There’s Being Secure, And Then There’s Being Insecure

As a bank, we take security very seriously. We have two levels of authentication that callers must go through to speak to a representative out of a choice of three: voice recognition if they’re signed up, confirming digits of a number they made up that we do not see, or security questions.

A caller is screaming and crying because she’s able to get through by ONLY using the two levels of verification. After somehow managing to calm her down, I decide to be nice and add a note onto the account that she would prefer to do all three types and then proceed to go through the questions with her even though I know it’s her. She isn’t happy with this.

No, she wants for someone to send in an IT ticket to get her specific account updated so that no matter what, she will have to go through all three authentications, and only on the automated line as she isn’t confident she’s speaking to someone who works for the bank, even though she is the one who called us.

Me: “I can’t do that, ma’am. Every customer is treated the same.”

She is adamant. Then, she breaks down in tears.

Caller: “My ex-husband hacked into my account and stole my money years ago and I’ve been really paranoid it’ll happen again!”

I feel bad for her but I cannot do what she wants me to do, nor can a manager, nor can IT.

Me: “Ma’am, there is something we are advised not to do unless the customer really wants it, which is to permanently lock all accounts so no one can access them over the phone and any query has to be dealt with face to face in a branch.”

She goes quiet for a few moments and I think at first she’s hung up, but then, I hear this in the background:

Caller: “They can’t do more than you can. Why did you tell me they could?!”

That’s when the penny drops; she is already in a branch speaking to someone about it. She isn’t happy with their response and has called us to see if we can do better.

Other Person: “I’m sorry if it came across like that, but I did say they might be able to do something else, not that they will.”

Caller: “But why can’t they? Anyone can access my accounts!”

Other Person: “You can have voice verification, you can have a unique number for yourself, you have security questions, and the only other option is to lock your account so anything has to be done face to face—”

Caller: “But why can I only have two?! I want all three, and not the last option, as that’s not convenient!”

Other Person: “I cannot change the entire security policy, I’m afraid, so unfortunately, those are your options.”

Caller: “Well, they’re not suitable if I can only have two, so lock my accounts. But how do you know I’m me?”

Other Person: “We always ask for ID, so we know it is definitely you—”

Caller: “But anyone can fake my ID and put makeup and a wig on to look like me, and they can then access my account!”

After this, she let out another loud sob before hanging up on me, leaving me stunned. I took a note of the account number and checked it two hours later to see what option she went with. If the notes the person in the branch left are to be believed, they offered to upload a bunch of random questions and she had to answer every one of them.

There are fifty questions. I feel for the poor person she next speaks to.