iooiuk wrote:Great post.
But I think we have too many diffrent passwords etc in this product. Hence why people will think they are entering a correct one, but possibly are thinking of another one.
To me 2 is more than enough.
I certainly don't agree with a max of 12 not being secure. Security in a pass is down is user choice of letter/number combinations.
Sure longet apsswords take longer to force crack, but that is not done very often... It more phishing that gets details....
So to me it's education of users and that fact a finanical co WILL NEVER ask for PIN or full passwords via email or such.
I fully agree, two strong passwords is more than enough and obviously don't assosciate them with any personal details. I would hope that everyone would be fully aware now of phishing emails and be intelligent enough not to give any security information away and to just simply delete them.
iooiuk wrote:Sadly not.....I speak to far too many people who are not even aware of phishing emails......
Or that you should NEVER give your PIN to anyone who call's you. No matter if they say they are from the bank.....
Even your bank staff do not know your PIN or even have any reason to know it.
I work in a bank myself and I find it's mainly the older generation who fall for the emails and, sadly, the phone calls.
Interesting replies, everyone. Cheers 
A point regarding the comment about someone needing to know the O2 Portal credentials *plus* lots of personal info... The O2 Portal actually displays lots of personal info itself... Not just the name, address, DOB, phone number, and email address, but also the security answer. So if someone did have access to your O2 Portal account, they'd have all the information they needed right there...
Displaying most of it in your account details isn't an issue, but I do think it is a mistake to show the full security question *and* answer. Seriously, how many other sites actually show you the security *answer* when you look at your account info? I can't think of any myself, offhand.
Anyway, aside from that...Back to the wallet...
Even accepting that a 12 character password is sufficient, I still believe that the following are issues that should be corrected:
1) When changing your main O2 password, you should be required to enter the current password. [you do at least get an email already]
2) When the O2 Money (Wallet) password has been changed, you should receive an email informing you that it has been changed.[you do at least get asked the current password already]
3) When changing your O2 Money Pay password, you should be required to enter the current password. And when it has been changed, you should receive an email informing you that it has been changed.
4) Adding a new payee (or doing something else major) should require additional verification, such as via having to enter a code sent to you via SMS. SMS verification is a common form of additional verification used by other financial websites (such as Santander) along with Google, Yahoo, PayPal, and various others. It is also already used by O2 Wallet when activating the mobile app on e.g. an iPhone, so why not extend it further to provide real protection for adding a new payee and so on?
I'm not particularly confident about trusting non-trivial amounts of money with a service that IMO not only does not have the same kind of security as "proper" bank websites, but also doesn't even match what you would find with some other non-banking sites and services.
Anyway. Apparently my concerns have been passed on, so we'll see if anything does happen eventually...
