Having the freedom to travel a lot because of your job is a great thing. It means you can disappear off to a different country for a few months to visit friends or family, or just see the world.
The problem is that often the utilities we make use of at our home bases aren’t really set up to deal with people that are out of the country regularly, or for longer than a couple of weeks. Sometimes, they can’t even cope with any length of absence due to badly thoughts out and implemented processes.
I’ve run into a pile of these issues, such as my mobile phone operator (T-Mobile) acting like complete idiots and refusing to allow international roaming, or how to submit electricity meter readings when you can’t physically get to the meter.
Today though, Tesco managed to knock it out the park, delivering a perfect example of how things are made difficult for those who wander.
I logged on to my Tesco banking account to make a credit card payment, and was confronted with the news that they had recently made changes to their security checks. As a result, if you were logging in from a computer that they didn’t ‘recognise’, then a security code would be sent to the mobile number registered on your account.
Oh, great.
This wouldn’t be a huge deal if we were away for a week or so, but given that we’ve been gone for a few months, this isn’t good. It means that I won’t be able to make any payment to my account, and so miss the minimum required to avoid charges.
The process to get the mobile number changed is a pain in the ass, and I’m not entirely sure what I’m meant to do. The Tesco Website seems to suggest that the only alternative is to have a one-time access code sent to your home address by post.
A One Time Access Code is a code we use as a security measure to confirm your identity when you forget your login details or use a browser, computer or mobile device that we don’t recognise.
Check that your mobile number is up to date and select Send. We’ll send the One Time Access Code by text message.
If you don’t have a mobile phone number, you’ll need to call us on 0845 300 3511 to get a Temporary Security Number by post.
This is DUMB.
Given the inconsistency in the way these places implement their checks, I downloaded the Tesco Banking app to take a look and see if I could bypass the mobile number validation. Unlikely, but worth a shot.
What really stung though, was this message:
That’s right. If the mobile number you need to login to the online banking account isn’t correct, you need to log in to the online banking account to change it.
Well done Tesco. Well done.
What really annoys me is that this is completely un-necessary, for various reasons.
* Recognising computers or devices via cookies is a pretty crappy approach, penalising those who regularly clear out their caches. There are far better ways to deal with this (such as registering MAC addresses) that don’t rely on the browser config staying the same.
* Having a two factor method of authentication is important, particularly for financial related accounts. However, to tie that into SMS text messages is pish. Mobile coverage and carriers are far too unreliable to be used as the sole source for 2fa. There are plenty of alternatives available to generate tokens – independent of something as variable as a mobile number.
* There should always be an alternative to access the account where you can’t use your device. It’s why Google, LastPass, WordPress, and countless others all provide back-up, one-time access codes that you are meant to store in a safe place to use in the event that you can’t receive a text message, or a code to your smartphone.
So there we have it. Tesco has failed to implement a sensible account verification process, despite standards and templates already available widely online. Useless.