you gave, or the advisor entered it incorrectly, it could be possible that the advisor was looking at the answers to somebody else's security questions, hence why every answer was apparently "wrong". 

I have seen this happen before, hence why I am asking. 

Cathygpie

Ha. Definitely correct account number. That is why the whole situation was so ridiculous and so I called back to try again the next day. I was then asked favourite kids TV prog and kids book. In 2014, I had never set those questions up. 

I have had some winnings recently, all sent to my home address. Probably different depts but still...

boingy

And in the meantime, most people use their spouse's birthday as their PIN, and have the same PIN across several accounts.

Olinda99

boingy said:

And in the meantime, most people use their spouse's birthday as their PIN, and have the same PIN across several accounts.

how else are you going to remember it !