So, you called it an enhancement…
Very upset with my previous bank, I recently decided to open a new account with another one.
As it usually happens, things went pretty well at the (very) beginning.
Once I completely stopped using my old credit card, though, the new one started bringing me some surprises.
The most shocking one happened when I wanted to purchase a couple of tickets to go to the theatre with a friend.
For starters, after (smoothly) selecting two adjacent seats, a painful and not intuitive at all set of operations was triggered by a pretty user-unfriendly payment platform, which, to be honest, was not my bank’s fault anyway.
The worst was yet to come, though.
The process actually ended up being halted by me when, in order to validate the purchase, I was asked for the PIN of my credit card.
Yes, you read it right: neither a temporary code (sent to me via email or SMS, for example) nor one of the digits included in the (slightly old-fashioned yet still properly working) authentication grid I was provided with while opening my new bank account.
I was asked for the PIN of my credit card instead, that is, a static piece of information tightly tied to my reserve of money and hence risky to share online; and this was definitely my bank’s fault.
It goes without saying I immediately informed them about what seemed to me a clear security issue.
Since surprises never come alone, though, their answer was even more disturbing than the potential security breach itself: “don’t worry, that’s an enhancement we recently implemented”, they said.
“Well, it doesn’t look at all like an enhancement to me,” I replied. “Anyway, in case my opinion doesn’t matter enough to you, the fact that other (likely more experienced and wise) banks don’t do that may convince you that, under no circumstances, should using the PIN of a credit card to confirm an online payment be considered a good idea.”
Long story short, feeling unsafe with them, I’m now seriously considering opening a new account anywhere else.
Meanwhile, I had to ask my friend to buy the tickets herself.
Even though she mentioned that the payment platform seemed terribly user-unfriendly to her (which I find especially interesting, taking into account that she does not work as a tester), she (who is also lucky enough to hold a credit card from a bank different from my current one) was at least (thankfully and pretty unsurprisingly) not asked for the PIN of her credit card to validate the purchase.
Which somehow tells me I was not overreacting, was I?
Thanks for reading this article.
Feel free to recommend it or to add a comment.
Should you have any doubts about Software Testing, contact me: I will be glad to help you.
On the other hand, if you want to get notified about my blog posts, sign up through the BLOG > SUBSCRIBE TO THE BLOG NEWSLETTER menu.
Thank you.