The Daily Mail has recently run a couple of interesting reports detailing how banks such as Santander and HSBC, among others, are tightening up the security obligations they place on their customers. These obligations are meant to ensure that customers adequately protect their personal information, reducing their risk of falling victim to fraud; but of course there are two sides to every story: they also leave the door open for banks to refuse compensation payouts in cases where the customer is deemed to have fallen foul of the new rules.
Among the customer responsibilities that the financial institutions will now insist on are:
- Use a separate PIN for every bank card
- Ensure that no one can watch you at an ATM or hear your phone conversations with the bank
- Shred your bank statements and receipts
- Never click on links in emails received from your bank
- Lock your mobile device with a PIN if it is used for banking
While much of this is entirely sensible in terms of personal security, some of it could prove to be counter-productive, and much of it relates to problems that would be best solved by the financial institutions themselves rather than by pushing the obligation onto the customer.
If you would like your customers to use a distinct PIN for every bank card, then simply withdraw the function that allows users to change their PINs. Oh, and while you’re at it, please issue cards that support longer PINs and enforce their use. Of course, making this change will have the unfortunate side effect that many customers will resort to writing down their PINs in order to keep track of them all…
If you want to make it difficult for others to see PIN details being entered at ATMs, then redesign your ATMs! They are currently operated in full public view with no shielding whatsoever over the PIN entry pad.
If you want to reduce the risk associated with telephone banking being overheard, then allow all sensitive information to be verified using the keypad of the telephone and do not allow your customer service team to ask for that information to be given verbally. It makes me uncomfortable that I am divulging it to anyone at all, let alone that someone might overhear.
If paper statements pose a risk, then stop issuing paper statements: if a customer is obliged to shred them anyway, they serve very little purpose. If receipts pose a risk, then ensure that no sensitive information is printed on them. Shredding receipts suddenly doesn’t seem so clever when you have to return faulty goods.
Never click on links in emails from your bank. This is absolutely correct, but wouldn’t it be nice if your bank actually stopped sending you emails with links in them? Are you listening, marketing departments?
Finally, mobile banking… This one’s quite a can of worms. Over the years, banks have steadily introduced more and more security mechanisms to counter online account fraud: first it was the username and password entered in full, then selected characters only, then on-screen keyboards, then second-factor authentication tokens, and now some banks have thankfully introduced transaction verification technology. All because they recognise the risk from fraud. However, now that banks are introducing mobile payment apps and mobile banking apps, how are these secured? Simply by entering a PIN in full to unlock the app. How have all these important authentication lessons been forgotten?
When you consider that it takes only about 13 minutes to get past a 4-digit PIN on most mobile devices, it is apparent how woefully inadequate that device PIN is as protection for access to your bank account; and we all know the perils of entering a password in full, anywhere.
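To put the 13-minute figure in perspective from the defender's side, here is a short Python model, added to this post and not taken from any bank or device vendor, of how PIN length and a progressive lockout policy change the time needed to exhaust a numeric PIN keyspace. The guess rate is derived from the post's own figure (10,000 four-digit combinations in about 13 minutes); the lockout policy (five free attempts, then a delay that doubles from 30 seconds up to a one-hour cap) is a constructed assumption for illustration, not the behaviour of any particular device.

```python
"""Model of PIN keyspace exhaustion time with and without a lockout policy.

Added example for this post; not code from any bank or device vendor.
The guess rate is derived from the post's "about 13 minutes for a 4-digit PIN".
The lockout parameters are constructed assumptions, not a real device's policy.
"""

# Guesses per second implied by exhausting 10,000 PINs in 13 minutes (assumption from the post's figure).
UNTHROTTLED_RATE = 10_000 / (13 * 60)  # roughly 12.8 guesses per second


def keyspace(pin_length: int) -> int:
    """Number of possible numeric PINs of the given length."""
    return 10 ** pin_length


def unthrottled_seconds(pin_length: int, rate: float = UNTHROTTLED_RATE) -> float:
    """Seconds to try every PIN when the device imposes no delay between guesses."""
    return keyspace(pin_length) / rate


def throttled_seconds(
    pin_length: int,
    free_attempts: int = 5,      # constructed policy: guesses allowed before any delay
    base_delay: float = 30.0,    # constructed policy: first delay, in seconds
    max_delay: float = 3600.0,   # constructed policy: delay cap, in seconds
    rate: float = UNTHROTTLED_RATE,
) -> float:
    """Seconds to try every PIN under a progressive lockout.

    The first `free_attempts` guesses are immediate; each later guess is
    followed by a delay that doubles until it reaches `max_delay`.
    """
    remaining = keyspace(pin_length)
    free = min(free_attempts, remaining)
    total = free / rate
    remaining -= free
    delay = base_delay
    while remaining > 0:
        if delay >= max_delay:
            # Delay has saturated: every remaining guess costs the same, so sum in one step.
            total += remaining * (1 / rate + max_delay)
            break
        total += 1 / rate + delay
        delay = min(delay * 2, max_delay)
        remaining -= 1
    return total


def days(seconds: float) -> float:
    """Convert seconds to days for readable reporting."""
    return seconds / 86_400


def summary(pin_lengths=(4, 6)) -> dict:
    """Worst-case exhaustion time, in days, for each PIN length and policy."""
    return {
        n: {
            "unthrottled_days": days(unthrottled_seconds(n)),
            "throttled_days": days(throttled_seconds(n)),
        }
        for n in pin_lengths
    }


if __name__ == "__main__":
    for n, result in summary().items():
        print(f"{n}-digit PIN: no throttling {result['unthrottled_days']:.4f} days, "
              f"with lockout {result['throttled_days']:.0f} days")
```

The point the numbers make is that the app PIN the post criticises is only as weak as the device lets it be: a 4-digit PIN exhausted in 13 minutes without any delay takes over a year to exhaust under even this modest lockout policy, and moving to 6 digits multiplies both figures by a hundred. Lockout on the app side, not just a longer PIN, is the lesson from the earlier generations of online-banking controls.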
While the guidance given by banks is entirely reasonable, it seems that there is much more that banks could and should be doing to help their customers remain secure, through changes to in-house procedure and technology.
In the case where your bank refuses you compensation for fraudulent transactions, remember this: the bank is obliged to investigate every claim of fraud individually. If it is refusing your claim, it must provide you with any evidence of negligence, and it must prove that you are at fault in order to be able to refuse.
Image Credit: redpotted’s Flickr photo stream, used under Creative Commons