Tumbling through NS&I hoops

In the olden times when weeks were three days long and daytime TV was a still photo of a young girl losing noughts and crosses to a toy clown, my family bought me a bunch of premium bonds. If you don’t know, premium bonds are a kind of 1950s national lottery: you give an agency of the government some money, they give you some numbers, and those numbers take part in a monthly draw forever. You might win a prize each and every month; you might win nothing, ever. It’s all in the hands of the gods, in this case the god called ERNIE, the random number generator for premium bonds (in the 1950s all computers had to be given names so people wouldn’t grab pitchforks and torches and raze the building).

Fast forward a few decades and a couple of addresses and naturally NS&I, the priests who tend the dead pixels of ERNIE’s 2013 descendant, no longer know where I live. Having found my premium bond holder’s number and discovered I won £50 nine years ago that’s still waiting for me to claim, I thought I’d sign up to their online service at nsandi.com and ask for my winnings.

“Complete the online and phone registration form”, said the website. By which they mean, it turned out: give us all the pertinent details and we’ll generate a PDF for you that includes those details, which you must then print, sign, have witnessed, and then post.

Not the mightiest of faffs, and I suppose fair enough — though it’s hardly the most fraud-proof authenticator. Dutifully, and via PC World to address the inevitable empty printer cartridge, I did as I was told and posted the form.

A few days ago I received two letters, in identical envelopes, with identical plastic windows showing identical address formatting. Neither said NS&I on the outside, but they both evidently had the same sender.

One letter gave me my NS&I number: an eleven-digit identifier. My username.

The other letter contained, beneath a fancy-dancy pull-off plastic strip, an eight-character alphanumeric temporary password for my NS&I account.

So they sent separate letters for username and password for security, but in the same post so they’d likely arrive at the same time. Not particularly secure. Surely better, if they want to keep these things separate, to send them by different means: number by text message, password by post, or something. Anyway.

The password letter said I’d need to choose a new password for the site on first login. Helpfully, it gave the constraints:

The password you choose must have between 6 and 8 characters. You need to include at least one number, at least one special character, as well as a mixture of upper and lower case letters.

I understand the purpose of the character type constraints. Requiring a number and a special character actually shrinks the set of valid passwords (an attacker knows that at least one character is a digit, with only ten possibilities, and at least one is punctuation), but it raises the strength of the average human-chosen password. It forces people who’d normally use “password” to use, say, “pAs5w.rd”. But I’d bet a large proportion of people stick the number and punctuation on the end, with an upper case letter at the start: “Foobar9!”. How much more secure is that than “foobar”? Not much: the capital, the digit and the symbol sit in predictable places, so a cracker that tries that pattern first does a few hundred times more work per word, not a few million. Users subvert constraints, because security trades off against usability.

To illustrate how likely this particular pattern is, the password letter includes this text just after the constraints:

An example is Uhsd895* (do not use this example for your own password).

In any case, a maximum length of eight characters for a password is, these days, laughable.
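To put numbers on the two points above (composition rules shrink the keyspace but human habits shrink it far more, and eight characters is not much to start with), here is an added Python example. It is mine, not anything from NS&I or the original post. It counts, by inclusion-exclusion, how many 6-to-8-character strings over the 94 printable ASCII characters satisfy the letter’s rules, and how much of that space the “Capital word, digit, symbol” habit actually occupies. Assumptions: all 32 ASCII punctuation characters are permitted (a comment below reports that the real site rejects most of them, which only makes the space smaller), the 20,000-word dictionary is an illustrative size, and the guess rate of 10^10 per second is an assumed offline figure, not a measurement.

```python
"""Added example (not NS&I's code): how much of the 6-8 character keyspace the
letter's composition rules leave, and how little of it a predictable pattern
such as "Foobar9!" uses.  Class sizes assume all 94 printable ASCII characters
are allowed; the guess rate in __main__ is an assumed figure for illustration."""
from itertools import combinations
from math import log2

# Character classes the letter requires: lower, upper, digit, special.
# Assumption: all 32 printable ASCII punctuation characters count as "special".
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "special": 32}


def unconstrained(length, alphabet=sum(CLASSES.values())):
    """Strings of the given length with no composition rule at all."""
    return alphabet ** length


def count_with_all_classes(class_sizes, length):
    """Strings of `length` over the union of the classes that contain at least
    one character from every class, by inclusion-exclusion over the set of
    classes excluded entirely."""
    alphabet = sum(class_sizes)
    total = 0
    for k in range(len(class_sizes) + 1):
        for excluded in combinations(class_sizes, k):
            total += (-1) ** k * (alphabet - sum(excluded)) ** length
    return total


def policy_keyspace(min_len=6, max_len=8):
    """Every password the letter's rules accept: 6 to 8 characters, all four classes present."""
    return sum(count_with_all_classes(list(CLASSES.values()), n)
               for n in range(min_len, max_len + 1))


def pattern_keyspace(length=8, dictionary_words=None):
    """The 'Capital word, digit, symbol' habit the post describes.  With random
    letters the word part has 26**(length-2) possibilities; with a dictionary
    (assumed size) it has just that many.  The initial capital is fixed."""
    word_choices = 26 ** (length - 2) if dictionary_words is None else dictionary_words
    return word_choices * CLASSES["digit"] * CLASSES["special"]


def bits(keyspace):
    return log2(keyspace)


def days_to_exhaust(keyspace, guesses_per_second):
    return keyspace / guesses_per_second / 86400


if __name__ == "__main__":
    rate = 1e10  # assumed offline guess rate against a fast unsalted hash
    for label, space in [
        ("8 chars, no rules", unconstrained(8)),
        ("6-8 chars, NS&I rules", policy_keyspace()),
        ("Foobar9! pattern, random letters", pattern_keyspace()),
        ("Foobar9! pattern, 20k-word dictionary", pattern_keyspace(dictionary_words=20_000)),
        ("foobar, six lowercase letters", 26 ** 6),
    ]:
        print(f"{label:40s} {bits(space):5.1f} bits  "
              f"{days_to_exhaust(space, rate):12.6f} days at 1e10/s")
```

The rules keep a little under half of the unconstrained eight-character space, but the pattern with random letters is a tiny fraction of that, and with a dictionary word it is a few million guesses, which no rate limit on an offline attack will save.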

After ranting about this on Twitter, I left it a day or two. Yesterday I thought I’d try logging in.

Stand by your beds, I’m switching to present tense. It’s more dramatic.

On the first screen, the site asks for my surname and my NS&I number. OK.

On the second screen it wants two characters from my password (hopefully these are randomly chosen). Hmm. Presumably this is intended to defeat keyloggers (in fact it’s not usually much help: a keylogger that watches a handful of logins collects the whole password anyway), but unfortunately it also defeats password managers that like to fill in password boxes for you. And it might also mean NS&I is storing passwords in its database in plaintext, or at best reversibly encrypted: a site that checks characters three and seven has to be able to get at characters three and seven, and a one-way hash of the whole password does not allow that.
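Why a “give us characters 3 and 7” login pushes a site towards reversible storage, as an added Python example. This is my code, not NS&I’s, and nothing is known from this page about how NS&I actually stores passwords. A password kept only as a salted PBKDF2 hash of the whole string can be verified only as a whole. To answer a two-character challenge the server needs the plaintext, a reversible encryption of it, or a separate hash per character position; the last of these is the least bad option and is shown below to fall to an offline attack of at most 94 guesses per position. Assumptions: a 94-character printable ASCII alphabet, the letter’s own example “Uhsd895*” as the password, and a deliberately low PBKDF2 iteration count so the demonstration runs quickly.

```python
"""Added example: whole-password hashing versus the per-position storage that a
"characters 3 and 7" login needs.  Not NS&I's code; assumes a 94-character
printable-ASCII alphabet and uses a low PBKDF2 iteration count for speed."""
import hashlib
import hmac
import os
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 characters
ITERATIONS = 2_000  # deliberately low for the demo; real deployments use far more


def kdf(secret: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS)


# --- Scheme 1: one salted hash of the whole password (the sound design) ---------
def store_whole(password: str):
    salt = os.urandom(16)
    return salt, kdf(password.encode(), salt)


def verify_whole(record, candidate: str) -> bool:
    salt, digest = record
    return hmac.compare_digest(kdf(candidate.encode(), salt), digest)


def worst_case_guesses_whole(length: int) -> int:
    """The record says nothing about individual positions, so an offline attack
    has to walk the whole keyspace (or a dictionary of likely passwords)."""
    return len(ALPHABET) ** length


# --- Scheme 2: one salted hash per (position, character).  This CAN answer
# "characters 3 and 7" without keeping the plaintext, but see recover() --------
def store_per_char(password: str):
    salt = os.urandom(16)
    digests = [kdf(f"{i}:{ch}".encode(), salt) for i, ch in enumerate(password)]
    return salt, digests


def verify_positions(record, asked: dict) -> bool:
    """asked maps a 0-based position to the character the user typed for it."""
    salt, digests = record
    return all(
        hmac.compare_digest(kdf(f"{i}:{ch}".encode(), salt), digests[i])
        for i, ch in asked.items()
    )


def recover(record) -> str:
    """Offline attack on scheme 2: each position is an independent puzzle with at
    most len(ALPHABET) answers, so the whole password falls in <= 94 * length KDF
    calls however strong the password is.  Salting and a slow KDF only scale that
    small number, they do not change it."""
    salt, digests = record
    recovered = []
    for i, digest in enumerate(digests):
        for ch in ALPHABET:
            if hmac.compare_digest(kdf(f"{i}:{ch}".encode(), salt), digest):
                recovered.append(ch)
                break
        else:
            raise ValueError(f"position {i} is not in the assumed alphabet")
    return "".join(recovered)


def worst_case_guesses_per_char(length: int) -> int:
    return len(ALPHABET) * length


if __name__ == "__main__":
    pw = "Uhsd895*"  # the letter's own example password
    whole = store_whole(pw)
    print("whole-password check:", verify_whole(whole, pw))
    per_char = store_per_char(pw)
    print("characters 3 and 7 check:", verify_positions(per_char, {2: "s", 6: "5"}))
    print("recovered from per-position hashes:", recover(per_char))
    print("worst-case offline guesses, whole hash:   ", worst_case_guesses_whole(len(pw)))
    print("worst-case offline guesses, per position:", worst_case_guesses_per_char(len(pw)))
```

The contrast is the point: against the whole-password hash the attacker is back to guessing the full string, while the per-position table hands over the whole password in a few hundred KDF calls, which is why partial-password prompts are a poor trade for anything holding money.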

Next screen: choose a new password. Here it doesn’t tell me what the password constraints are. I presume they’re the same as in the letter. I generate a random password in my password manager, limiting it to eight characters, and this is accepted.

Next screen: security questions. Five of them. All mandatory. Each with a separate picklist of choices. At least one of the available questions seems US-biased (wanting my “first-grade teacher”). Others are ambiguous (“favourite sports team”) or easily discoverable (“university”) or can be socially engineered.

Right, done that, is that everything? No.

Below that, three boxes for security phone numbers. Thankfully only one is mandatory.

Am I done now? Not yet.

Next screen: I must select one from about eight or ten thumbnail images. My selection will be displayed on the login page as “reassurance” that I’m on the site I think I am.

Am I done now? Nope.

Below that: I must enter a “login phrase” as yet further “reassurance” when I log in. I enter something short and pithy.

And then, finally, I’m done. I have hauled my weary body through the maze of twisty passages all of limited utility, and have made it to NS&I’s secure website where I can claim my £50.

I click “Prize History” on the sidebar of the early-noughties design. I select my premium bond holder number from the list of two items (“please select” and my number). To select a date range there are two date pickers dug up from about the late eighteenth century which open actual new browser windows with ugly calendars. I decide to look between January 2000 and now, because, well, why not. (I don’t bother to read the text below, which nobody ever reads, and which says “We can only show prizes won since the online service for Premium Bonds was introduced. Click Info to find out more.”)

I click Next. There, in the world’s tiniest writing, several miles from the most appropriate place: “Please enter a start date bigger or equal to 01-01-2011”. (The Info popup says much the same thing, but in English.)

[Screenshot: nsandi-1]

Hang on. I won my prize in 2004. Are you telling me the unclaimed-prize checker you don’t need an NS&I account to use has more data, going back further in time, than the hoop-tumbling monstrosity that is the secure, authenticated account-holder site?

It’s at this point I realise I’ll be writing this blog post.

OK, I’ll play their game. I change the start date to 01-01-2011 and click Next. It whispers another error message: “ZTS90009 : Please enter a start date bigger or equal to 08-07-2011”. No reason given.

[Screenshot: nsandi-2]

This sort of half-baked rubbish no longer surprises me, so I change the picker to exactly that date. Here’s what it squeaks now, in that same tiny font, just as if it were an error: “ZTS90007 : There are no prizes to display.”

[Screenshot: nsandi-3]

Thanks for that.

How do I claim my £50? After much clicking around I find nothing on the authenticated site that lets me do that.

I log out, huff and puff, and hunt down the website’s feedback form. I keep my comments and my question short: essentially, “I’ve got an NS&I account. How do I claim an unclaimed premium bond prize?”

An hour or so later, I receive a reply by email:

To claim your outstanding prize please can you write to us quoting :

1. Your name and address

2. Your holder’s number

3. The prize details as stated on the website

To make sure that we provide the highest levels of security, we require the signature of the holder to enable us to issue any replacement warrants.

You know, something tells me they haven’t upgraded ERNIE since about 1964, and it’s still running their IT. And I suspect I might shortly be booking a very pleasant railway journey to NS&I Glasgow, armed with a pitchfork and a flaming torch.


Filed under Random

15 responses to “Tumbling through NS&I hoops”

  1. Yes that is truly awful. I signed up for the online service a while ago, and went through the long process of buying bonds online, and of course it failed on the very last screen. Recently I logged in again but the requirement to put special characters into the password meant that I’d forgotten it in the meantime. When I finally got in I saw the ‘reassuring’ picture I’d chosen, which I had no memory of. Not so reassuring!

    On the plus side I tried again recently to buy bonds online and it worked this time.

  2. Jon Draper

    Just tried logging in myself (logged in fine), tried to withdraw some funds… ‘What’s my favourite sports team’… err, no bloody idea? Maybe I would have chosen somewhere I lived; Southampton, Gillingham, England… perhaps… nope… the fact that I’m a self-confessed surfer and computer geek with no real interest in football or rugby or any team sports really makes that question a problem. No idea what I put when I first registered… so instead had to press ‘forgot answer’ and they’re going to post a new password… I actually knew my password!!

  3. Spax

    I’ve landed on your blog post after Googling in desperation as to what special characters were allowed; the ones I used kept being rejected with a pop-up listing the disallowed characters which, incidentally, was almost all of them!

    My password generator eventually found something it was happy with only for me to then try and select 5 questions that anyone who has a basic grasp of modern search engines couldn’t find the answers to in 5 mins any way!

    I also had the same problems searching for unclaimed prizes, my limited date was some time in 2012 despite owning the bonds for nearly 10 years now.

    Thanks for the entertaining and totally relatable read!

  4. Mike

    Hi
    I’ve had the exact same experience with my bonds.
    Mine were bought for me from 1964 onwards to 1973. All are listed except one. I wrote to NS and I one and a half years ago asking them to link my unlisted bond to my account. No reply. Just picked up this again and after many calls no one can tell me who to call to find out where my bond is or if it’s won a prize. Maybe you know how I can call someone except for a call centre in Blackpool.
    Thanks for your post.

    Do you know

  5. Dom

    Not quite the same experience but equally frustrating, nothing about this service from my initial painful purchase through to Customer ‘service’ to actually receiving a prize is customer friendly. In fact it must be as painful for the company as it is for everyone else so I’m not sure who wins here!!!

  6. mr_chaps

    I’ve held my bonds since 1975, and I can’t search before 05-08-2013? At first I thought it was asking me to search in 2 year blocks, but nope. Only the last 2 years are visible.

  7. I asked them about the 8 char password limit on twitter, their response: “our password format has been selected to provide an optimum balance between security and usability”. What a joke.

  8. Celia Berger

    Celia!
    Help! I’ve already registered online and received a temporary password. How do I get my new password? I have filled in the form (twice) and have seen tiny writing on the next page. What do I do with it?
    I am completely bewildered. Please do help.

  9. kevin penry

    I went through the password forgotten, letter sent with temporary password routine. I changed this temp password to one of my choosing which I wrote down (not the best idea I know) and then 3 days later, when logging back in for the first time, my new password is not recognised. No question of a mistake made of getting my password wrong.
    Set up a direct debit with national lottery instead.

  10. nick Clayton

    My experience entirely matches the above. I only wanted Premium Bond wins paid direct to my account and received a grilling (in Scottish) suitable for getting a job at Bletchley Park. The worrying thing is that public money is being wasted on employing the poor souls who have to operate this labyrinthine security system. Who do we appeal to, or when do we march?

  11. Sir Henry

    I have an NS&I account and am quite mortified that the password limit is 8 characters. We’re not talking about rinky-dink throwaway forum accounts here – people potentially have thousands of pounds sitting in these accounts.

    Just out of curiosity I emailed NS&I and received an obviously stock reply – condescending nonsense about following the recommendations of their ‘experts’. Give me strength.

    I was going to email them back asking about the hashing/salting of their database, but thought ‘What’s the point’. It’ll just be more lame platitudes. I haven’t got the time to make a crusade out of this.

    I suspect the only thing that would make them get their house in order would be a compromise of the back-end database, which would throw a public spotlight on their 1970s setup. Until then, people with NS&I accounts, I suggest you change the piddling, puny, pathetic, peewee password as often as you can stomach.

  12. Rubena Truran

    After reading all the above comments re purchase and password for premium bonds, would it be easier to send a letter and cheque in the post? How secure would this method be?

  13. Sir Henry

    Hi Rubena

    I believe it’s not a requirement to set up an online NS&I account if you want to buy premium bonds. You can still use the letter/cheque approach if you want and just not have the online account.

    The main reason for having the online account is that you can then link it to your bank account, and then any premium bond wins automatically get paid into your bank account.

    Otherwise NS&I send out £25 cheques for each winning bond, which you then have to pay into your bank.

  14. Kathy Dobson

    Much the same bad experience, but now they are sending emails with your account holder’s number and explaining how to change your password online in detail, at the same time as the proviso states “we will never give details of your account”… doh!!!!!!
