We aren't in a relationship...
Among the various chunks of SPAM in my inbox today was an invitation to get a free copy of my credit report from Experian. I know this has been a legal right for a while in the States, but over here it usually costs money, so I went to have a closer look. Of course, the bait turned out to conceal a hook.
Before I can see the report, I first have to supply various bits of personal information (OK, they have to do something to ensure that only the real data subject sees the report...), and the usual other bits of metadata (username, password, mother's maiden name, memorable word, memorable word hint, etc. etc. etc...). Then I have to enter my payment card details.
Huh?
It turns out that what I'm being invited to sign up for is a 30-day free trial of their CreditExpert service... after which it will cost me £6.99 a month (£83.88 a year). It was not clear whether the billing would simply start by default, or whether I would have to take some further step in 30 days' time to start paying. On that basis, I was not prepared to go any further.
A little more investigation revealed that for a one-off payment of £11.95, Experian's largest UK rival, Equifax, will send me a single report.
Irritatingly, both companies seem to think that, just because I want to see my own credit report, I also want a 'customer relationship' with them. I don't. I want a transaction, and that's not the same thing.
[Disclaimer: I have no professional or commercial stake in either Experian or Equifax... though their urlicon indicates that Equifax's website runs on Sun.]
Posted by racingsnake @ 10:28 AM GMT+00:00
Thinking about webmail passwords
I saw this in a recent newsletter from fastmail.fm, and went for a further look. It's good to see that, among the welter of webmail providers all eager to sell you convenience and free disk space, there is at least one which is thinking seriously about ways to mitigate risk for an increasingly mobile user population.
The options aren't necessarily new; for instance, one is to get a list of random numbers to use as one-time passwords (OTPs). Users of German online banking systems will have been familiar with this in the form of TANs, or Transaction Authentication Numbers, for years. In some TAN implementations a PIN is also required; in the fastmail implementation they have added a "base password" to protect against the risk of losing your list of numbers.
Clearly, there are those who will not find it convenient to carry a piece of paper around with them just in case they want to check their webmail (paper... it's just so...biological...); for them, there's the option of an out-of-band OTP sent to your phone as an SMS.
The fastmail folks have also come up with some other sensible options; for instance, if you have authenticated using a one-time password, the default session length comes down to one hour - after that you have to re-authenticate (normally their default is to log off inactive sessions after a couple of hours). There's also the option to specify that, if you've authenticated using a one-time password, a number of housekeeping and administrative functions can be made inaccessible.
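The scheme described above (a printed list of single-use codes combined with a base password, followed by a one-hour, restricted session) can be modelled as below. This is an added example, not fastmail's code or part of the original post; the class and action names, the eight-digit code format and the PBKDF2 storage are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_SESSION_SECONDS = 3600  # the post: OTP logins default to a one-hour session
# Assumed names for the "housekeeping and administrative functions".
RESTRICTED_AFTER_OTP = {"change_password", "edit_forwarding", "delete_account"}

def _digest(salt: bytes, secret: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

@dataclass
class Session:
    expires_at: float
    via_otp: bool

    def may(self, action: str, now: float) -> bool:
        if now >= self.expires_at:
            return False  # session over: the user has to re-authenticate
        return not (self.via_otp and action in RESTRICTED_AFTER_OTP)

class OtpAccount:
    def __init__(self, base_password: str, count: int = 10):
        self.salt = secrets.token_bytes(16)
        self.base_hash = _digest(self.salt, base_password)
        codes = set()
        while len(codes) < count:  # unique random numbers for the printed list
            codes.add(f"{secrets.randbelow(10**8):08d}")
        self.printed_codes = sorted(codes)  # handed to the user, not stored
        self.unused = {_digest(self.salt, c) for c in codes}  # server keeps digests

    def login(self, base_password: str, code: str, now=None):
        now = time.time() if now is None else now
        base_ok = hmac.compare_digest(
            self.base_hash, _digest(self.salt, base_password))
        code_hash = _digest(self.salt, code)
        # A found or stolen list is useless without the base password.
        if not (base_ok and code_hash in self.unused):
            return None
        self.unused.discard(code_hash)  # one-time: a replayed code is rejected
        return Session(expires_at=now + OTP_SESSION_SECONDS, via_otp=True)
```

A real deployment would also rate-limit failed attempts, since a holder of the list could otherwise guess at the base password.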
All in all, in these days where convenience is supposed to be the be-all and end-all, I find it reassuring to see that some service providers are prepared to credit users with a little more concern for security.
Disclaimer: I have no commercial or professional stake in fastmail, though I am a user.
Posted by racingsnake @ 09:36 AM GMT+00:00