Banks and security requirements

I’m in the middle of opening a bank account with KBC, and I’m both sadly amused and annoyed with them.

Let us start with their security verification questions when creating an account.

  • What is your mother’s maiden name?
  • What is your favourite colour?
  • Where were you born?

Rather than rant, I shall quote the National Cyber Security Centre in the UK.

If your security question asks for a fixed piece of information, you should assume the attacker can guess the answer. Questions like ‘What is your mother’s maiden name?’ or ‘What is your postcode?’ are all easy to research, especially considering the widespread use of social media.

My security practice when encountering these types of question is to use a password generator, usually in word mode rather than random string, to create a random answer – much like Horse Battery Staple, but not that phrase!

This leads to the second problem I encountered with their online account application. It’s a very slick looking web form, and it accepts spaces in both the favourite colour and birth place answers. However, when you go to the “I need an activation code” (because the phone app crashed while being set up, burning the code they sent me) flow, the web form JavaScript refuses to accept spaces in the colour. Spaces in the birth place? Not a problem. Spaces in the colour? No, can’t have that, colour names can’t possibly have spaces in them.

Except it turns out that the first UI should never have accepted spaces in the first case. When talking to KBC’s customer service, they said “oh, there are no spaces in the colour”. So KBC’s system had silently mutated the secret I provided, and did not tell me that it was mutating it!

Oh, and there’s the third problem – their staff can see my secrets in their entirety. I’m not sure a 0.2 percentage point discount on a mortgage is worth this hassle.
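The three problems above (guessable fixed answers, a secret silently mutated at enrolment but not at verification, and staff able to read the secret in full) have a common shape, so here is an added Python example, not code from the post or from KBC, that shows the defensive version beside a model of the failure. The word list is a constructed stand-in for a real generator's list, and the space-stripping enrolment function and the "no spaces" form rule are assumptions made only to reproduce the behaviour the post describes.

```python
import hashlib
import hmac
import os
import secrets
import unicodedata

# Constructed stand-in for a password generator's word list (a real one, such
# as the EFF list, has thousands of entries). Assumption, not from the post.
WORDLIST = ["correct", "horse", "battery", "staple", "orchid", "ledger",
            "kettle", "marble", "tundra", "velvet", "walnut", "zephyr"]

PBKDF2_ITERATIONS = 100_000


def random_answer(words=4, wordlist=WORDLIST):
    """Word-mode answer: random words joined by spaces, like a passphrase.
    secrets.choice draws from the OS CSPRNG; random.choice would not."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def canonicalise(answer):
    """One canonical form, applied identically at enrolment and verification:
    Unicode NFKC, case-folded, runs of whitespace collapsed to a single space.
    Internal spaces are preserved, so 'sky blue' stays 'sky blue'."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def enrol(answer, salt=None):
    """Store only a salted PBKDF2 digest of the canonical answer, so support
    staff (and a leaked database) see a digest rather than the secret."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", canonicalise(answer).encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest}


def verify(record, attempt):
    """Same canonicalisation, same KDF, constant-time comparison."""
    digest = hashlib.pbkdf2_hmac("sha256", canonicalise(attempt).encode("utf-8"),
                                 record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, record["digest"])


# --- The failure mode the post describes, modelled for contrast (assumed) ----

def enrol_stripping_spaces(answer, salt=None):
    """Enrolment form accepts spaces but silently removes them before storing."""
    return enrol(answer.replace(" ", ""), salt)


def activation_form_accepts(answer):
    """Later form's client-side rule: no spaces allowed in the colour answer."""
    return " " not in answer


def recovery_outcome(stored, remembered):
    """What happens to a user who remembers the answer they actually typed."""
    if not activation_form_accepts(remembered):
        return "rejected by form"
    return "verified" if verify(stored, remembered) else "wrong answer"


if __name__ == "__main__":
    generated = random_answer()
    print("generated answer:", generated)
    print("consistent path verifies:", verify(enrol(generated), generated))
    mutated = enrol_stripping_spaces("sky blue")
    print("silently-stripped path:", recovery_outcome(mutated, "sky blue"))
    print("works only if the user guesses the mutation:",
          recovery_outcome(mutated, "skyblue"))
```

The point of `canonicalise` is that whatever normalisation the system applies, it must be the same function on both sides and it must not discard information the user was allowed to enter; the two `recovery_outcome` calls show that once enrolment and verification disagree, the legitimate user is locked out while the stored secret is still a valid credential.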

So far, I’d rate KBC about 1 out of 10.