First Direct recently “upgraded” its online security, which is to be applauded. After all, criminals are really creative so you need to respond to new threats all the time. In principle it’s a good idea, so I was looking forward to receiving something like a little fob that generates a random six-digit number or some other clever piece of technology.
Instead, when I embarked on the upgrade I quickly found myself bogged down in crashing web sites and glaring security anomalies. For example, when I started the upgrade I was redirected to a web site that immediately set an alarm bell off in my head. The site looked like one I’ve used before but it had a hyphen in the name whereas before it didn’t. Which is a typical hacker ruse.
So, mistake No 1: First Direct should have informed users of any changes to web addresses.
I would have moved on to the next step in the process except that the new web site was unstable all weekend, so another own goal by First Direct. If you invite your entire customer base to upgrade then you need to make sure you can cope with the demand. Two weeks later I tried again.
So I’m now on the “new” web site and am immediately asked to provide information that First Direct already has (admittedly, not all of it and probably not enough to hack into the account there and then, but with a key logger in operation, it would only be a matter of time). I was astounded. What should have happened is that the customer logs into the existing system and then, once all the security has been dealt with, the upgrade takes over. In other words, we identify each other properly before making changes.
Imagine my delight when I’d finished the entire process without any apparent errors only to discover that I could not log on. Apparently my data had not been committed to their databases, so I had to start all over again.
By the way, the new “security” is nothing more than just another question. And it is the same question every time. Looking at the new improved system, I cannot see anything that makes it any more secure. I can only conclude that the upgrade was not to address security issues, but rather it is an operational fix.
What really disappointed me was that the electronic services team at First Direct was unable to provide me with even basic assurance, and I spoke to quite a few of them. They not only weren’t able to provide assurance but also failed to understand my concerns.
I am hoping First Direct has made some crucial changes which will protect me, but I have to say that the complete hash that the firm has made of this process does not fill me with confidence.




