What One Bank Thinks Makes You Safe Can Drive You Crazy.
How far would you go to get online access to your bank account?
Scenario: A user needs to set up online access to his long-term bank account so he can check his statements and transactions, make transfers, and pay his utility bills from the comfort of his home. He has an existing, long-standing account with a public bank. He has been visiting his home branch, which is a 5-minute walk for him, and so has avoided the need to go online. But ever so reluctantly, and at my insistence, he decided to sign up to get access online.
This is a true story. It begins when the above user makes the request, and the bank insists that they will give him online access only if he visits the branch with his identification. He has to make five visits to get it right.
The first time, the bank gives him a temporary PIN and username in a carbon-inked secure pack to use to log in at home. But it does not work, and the site says these are invalid credentials. The bank does not know why. (Ahem, it might be because the passwords had expired and the bank had given him an older, unused pack.)
The second time, he gets a new credentials pack, and it also doesn't work. The bank official is clueless and blames it on backend issues.
The user gives up on seeking access; he had been reluctant to begin with, perceiving it as unnecessary.
When Covid hit, the user revisits his approach.
So, for the third time, the user visits a branch.
But this time, he is in a different city from his homeCity. Let’s call it AwayCity. He goes to the AwayCity local branch and is treated very nicely by the staff there. As this is a national bank with many thousands of branches all over the country, he is given some support with his immediate banking needs.
But he is on a mission to get online access too. This time, the user is assured of a new process (after relating his previous woes) and that he can now use his mobile to get a new password online with the username they give him. When he returns home, he tries it for 2 days, and it still doesn’t work.
He returns, for the fourth time. Now, he is told he needs to make the request in person at his home branch in homeCity, even though the bank’s tech team sits in a third city, let’s call it FinTechCity, and could just as easily fix the issue if the AwayCity branch asked them for help.
He decides, once again, that he doesn’t need online access and gives up. (Would you blame him?)
A few months later, he receives a vague automated SMS from the bank at 8.30 am asking him to confirm a cheque he had supposedly issued to “Some Random Name,” a name he did not recognize. The cheque would be honored that day unless he reported it to them as fraudulent before noon the same day. He saw the message at 11 am, but it was a bank holiday.
He calls the customer care center, and they ask him to go to the bank in person because they are an outsourced call center and do not have access to his records to confirm the details. This was their only recommendation, even though it was a bank holiday and the bank itself had set a deadline that would expire in 30 minutes.
Sorry, the call center could not help. (It turns out the national call center is set up as a help desk to answer customer queries, akin to an FAQ; it is not staffed to support any banking transactions and has no access to view accounts, perhaps for fear of fraud.)
Now, the user understood the value of having online access to his account.
So, for the fifth time, he returns, this time to a larger branch at AwayCity, to request online access to his bank account. This is what happens next!
The user is given 5 pieces of information written on a white piece of paper and pasted to the back of his account statement booklet — a user id, password, mpin, profile password, and a 6-digit number that is not labeled.
The user navigates to the bank’s website, clicks on Personal Banking, and is prompted for his username and password.
He is now prompted to verify his email id. He clicks Verify. (Err, shouldn’t he have been prompted to change his password first?)
He is then prompted to enter a “Profile password” though he has already logged in using the user credentials the bank gave him and has access.
When he tries to register to receive account statements, from a sidebar action he can take in parallel, he is notified that he is already set up to receive statements by email. Yet the bank site insists he must “Verify” his email id.
Anyway, he enters the new Profile password given to him by the bank on the same piece of white paper.
He is asked to enter an OTP, or one-time password, that the bank sends to his email id. (Yes, this is a best practice called two-factor authentication, and most leading businesses send the OTP directly in the body of an email.)
He checks his email id.
This bank has sent him an email with a body of text and two attachments. One of the attachments is simply the bank’s banner logo image file. The other is a PDF.
The email text is a set of instructions on downloading the PDF using Adobe Acrobat Reader version 6.0 or above and using a password to open the PDF and get a 6-digit code, i.e., an OTP.
The email lists the date and time of the interaction on the bank site and the steps to unlock the PDF using a sample password (basically, his 10-digit mobile number).
The user downloads the PDF on his laptop (imagine doing this on a mobile!), enters the mobile number as the password, and retrieves the 6-digit OTP that the bank needs to verify his email id.
He returns to the webpage and enters the 6-digit OTP into the bank site’s prompt field.
The site then prompts for a second OTP. This time, it wants the code it has just sent to his mobile number as an SMS. Yes, the same number he used to unlock the PDF to get the OTP that verified his email id, which now has to be confirmed by another OTP sent to the same registered mobile number.
He opens his SMS app, retrieves the OTP and enters it on the site.
Voila! He has finally verified the email id that the bank already had on file and was using to send him statements and transaction alerts.
The morale of the user: Poor!
For the visually inclined, here is what this process looks like in summary.
Now that he finally has access, he discovers that the process to get an OTP will continue in this fashion every time he has to do an online transaction. He also has to clean up his drive by deleting all the PDF downloads for the temporary passwords he received (and emptying the trash bin). He also has to repeatedly delete the multiple emails, with their PDF and bank logo banner image attachments, that land in his Inbox.
Summary — Does user experience matter?
Five visits, a hard copy handed over by the bank with all his user credentials, the online banking site’s failure to prompt for a change of either of the two passwords or the user name chosen for him at the bank, continuous prompts for multiple passwords, and multiple OTPs from multiple registered ids and devices in a never-ending loop, all for the most basic transaction of verifying an email id.
What further experiences are in store for the user when he begins to use this hard-won online access to his account for his daily needs?
If you were an interested observer, what advice would you give this user and the bank?
How would this advice change if you knew that the user was a senior citizen, and that the bank was on the Forbes Global 2000 list of the world’s largest and most powerful public companies?
What if you also knew that its total asset base is over $650B and that it is a profitable bank, with approx. net profit of $2B/quarter?
Note: Cybersecurity is a real need. Follow the most up-to-date best practices, whether you are a business or a consumer.
A variation of this article was first published in Bootcamp, Mar 15, 2023.
Have an interesting user experience story to share?
"If you were an interested observer, what advice would you give this user and the bank?"
Based on the above and my own experiences over the last few years dealing with banks, vendors, government, etc., I think his best bet is to store his money under the mattress and deal only with hard cash! ;-)
Cybersecurity should be both an imperative and a protection. I have been repeating this to many friends and acquaintances for years, but it seems that sharing information is much more important than keeping it safe. It is incredible how difficult it is for users to understand how dangerous it can be to give out personal data.