Silicon Glen, Scotland > Web usability

Email security and issues with online banks


Banks and email security

One thing that annoys me is organisations, particularly banks, going to all the effort of setting up an online presence and then still forcing me to use the phone because their so-called Internet presence only offers a limited subset of functionality.

The Royal Bank of Scotland have an online banking facility for instance, but their "contact us" feature isn't for account banking correspondence. With other banks, I can log into the site, access my account, send the bank a mail from their website if I have any queries, yet they have no online facility for me to receive an answer.

Why? It wasn't a requirement to have a phone to send the enquiry in, why should it be a requirement to have a phone to hear the response? After all, I might have sent the enquiry from the other side of the world whilst on business. I might happen to work in a particularly noisy environment where phone calls are difficult. Of course if you look after young children, you might get an odd free moment here and there, enough over time to compose an email but constantly being disturbed like that is going to make a phone call quite impractical, particularly if there is a long queue to speak to the bank's call centre.

The argument often raised as to why you have to call the bank is because of "security". Here is a quote from Egg.

"When you send us a secure e-mail, we can ensure no information will be seen by anyone other than ourselves. When we send an e-mail response, it is passed from our systems to your e-mail provider's systems. As we're unable to guarantee the security of their systems, we don't send any account specific answers via e-mail."

Nice intentions, but lets look at this in detail and get more of a big picture

When I send them a secure email, they can't ensure that any information will be seen by anyone such as themselves, since TV licence detection equipment and similar can view my screen at a distance, something which Egg have no control over. Anyone determined to get my account details could use this technology.

Get this in context guys. Whilst conventional email might not be 100% watertight, for my purposes it's as good as. In 19 years of email, I've never had a security breach caused by someone reading my mail. At about 30 mails a day average in that time, that would seem to be odds of at least 208,000 to 1 of a mail being intercepted.

Furthermore, email is significantly more secure than the post (let's face it, who hasn't had items go missing in the mail) and it's also a good bit more secure than phoning from an open plan office where everyone can overhear what you are saying. Can either of those methods offer odds as long as 208,000 to 1?

They are claiming that all email sent to an ISP is potentially insecure. Perhaps true, but given the billions of emails sent every day and the exceptional steps taken to protect the many private emails being sent, do you not think the biggest problem would be even finding my mail let alone being interested in its contents? Do you not think we'd know about it by know if there was a problem with email and security? Perhaps this attitude is simply to service the paranoia generated in the media that the Internet is fundamentally insecure.

Banks can't guarantee the security of the post. Nor can they guarantee the security of the post once it reaches its final address where I might share a flat with various people, any of whom could potentially open my mail. Some banks don't even print a full first name on correspondence, meaning that a parent could open their child's mail by accident if they have the same initial. (Even worse, my chemist prints "C Cockburn" on my daughter's prescriptions for instance so I can't tell my medicines from hers). But I digress. None of these "security" concerns seems to prevent the post being used to send secure information.

Some possible solutions:

  1. Create an area on the bank's website where they can post responses to me, either via the web or via POP3. Intelligent Finance have such a secure messaging area, unfortunately it's never worked when I needed to use it.
  2. Encrypt email using public/private keys, technology which has been freely available for years.
  3. Accept that when I say I'm happy to take the risks then they should take this into account and relax their procedures accordingly. After all, it's my personal data and if I chose to take extremely marginal risk indeed that the mail might get intercepted then why can't I? Are they really saying that I could have my phone on speakerphone for all to hear and they would tell me the information, yet over email only ever likely to be read by myself, they wouldn't?
  4. Be a bit more clever about what is sent. In Egg's case they refuse to send any information pertinent to an account by email. But in my case my question was whether I had received a refund in the last 6 months from a particular merchant. They could have simply sent a reply "In response to your recent question, the answer is yes". How does this comprimise anyone's security?

Just think what would happen if all the bank's customers took the same attitude towards security. I would say to the bank "Sorry, I can't accept any emails from you because they might not be secure. You're going to have to log into my website, figure out how to use it, and enter your response on my webform instead. Hope you don't mind taking 10 minutes or more figuring out how to do this and waiting for my busy website to respond". Don't you think the banks would find this just a little bit inconvenient. How then do they think their customers feel?

More importantly, as a requirement for disability access, how is a banking website going to deal with people who can't speak or who find it easier to type than speak? This might include anyone ranging from people who have had throat cancer to those with disability problems related to movement, such as those encountered by Professor Stephen Hawking. Not everyone with his condition has his speech generator. How does your banking site deal with people who can type but who can't speak clearly or at all? Are they expected to walk to the post box to post a letter because your web site discriminates against these people by forcing them to use the phone even though they may have extreme difficulty in doing so? How about deaf people? Maybe they find typing easier than using a phone as well?


Craig Cockburn created this page on 5-Nov-2003 at 21:22:50