Wednesday, April 18, 2007

Will the banks ever learn?

The original event that prompted me to start this blog had to do with bank procedures...or should I say outdated bank procedures and stupid customers (myself included). You can read that post here. The point I was trying to make was that outdated procedures open customers up to phishing and identity theft through the use of social engineering.

It seems my bank here in the UK is trying to prove me right and further highlights that banks need to change the extremely insecure, unsafe way they conduct business when they call customers. They called me earlier today and it went something like this:
Bank: "Hello Mr Yip, this is (Bank X) calling. It's nothing urgent, just a routine service call. Do you have a few minutes to talk?"
Me: "Yep sure."
Bank: "Now Mr Yip, to validate you are indeed who you say you are, would you mind telling me your full name, address and date of birth?"
Me (keeping in mind my previous experience with one of my banks in Australia, as per the blog post mentioned above): "What is this call in regards to?"
Bank: "I'm sorry sir, I can't tell you until you verify your information."
Me: "In that case, can I just call you back? I don't think it's secure giving my details away simply because you claim to be my bank."
Bank: "Sure sir. You can call our customer service number and they will be able to help you."
Me: "What do I tell them when I call? I don't know what this is about."
Bank: "I'm sorry sir. As I mentioned before, I can't tell you."
Me: "OK that's fine. I won't bother calling then."
Bank: "That's fine sir. This was just a service call. Nothing urgent."

What's just happened here?
1) My bank has me thinking it has poor security and stupid procedures. My confidence in them has been tainted.
2) They've just lost a sales opportunity to have me sign up to whatever additional service they were calling me about.
3) I've lost the opportunity to potentially benefit from a service that might have been useful.
4) I'll probably take my business elsewhere if I ever need that service because I'm not aware my bank provides it.

If anyone from a bank is reading this and has some say in security procedures, FIX IT! For the rest of us, just refuse to deal with the banks this way. Insist they verify and validate themselves to you first (they probably won't be able to, because their staff are unlikely to be trained appropriately - no procedure means no training). If that doesn't work, call them back on the number printed on your card or statement. If they can't give you a good reason to call back, then just ignore the fact they ever called. They were probably trying to sell you something you don't need anyway.
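To make the procedure above concrete, here is an added example (not code from the original post, and not any bank's actual system) that models what "the bank verifies itself to you first, otherwise call back, otherwise ignore" could look like. The `BankCallRegistry`, the `CustomerApp` authenticated channel, the reference-code format and the customer ids are all assumptions made for the example: the bank registers every outbound call before dialling and quotes a one-time reference, the customer checks that reference over a channel they already trust, and identity details are never disclosed on a call the customer cannot verify. It also covers the failure mode from the comments below: a caller who is not the bank has no valid reference and is simply refused.

```python
"""Constructed model of mutual verification for bank-initiated phone calls."""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class PendingCall:
    customer_id: str
    purpose: str
    reference: str


class BankCallRegistry:
    """Bank side (assumed design): every outbound call is registered before dialling."""

    def __init__(self) -> None:
        self._pending: Dict[str, PendingCall] = {}

    def schedule_call(self, customer_id: str, purpose: str) -> str:
        # One-time, unguessable reference the agent quotes at the start of the call.
        reference = secrets.token_hex(4).upper()
        self._pending[reference] = PendingCall(customer_id, purpose, reference)
        return reference

    def verify_reference(self, customer_id: str, reference: str) -> Optional[str]:
        """Return the call's purpose if the reference belongs to this customer, else None."""
        call = self._pending.get(reference)
        if call is None or call.customer_id != customer_id:
            return None
        return call.purpose

    def pending_for(self, customer_id: str) -> List[PendingCall]:
        """What the inbound customer-service line sees when the customer calls back."""
        return [c for c in self._pending.values() if c.customer_id == customer_id]


class CustomerApp:
    """Customer side: a channel the customer already trusts (assumed: their online banking)."""

    def __init__(self, registry: BankCallRegistry, customer_id: str) -> None:
        self._registry = registry
        self.customer_id = customer_id

    def check_reference(self, reference: str) -> Optional[str]:
        return self._registry.verify_reference(self.customer_id, reference)

    def call_back_on_published_number(self) -> List[PendingCall]:
        return self._registry.pending_for(self.customer_id)


def handle_outbound_call(app: CustomerApp,
                         caller_reference: Optional[str]) -> Tuple[str, Optional[str]]:
    """Apply the post's advice to an incoming call claiming to be the bank.

    Returns (action, purpose) where action is one of:
      "proceed"   - caller proved it is the bank; the purpose is known before any details leave
      "call_back" - caller could not prove itself, but the bank's published line has a record
      "ignore"    - nobody can say what the call was about, so it never happened
    No identity details are disclosed on the unverified call in any branch.
    """
    if caller_reference is not None:
        purpose = app.check_reference(caller_reference)
        if purpose is not None:
            return "proceed", purpose
    pending = app.call_back_on_published_number()
    if pending:
        return "call_back", pending[0].purpose
    return "ignore", None


if __name__ == "__main__":
    registry = BankCallRegistry()
    app = CustomerApp(registry, "cust-1234")          # constructed customer id
    ref = registry.schedule_call("cust-1234", "savings account offer")
    print(handle_outbound_call(app, ref))              # bank proved itself -> proceed
    print(handle_outbound_call(app, "NOTAREF1"))       # unverifiable caller -> call back
    print(handle_outbound_call(CustomerApp(BankCallRegistry(), "cust-9999"), None))
```

The design choice worth noting is the direction of proof: the reference is generated by the bank and checked by the customer, so the caller must prove something before the customer does, which is exactly the ordering the post argues for. A caller who cannot quote a valid reference gets nothing, and the customer loses nothing, because the call-back branch recovers the purpose through the published number.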


Unknown said...

or 5) It wasn't your bank, just someone socially engineering you?!


Ian said...

Yeah that too. Maybe I'm too trusting. In my defence, they did have my phone number...which I haven't given out to many people yet.