Wednesday, September 27, 2006

Ulster Bank Online Banking - asking for your password over the phone

Information must be the keyword of the week.

Paper, email, podcast, Tivo recording overload leaves little time to keep finances in order and keep on top of those pesky bank statements. So I decided to take action and sign up to get online access to my Ulster Bank account.

I opened a current account with the Ulster Bank as a student. Like thousands of other freshers in Belfast each year, I selected a bank in the university area and haven’t moved since. The Ulster have been pretty ok as far as local banks go. Other friends and colleagues have experienced much greater incompetency with the Northern Bank and the Allied Irish Bank (AIB, hence I abbreviate Alan in Belfast to AiB).

There have been a few weird moments in the last couple of years.

  • An increasing number of marketing calls in the early evening trying to sell extra financial services.
  • Going into the city centre Belfast headquarters branch to lodge a cheque in Euros only to be told that I could only lodge foreign currency in my own branch. Though they photocopied the cheque and posted it up the road for me.
  • And I couldn’t cancel my Ulster Bank Visa card from a branch - had to do it over the phone.

So I filled in the Anytime Banking application form, handed it in to the branch Monday week ago, and waited for the process to begin.

Now online banking is all about trusting that bank system is secure, and feeling that the service is reliable.

On Friday I got a letter welcoming me, stating my customer number, and telling me to read the enclosed registration guide for the next steps. Guess what? No enclosed guide. And the website is a prime example of security by obscurity. Nothing in the online help to explain about registration.

On Saturday I got another letter - identical except for the date - welcoming me, stating my customer number, and telling me to read the enclosed registration guide for the next steps. Guess what? No enclosed guide.

Failure in the reliability stakes. Duplicates and missing information.

Walking past a branch on Monday I wasted my time enquiring. Telephone helpline only. One of their identification questions is to ask you to state a recent direct debit from your account. Difficult unless you’ve got a statement from a hole in the wall machine recently. Precisely the reason I wanted online banking! So I asked asked a colleague what the monthly union subs were and phoned back - this time able to confirm my identity.

Call centre: What would you like your password to be?
Me: Pardon?
Call centre: What would you like your password to be?
Me: You’re not really asking me that over the phone. It’s standard advice never to tell anyone your password. Particularly not for something as important as an online banking service.
Call centre: It’s only for the first time, so we can set it. And your phone line’s very secure.
Me: No. There must be some other way. Can I set a temporary one and then change it?
Call centre: Well I need to set one before I can put you through to the automated system to get your shared secret. [It’s a one time code to log in the first time.] And you’ll be able to set your password after that.

So I made up a throwaway password, got the shared secret from the automated voice, logged in for the first time, and was prompted to set a password.

What a strange set up. An online bank that expects you to tell them a password over the phone. Lacking in the security stakes.

It’s tipped me over the edge - something that’s happening a lot recently. Must be a sign of the stress levels. I’ll be looking into Smile.co.uk and the Nationwide’s offering and switching my account. Time to desert the sinking ship. And write them one a parting letter to question their approach and commitment to security.