Nochex has been providing secure online payment services to small and medium businesses in the UK ever since 2001. It seems to take security seriously, as anyone dealing with your money should, with encrypted data transfers, encrypted data storage and servers at the same highly secure location as used by many high street banks. Unfortunately, the security chain seems to have a link missing when it comes to common sense and the type of confidential customer information that any identity thief would be drooling over the prospect of getting hold of.
The problem was revealed to me by an understandably annoyed customer who had set up a Nochex account some years back and then not used it for the longest time. Finding himself with a need to make a Nochex transfer of funds, said customer tried to log in but could not do so as his account had been deactivated through lack of use. Now that, I would argue, is a good thing. Dormant accounts are a security risk in and of themselves; ask anyone who has stopped using eBay for an extended period only to come back and discover the account has been hijacked by fraudsters trading on the account holder's previous good reputation. If the accounts were deactivated, such fraud would not be possible.
Getting back to Nochex, the customer did not have a problem with the account deactivation nor the fact that to reactivate it a form had to be downloaded and completed. Some security checks are, after all, to be expected. What was not expected, nor appreciated, was the information that was required and the method by which it was to be delivered. "I needed to include a copy of a recent credit card statement. I needed to include a copy of a utility bill. I also needed to include a copy of a recent bank statement for the account I had registered with Nochex," the angry customer tells me, continuing, "I then needed to put all this in an envelope, and here's the rub, address it to Account Reactivation, Nochex Ltd."
So, let's get this straight. An envelope containing all the physical documentation required to kick-start a new identity for the fraudster, with an address label all but spelling out the nature of the contents inside. To be honest, it may as well say 'to whom it may concern, valuable personal identity documents inside, please help yourself.'
At the very least, a faceless PO Box number should have been used; that would seem to be simple common sense as well as security and privacy best practice. The angry customer would have actually preferred for the deactivated account to have been deleted, forcing him to open a new account and go through the much more secure process of applying for a new one online. Of course, the secure digital option was not open to him, as Nochex already recognized him as a lapsed account holder and so insisted upon the very much less secure snail-mail-and-a-prayer route.
Talking of best practice, when a customer sends a covering letter with the requested documentation addressing his security concerns, you might expect an immediate and detailed response, considering that online payment services trade in trust as much as anything. But no, he heard nothing. So our concerned customer queried Nochex to "discover if all my personal data had been received, acted upon and shredded as per my instructions", but all he received back was a simple reply stating his account had been reactivated.
"I was in two minds whether to reactivate my Nochex account or not. Really I should have walked away, which in itself reveals that the whole account reactivation process is less than ideal, for both parties," he told me. Indeed, with ID theft being so rife, it would seem ludicrous that any company dealing with payment services should resort to such a Heath-Robinson approach to security and privacy.
A Nochex spokesperson, Rob Harrison, told me "Nochex have always placed a high priority on the security of our clients' personal data and the integrity of their accounts. The identification criteria and processes for reactivating accounts and confirming our clients' identity are regularly reviewed. In this instance, we thank you for raising Mr X's concerns and we can confirm that we have contacted Mr X directly to confirm to him the safe receipt of his information and the subsequent secure destruction of that information."
I would like to say all is well that ends well, but given how easily things can go missing in the postal system it seems to me that this remains a data disaster just waiting to happen...