Friday, November 14, 2008

Security madness

Pangloss has just booked a ticket to Edinburgh on and had the booking details sent to her mobile. I was sent an authorisation code which lets me pick up the tickets from an automated machine.

Not a very difficult process you might think; certainly not for a professor of Internet law?

But in fact every previous time I have started to do this, I have given up in sheer frustration and irritation and just gone to the station and bought the damn ticket - why?

Because making this very simple everyday e-commerce transaction involves:

- remembering my login - not easy, because they refuse my "normal" password as it does not have numbers in it (thus encouraging me to use a highly guessable password instead, as the kinds of numbers people can remember ARE highly guessable - you know what I mean :)

- going through not just ordinary debit card security, but ALSO RBOS's *extra* security (since my debit card is RBOS) - which involves re-entering much of the same info, plus a DIFFERENT password from the one I already use for RBOS's *own* online banking, which is again a different password from my "usual" password, because of their *own* arcane restrictions

- putting in my mobile number, but having to go through yet another login to get a "verification code" before I can actually get the damn booking reference sent to my damn phone.

Do you begin to see why I might prefer just to go queue at the station??

By contrast, in the days when I flew to Embra from Soton, somehow I could book a plane using an ordinary credit card, avoid extra security by using a credit card whose issuer hadn't yet invented "VisaSafe" or whatever :-), get a reference number, and just stick the credit card in a machine at the airport to get my tickets printed out. Damn it, I could even print my tickets AT HOME and forget all my reference numbers.

This rant is partly, then, about why it can't be as easy to get a train ticket as a plane ticket, when logic suggests it should be the other way round.

But mainly it is about B2C e-commerce and payment security in general. This is NO WAY to build a business model. I should not have to re-enter fiddly personal details in different abstruse combinations three or four times to complete a simple transaction.

The banks' security, upped in reaction to their fears of having to reimburse CNP (card-not-present) fraud losses (even though they offload most of it on to the merchants), has reached the point where, I assert, it will do its best to deter most ordinary customers. I don't know what the answer is, though I suspect it has to do with identity management, or with rolling out physical tokens to everyone, not just prized upmarket customers. But this simply will not do.


Anonymous said...

It's worse than that.

If your bank implements Verified By Visa, there's often no way of knowing whether the vendor you're buying from uses it until you get to the screen with it.

Then, if you decide you don't want to enrol in the Verified By Visa programme, you have to click "Cancel".

However, if you do that, your bank will decide that this is a fraudulent transaction, and will stop your card...

See also:

Oh, and it's trivial to change your VBV passwords (or someone else's, of course):


Michael Bromby said...

It's even worse than that! I've had similar thoughts about our friends at but I've just bought myself a ticket for the Gatwick Express, who actually send your booking reference via SMS, which is also the 'on-board redemption code' that you show to the grumpy old fella who checks the tickets on the train. What's to stop me forwarding this message to someone else? Nothing. It would appear on their phone as from 'me', but if they change my name in their address book to rename me as 'GatwickExpr' then all looks as it should! Clearly the conductor will realise when the code won't redeem on his handheld thing twice, but how does he know who the fraud is and what can he do?