Telephone Identification (Was Re: Banking under Enduring Power of Attorney)
Ian Batten
ukcrypto at chiark.greenend.org.uk
Thu, 9 Apr 2009 11:16:54 +0100
On 09 Apr 09, at 1023, Roland Perry wrote:
> In article <49DCCECA.8020506@iosis.co.uk>, Peter Tomlinson <pwt@iosis.co.uk> writes
>> [1] But last week I moved money from a savings account into an RBS ISA,
>> and young man in the bank said that he could do that on-line provided
>> that I showed him some proof of my AND Mother's identity - which I did,
>> so he did the move.
>
> How can you "prove the identity" of someone who isn't there?

I had a major shouting match with one of the MNOs yesterday.

I'd bought a new phone for my daughter off their website, and for the
sake of saving some typing I logged in as myself to do the job. I
already have a couple of phones, fixed broadband and mobile broadband
from the operator, so it's not as though I have a small footprint.

The phone as delivered was faulty, so I phoned up to arrange a
replacement. That's where it all started to go wrong, because not
merely did they want me to answer a security question (fair enough),
they wanted me to KNOW WHAT THE QUESTION WAS. When I'd signed up for
the account, there was apparently a list of security questions; I was
expected not just to furnish an answer I could later remember, but
remember which question it was. I couldn't: I'd opened the account
some months ago. This was all `for my protection', and my attempts to
get them to explain to me the circumstances under which I would be
unprotected by the issuing of an RMA for a specified phone with a
specified IMEI that had been shipped to me less than 24 hours
previously went rather over my head.

It was when this was explained as ``Data Protection'' that I got a
little non-linear, and started to work through supervisors and
managers. Eventually, I issued a 30 minute deadline. Unless I spoke
to someone within thirty minutes who could resolve the matter I would
(a) go to trading standards and (b) go to my credit card company. I
would do (a) on the grounds of their refusal to honour their Sale of
Goods Act obligations on defective products --- their need to get into
my account to authorise the return is their process problem, not my
legal responsibility. And (b) on the grounds that they had made a
fraudulent transaction by shipping defective goods which the merchant
refused to rectify.

At about T-5mins, someone sensible phoned me back. Who asked me the
question, to which I gave the answer, and we all got along famously.

Their processes are monumentally screwed. They have, apparently, one
process for access to the account by the account holder (which
requires the caller to answer the question) and one process for access
to the account by third parties (which requires the caller to know
both the question and the answer). How, I asked, my heart sinking, do
you know whether the caller is the account holder or a third party?
Well, before we start, we ask them if they are the account holder!
The people I had been talking to in the repair function didn't know
this extra step, hence the silly conversations I'd been having.

After I'd organised the exchange --- let's hope it happens today, as I
really can't face a repeat performance --- I asked how they validated
the answer to the question `are you the account holder?' prior to
asking them the security question that they weren't supposed to ask
third parties. There was a long silence. Ah, I see your point.

Had I been thinking, I'd have suggested that they phone me on one of
the other phones associated with the account. But then I suspect
they'd have told me they couldn't look up the other phones until I'd
identified myself...

ian
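
The two-path process described in the message above, modelled as an added example (not part of the original post and not the operator's actual system). The names Account, flawed_check and callback_check and the sample data are hypothetical, and callback_check assumes the call-back idea from the final paragraph as the fix.

```python
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    question: str              # the question chosen at sign-up
    answer: str                # plain text only to keep the sketch short
    registered_numbers: tuple  # phones already on the account

def _same(a: str, b: str) -> bool:
    # Case-insensitive, constant-time comparison.
    return hmac.compare_digest(a.strip().lower().encode(), b.strip().lower().encode())

def flawed_check(acct, says_is_holder, answer, question=None):
    """Process as described in the post: the caller's unverified claim picks the path."""
    if says_is_holder:
        # Holder path: the agent reads out the question, the caller answers it.
        return _same(answer, acct.answer)
    # Third-party path: the caller must also name the question.
    return (question is not None
            and _same(question, acct.question)
            and _same(answer, acct.answer))

def callback_check(acct, answer, number_dialled_by_agent):
    """Assumed fix: no role question; the agent rings a number already on the account."""
    return (number_dialled_by_agent in acct.registered_numbers
            and _same(answer, acct.answer))

def demo():
    # Constructed sample data (numbers from the UK range reserved for fiction).
    acct = Account("First pet?", "Rex", ("+44 7700 900001", "+44 7700 900002"))
    return {
        "third_party_honest": flawed_check(acct, False, "rex"),
        "third_party_claims_holder": flawed_check(acct, True, "rex"),
        "callback_unregistered": callback_check(acct, "rex", "+44 7700 900999"),
        "callback_registered": callback_check(acct, "rex", "+44 7700 900001"),
    }

if __name__ == "__main__":
    for name, passed in demo().items():
        print(f"{name}: {'pass' if passed else 'refused'}")
```

The stricter third-party path adds nothing in the flawed version, because the same caller with the same knowledge is refused on one path and accepted on the other purely on the strength of an unverified yes.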