Wednesday, 28 November 2012

Barclaycard security: setting a good example?

Good advice always used to include 'tell your bank when you go on holiday abroad', but this doesn't apply to Barclaycard, apparently.

Last October, I took a trip from the UK for a fortnight in L.A. so thought it would be a good idea to warn my bank and credit card issuers to prevent any embarrassing moments. I visited the various finance web sites and used secure messaging facilities to tell most of them, or, in the case of MBNA's way of actively encouraging such messages, I told them via SMS.

I thought nothing more about those messages, nor expected replies. I had a few acknowledgements. Good. I had no problems using a new Saga card whilst abroad.

I was puzzled, though, by messages from Barclaycard I found on my return, telling me I didn't need to give them notice about holidays because their policy was that if there were any suspicion of a fraudulent transaction, they phone cardholders. Why couldn't they just say "Thanks for letting us know and have a nice trip"? Surely this information would help them make an informed decision before deciding to phone a customer. Something flagged as potential fraud by their systems may obviously not be fraud at all. Or they can ignore messages customers send as a matter of courtesy and accepted best practice; it is their choice.

What do your customers think?

Barclaycard, I don't want you phoning me on holiday because I just bought breakfast in Sylmar Denny's or had a doctor's appointment on Venice Beach. I may not want to take my smartphone on a sandy beach and I may want to buy souvenirs. I also would not appreciate the cost of roaming charges, nor the fact that you phone me from withheld numbers and demand security information about my account before you'll discuss anything. I have told you to phone my number to speak to me. Who else sounding like a grumpy man of 57 is likely to answer my phone? Why on earth don't Barclaycard understand that when someone phones me, it is ME who needs to identify THEM? When they compound that problem of identification by not showing Caller Line Identification at all, I have no way of telling THEM from Adam. Should I believe anyone phoning me who claims to be Barclaycard is Barclaycard? And no, I don't want to phone you back on a number you want to tell me now. I will phone the number on my card. It's there, right?

In my correspondence with various Barclaycard people, they seem to miss the entire point about their security behaviours setting their customers a Very Bad Example.

Imagine you receive a phone call with no Caller Line Identity and the caller says they are Barclaycard Security and they want to verify a transaction. They ask if you know about the card being used in Toronto for CAN$500. You say 'no'. Then they ask for your passwords to confirm your identity and, to stop the transaction, need your card details for good measure. They say thanks, hang up, and run off to empty your account. It wasn't Barclaycard.

This is a fictional representation of how a fraudster may try to obtain all your card information. How does it differ from what Barclaycard does? Well, Barclaycard never ask for your entire password(s) or your card details. But that's all. Is that different enough? If you didn't know that - or have forgotten - and have a Barclaycard or two, you may agree it could be easy to inadvertently give out the whole lot . . . and have that horrible sinking feeling in the pit of your stomach as you hang up, staring at your phone which just says 'Unknown'. But it would say 'Unknown' even if it was Barclaycard calling you. Wouldn't you expect a gazillion-pound business to sort out something as simple as getting its own Caller Line Identity correct?

What should you do?

Please, never give your security information to people who phone from unknown numbers, even if they claim to be Barclaycard. And come on, Barclaycard, I worked in retail banking for 25 years, but it doesn't take that experience to know that your security policies need a major overhaul. If you ever want to telephone me, please ask and I will send you a 36-letter password from which you will be asked for four letters when you call me. Currently it is: "Gaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaah!"

The best I can extract from Barclaycard about their CLI shortcomings is that "I have also given these comments to the relevant department as feedback". Well, that's ground-shaking stuff which'll bring any meeting to order. Not.

The stupidity and irony of this whole business was lost on their handlers. They kept on phoning me about this complaint from an unknown number and wouldn't discuss it until I divulged security information. Dozens of unknown calls went unanswered. Boy, did they persevere. I am going to call this phenomenon "how to amplify a complaint": customer complains about a security flaw in the bank's communications with customers; bank uses that very method to try and contact the customer about it. It almost defines recursion. They phoned me dozens of times over several days: they are obsessed with gaining confirmation that they have dealt with a complaint well. Barclaycard, you haven't. You don't understand it or how to behave towards customers. For one thing, if I write you a secure message I expect you to reply in kind, not to bombard me with phone calls which don't stop until I shout. For another, you don't understand that your sloppy security practices rub off on your customers.

What should Barclaycard do?

Okay, Barclaycard Relevant Department, I challenge you to configure your phone systems so that any outgoing call from any Barclaycard office presents one phone number as its CLI, being the cheapest one to call back and one which is also prominent on your statements and on your cards. Until you have this sorted out, never waste your time or my battery trying to phone me again.

In the meantime, please also go away and learn the phrase "Thanks for letting us know and have a nice trip". It would have saved so much time. Customers are not interested in being lectured about your internal policies. You only have to tell us what we need to know and make an effort to understand when what you are doing is silly and counter-productive security-wise.