Silicon Glen, Scotland
Email security and issues with online banks
One thing that annoys me is organisations, particularly banks, going to all the effort of setting up an online presence and then still forcing me to use the phone because their so-called Internet presence only offers a limited subset of functionality.
The Royal Bank of Scotland have an online banking facility for instance, but their "contact us" feature isn't for account banking correspondence. With other banks, I can log into the site, access my account, send the bank a mail from their website if I have any queries, yet they have no online facility for me to receive an answer.
Why? It wasn't a requirement to have a phone to send the enquiry in, why should it be a requirement to have a phone to hear the response? After all, I might have sent the enquiry from the other side of the world whilst on business. I might happen to work in a particularly noisy environment where phone calls are difficult. Of course if you look after young children, you might get an odd free moment here and there, enough over time to compose an email but constantly being disturbed like that is going to make a phone call quite impractical, particularly if there is a long queue to speak to the bank's call centre.
The argument often raised as to why you have to call the bank is because of "security". Here is a quote from Egg.
"When you send us a secure e-mail, we can ensure no information will be seen by anyone other than ourselves. When we send an e-mail response, it is passed from our systems to your e-mail provider's systems. As we're unable to guarantee the security of their systems, we don't send any account specific answers via e-mail."
Nice intentions, but let's look at this in detail and get more of a big picture.
When I send them a secure email, they can't ensure that no information will be seen by anyone other than themselves, since TV licence detection equipment and similar can view my screen at a distance, something which Egg have no control over. Anyone determined to get my account details could use this technology.
Get this in context guys. Whilst conventional email might not be 100% watertight, for my purposes it's as good as. In 19 years of email, I've never had a security breach caused by someone reading my mail. At about 30 mails a day average in that time, that would seem to be odds of at least 208,000 to 1 of a mail being intercepted.
Furthermore, email is significantly more secure than the post (let's face it, who hasn't had items go missing in the mail) and it's also a good bit more secure than phoning from an open plan office where everyone can overhear what you are saying. Can either of those methods offer odds as long as 208,000 to 1?
They are claiming that all email sent to an ISP is potentially insecure. Perhaps true, but given the billions of emails sent every day and the exceptional steps taken to protect the many private emails being sent, do you not think the biggest problem would be even finding my mail, let alone being interested in its contents? Do you not think we'd know about it by now if there was a problem with email and security? Perhaps this attitude is simply to service the paranoia generated in the media that the Internet is fundamentally insecure.
Banks can't guarantee the security of the post. Nor can they guarantee the security of the post once it reaches its final address where I might share a flat with various people, any of whom could potentially open my mail. Some banks don't even print a full first name on correspondence, meaning that a parent could open their child's mail by accident if they have the same initial. (Even worse, my chemist prints "C Cockburn" on my daughter's prescriptions for instance so I can't tell my medicines from hers). But I digress. None of these "security" concerns seems to prevent the post being used to send secure information.
Some possible solutions:
Just think what would happen if all the bank's customers took the same attitude towards security. I would say to the bank "Sorry, I can't accept any emails from you because they might not be secure. You're going to have to log into my website, figure out how to use it, and enter your response on my webform instead. Hope you don't mind taking 10 minutes or more figuring out how to do this and waiting for my busy website to respond". Don't you think the banks would find this just a little bit inconvenient? How then do they think their customers feel?
More importantly, as a requirement for disability access, how is a banking website going to deal with people who can't speak or who find it easier to type than speak? This might include anyone ranging from people who have had throat cancer to those with disability problems related to movement, such as those encountered by Professor Stephen Hawking. Not everyone with his condition has his speech generator. How does your banking site deal with people who can type but who can't speak clearly or at all? Are they expected to walk to the post box to post a letter because your web site discriminates against these people by forcing them to use the phone even though they may have extreme difficulty in doing so? How about deaf people? Maybe they find typing easier than using a phone as well?