I used to think that Trust was the USP for banks that others would find hard to match, but the banks have failed quite badly to cope with the internet, and companies such as Airbnb (2008) and Uber (2009) have appeared from nowhere over the last few years to an extent that I believe they are more trusted than a typical bank, some with histories going back to the 17th century (Barclays and Coutts).
The days of calling into the branch and talking to the manager are long gone; you must do it online, and often the only way is a phone call, and I’m sure I’m not the only one that dreads the ensuing battle of wits to get to somebody who can actually get anything done. That of course assumes you manage to get through the security checks, which could be so easy but are in practice badly constructed. Having queued to get through, then battled through the questions, to be told you have failed security, at which point you are disconnected, is the best way of infuriating any sane customer. I doubt they have heard of UX so I’ll spell it out – ‘User Experience’. There is an argument that banks as we know them may be on a path to extinction; some bankinterneto is surely going to take over. Who would you rather deal with, your bank or Amazon?
I have been concerned for some time over the banks’ attitude to Authorised Push Payment (APP) scams, where in my view they have lost sight of conventional security concepts and yet they are happy to pass all the blame onto their customers, but first let’s look at an erroneous push payment created by a customer’s own bank.
This story relates to an article in the Sunday Times Business Section (Question of Money, Jill Insley, 5th August 2018), it could be fake news but somehow I doubt it!
A bride to be had deposited £7,000 in her TSB account to help pay the forthcoming wedding bills. Some time later she noticed that the £7,000 had been withdrawn. On contacting the bank after a 2 hour queue she was told the payment had been authorised via a phone to a local company that she had transacted with previously for £60. The victim pointed out that she was the only one with access to her account and that she hadn’t made the payment. The bank eventually phoned back saying that TSB would not refund the payment.
The bride to be then descended onto her local TSB branch where the manager was able to confirm that the local company had indeed received the unexpected £7,000 and had contacted its bank (NatWest) where its fraud department had taken control of the funds. NatWest advised the TSB manager to do a faster payment recall which he did and the lady was told she would get the money back in 10 days.
After 2 months there was no sign of the money even after visiting the branch and making 26 phone calls.
The Sunday Times took over and contacted TSB and after 2 days the money was refunded. At no stage was there any apology from the bank. The bride had also approached the Financial Ombudsman who told her that the bank’s IT issues had affected a lot of people and ordered TSB to pay £530 compensation again with no sign of an apology anywhere. Most people seem more than a bit unhappy with the Financial Ombudsman’s treatment of TSB, so no help there then.
I find this story a sign of the times, banks have lost touch with their customers, no modern company can treat people like this and survive. It was the bank’s error, the money always belonged to their customer and yet the customer was wrong. I’ll bet 50 years ago I could have walked into a bank branch and had that corrected while I wait. This of course is not an isolated case and is my first example for why people no longer trust the banks.
The second case study comes from The Guardian (Anna Tims, 30th April 2018) about Virginia who lost her mother’s life savings in an APP scam. When you start reading these cases you do feel that these newspapers have far more clout than any Financial Ombudsman and do want to help the consumer to get justice.
The story is an example of an Authorised Push Payment (APP) scam. This is where a bank account customer is duped into making a payment to a hoaxer. It is tempting to think that the victims are being stupid to be caught out but in truth these hoaxers are very good and it should be clear that the typical bank customer has little knowledge of how banks work nor do they understand the underlying technology.
Virginia (not her real name) received a call from the Royal Bank of Scotland’s fraud team who flagged up some unusual transactions on her account. Virginia has power of attorney over her mother’s account and over the next couple of hours she was swindled out of her mother’s life savings.
The hoaxer’s call sounded quite credible, the caller ran through some security questions and then asked if she had made a large payment that day. She advised him that was not the case but was told that the account had been marked as frozen due to the unusual transfers. He promised to call back after she had had time to check her account.
The hoaxer did indeed ring back the next day, by which time Virginia had been able to confirm that her account was indeed marked frozen and that the £18,500 in her mother’s account had been moved to her account. The caller was also able to text Virginia with some superficially credible ID details. You know what is coming, but in hindsight it’s easy to see the flaws, and when you’ve just seen things happen to your account that the bank is apparently handling for you, well, it happens to a lot of people.
The caller explained that to protect her funds they had set up a new account in her name and asked her to log into the account as normal and to set up a payment to Virginia X with a sort code and account number given on the call. Virginia made and authorised the payment as normal. When she called the bank the next day she discovered they knew nothing about it and all her money had gone.
Of course the stock answer from the bank is that you should never make payments on the basis of instruction given over the phone, we would never ask you to move money to keep it safe from fraud. To give you some perspective according to UK Finance 43,875 bank customers lost an average of £2,784 each to an Authorised Push Payment scam in 2017. So Virginia is hardly an isolated case.
I believe that the banks are obliged to protect their customers from inadvertently making fraudulent payments to a level quite a lot better than they do today. The banks in my view are guilty of providing inadequate security controls for a consumer operated electronic payment system. I’m afraid this also worked a lot better 50 years ago.
The Which? consumer association made a super complaint to the Payment Systems Regulator (PSR) to which they are responding, but from what I’ve seen so far they have also lost touch with how the internet world works.
The security issues in both these examples are well known and are due to a single-ended security protocol. To give you a simple example, in the early days of ATMs a particularly well known product took the user details and sent them to the card issuer for authorisation. This message was cryptographically protected; unfortunately the response message was not: it was an unprotected yes/no. A hacker only had to intercept this message and a refused payout could easily be changed to a payout authorisation.
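The ATM exchange above can be modelled in a few lines. This is an added example, not code from the author or from any ATM product; the shared key, field layout and sample request are constructed for illustration. It shows the single-ended reply accepting an altered yes/no, and a reply that carries a MAC bound to the request and a fresh nonce rejecting both the alteration and a replayed approval.

```python
import hashlib
import hmac
import secrets

# Constructed demo key shared by ATM and card issuer (assumption for this example).
KEY = b"constructed-demo-key-not-for-production"

def mac(*parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed fields, so field boundaries are unambiguous."""
    h = hmac.new(KEY, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()

def issuer_reply(nonce: bytes, request: bytes, approve: bool) -> tuple[bytes, bytes]:
    """Issuer side: the decision plus a MAC tying it to this exact request."""
    decision = b"Y" if approve else b"N"
    return decision, mac(b"resp", nonce, request, decision)

def atm_single_ended(decision: bytes) -> bool:
    """The flawed design: the reply is trusted exactly as received."""
    return decision == b"Y"

def atm_double_ended(nonce: bytes, request: bytes, decision: bytes, tag: bytes) -> bool:
    """Pay out only if the reply is authentic and belongs to this request."""
    expected = mac(b"resp", nonce, request, decision)
    return hmac.compare_digest(expected, tag) and decision == b"Y"

def demo() -> dict:
    request = b"PAN=constructed-0001;AMT=200.00"  # constructed sample request
    nonce = secrets.token_bytes(16)               # fresh per transaction
    decision, tag = issuer_reply(nonce, request, approve=False)
    flipped = b"Y"                                # the reply altered in transit
    # An approval issued for an earlier transaction, replayed against this one.
    old_nonce = secrets.token_bytes(16)
    old_decision, old_tag = issuer_reply(old_nonce, request, approve=True)
    return {
        "single_ended_accepts_flip": atm_single_ended(flipped),
        "double_ended_accepts_flip": atm_double_ended(nonce, request, flipped, tag),
        "double_ended_accepts_replay": atm_double_ended(nonce, request, old_decision, old_tag),
        "double_ended_accepts_refusal": atm_double_ended(nonce, request, decision, tag),
        "double_ended_accepts_approval": atm_double_ended(old_nonce, request, old_decision, old_tag),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```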
A phone call with the bank is an equally one-sided operation: they are happy for you to provide your security data to authenticate your ID, but how on earth do you know if they are authentic? This is a major conceptual failure in many such electronic payment/banking systems. It would not be difficult for the banks to provide a challenge response system so that you could validate their credentials before providing any sensitive information. This concept is not even on the payments regulator’s action list.
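One way such a challenge response check could work, as an added sketch that is not the author's design or any bank's actual scheme: it assumes a secret shared between the bank and the customer's device at enrolment, and the class name, code lengths and time limit are hypothetical. The customer reads out a fresh challenge, and only a caller holding the enrolled secret can return the matching code.

```python
import hashlib
import hmac
import secrets
import time

def response_code(secret: bytes, challenge: str) -> str:
    """6-digit code from HMAC-SHA256(secret, challenge), using HOTP-style truncation."""
    digest = hmac.new(secret, challenge.encode(), hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"

class CustomerDevice:
    """Customer side: issues a fresh challenge and checks the caller's answer."""

    def __init__(self, secret: bytes, ttl_seconds: int = 120):
        self._secret = secret
        self._ttl = ttl_seconds
        self._pending = {}  # challenge -> monotonic time it was issued

    def new_challenge(self) -> str:
        challenge = f"{secrets.randbelow(10**8):08d}"  # short enough to read out
        self._pending[challenge] = time.monotonic()
        return challenge

    def verify_caller(self, challenge: str, answer: str) -> bool:
        issued = self._pending.pop(challenge, None)  # single use, right or wrong
        if issued is None or time.monotonic() - issued > self._ttl:
            return False
        expected = response_code(self._secret, challenge)
        return hmac.compare_digest(expected, answer)

def demo() -> dict:
    enrolled = secrets.token_bytes(32)  # constructed: secret shared at enrolment
    device = CustomerDevice(enrolled)
    c1 = device.new_challenge()
    good = response_code(enrolled, c1)  # what the genuine bank would read back
    genuine = device.verify_caller(c1, good)
    replayed = device.verify_caller(c1, good)  # same challenge offered again
    c2 = device.new_challenge()
    right = response_code(enrolled, c2)
    # A caller without the secret can only guess; this guess is wrong by construction.
    guess = right[:-1] + str((int(right[-1]) + 1) % 10)
    return {"genuine": genuine, "replayed": replayed,
            "hoaxer": device.verify_caller(c2, guess)}

if __name__ == "__main__":
    print(demo())
```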
The first example is also the result of a protocol failure because the bank clearly had absolutely no evidence of how the erroneous payment was constructed and executed. They passed the blame onto the customer to hide their lack of controls. In any secure electronic transaction system it would be normal to apply some form of digital signature to such messages, in the event of a dispute you at least know where the message came from and it would be harder for the customer to argue they didn’t make the payment if the bank can produce such evidence.
Dr David Everett