2010-07-31 18:04

The problems with banks

I recently had trouble buying something online and this resulted in me having to go into a local branch of the bank with which I had the account I was trying to use. There had actually been several issues which had been accumulating with this account, and so I thought that attending in person might be the quickest way to get things sorted out, but the process ended up taking a lot longer than I thought. Fortunately along the way I had an enlightening and somewhat amusing conversation with the cashier who was trying to help me, and I thought that I should share some of the things I have learnt. For privacy reasons I will not go into details about the current state of my account, nor will I disclose which bank it is I have this account with, but I hope it will give people a benchmark to compare their banks against, and I would be interested to know which banks don’t have the same problems as the ones I describe (or have other problems).

Accessing your own money

After explaining the problem of having my card rejected online, the cashier behind the screen went and asked someone more senior, who invited me to sit in her little office and go over the problem with her with a computer and phone in front of us. This turned out to be useful, or at least necessary to fix my problem, but I also suspect that part of the motivation for getting me sitting down is so that I could be subjected to a long sales pitch, which I will come to later. The nice lady cashier did at least want to help me get my card accepted online, and explained that as a “security feature” for my benefit, the bank had stopped me accessing my own money. Admittedly the transfer was to a company in a different country, but it was a company I had used before and for an amount of money which banks are happy for your card to give out without even using the PIN. 
I almost wanted to say “What is the point of a bank that won’t let you access your own money?” as that seems at least as bad as a bank that lets the wrong people access your money too, as at least that way you’d get to share your savings with criminals, rather than letting the criminals, err, I mean bank, have exclusive access to it. The process for re-enabling my account was even more farcical than the reason for blocking it, though. Apparently when the transaction had been denied, the bank had made an automated phone call to me to verify that I wanted it to go through, but unfortunately they had used an old number which I don’t have direct access to. I think I asked whether I could set what the criteria are for the bank calling me like this, such as the amount involved or whether I had dealt with the company before, but if I did ask that, the answer was no. Still, the cashier assured me, she could reproduce the automated call and I could provide my answers and re-enable my account. Sure enough she dialled some numbers into the phone and put it onto speakerphone. “Hello, we are calling from your bank. Your card was recently used to try to make a purchase and we need to confirm that this was by you. Please answer the following questions.” I sat there, shocked, while it asked me to enter my year of birth, my mind desperately trying to work out the security implications of doing this. What if she had typed the wrong number? What if she wasn’t supposed to know this information? More importantly, why would anyone in the right mind give away their personal information to an unsolicited robot call like this? 
It was obviously no reassurance to me that the recorded message included the line “For your peace of mind, we will never ask for any sensitive information like your name or account number.” I’m sure that right now there are phone scams with recorded messages saying “For your peace of mind, we will always ask you to confirm your sensitive information like your name and account number.” The phone robot gave me four choices for my year of birth, and I selected it correctly, then it asked me to enter my day and month of birth as four digits. I went ahead, but I asked the cashier sitting next to me if she was happy that her customers were expected to hand out personal information like this without any verification of who was calling them. “That’s bad security practice.” I said, to which she replied “You really think so?” in a way that barely masked her disdain at someone daring to question the wonderful system that her bank operated. I asked “Couldn’t I tell the bank a password which you could use whenever you called me, so I knew it was safe to hand out my personal details to this unsolicited caller?” to which I’m sure she wanted to respond “It doesn’t work like that.” but, possibly thanks to many hours of training, she managed to find a different wording for that sentiment.

Also for your security

After providing my full date of birth, and having the robot list my recent transactions over the phone so I could give my approval, the cashier told me I could now go back home and attempt the same purchase again, and this time it would be accepted. She could tell I cared about security at this point, which is presumably a rarity among account holders, so she tried to sound knowledgeable to reassure me. 
“Yes,” she said, “people sometimes worry when we call them and say ‘This is the bank’ and don’t specify which one, but that’s because we want to help you keep the existence of your little side account hidden from your wife, who might answer the phone.” That’s not really the threat model I want them to be focusing on defending against, but it was an interesting case nonetheless. She also told me that their phone banking system and their online banking system and their mobile banking system all had different authorisation credentials, so that if an identity thief managed to get the information needed to empty your account one way, they couldn’t empty it in three ways at the same time. That didn’t particularly impress me, and I thought it was more likely that the bank just couldn’t write software clever enough to keep credentials in synch across the various systems. Trying to impress me even more, though, she said “For online banking we actually require two passwords,” and managed to avoid continuing “which must make it twice as secure!”. I also managed to avoid saying that, despite wanting to bait her into agreeing. If I wasn’t already late for getting back to work, I might have tried wasting my time explaining to her about “Verified by Visa”, the online “security” system which encourages you to type an extra password into an

The sales pitch

I didn’t even attempt to talk about two-factor authentication, but she was happy to segue the conversation into things the bank could do to make my account more secure. 
“You wouldn’t want anything to happen to the money in your account, would you?” she threatened, “Why don’t you get a credit card from us, at very reasonable rates, and then if a criminal clones it, which is slightly harder than cloning a debit card, you will be protected from any losses.” I tried to propose another product they could provide, a sort of credit card where you couldn’t go overdrawn, so you never had to pay any interest, but again I found her lips reaching for the words “It doesn’t work like that.” It was clear that she was not in the business of giving customers what they wanted, but rather convincing customers to take up the inconvenient, insecure, and financially burdensome products and services her bank offered. Probably what I wanted was a second account with a block on overdrafts, that I could transfer money to online, possibly an Islam-compatible account. Alternatively the bank could offer me a prepaid debit card which I could buy for a one-off (even extortionate) fee, and keep charging up whenever I wanted to make online or foreign purchases, as these are apparently the two types of transaction which are the most suspicious. If I could opt out of the “security check phone call” policy for this card, knowing that the most I could lose was the amount of money held on the card, then I would be satisfied with that. The time I spent listening to her sales pitch wasn’t completely wasted though, surprisingly, as she noticed that my account was the “Default” (name changed to protect the guilty) type, and she could give me a free upgrade to the “Default + Actually beneficial” type. “See,” she said, “so it has been worth your while coming in today. 
That’s why we recommend our account holders visit us once every 12 months, so that we can make sure we are giving them the best deal.” This wasn’t quite the whole story, though, because when I probed her for the details, it turned out there was no disadvantage to the upgrade, so no reason to be on the “Default” account. I explained that if the bank upgraded all of their customers tomorrow from the first type of account to the second, none of them would be losing out, and most of them would probably benefit. She countered that this would be impossible, as the bank was not allowed to change the terms and conditions for an account without explicit authorisation, even if the change was in the customer’s favour, apparently. She didn’t say, however, what would happen if the bank wanted to discontinue the upgraded account type and whether they could force me to switch back to the old type. Finally the sales pitch reached a climax, or at least got as far as I would allow it, when she started telling me about the bank’s ISA scheme. She told me how other banks try to trick you with some variable rate or something, but I told her I really wasn’t there to make a decision about an ISA. I was too polite to remind her that the actual reason I was there was that the bank had forced me to come in, because I couldn’t access my own money, and that I had been subjected to a sales pitch which I didn’t want and included more examples of how unsafe my money was with them, and now they were asking me to lock away even more money with them. The lady flirtatiously explained that the sales pitch was so that they could “reward” their “valued customer” and to try to build a “long-term relationship” with me, but it felt like they were trying to extract every possible bit of money out of me in as many subtle ways as they could, while trapping me into using their services so that it was difficult to switch to a competitor.

How hard is it to start your own bank?