There is an old British saying, “you can take that to the bank”; it means that the speaker believes something to be so true that the bank would accept it. It is believed to go back to when a cheque could be written on anything (it was simply a statement of intent) and could be counterfeited with ease, but if it was definitely truthful then it could be “taken to the bank”.

Password security is critically important, especially in the world of finance, and you can take that to the bank!

I went to my bank today (National Westminster Bank, or Natwest to us in the UK) to exchange some leftover Norwegian Krone. The most shocking thing I witnessed was not the exchange rate (I ended up with less than I started with after just a week). You guessed it; the most shocking thing I witnessed related to password security. At first glance the security of my bank is rather impressive:

  • There are big bars on the doors, and the walls are about four foot thick!
  • The big thick glass between the public and the teller’s money drawer (a teller is a person who works at the counter).
  • You must verify your identity with your card and PIN before you start a transaction/conversation with the teller.
  • My online account has two levels of password, a random username, and a third factor for creating new events (paying a new person, changing settings, etc.).

Unfortunately, this all falls apart in a way that the customer doesn’t normally get to see. If it had not been for a problem on the teller’s screen I would never have known about this failing and would have gone away happy with my “proper English money”.

Part way through my transaction the gentleman behind the counter informed me that he “had been logged out and will have to start again”; how odd, I thought. He then informed me that it “happens all the time” because they all use the same password.

(Image: the screaming lady.)

I presume from the sentence “we all use the same password” that they also share the same username, else it is a hell of a coincidence. When someone else in the branch (I really hope it is one username per branch and not one for the entire firm) logged into the system, the teller was kicked out and had to start again.
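The “kicked out when a colleague logs in” symptom is exactly the trace a shared account leaves in an authentication log: a login for an account on one workstation while the same account still has a live session on another. The script below is an added example, not code from the post or from any bank system; the log format, account names and workstation names are constructed to illustrate the check.

```python
from collections import defaultdict

# Constructed sample authentication log (not from the post).
# Fields: timestamp account workstation event
SAMPLE_LOG = """\
2023-06-01T09:00:00 branch01 WS-A login
2023-06-01T09:02:10 branch01 WS-B login
2023-06-01T09:02:11 branch01 WS-A session_terminated
2023-06-01T09:10:00 jsmith WS-C login
2023-06-01T09:25:00 jsmith WS-C logout
2023-06-01T09:30:00 branch01 WS-A login
2023-06-01T09:30:01 branch01 WS-B session_terminated
2023-06-01T09:40:00 jsmith WS-D login
"""

def parse_events(log):
    """Yield (timestamp, account, workstation, event) in log order."""
    for line in log.splitlines():
        if line.strip():
            ts, account, host, event = line.split()
            yield ts, account, host, event

def find_shared_accounts(log):
    """Flag accounts whose new login displaced a live session on a different workstation.

    A single-session system that kicks the previous user out (as described in the post)
    leaves this pattern: a login on host B while host A still holds the account's session.
    A user who logs out and later logs in elsewhere (jsmith) is not flagged.
    """
    active = {}  # account -> workstation holding its live session
    hits = defaultdict(lambda: {"workstations": set(), "displacements": 0})
    for ts, account, host, event in parse_events(log):
        if event == "login":
            prev = active.get(account)
            if prev is not None and prev != host:
                hits[account]["displacements"] += 1
                hits[account]["workstations"].update({prev, host})
            active[account] = host
        elif event in ("logout", "session_terminated") and active.get(account) == host:
            # Only clear the session if the event refers to the workstation that holds it;
            # the termination of the displaced session must not clear the new one.
            del active[account]
    return {a: {"workstations": sorted(v["workstations"]), "displacements": v["displacements"]}
            for a, v in hits.items()}

if __name__ == "__main__":
    print(find_shared_accounts(SAMPLE_LOG))
```

On the sample log this reports branch01 as displaced twice across WS-A and WS-B, while jsmith, who moved desks after logging out, is not reported.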

It seems that the system in question was a “separate application” and not part of the core banking applications. From the replies on Twitter to my shocked tweet (thanks to Troy Hunt’s retweet) I have been informed that it would be a major breach of banking regulations if they shared accounts for the main systems. That being said, encouraging password sharing for any system is just wrong, and even more so in an industry such as the financial sector.

I would not be surprised if the account is shared simply because there is a licence fee for the third-party system they are using; sadly this is something we see all too often (I have worked at firms which do this on a regular basis).

I flagged this problem up with Natwest and they quickly came back to me for details, so hopefully they will sort out the problem and password sharing will become a thing of the past. Either that or the teller in question will get told off for letting me find out (I have told them that had better not happen)!

The header image for this post was provided by @visuals_by_fred via . The screaming lady image was from @gmat07, also on . Thank you both, Gabriel and Freddie.