NeoPost: This is how you DON'T do PIN security
What's more secure than a PIN? Three for one device? Er, no, says Reg mobile man
There is something very proper about the Royal Mail. It has the word “Royal” in it after all, reassuring users of the postal service's integrity. You particularly wouldn’t want anyone stealing postage, so a franking machine has to be super secure – which is perhaps why my shiny new machine from NeoPost needs three PINs.
Setting up a basic, entry level NeoPost franking machine is not the work of a minute. This is puzzling as you give the firm your billing information when you order, so theoretically it could come configured, with credit and ready to run.
Ideally it would have 802.11, and all you’d have to do is plug in the power and enter your Wi-Fi code. But no, the device comes as a kit of parts.
First of all, you need to insert the ink cartridge. You wouldn’t want the ink drying out in shipment – not when a cartridge, or in NeoPost speak a “headset”, costs £80 a pop. Then you must insert the security module. While the mobile and banking worlds are happy with smart cards as security, postage needs a module the size of a small hard disk.
RTFM? It didn't help
The manual warns you to write down a code from the back of the module – describing the format of the number to look for – because you will need it later. The manual is wrong, both in describing the number and in that you need to write it down. Being wrong about the format is interesting because there are three separate strings of numbers on the module, none of which conform to the described format. There are copies of the correct number on the copious paperwork.
Maybe this is supposed to be fun, like a Zork puzzle you're supposed to solve. I mean, you wouldn’t be doing this just before the post has to go, would you?
The next step is to connect the RJ45 lead, because you really want to put your franking machine close to the hub and power. The instructions tell you to connect a USB lead and install the software on the supplied CD.
This is another one of those puzzles. You actually want to connect either the Ethernet or the PC but not both. Still if I had got this right I would have missed one of the joys of the software. If you’ve told the franking machine to talk to the Ethernet port rather than serial port, the software complains that the “media” is wrong. According to NeoPost tech support, “media” is a perfectly valid term for a connection. Which is odd as nowhere in the FAQs or by searching the NeoPost website is this stated. Try to find out what the error message means by "media" without phoning the support line and you are lost.
All you have to do is call... hang on...
To change the setting on the machine to correct the “media error”, you need the Supervisor PIN. This is not contained in any of the paperwork, perhaps for security reasons. But you can get it from customer services. It’s easy for them to tell you as every machine of a particular model has the same supervisor PIN. And you can’t change it. This is the security model known as “leaving the keys under the mat”.
Paul Gilbert from Neopost told us: "You have one of our IS-240 machines and the purpose of the Supervisor PIN on this model is to ensure that the machine configuration cannot be changed unless you access the machine menu using the PIN.
"As this is its purpose, our IS-240 / 280 machines share a common number. Once again, knowledge of this number is not considered a risk. Higher level machine models in our range have Supervisor PINs which are individual to machines, can be locally managed and secure the more specific functionalities related to those machines."
Still you do need to access the website because this is the start of the PIN fun. You need an activation PIN. To get this you need to find the right one of the myriad account numbers you’ve been sent and type it into the NeoPost website. Not in the place the manual says to look for it – that isn’t there. Nor can you search for “Installation PIN”, or even just “PIN” on the website you need to go to support and then dig through the FAQ to find where to access the PIN generator.
It’s long. Too long to remember as you walk from the computer to franking machine. So you’ll print it or write it down. Still, scraps of paper left lying around are nice and secure. Make sure the machine is in a good well-lit place because the cheap, non-backlit monochrome display (which is too small for the menu structure) isn’t the easiest to use.
NeoPost will argue that it’s a one-time PIN, indeed when questioned, Gilbert said: "As a self-install machine, this PIN number is used to register the meter and once this is undertaken has no other purpose and is not used again. Writing this number down therefore presents no security risk."
OK, you're hooked up to my bank account...
And then comes the important bit of the security: the money bit. Again, you need to use an online account and pay money into a NeoPost account. This doesn’t credit the machine – that needs to then be asked to go and suck the money out of the account, which means lots of making sure you know which amounts are where.
NeoPost has clearly got a poor deal with its credit card company as customers are charged three per cent. A high volume, secure business should be able to get the rates down to half that.
Still the credit in the machine is nice and secure. I was sent two letters by NeoPost on the same day. One was a welcome letter and the other had the PIN for the top-up. It was securely printed, just like a credit card.
This makes sense except that in my call to Customer Services, without prompting for it, I was told this PIN over the phone. I suspect that every customer has the same one.
Again Gilbert explained that this was down to processes:
Postage top-up PIN number (Credifon PIN) – Once you set up an online account with us, this PIN number is no longer required regardless of whether you make future top-ups over the phone or online. As the only purpose of this PIN is to facilitate initial access to your account, it’s security is not considered to be a risk. Your Credifon PIN was sent to you in a secure postage envelope and this "security" aspect relates to older, non-SMART machines where the topping-up process requires different protocols.
What we can learn from this is that there is a huge difference between security and perceived security. While three different PINs might seem secure, if you make the experience of setting the device up such a nightmare you will have to use default PINs all over the place to ease configuration – making it a lot less secure. ®