Some banks demonstrate behaviour that I find very odd. These are peculiar security measures that some creative security bright sparks must have thought of.
I think there is an important role for information security professionals to play, but sometimes they overdo it, or don’t seem to think through practical consquences thoroughly.
Its when banks do unique things in their process, is probably when common sense alarm bells should go off. Here are soem examples.
1. Standard chartered PH requires a mobile pin (which they call an eTAC code) even for internal transfers. And its a very long code. 10 digits
2. Metrobank PH – on most pages, copy pasting is disallowed. Even for enrolling credit card numbers for payments.
3. HSBC US blocks online internet transactions on debit cards and requires the customer to call back customer service/security department.
– customer service is only available to receive calls 9am to 5pm
– if you happen to be elsewhere around the world at the time, calling customer service may require an international call.
– HSBC US claim they have a collect call service but it doesn’t work 99% of the time
– the combination of having to call during working hours of customer service, and having to make an international call probably should have set off usability/practicality alarm bells
3. Citibank’s internet banking messaging system disallows most symbols and punctuations.
– the reply function will include original text, but the system will complain if you hit send because the system crafted original text portion has characters that it does not like
– the message is limited to only a certain number of characters, so often a message trail cannot be maintained
– the system does not store sent messages
– the system does not help the user with an indication of what the invalid character(s) are
These are just some fails I have encountered in bank security policy/processes. Have you had similar experiences?
Seems Citibank Philippines’ online banking site is acting up again. Last week it was very slow. Now you can login and it seems very responsive, but as soon as you try to do anything it kicks you out. Either responding with: You have attempted to access a restricted page (which happens if the messages function is selected) or You have been inactive for too long (which happens on accessing any other function even if I was quick to perform my online activity).
The messages function is also quirky. It will kick you out for using an “invalid character”. The set of characters that’s valid is anyone’s guess. So far, it seems the only safe characters are the numbers and letters and the space, period and comma. If I have only that and nothing else except for quoted text which it supplies automatically on reply below my newly composed response, it still kicks me out.
Has anyone else encountered similar problems with Citibank?
If you need to call Prime Water, a Manny Villar company, don’t waste time like I did calling the number printed on the bill. Instead call this number – 02 7279173. And if you wish to pay the bill online, don’t use the account number field of the bill. Instead, use the ATM reference number.
You can also get an electronic copy of your bill by sending an email to firstname.lastname@example.org. Provide them your account number and they will reply back. One is only left to wonder why they don’t make this a proper online electronic bills service rather than something adhoc like this and using a gmail address.
They also clearly want to make payment painful if you are paying late. Bills cannot be paid online if you are paying late. There is a workaround however, if you realise the last 4 digits of ATM phone reference are month+date of bill due. You can tweak the last 4 digits so they are a future date in case you want to pay prime water bill online. Tested working via Citibank PH online bill payment.