“Security” and User Experience

I've come to the conclusion that the banking industry, at least in the US, needs to collectively back up a bit. Yes, mobile payments and mobile access to my accounts are nice and potentially exciting. Yes, they can enable a lot of new use, and can provide differentiation.

But the foundations are crumbling. They've noticeably gotten worse, in the interest of "security." I put that word in quotes because the increased problems are causing users to work on shortcuts to bypass the increased security.

Case: I have my bank web bill pay site (I think run by CheckFree) set up to fetch my Chase credit card bill. But it's failed each of the past three months. Somehow or another my user id or password got hotlined or something. So I've just been paying the amount that I think is due on the day I think is due. Why? "Security."

Case: I have a budgeting site set up to fetch transactions from all my bank accounts and credit card statements. This has been failing; first it was just one account that suddenly needed me to type my mother's maiden name for each transaction; now it is two or three accounts. Why? "Security."

Case: I have a company credit card that I use for (gasp) company expenses. Like my trip to London next week. So they hotline my card, in the interest of "security." But not all transactions are declined, just some of them. And they do not bother contacting me in any way. Finally, after a week or so of being unable to reliably make purchases, I call them. I invest 30 minutes of my time, have to tell them my DNA sequence (um, not really), talk to two different people, and review every transaction for the past week and a half. I now have a note on the account so I can travel to London this year. But if I want to travel internationally next year, I have to call again. For each trip.

In NONE of these cases did the bank EVER contact me. Not once. Never mind the fact that they have my mobile phone number, my email address, my physical address. No. They just started denying me access to my information.

So, let's get the basics right. You have a computer system that detects unusual activity. You have the user's phone number; increasingly you have the user's mobile phone number. Put the account in front of a security call center representative. Have this person call the user. Then fix the problem.

Oh - and USAA Bank actually does this. I've received that call. On my mobile. Better still would have been a text message while I was still at the counter.

I'll be changing credit cards again. I have a growing list of banks with whom I will not do business.
