I’m not new to having gripes about online banking security: not only have I been involved in testing credit card processing and e-commerce websites, but I ended up cancelling a credit card over its issuer’s implementation of 3D Secure (also known as “Verified by Visa” or “MasterCard SecureCode”). In fact, it ended up being part of a piece by Davey Winder in PC Pro.
Anyway, I’ve recently bought an iPad 2, since I have Windows and Android devices at home, but nothing from Apple, and I thought I would give it a go. One of the first apps I downloaded for the iPad was NatWest’s mobile banking. I already have it on my Android phone, and it’s a very quick and handy app for checking your bank balances and transferring cash when out and about. Naturally, I wouldn’t be carrying the iPad around with me everywhere, but it would be handy to have it around.
Now I think this app is great, both the Android and the iPad versions. The interface is intuitive, it’s clever, presenting you with the right keyboard options when you need to log in, and the whole design is slick. But to install it on your iPad, you need a mobile phone, as NatWest send you a code to enter into the app to link it to your account. So far so good: if I’ve got all the account details, have downloaded the app, and get a text sent to my mobile phone, that’s pretty secure.
What took the biscuit, though, was that if I asked for the security code to be sent to my mobile phone (as they ask you to do), it then invalidated the NatWest app on the phone, meaning that it couldn’t be used. NatWest’s solution? Get the security code sent to another phone. Now, I don’t know about you, but I will have a number of smart devices around the home (well, OK: my phone, an iPad, some laptops and a PC), but what I’m not likely to have is two phones.
I can’t think of any sensible reason why sending a security code to a phone that has already got the app installed would invalidate the phone app. Apart from poor design, that is. I mentioned this on NatWest’s Good Ideas page (my second post was refused, I suspect because I used the word ‘nonsensical’), and received a very prompt, if nonsensical (!) response: “This is in place for security reasons. Our Mobile team have reviewed this recently and at the moment it is not possible to allow access to both apps without the need for a separate mobile number. We apologise for the inconvenience.”
Well, I know it’s in place for security reasons. What I can’t fathom is how NatWest think that sending the security code to a second phone is secure. If I were desperate enough, I would borrow a partner’s or friend’s phone, which is inherently less secure. I would think that sending a security code which matches a bank account to the same phone, not once but twice, enhances the trust level that the app is indeed being used by the owner of the account.
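To make the design point concrete, here is an added example (my own illustration, not NatWest’s code, and no claim about how their backend actually works). It models two ways a bank could link app installs to a phone number with a one-time SMS code: a “one slot per number” model, in which merely requesting a code for a number revokes whatever install already uses it (the behaviour described above), and a per-device model, in which each install gets its own record and secret, so a second device never knocks out the first. In both models the code proves the same thing, possession of the phone number, so the revocation is a policy choice, not something the SMS step forces. The phone number, the five-minute code lifetime, the three-attempt limit and the cap of five devices per number are all constructed assumptions.

```python
# Added example: two models of SMS-code device enrolment. Constructed to
# illustrate the post; NOT NatWest's code and no claim about their backend.
import hmac
import secrets

CODE_TTL_SECONDS = 300      # assumption: a code is valid for five minutes
MAX_ATTEMPTS = 3            # assumption: wrong guesses allowed per code
MAX_DEVICES_PER_NUMBER = 5  # assumption: cap on installs sharing one number


class DeviceEnrollment:
    """Tracks which app installs (device_ids) are linked to which phone number.

    one_slot_per_number=True  : requesting a code for a number revokes the
                                install already linked to it (as in the post).
    one_slot_per_number=False : every install stays active, each with its own
                                secret, so one device can be revoked alone.
    """

    def __init__(self, one_slot_per_number: bool):
        self.one_slot_per_number = one_slot_per_number
        self.pending = {}   # (phone, device_id) -> (code, expires_at, attempts)
        self.devices = {}   # device_id -> {"phone": str, "secret": bytes, "active": bool}

    def active_devices(self, phone: str) -> list:
        return sorted(d for d, rec in self.devices.items()
                      if rec["phone"] == phone and rec["active"])

    def request_code(self, phone: str, device_id: str, now: float) -> str:
        """Issue a six-digit code for this (phone, device) pair.

        A real system would send it by SMS; it is returned here so the flow
        can be driven offline.
        """
        if self.one_slot_per_number:
            # The behaviour complained about: merely asking for a code for a
            # number invalidates whatever install already uses that number.
            for rec in self.devices.values():
                if rec["phone"] == phone:
                    rec["active"] = False
        elif len(self.active_devices(phone)) >= MAX_DEVICES_PER_NUMBER:
            raise ValueError("too many devices linked to this number")
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[(phone, device_id)] = (code, now + CODE_TTL_SECONDS, 0)
        return code

    def confirm_code(self, phone: str, device_id: str, code: str, now: float) -> bool:
        """Check the code typed into the app; on success link the install."""
        key = (phone, device_id)
        entry = self.pending.get(key)
        if entry is None:
            return False
        expected, expires_at, attempts = entry
        if now > expires_at or attempts >= MAX_ATTEMPTS:
            del self.pending[key]            # dead code: expired or exhausted
            return False
        if not hmac.compare_digest(expected, code):
            self.pending[key] = (expected, expires_at, attempts + 1)
            return False
        del self.pending[key]                # single use on success
        # Each install gets its own secret (assumption about the design), so
        # one device can later be revoked without touching the others.
        self.devices[device_id] = {"phone": phone,
                                   "secret": secrets.token_bytes(32),
                                   "active": True}
        return True

    def revoke(self, device_id: str) -> None:
        if device_id in self.devices:
            self.devices[device_id]["active"] = False


def enrol_second_device(one_slot_per_number: bool) -> tuple:
    """Replay the post's scenario: phone app linked, then an iPad added using
    the same number. Returns (phone app still active?, iPad active?)."""
    bank = DeviceEnrollment(one_slot_per_number)
    phone = "+447700900123"   # constructed number (UK drama range)
    code = bank.request_code(phone, "android-phone", now=0)
    assert bank.confirm_code(phone, "android-phone", code, now=10)
    code = bank.request_code(phone, "ipad-2", now=1000)
    phone_still_active = "android-phone" in bank.active_devices(phone)
    assert bank.confirm_code(phone, "ipad-2", code, now=1010)
    return phone_still_active, "ipad-2" in bank.active_devices(phone)


def code_misuse_rejected() -> tuple:
    """Wrong guess, replay of a used code and an expired code all fail, while
    the genuine code still works after one wrong guess."""
    bank = DeviceEnrollment(one_slot_per_number=False)
    phone = "+447700900123"
    code = bank.request_code(phone, "d1", now=0)
    wrong = bank.confirm_code(phone, "d1", "000000" if code != "000000" else "111111", now=1)
    ok = bank.confirm_code(phone, "d1", code, now=1)
    replay = bank.confirm_code(phone, "d1", code, now=2)
    code2 = bank.request_code(phone, "d2", now=0)
    expired = bank.confirm_code(phone, "d2", code2, now=CODE_TTL_SECONDS + 1)
    return (not wrong, ok, not replay, not expired)


if __name__ == "__main__":
    print("one slot per number:", enrol_second_device(True))    # (False, True)
    print("per-device records: ", enrol_second_device(False))   # (True, True)
```

Running it shows the contrast the post is about: with one slot per number, the phone app is already dead by the time the iPad’s code arrives; with per-device records, both installs are active and either can be revoked on its own. The per-device model still limits how many installs one number can vouch for, so it is not weaker in the way the “security reasons” reply suggests.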
As it happens, I also have a car phone, so I sent the security code to that number, and sat in the car verifying the app. I suspect that not everyone has the ability to do that, and will find this nonsensical (yes, I like the word) security implementation rather painful.