Would you recommend people use their mobile banking app where they can instead of online banking?
I would recommend taking a level of suspicion on everything you receive. Mobile phones are highly secure and people should trust them more than they currently do. But the inherent weaknesses in laptops and desktops are behavioural (Cyber Hygiene), and we need to improve that. Cyber Hygiene relates to the steps you, as an individual, should take to maintain your security online, for example passwords, backing up data, securing your personal data and implementing anti-virus software.
What do you think are the main causes of online identity fraud that we can help prevent ourselves?
Make sure your connection is secure; it’s important to be aware of what that security is. There have been tests for people to see the difference between a legitimate website and a copy – and they can rarely tell. Most of it is about ‘does it feel right?’ For example, a government website will have .gov.uk in the URL. Check the domain name. If you’re still suspicious, go back to Google, type in the bank’s name and then go through the organic search result.
Be more suspicious about emails and phone calls. Most banks will not require an urgent action, so if it’s a communication asking you to send or update information immediately, that’s likely to be a phishing scam. The good thing that’s happened to the banking industry is that they’ve added so many controls and levels of security with the FCA to protect you as a customer. They can’t just close accounts or make charges without warning. If you get something that seems unfair to you, there’s a high chance it is not real, so don’t respond emotionally.
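As an added illustration of the ‘check the domain name’ advice above (example code written for this page, not from the interviewee or their bank), the following Python shows why the check has to be made on the hostname the browser actually connects to, rather than on whether ‘gov.uk’ appears somewhere in the address. The lookalike addresses are constructed for the example and none of the hosts are real.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample addresses: one genuine pattern and several lookalikes of
# the kind a phishing email might carry. None of these hosts are real.
SAMPLE_URLS = [
    "https://www.gov.uk/sign-in",                         # genuine host under gov.uk
    "https://gov.uk.account-verify.example/login",        # 'gov.uk' is only a prefix of another domain
    "https://www.gov.uk@account-verify.example/login",    # 'www.gov.uk' is userinfo; the real host follows the @
    "https://account-verify.example/www.gov.uk/login",    # 'gov.uk' appears only in the path
    "https://notgov.uk/login",                            # ends in 'gov.uk' without the dot boundary
    "http://www.gov.uk/sign-in",                          # right host, but not over HTTPS
]


def hostname_of(url: str) -> Optional[str]:
    """Return the lowercase host the browser would connect to, or None if there is none.
    urlsplit discards 'user@' userinfo and the port, which a naive string search would not."""
    return urlsplit(url.strip()).hostname


def belongs_to(url: str, expected_domain: str) -> bool:
    """True only if the host is expected_domain itself or a subdomain of it.
    Suffix matching requires the '.' boundary, so 'notgov.uk' does not pass."""
    host = hostname_of(url)
    if host is None:
        return False
    expected = expected_domain.lower().strip(".")
    return host == expected or host.endswith("." + expected)


def looks_legitimate(url: str, expected_domain: str) -> Tuple[bool, str]:
    """Apply the two checks from the advice: a secure connection, and the right domain name."""
    if urlsplit(url.strip()).scheme != "https":
        return False, "connection is not https"
    if not belongs_to(url, expected_domain):
        return False, "host %r is not under %s" % (hostname_of(url), expected_domain)
    return True, "ok"


def naive_contains_check(url: str, expected_domain: str) -> bool:
    """The intuition 'the address contains gov.uk', kept only to show that it accepts every lookalike."""
    return expected_domain in url.lower()


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        ok, reason = looks_legitimate(url, "gov.uk")
        print("%-52s naive=%-5s proper=%-5s %s" % (url, naive_contains_check(url, "gov.uk"), ok, reason))
```

Running the block prints one line per sample address: the naive substring test accepts all six, while the hostname-based check accepts only the first. The same `belongs_to` check works for a bank’s own domain by passing that domain as `expected_domain`.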
What really is the safest password format?
You need to combine two things – something easy to remember and something that will restrict brute force. There are two approaches to guessing your password – a dictionary attack and a brute force attack. The first attempts common passwords or words from a dictionary. The second tries every combination of letters and numbers. So, in general, picking a password which is not a common password (e.g. not “password” or “123456”) or a single word from the dictionary is a bare minimum. This will not prevent the brute force attack though.
To reduce the effectiveness of a brute force attack you need to make your password much less predictable and more random (this is known as ‘entropy’ in the tech world!). That doesn’t mean you have to use a lot of random passwords; you just need to make the number of variations required in a brute force attack as large as possible. In general, longer passwords are more effective than short ones. New government and industry guidelines state that combining three random, unrelated words, possibly with a number or symbol too, is in fact one of the best ways to create a secure password.
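To put numbers on the two attacks described above, here is an added Python example (written for this page, not the interviewee’s or their bank’s code). It scores a password on both axes: whether it falls to a dictionary check, and how many candidates an exhaustive search over its length and alphabet would have to cover, expressed as bits of entropy. It also goes slightly beyond the interview by converting bits into a time-to-exhaust figure and by comparing the ‘three random words’ approach with conventional passwords. The wordlists are tiny constructed stand-ins, the guessing rate is a labelled assumption, and 7776 is the size of a standard Diceware wordlist.

```python
import math
import string

# Constructed stand-ins for an attacker's wordlists. A real dictionary-attack
# list holds millions of entries; these few are enough to show the check.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}
DICTIONARY_WORDS = {"correct", "horse", "battery", "staple", "monkey", "dragon"}

# Assumed guessing rate for the time estimate below; real rates depend on the
# hashing scheme and hardware, so treat this purely as a labelled assumption.
ASSUMED_GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365 * 24 * 3600


def charset_size(password: str) -> int:
    """Size of the alphabet a brute-force search must cover: the union of the
    character classes the password uses (lowercase, uppercase, digits, symbols)."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    return sum(len(cls) for cls in classes if any(c in cls for c in password))


def brute_force_entropy_bits(password: str) -> float:
    """log2 of the number of candidates in an exhaustive search of this length and alphabet.
    This is the 'number of variations' the interview talks about, expressed in bits."""
    n = charset_size(password)
    return len(password) * math.log2(n) if n else 0.0


def is_guessable_by_dictionary(password: str) -> bool:
    """A single common password or dictionary word falls to a dictionary attack
    regardless of its brute-force entropy; a trailing digit or symbol does not help."""
    lowered = password.lower()
    stripped = lowered.rstrip(string.digits + string.punctuation)
    return any(c in COMMON_PASSWORDS or c in DICTIONARY_WORDS for c in (lowered, stripped) if c)


def passphrase_entropy_bits(num_words: int, wordlist_size: int) -> float:
    """Entropy of num_words words drawn uniformly at random from a list of wordlist_size words,
    i.e. the 'three random unrelated words' approach: each word is one symbol from a large alphabet."""
    return num_words * math.log2(wordlist_size)


def years_to_exhaust(bits: float, guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Years needed to try every candidate at the given rate (the attacker's worst case)."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


def assess(password: str) -> dict:
    """Both checks together: dictionary exposure first, then brute-force effort."""
    bits = brute_force_entropy_bits(password)
    return {
        "dictionary_guessable": is_guessable_by_dictionary(password),
        "brute_force_bits": round(bits, 1),
        "years_to_exhaust": years_to_exhaust(bits),
    }


if __name__ == "__main__":
    for pw in ("123456", "Password1!", "Tr0ub4dor&3", "correcthorsebattery"):
        print(pw, assess(pw))
    # Three words from a 7776-word (Diceware-sized) list give about 38.8 bits; four give about 51.7.
    for n in (3, 4):
        b = passphrase_entropy_bits(n, 7776)
        print("%d random words: %.1f bits, %.2g years to exhaust at the assumed rate" % (n, b, years_to_exhaust(b)))
```

The point the output makes is the one in the answer: “Password1!” has a respectable brute-force figure yet is still dictionary-guessable, while three words drawn at random from a large list are easy to remember and have no single dictionary entry to hit. Increasing the number of words (or the list size) raises the entropy linearly in bits, which is exponential in guesses.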
Why don’t we use token generators?
Token generators exist for other banks to help increase security from a web browser. They enable them to verify that you have something that you know (your password) and something that you have (your phone or token generator device). We don’t need that because those things are already in place – your phone is already acting as the second authentication. If ever we did provide a web platform we might need a token generator, but that could be your phone.
However, I think that could provide a level of complexity which is a contradiction to our main goals of making banking more straightforward and convenient. A token generator is saying ‘look how secure we are’, but what it’s actually saying is ‘we have a problem with security and for us to fix it we have to make it the customer’s problem’. The bank should solve that with technology. It’s important for us to not make our problem your problem.
We get this question a lot… so what’s the issue with rooted phones?
I totally understand why people root their phones (meaning jailbreaking or unlocking your device so that you can customise it). The majority of people who root their phones do so for legitimate reasons like updating their operating systems, not because they want to install malware. But when you root your phone you elevate the permissions for some applications to see other data. There are subtleties to prevent that, but we cannot see whether that is the case. Allowing rooted devices could also prevent us from being able to offer certain features, for example, Google themselves do not allow Google Pay on rooted devices.
For that reason we take this position of concern until we’re more confident we can protect you from the risks with a technological solution. The people that know that this is even possible are ‘tech savvy’, but we can’t differentiate those from people who don’t know what they are doing. Most banks are banking first with technology second, and they often outsource that bit. Our focus is technology first for the benefit of our customer, with banking alongside, and it’s central to everything we do, including security.
What can we do to stay safe when using mobile banking?
There are a few basic things that are easy for everyone to follow – make sure any apps you are installing or have are genuine: look at reviews, the number of downloads and the company name. It is also important to keep apps up to date; there are often security improvements included in updates.
Do you think mobile banking security has any limitations?
Yes (at the moment). Ultimately the limitations are in relation to the things that require you to be physically present in banks, e.g. cash and cheques. Every year, I get a cheque from my grandparents and we have to find technological ways to handle these things, like scanning cheques, which will be increasingly important for us with sole traders. It’s really important for us because it’s an issue for our customers. The things that ultimately tie people to their branches are things like mortgages, large value and cash transactions. People want the confidence of talking to someone; it’s that perception of security being face to face with someone. But times are changing and people are becoming more comfortable doing things online, so aspects like that will naturally change over time.
The volume of cheques has already been decreasing for a few years, but I don’t think they’re going to go away (not just yet) – there are a lot of industries and places that still need them. In areas of poor internet connection they are important, and they give the ability for someone to pay on your behalf. Society is becoming increasingly cashless and that will continue, but we need to solve the problems that are preventing it, for example, small retailers are being charged for small transactions and in turn need to add a minimum card payment value or an additional charge. Things are changing though…