Nationwide's new internet security idea involves "twenty questions"
The UK's largest building society, Nationwide, is stepping up security for online customers.
Customers are now asked for additional personal information, but some people suggest that
it goes too far and that a different, simpler approach might be better.
We asked for your comments - a selection of which are below - the debate is now closed.
James of Sandbanks' answer might get him reasonable marks in his IT security exam, but in practice, try remembering, in a few weeks' time, that your favourite colour is 3bs7w8a (or whatever) over several different online bank accounts. He might just find he is a bit confused. Unless, of course, he writes them all down, in which case he would get zero out of ten. So the solution is a unique number generating authentication device, is it? I have just received my first one and am looking forward to receiving about 12 in all! We used such devices about 15 years ago for secure remote login, until we realised they caused more problems than they solved - people lose them, tread on them, drop and smash them, the batteries go flat, etc. These poor solutions for improving online security seem to me to be an attempt on the part of the banks to delegate responsibility, for something they are unable to provide, to the customer. Fraud is a serious problem, but 20 daft questions per account and/or a pile of broken authentication key pads are not the answer.
Steve H, London
I think Nationwide are right to increase security for their online banking service. The questions and answers are not that hard to choose or to remember.
John Dalby, London
Paul Lewis was right to mention the "lost" laptop in the interview, because it is indicative of the attitude Nationwide have historically taken to security. When does the top management take responsibility for its middle management incompetence?
The questions are simple to answer. The key is - do not take them literally. Provide an answer relevant to the question, not specific to the question. If the question says "what is your first holiday?", answer it with (for instance) the place you like to visit most, or the place that holds some meaning to you.
I am a Nationwide customer and have been for some time. What is the problem with Paul Lewis and Nationwide? Regarding the new security measures - instead of seeing this as a positive thing, he brought up, yet again, the laptop that went missing. Following that, earlier this year, I contacted my local branch and was reassured that I need not worry, and I felt that Paul Lewis was scaremongering. This morning he mentioned there were twenty questions that we had to go through. Well, you only need to choose five and they can easily be chosen from the first page. As a customer it took me about two or three minutes to choose my questions, which considering the protection it gives me, is not long. Why does he not mention the other banks and building societies that have left personal papers in skips? I have not seen or heard of any further security action that they have undertaken.
Sylvia Thomas, Tilehurst, Reading
Systems that have preset questions tend to encourage the "correct" answers - e.g. "What is your mother's maiden name?" prompts for an answer that is known by friends and family. Supplying false answers to these questions would be more secure but less memorable. The best system I have found allowed me to make up my own security question. Not being forced to choose from a predefined set of questions allowed me to come up with an easy to remember, hard to guess question/answer pair, where the answer bears no relation to the question. Something like: Q: What colour tie do I wear in March? A: 3frencHHens. As a rule I do not use the same security details for different online accounts, so I have a large number of reminders for sign-ons and passwords. If I was given the opportunity to supply my own question and answer as described above I would feel confident in using the same security details for several sign-ons.
Regarding the Nationwide 20 Question Game - I have written to them without response, I have called them and met stonewall silence and I have just decided to move my account. They seem to have completely lost focus on what their customers need.
William Potter, Reading
Nationwide has introduced a security system so complex that some of its account holders are forced to write down their personal log-in details or risk being locked-out of their accounts. Under those circumstances it is arguable that liability for security passes from the society to the account holder. Perhaps Stuart Bernau would like to comment. The reason that initially only five of the three million account holders complained about the introduction of the new system, is that we have no alternative, although we own the society.
Howard Sherman, Clifford's Mesne, Gloucestershire
Yet again, as with all financial institutions, this approach, however poor, only addresses the bank's end of the transaction. It does nothing for protection against real identity theft, (not just the element focused on clearing money out of a specific account), where the weak point is the user's PC. Trojan and Worm attacks incorporating key-loggers and screen-scrapers, against which anti-virus and personal firewalls are impotent, will "hoover" up everything about the individual and his accounts, passwords etc. and then return the details to its "master". Isn't it a "beautiful" irony that this new Nationwide approach has the potential to worsen the situation by making even more personal details about you available to the crook. It seems that the banks will do anything to avoid addressing this real issue, since it will require them to support a piece of software resident on your PC. Until then, there is only one really secure method of e-banking: don't.
ING has an ingenious solution on its log-in screen to the problem of transmitting keystrokes, displaying a computer-generated keypad or dropdown list so only a mouse-click is required to select digits or letters.
I complained to Nationwide on 18th October and made it very clear the only way I would remember my answers would be to write them down. I work in IT and the first rule about passwords is not to write them down. Nationwide's response was to make out I was being difficult. I then complained in writing and was told I could put in anything because I wouldn't need the questions most of the time. Not being comfortable with writing down answers I then went into a branch to move my money from an online savings account to my current account. I was interrogated by the branch manager in public who didn't realise that Nationwide had put in an extra security layer which is hard to use. Due to the security questions and the branch manager's rudeness, I am switching current accounts to another bank which realises that asking people to remember lots of data is a security risk.
As an online Nationwide customer, and despite being a generation younger at 32 years old, I had a similar experience to your listener. I found it extremely vexing trying to answer the questions with memorable answers. I am dreading having to recall them at some point in the future.
As a blind internet banking user, I am extremely concerned by the increasing use of devices which generate a number on a display screen which you have to type in to get into your account. No one seems to have pointed out to the banks that these devices will, if made the only method of access to online accounts, completely exclude blind people like myself from being able to bank online. I love online banking and it works well for me at present. Let's hope this doesn't change for the worse by introduction of the remote authentication devices.
Re the 20 questions asked by Nationwide - I also found that I could only answer 4 of them, as the others were all aimed at 20 something year olds. I have no favourite football team or cartoon character etc. I found the comments by the spokesman from Nationwide disappointing. I am sure that more than 5 people found these questions absurd.
I have logged onto the Nationwide site and submitted myself to this new barrage of questions. Most of the questions I did not have answers for, and I'd never remember them anyway. I have had to record my questions and answers in a safe place (along with all the other security combinations for various online accounts). These organisations are forcing me to put my own security at risk! But, of course, if you don't want to keep all your eggs in one financial basket, then you are going to have to have a safe means of being able to access each account. This latest raft of questions, combined with earlier security codes, was indeed a huge deterrent as all I wanted to do was to check balances anyway. Perhaps extra security might only need to kick in if the visit was to transact rather than view?
The idea of question/answer security is really no longer satisfactory. Security is better provided by a tool such as an inexpensive version of the RSA fob. Even electronics is not required, a card with an array of random numbers on it, where the user is asked to input the number at a specific column/row, will give better security than the question/answer at little cost.
My first online account was with the Nottingham Building Society 20 years ago. It sent out a one time pad of numbers and was very secure and easy to use. Current systems are far less secure. Of the accounts I have the Nationwide is one of the most secure and usable.
Thank goodness you are discussing over-zealous online security. I am planning to close my Alliance & Leicester online account because in order to check my account details I need to remember not only a pin number, but also a twelve digit account ID number. Twelve digits!! How can I remember that without writing it down, which surely defeats the point?! This is daft and means I can't check my account when I'm travelling.
I have no objection to Nationwide improving security for those of us who use on-line banking but the man from Nationwide completely missed the point. We are being asked to choose five from twenty questions to provide security information. Like your contributor, I had difficulty in choosing just five from the puerile and juvenile questions. Favourite colour? I am a man in his fifties; I haven't had a favourite colour since I was a child. Favourite team? I can't stand football and object to my building society sponsoring an over-monied media business in the first place. First holiday? Who knows? My parents, presumably, but they died many years ago. Yes, let's have more security but let's have an adult way of providing it, please.
What should worry us is that we are constantly being asked to provide all sorts of personal details, such as address, date of birth, national insurance number etc, not only by financial institutions but also commercial organizations, even when one is merely making an enquiry. How secure are the sites where such information may be stored and who would have access to it for cross-checking? As for Nationwide's procedures, it is just as well that I do not have any kind of account with them any more, for their "20 questions" cross the boundary between sanity and surrealism. If I were a customer, I would find them irksome and frustrating and would have no hesitation in closing my account and placing the funds elsewhere.
The problem is that so many of the questions are subjective, and could change over time. My favourite movie this year may be different from that next year - so this makes it difficult to always remember. Even the person from Nationwide who was interviewed admitted that he chose those questions which only had one answer: they should ALL only have one answer. Mother's maiden name, father's middle name, month of your mother's birth, own eye colour, town or city of birth - these are not subjective, and will not change over time. It is the 'favourites' questions that are so annoying, and so absolutely useless.
I have to admit that I cannot remember the answers I gave as most were inappropriate for my age, so I made them up. I now wish I had written them down!
The purpose of the security questions is merely to prompt the selection of a password. Nobody is going to check that your answer makes sense or is actually the name of a team, cartoon character or hospital. In fact, it's more secure if your answer has no relevance to the question, because that will make it more difficult to guess. So if, for example, you decide that "moneybox" is to be your security password, then whatever the question, you answer "moneybox."
There would be no compromise in security by allowing the customer to set their own question as well as the answer, when they first register.
I use other internet banking but Nationwide is so confusing that it is simply simpler to go out of my way and go in to the branch - surely that defeats the object of internet banking?
I have got round the problem of remembering passwords by using car registration numbers. Luckily, in spite of not being able to remember what I have just walked upstairs for, I can remember nearly all the registration numbers of, not only the cars I have owned in the past, but also the ones my parents owned as well. I can safely leave myself a written reminder, such as "white Renault". I know what the registration number was, but I bet nobody else does!
I complained straightaway at such arrogant and uninformed changes to customer internet account use. Makes me want to change bank. Stupid questions. I told them they were idiots - could not help myself.
I think the new security questions on Nationwide are an excellent idea, but I did not recognise some of the questions mentioned by the person you interviewed. Just in case of a lapse in memory (I am in my 60s) I have stored my answers - in a coded form - on a USB drive which is stored in a very safe place well away from my computer. It seems to me the most secure online bank I have come across.
Eva, West Yorkshire
I am a customer of Nationwide and I answered the questions. However I cannot really remember half the answers. I just hope they never use them. What we (the public) need is an electronic key on a USB stick that can be sent in response to a challenge. Maybe a key you register or something like that.
Cahoot must be way ahead of the rest. I have been using their web card for at least two years. When making an online purchase one produces on screen a credit or debit card replica of one's own card. A number for the card unique to that single purchase is generated. Furthermore, the expiry day is very close to the purchase date. It is about time that other card issuers got their act together.
Wilf Miles, Warrington
Relying on "secrets" like this is already known to be a busted flush (owing to insider fraud, social engineering and/or "lost laptops"). So why are Nationwide doing more of the same old, same old? Ultimately it is a lot of personal information being gathered with a potential disaster at the tail end. Is it wise for Nationwide (or any other institution) to hold the answers to these kind of questions in a database in the first place? I do not think so.
I have had an online account with Fortis Bank in Belgium for a number of years. It is a very effective and safe system that they have implemented. It requires no personal data, simply a "credit card" sized calculator type of device. I have a simple secret pin number for it that I never have to change and is firmly imprinted on my brain. On entering this number I receive a one time code to enter on the Bank's web site within a limited time. If I lose the calculator, it only accepts a certain number of tries before locking up. It is unique to me, no other customer of the bank can use it, even for their own account. When the battery runs down I get a new unique device. It seems to be the perfect solution.
You do not have to exactly answer the questions like an exam or memory test. The answers you type in are just checked by a computer database to see if the characters or digits match. You can type anything you like, just as I have done. For instance "What was the name of my first school?" As I do not want to answer stupid questions like this, my answer is 87321. A totally random number which I use for these occasions (that is not the real number here though). No ID criminal would ever be able to guess this if they tried to hack my account. You could even answer all the questions with the same number/letter combination like: 2b4lq81. As long as you can remember what it means you will be secure. Those who are complaining about the security questions for Nationwide's online banking are missing the point.
I have been enraged by the extra questions, and as a middle aged man, have a problem remembering where I have parked my car, let alone extra security questions. I have had three online accounts with Nationwide for over 10 years. I wrote online to complain to them and had a reply to say there would be a delay in their response, due to the high numbers of emails they were receiving.
Robert Egford, Cardiff
Prior to this layer, Nationwide's security was already one of the best. Those of us with joint accounts and shared computers are compelled to write down the answers to the Nationwide questions, as otherwise the joint account holders could give different answers to the same question. However, writing down the answers is not a problem if you only access the account from one place. Most of the people trying to break into your account will not be in that place!
An internet bank blocked my husband's account and he was asked to phone their security team. The outcome was that he was told to provide his memorable information again. Except that he could not provide anything he had given before. "First school?" he was asked. "No not that one, another one." He had to write the answers down as none of them were memorable.
The questions are definitely odd, but just tell them anything you will remember. They are not going to know whether Gromit is a cartoon character or a plasticine model!
It only takes a few minutes to select and answer five of the questions. I have recorded my questions and answers in a Word document which is encrypted and password protected so it does not matter if I cannot remember my answers in five years' time. I am glad that they have implemented this new security measure, but I will be even happier when I get my card reader from Nationwide.
My local Nationwide branch and staff at Wanstead are extremely helpful, but with regard to mortgages and online banking it would seem their hands are tied. I do not consider Nationwide to be very secure.
What really annoys me is that Nationwide keep lecturing us about security (they even sent us a leaflet about it earlier in the year), when it was their poor controls which meant customers' details were stolen on one of their laptops.
I have special places where I note down all the log-in details for various websites. Depending on the nature of the website, I use different passwords. There are many places where the same password is used - it is impossible to keep all these ideas in memory alone. On the other hand, yesterday I phoned an insurance company to get information on bonds (yield and bid price) that I hold, and they wanted to know my NI number. This is beyond what I consider reasonable for basic information. They want far too much information, and the same seems to be true of others, all done in the name of "security". Like your contributor I do not have a favourite team, or colour, and other of their "security" questions could well be a matter of public record. Then there are sites where you know your password, since it is written in a special place, enter it, and find they deny that being correct. Sorry, it has scratched one of my sore places.
In the interest of account security I have different passwords for my several internet accounts. Following a "memory block" on 14/10/07 I was appropriately logged out of my bank account. Since, I have sent 2 emails and made more than 10 phone calls holding on between 10 and 14 minutes and each time have been unable to speak to an adviser to have my account reactivated. Each time the recorded message repeats "Sorry but we have unprecedented demand...". I do not need urgent access to this account, but what if I did? I now plan to close my account, probably the only way, by sending a letter.
I think the idea is good, but some of the questions do not produce memorable answers - and preferably should be one word. Even those that produced an easy to remember answer such as your first school still produced a problem - if I went to The Abbey School would I remember whether I had entered The Abbey, Abbey or The Abbey School as the answer?
I wholly agree that the Nationwide questions are puerile. I have had to invent answers (and write them down to be found by a burglar) because I object to having to give real answers as that only enables others to build up a complete profile of my private life, i.e. name of hospital where I was born, my mother's middle name (they already know her maiden name) and stupid questions like my favourite colour - which I tend to wear every day! (Name changed for reasons of personal profile security!)
B Thomas, Dorset
The questions asked are inappropriate for many people, especially those without favourites. The choice is so limited it will be difficult to give five consistent answers that they can remember. What is your favourite colour? Blue, no yell...
Some of the "twenty questions" are just silly, others would be easily guessable by family or co-workers.
Jason S, UK
The comments we publish are not necessarily the views of the BBC but will reflect the balance of views we have received. It is helpful if contributors state if they work for any organisation relevant to an issue discussed. Readers should form their own views on whether messages published represent undeclared interests, or views prompted by a common source.