Previously, you would just put in your card number and Watani Online password and click login, but it seems like some security fanatics thought they should introduce extra steps to ensure the security and safety of clients' accounts.
In my personal opinion, I think it's a bad move and will only introduce inconvenience to both clients and the help desk. Let's take a look at what has been done, and then I'll comment why it's a bad move.
(1) The first step was to select 5 questions out of many, and then provide answers for them.
(2) The second step was to choose a picture and a password phrase which will be displayed as part of the login process.
(3) Then you enter your account password and login (yes you still have to do that).
(4) These are the options available to you upon your creation of the Watani Online Security Key and how you can "manage" it.
So now that you've seen the steps and screens of the security measure, why is this not secure?
- Answering those questions with truthful, related answers makes them predictable and easy to guess.
- Answering those questions with random answers that have nothing to do with them is good practice; unfortunately, you'll most likely have forgotten them by the time you next want to log in (end of next month?).
- Since you'll forget them, you'll write the answers and questions down on some paper, sticky-note, or in your mobile.
So what good is this? It's no different than writing the account password on a sticky note.
- After answering a random question correctly, you'll see the 2nd figure that says: If you recognize the picture, click proceed. (And it always shows the correct picture and password phrase!)
Does this step make any sense to anyone?
- After clearing two obstacles you come to the final one: entering your account's password. AT LAST! (Assuming you still remember it after all these questions, pictures and password phrases.)
- One of the management features is to "register" your PC. NBK linked me to a PDF about it, but it didn't provide any info on how this mechanism works, so I'm assuming it's a simple cookie.
If your computer is secure, register it.
NBK has thrown the ball into the client's court and assumed that clients (point-and-click users) would be able to tell whether their computer is "secure" enough to use that feature, which most people would use anyway because it skips the random question step!
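Since the post can only guess that "register your PC" is a cookie, here is an added example (not NBK's code, and not taken from their PDF) of what a remembered-device cookie has to do to be more than a bare flag: the server signs the customer ID and an expiry with a secret it alone holds, so a copied or edited cookie, or one minted for another customer, is rejected. The secret, customer IDs and lifetime below are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed placeholder: a real deployment keeps this in a key store, not in source.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"
TOKEN_LIFETIME = 30 * 24 * 3600  # registration is good for 30 days (assumed policy)


def _mac(secret: bytes, payload: bytes) -> str:
    # HMAC-SHA256 over the payload, hex-encoded so it can never contain the '|' separator.
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def issue_device_token(secret: bytes, user_id: str, now: Optional[int] = None) -> str:
    """Mint a 'registered PC' cookie bound to one customer, with an expiry and a MAC."""
    now = int(time.time()) if now is None else now
    device_id = secrets.token_hex(8)  # random per registration, lets the user revoke one device
    payload = f"{user_id}|{device_id}|{now + TOKEN_LIFETIME}".encode()
    return base64.urlsafe_b64encode(payload + b"|" + _mac(secret, payload).encode()).decode()


def verify_device_token(secret: bytes, token: str, user_id: str, now: Optional[int] = None) -> bool:
    """True only if the cookie is untampered, belongs to this customer and has not expired."""
    now = int(time.time()) if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        payload, mac = raw.rsplit(b"|", 1)
    except ValueError:  # binascii.Error is a ValueError: bad base64 or missing separator
        return False
    # Constant-time comparison so the check does not leak how many MAC bytes matched.
    if not hmac.compare_digest(mac.decode(errors="replace"), _mac(secret, payload)):
        return False
    parts = payload.decode().split("|")
    if len(parts) != 3:
        return False
    token_user, _device_id, expires_at = parts
    return token_user == user_id and now < int(expires_at)


if __name__ == "__main__":
    issued = 1_700_000_000
    cookie = issue_device_token(SERVER_SECRET, "cust-001", now=issued)
    print("same customer, in date:", verify_device_token(SERVER_SECRET, cookie, "cust-001", now=issued + 10))
    print("other customer:", verify_device_token(SERVER_SECRET, cookie, "cust-002", now=issued + 10))
    print("expired:", verify_device_token(SERVER_SECRET, cookie, "cust-001", now=issued + TOKEN_LIFETIME + 1))
```

A cookie like this still only proves the browser was registered once; it does not tell the bank whether that PC is "secure", which is the decision the post says NBK pushed onto the customer.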
- The last option provided to "manage" the Security Key is that if you wish to change the questions, call their support line. This is both good and bad.
Calling the support line would require knowing your pin code and card number, and since you forget a lot, you wrote this down on your sticky-note along with the 5 questions. I'm guessing that if you call, they'd ask you for your civil ID number. But can't they ask for that online, too? Why bother calling the support line? They already ask for parts of the civil ID when adding beneficiaries to transfer money to!
I have just gone through the WOL Security Key process and I believe that it's completely pointless. But before I continue, I'd like to note that I'm a computer engineer and have a healthy knowledge of security, so I'm not commenting just because I can!
The reason I think it's pointless is that, even though it provides strong protection against brute-force attacks, it fails against social engineering attempts. Even worse, it fails because people will forget whatever they filled in, if they chose answers unrelated to the questions in order to resist social engineering attempts!
If your advice for the latter is to write the answers down, then your new "secure" measure has proved just as secure as a sticky note with my password on it, stuck to my monitor.
I hope you see this as a constructive comment and I hope you find an alternative method to improve the security of your portal, and our accounts.
And this is the reply I received:
Dear Mr. XXX,
We appreciate your valuable feedback, and would like to clarify that we have chosen the "WOL Security Key" since it is a proven security solution that has been implemented to ensure a safer online banking experience and protect your personal information.
Thank you for using Watani Online, if you require further assistance please do contact us.<?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" />
(yes, including the gibberish part!)
If I'm mistaken, please correct me. If you're like me, inconvenienced by their new measure, contact them and complain.
This reminds me of the time I called them to allow Firefox to access their site (restricted to IE only) and said that I circumvented their browser check and it works fine with Firefox, only to be called a malicious hacker, introducing insecure software and not using the secure standard: IE 6. I didn't know whether to laugh or get upset.