A tale of overzealous security

I will be publishing my normal monthly post in a week or so. Until then, I wanted to share some stupidity with you, following from “Hacked off” and “Are your passwords secure?,” my last two posts, which dealt with online security. This post, too, is related to security — too much security.

Among the key points about security are having a secure login, a secure method of recovering passwords, and a secure way of confirming that the correct person logs in.

U.K. banks tend to issue small keypads that create a 6-digit, one-time random number that is required to log into online banking, with a user name and password. This is a fairly high level of security and completely justified as it protects money. The U.K. government, however, clearly has programming teams with too much time on their hands. Recently I received a letter from the U.K. government offering a new service: applying for my tax credits online. The letter contains a unique, 15-digit code that is needed to apply.

Beyond that code, all that is required to apply are four yes or no answers to a few general questions and then typing in one’s total income. The site does not reveal any personal information and does not show any financial details about the applicant. In other words, it’s a fairly low-security requirement. A 15-digit code would be sufficient to protect this minimally sensitive data. But I forgot about the apparently bored programmers.

To complete the application, I first needed a unique user name and password. These can only be obtained by jumping through multiple hoops and receiving several letters, each with different confirmation codes. Fortunately I already have such a government user name and I was able to bypass this stage.

Then, having signed in using my user name and password, I had to enter the 15-digit code in the aforementioned letter.

Then I had to enter my social security number.

Then I had to enter the exact amount of the last tax credit payment.

Then I had to enter the last four digits of my bank account.

Then the government sent me a text with a 6-digit confirmation code, which I had to enter within 10 minutes.

Finally, after all this, I had to give my four yes or no answers and enter my total income, and it was done.

It would have been simpler for me to have ticked the boxes on the letter and posted (mailed) it. Next year, that is what I will do.

Whilst it is unlikely that a commercial site will go to such extreme lengths, the point is clear. The average consumer would have walked away long before reaching the end of the above torture.

Do not put unnecessary complications into an ecommerce checkout or login process. Keep it straightforward and easy. Use only the essential, bare-minimum security checks.

Richard Stubbings