http://www.contractoruk.com/news/004511.html
I'd be interested to know what a security consultant makes of Which's findings. They praise Barclays for having dropdowns where users select letters from a secret keyword. In order to implement this, the keyword would have to be held with reversible encryption or no encryption - I've always been told this is poor practice.
“The banks may say it’s the hidden security measures that count, but to have real confidence in an online account, customers need to see security in place," said their editor.
Erm, no, what matters is real security - not "security theatre", as encryption expert Bruce Schneier puts it.
