Please support our Tech Talk advertiser:
Featured Entry 
Dec 11th, 2007, 6:21 am
Nochex has been providing secure online payment services to small and medium businesses in the UK ever since 2001. It seems to take security seriously, as anyone dealing with your money should, with encrypted data transfers, encrypted data storage and servers at the same highly secure location as used by many high street banks. Unfortunately, the security chain seems to have a link missing when it comes to common sense and the type of confidential customer information that any identity thief would be drooling over the prospect of getting hold of.
The problem was revealed to me by an understandably annoyed customer who had set up a Nochex account some years back and then not used it for the longest time. Finding himself with a need to make a Nochex transfer of funds, said customer tried to log in but could not do so as his account had been deactivated through lack of use. Now that, I would argue, is a good thing. Dormant accounts are a security risk in and of themselves, ask anyone who has stopped using eBay for an extended period only to come back and discover the account has been hijacked by fraudsters trading on the account holders previous good reputation. If the accounts were deactivated, such fraud would not be possible.
Getting back to Nochex, the customer did not have a problem with the account deactivation nor the fact that to reactivate it a form had to be downloaded and completed. Some security checks are, after all, to be expected. What was not expected, nor appreciated, was the information that was required and the method by which it was to be delivered. "I needed to include a copy of a recent credit card statement. I needed to include a copy of a utility bill. I also needed to include a copy of a recent bank statement for the account I had registered with Nochex" the angry customer tells me, continuing "I then needed to put all this in an envelope, and here's the rub, address it to Account Reactivation, Nochex Ltd."
So, let's get this straight. An envelope containing all the physical documentation required to kick start a new identity for the fraudster, with an address label all but spelling out the nature of the contents inside. To be honest, it may as well be say 'to whom it may concern, valuable personal identity documents inside, please help yourself.'
At the very least a faceless PC Box number should have been used, that would seem to be simple common sense as well as security and privacy best practice. The angry customer would have actually preferred for the deactivated account to have been deleted, forcing him to open a new account and go through the much more secure process of applying for a new one online. Of course, the secure digital option was not open to him as Nochex already recognized him as a lapsed account holder and so insisted upon the very much less secure snail mail and a prayer route.
Talking of best practice, when a customer sends a covering letter with the requested documentation addressing his security concerns you might expect an immediate and detailed response considering that online payment services trade in trust as much as anything. But no, he heard nothing. So our concerned customer queried Nochex to "discover if all my personal data had been received, acted upon and shredded as per my instructions" but all he received back was a simple reply stating his account had been reactivated.
"I was in two minds whether to reactivate my Nochex account or not. Really I should have walked away, which in itself reveals that the whole account reactivation process is less than ideal, for both parties" he told me. Indeed, with ID theft being so rife it would seem ludicrous that any company dealing with payment services should resort to such a Heath-Robinson approach to security and privacy.
A Nochex spokesperson, Rob Harrison, told me "Nochex have always placed a high priority on the security of our clients' personal data and the integrity of their accounts. The identification criteria and processes for reactivating accounts and confirming our clients' identity are regularly reviewed. In this instance, we thank you for raising Mr X's concerns and we can confirm that we have contacted Mr X directly to confirm to him the safe receipt of his information and the subsequent secure destruction of that information."
I would like to say all is well that ends well, but given how easily things can go missing in the postal system it seems to me that this remains a data disaster just waiting to happen...
The problem was revealed to me by an understandably annoyed customer who had set up a Nochex account some years back and then not used it for the longest time. Finding himself with a need to make a Nochex transfer of funds, said customer tried to log in but could not do so as his account had been deactivated through lack of use. Now that, I would argue, is a good thing. Dormant accounts are a security risk in and of themselves, ask anyone who has stopped using eBay for an extended period only to come back and discover the account has been hijacked by fraudsters trading on the account holders previous good reputation. If the accounts were deactivated, such fraud would not be possible.
Getting back to Nochex, the customer did not have a problem with the account deactivation nor the fact that to reactivate it a form had to be downloaded and completed. Some security checks are, after all, to be expected. What was not expected, nor appreciated, was the information that was required and the method by which it was to be delivered. "I needed to include a copy of a recent credit card statement. I needed to include a copy of a utility bill. I also needed to include a copy of a recent bank statement for the account I had registered with Nochex" the angry customer tells me, continuing "I then needed to put all this in an envelope, and here's the rub, address it to Account Reactivation, Nochex Ltd."
So, let's get this straight. An envelope containing all the physical documentation required to kick start a new identity for the fraudster, with an address label all but spelling out the nature of the contents inside. To be honest, it may as well be say 'to whom it may concern, valuable personal identity documents inside, please help yourself.'
At the very least a faceless PC Box number should have been used, that would seem to be simple common sense as well as security and privacy best practice. The angry customer would have actually preferred for the deactivated account to have been deleted, forcing him to open a new account and go through the much more secure process of applying for a new one online. Of course, the secure digital option was not open to him as Nochex already recognized him as a lapsed account holder and so insisted upon the very much less secure snail mail and a prayer route.
Talking of best practice, when a customer sends a covering letter with the requested documentation addressing his security concerns you might expect an immediate and detailed response considering that online payment services trade in trust as much as anything. But no, he heard nothing. So our concerned customer queried Nochex to "discover if all my personal data had been received, acted upon and shredded as per my instructions" but all he received back was a simple reply stating his account had been reactivated.
"I was in two minds whether to reactivate my Nochex account or not. Really I should have walked away, which in itself reveals that the whole account reactivation process is less than ideal, for both parties" he told me. Indeed, with ID theft being so rife it would seem ludicrous that any company dealing with payment services should resort to such a Heath-Robinson approach to security and privacy.
A Nochex spokesperson, Rob Harrison, told me "Nochex have always placed a high priority on the security of our clients' personal data and the integrity of their accounts. The identification criteria and processes for reactivating accounts and confirming our clients' identity are regularly reviewed. In this instance, we thank you for raising Mr X's concerns and we can confirm that we have contacted Mr X directly to confirm to him the safe receipt of his information and the subsequent secure destruction of that information."
I would like to say all is well that ends well, but given how easily things can go missing in the postal system it seems to me that this remains a data disaster just waiting to happen...
This blog entry was written by Davey Winder, staff writer aka happygeek. It has received 1,151 views, 0 comments, and 19 linkbacks. 1 voter has rated this entry 5 out of 5 stars. It was promoted to featured status Dec 11th, 2007.
•
•
•
•
advertising apple botnet browser business crime data development email environment europe facebook firefox forensic gaming google hacking hardware help ibm internet iphone ipod law legal linux malware microsoft mobile mozilla news phishing privacy research search security social networking software spam survey technology trends trojan uk virus vista web windows yahoo youtube
All Recent Tags Post Comment
•
•
•
•
Only community members can start a blog or comment on blog entries. You must register or log in to contribute.
•
•
•
•
•
•
•
•
DaniWeb Tech Talk Marketplace
Related Blog Entries
- Guild Wars 2: In-House FAQ (14 Hours Ago)
- UK ISPs agree to throttle illegal music file-sharers (19 Hours Ago)
- Intel To Focus on Devices, Again (1 Day Ago)
- WikiGoogle or GooglePedia? Nope, it is Knol actually. (1 Day Ago)
- 5-4-3-2-1 your website in infected (2 Days Ago)
- Botnets boost click-fraud rate (2 Days Ago)
- Apple ships 2.5 million Macs, sells 11 million iPods and 717,000 iPhones in just 3 months (3 Days Ago)
- Limbo 2 Trojan comes complete with guarantee of invisibility (3 Days Ago)
- More Dark Spots on Apple's MobileMe Migration (4 Days Ago)
- Power-Sipping PC Runs Linux (4 Days Ago)
