Thursday, 20 September 2012

Financial Security

Credit Crunch
One of the main reasons we keep our money with the banks is security. We can keep it under our mattress, we can keep it under a loose tile, but most of us deem the banks to be safer. They usually are; I had multiple opportunities of witnessing ANZ take proactive measures to ensure the safety of my account. On the other hand, I had appalling firsthand experience with American Express. This taught me to direct my activities in the direction of the banks that seem to know what they’re doing, security wise, and away from the more casual ones. In this post I will discuss one such case of a bank that seems to take things rather too casually, Bankwest.
As far as I am concerned, Bankwest has had its three strikes when it comes to security. Strikes one was already reported here, when the bank claimed to have never received application forms we posted them. (Note that original post referred to the bank as Westbank; I assume my intention was clear.)
Strike two came a month or two ago. One evening I found myself unable to login to my account, receiving constant “you got your user name/password wrong” error messages. After some attempts I was locked out and had to call the bank, where I was told they are working on their website. They reset my password and I was able to access my account again.
Until the next morning, that is, when the whole affair repeated itself. Only that this time, resetting my password did not work. After multiple goes the problem was found: the new password I was trying to use was too long for the revamped website to accept. It also used special characters (i.e., non-alphanumeric characters) which the site claims to accept but in practice doesn’t. Note I wasn’t told of these problems when I first typed my new password; my nominated password was accepted. It was only when I logged off and in again that I found myself unable to access my account.
The main point, though, is that the newly revamped website forced me to lower my password standards, both in length and complexity. A great move for security, isn’t it? And just in case one comes up with the excuse of my problems being due to Bankwest’s work in progress, my answer would be: please test your work in progress before you implement it to your production systems. That’s basic IT, guys.
Strike three came shortly after. My wife wanted to access Bankwest’s phone banking facilities for the first time, which requires a code the bank posted us shortly after we opened our account with them. That’s great, but due to us moving houses we weren’t able to easily find that code. Bankwest’s phone representative was resourceful: he let my wife access the services after she provided her date of birth and email address.
Yes, you read it right: full access to a person’s financial facilities was granted on the basis of information that can be easily retrieved from numerous locations, is often public, and at least in the case of the email address is easily guessed. Great security showmanship!
But wait, I have myself a fourth strike, too. The other week I received a call to my mobile from someone claiming to be from Bankwest. His first question? He asked me to provide my password so he could verify my identity. I didn’t know whether to be angry or LOL, so I did both; in return for my explicit contempt at the request I was given a reference number and told to contact Bankwest.
Contact them I did. It took Bankwest some time to figure out what’s going on, but it did seem as if the call was genuine. After the matter at hand was sorted out, I expressed my complaint: Bankwest should not contact people the way it does; instead it should leave a reference number and ask for the customer to call back. I was then informed this type of cold calling that I’ve enjoyed follows the bank’s set procedures, to which I answered that perhaps these procedures should be updated; I was then told most people are happy to be approached this way. Well, mark my words: if most people are happy to accept such business practices then most people are dumb. I severely doubt the bank’s representative’s claim is true, though.

I will conclude. Given those four security strikes, all of which took place within the span of less than four months, I conclude Bankwest’s approach to matters of privacy and therefore security is far too relaxed for me to consider them reliable. I am actively limiting my interactions with the bank, and I advise everyone else to keep their distance.

Image by bitzcelt, Creative Commons license


Uri said...

Wow. It’s like a textbook phishing scheme. And it was real? Wow.

Moshe Reuveni said...

After tweeting of this incident I was actually contacted by a local newspaper. They obviously agreed with us.

Moshe Reuveni said...

Here's Cory Doctorow agreeing with me: