Savings giant must face up to security flaws NOW
NATIONAL Savings & Investments has got itself into a terrible pickle in recent months, as my colleague Rachel Rickard Straus reports on page 128. And it has yet to find a way out of the mire it has created. I trust boss Ian Ackerley is working overtime to steer the NS&I ship into calmer waters because, if not, it’s surely time for him to seek pastures new.
By keeping savings rates too high for too long this year, and then cutting them to the bone, NS& I has caused surges in business (new savers wanting in, then customers wanting out) that its creaking back office has not been able to cope with. A back office not run by NS&I but by French IT giant Atos.
The result has been utter chaos – customers left hanging on the telephone like Blondie’s Debbie Harry and emails and correspondence either disappearing into the ether or left to gather dust. All reminiscent of the customer service meltdown at Santander when it went about integrating the businesses of Abbey, Alliance & Leicester and Bradford & Bingley ten years ago.
To add insult to all the customer injury it has caused, NS& I ( via Atos) has crassly attempted to carry on with the ruthless digitalisation of its business while this back office pandemonium has reigned supreme. Chaos piled on top of chaos. Madness.
I trust Mr Ackerley can get NS&I out of this pickle. I also hope he can find time to address other glaring weaknesses in the organisation’s armoury. Namely, its failure to adopt ‘two-factor authentication’ for customers logging on to its website.
Such a security measure is now routinely used by banks to protect customers from criminals hacking into their account and committing fraud. It means that in order to log into their bank account, a customer must not only input their own bank passcode and password, but also a randomly generated code sent to their mobile phone.
But no such code is needed for an NS&I customer to log into their account. A weakness that could be exploited by criminals.
Last week, I spoke to a data protection officer who is alarmed by NS& I’s failure to introduce two-factor authentication. Indeed, he is so concerned that he sought a response from NS& I via a ‘freedom of information’ request. He did not like what he got back. What it told him was that the organisation had not carried out a so-called ‘data privacy impact assessment’ on the system used by customers to access their accounts – as required by law. An assessment that is designed to ensure the system’s robustness against attack from hackers.
National Savings defended its stance by saying its current procedures were introduced prior to legislation requiring such an assessment to be carried out. In other words, no assessment is necessary and there is no requirement, therefore, to introduce twofactor authentication.
It also said that successful fraud against NS&I customers is minimal. In the financial year ending this April, it amounted to just £152,130 – with a further £8 million of attempted fraud being thwarted.
Yet my data protection guru remains unimpressed. ‘I would never green-light such a flawed system,’ he says, ‘never mind one that looks after hundreds of billions of pounds.’
He believes that without twofactor authentication, NS& I customers’ accounts are more vulnerable than they should be to attack from fraudsters. A view very much shared by the Information Commissioners Office, the data protection regulator. It implores businesses to ensure they have ‘appropriate security measures’ in place to protect the personal data they hold and also consider two-factor authentication in the creation of any passcode system.
More food for thought for Mr Ackerley to digest in the run-up to Christmas.
FINALLY, diversification is one of the cornerstones of successful investment. It’s a strategy investors should not forget in the light of Ai rb nb’ s extraordinary stock market debut last week – when its share price more than doubled on the first day of trading.
It’s yet more evidence that a ‘tech’ bubble similar to the one in 2000 is emerging. And as we discovered more than 20 years ago, market bubbles do eventually explode. Diversify and then diversify again.