Cooperative Energy and password security

As a protest vote against the Big 6 energy companies, I recently switched supplier to Cooperative Energy. Switching is painless: fill in your details online, click the button and off you go. They do of course want a password from you, and I used LastPass to generate a unique one for me and memorise it.

Some time later, I went to log in to the customer portal just to see what I could do and was quite surprised to find my password didn’t work. I mentally shrugged and clicked on the Forgotten Password link and waited for the usual password reset email to arrive. I got this instead:

Dear Customer

The information you requested is…
eg!3fP^P*hVFs

If you have any questions please contact our customer service team

(This is, of course, not my actual password, this is just an example that I’ll treat the same way as the Coop did.)

Here we have two immediate problems.  The first is, of course, they have sent me my password in plain text in an email.  We all know that’s a bad idea.  Secondly, what they have sent is not actually my password.  My password looks like this:

eg!3fpp*hvfs

See what they did? For whatever reason the caret has been removed and all the letters have been converted to lower case, thus making my password less secure. I sighed and went to change my password online and found I couldn’t. If I want to change my password then I have to go and talk to a human to do so. This leads to problem three, which is that people generally pick stupid passwords and reuse them. I’m sure Coop Energy only employ wonderful honest people, but giving them an email address and a stupid password is only ever going to end badly for someone eventually.

I’ve spoken to Coop Energy’s customer service team and they acknowledge the problems I’ve found.   Let’s hope, for the sake of a safer and more secure internet, they sort them out.
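To put a number on what the caret-stripping and lower-casing costs, here is an added example (my own, not code from the post or from Cooperative Energy). It reproduces the transformation described above on the sample password, compares the keyspace before and after, and shows the alternative a portal should use: a salted slow hash of the password exactly as typed, so there is nothing to email back. The 94-symbol alphabet and the PBKDF2 iteration count are assumptions.

```python
import hashlib
import hmac
import math
import os

# Constructed sample from the post (not the author's real password).
SAMPLE = "eg!3fP^P*hVFs"

# Assumption: the generator draws from the 94 printable ASCII characters
# (no space); 26 of those are upper case and one is the caret.
PRINTABLE = 94
UPPER = 26


def coop_mangle(password: str) -> str:
    """Reproduce what the reset email revealed: carets dropped, letters lower-cased."""
    return password.replace("^", "").lower()


def entropy_bits(length: int, alphabet: int) -> float:
    """Bits of entropy for a uniformly random string of `length` over `alphabet` symbols."""
    return length * math.log2(alphabet)


def entropy_loss(password: str) -> tuple[float, float]:
    """Keyspace a guesser faces before and after mangling.

    Before: every position is one of 94 symbols.
    After: upper case folds into lower case and the caret is gone, so each
    surviving position has only 94 - 26 - 1 = 67 possibilities, and the
    string is shorter by one symbol per caret removed.
    """
    before = entropy_bits(len(password), PRINTABLE)
    after = entropy_bits(len(coop_mangle(password)), PRINTABLE - UPPER - 1)
    return before, after


def collides(a: str, b: str) -> bool:
    """True when two different passwords end up as the same stored value."""
    return a != b and coop_mangle(a) == coop_mangle(b)


# The alternative: keep a salted slow hash of the password as entered.
# Case and symbols survive, and a reset has to issue a new password or a
# one-time link because the original cannot be recovered from the hash.
def store(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return hmac.compare_digest(candidate, digest)
```

On the sample, the 13-character password goes from roughly 85 bits to roughly 73 bits once mangled, and `verify` rejects the mangled form because it is simply a different string.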

HSBC security nonsense

As has been widely reported, HSBC have rolled out a new security system for personal Internet banking. This requires you to have an Internet Banking ID, a memorable passphrase and a PIN for a small one-time code pad. I already carry one HSBC token around with me; I have no wish to carry another. The new system is cumbersome beyond belief. Here’s why:

Worst case logging on to my HSBC business account:

  1. Enter username that I chose.
  2. Enter password that I chose.
  3. Press button on RSA key, enter number into web browser.
  4. I am now logged in.

Worst case logging on to my HSBC personal account:

  1. Enter account number.
  2. Enter sort code.
  3. Enter date of birth.
  4. Enter 3 arbitrary characters from my security number.
  5. Obtain Internet Banking (IB) number.
  6. Enter IB number.
  7. Enter passphrase.
  8. Type a different PIN into OTP pad.
  9. Take number from OTP pad and enter into browser.
  10. I am now logged in.

At best, this process can be shortened to start at step 6. HSBC recommend not writing anything down; your IB number is “IB” followed by 8ish digits not in any way related to your account number. When setting this up I was asked to set two security questions and answers.

Select from drop-down “father’s middle name”

> John

< Error.

Select from drop-down “pet’s name”

> Lili

< Error.

> Lililili

< Okay!

Aaarrrrrrgghh. So I now have to remember incorrect answers to security questions.  Sure, that’ll work.  I contact HSBC:

Me> Can I use my HSBC business banking token for my personal account?

HSBC> No.

Me> Can I revert to not using this token at all?

HSBC> No.

Me> I will close my account if you cannot turn this nonsense off.

HSBC> Sorry, nothing we can do.

After 16 years with HSBC, I am no longer one of their customers.