Tuesday, May 12, 2009

Psychology in Security - Impact of Bad Banking Processes

Quite a few of my recent posts have had to do with visits to the local bank. This morning I made a quick trip to the local branch to carry out some wire transfers. So I sat down at the Foreign Transaction counter and was asked for the following:
  • Form providing details of wire transfer, amount etc. (no problem)
  • A proof of transaction, i.e. an invoice etc. (ok)
  • A blank cheque, with nothing but my signature/stamp on it. Nothing in the to field, nothing in the amount field. (WHAT!)
At this point, I couldn't help staring at the bank employee with the most ridiculous look and inquiring whether they also encourage customers to fund Nigerian officials in need.

Eventually after realizing that I didn't have much of a choice and adding a "Not above RS. xx" statement, I conceded and started to leave the bank. At this point, the bank employee left my blank signed cheque on top of her desk while she walked away for a cup of tea!

Sure, this might not be the most dangerous scenario, since there are security cameras all around and the bank's employees have undergone background checks and are well trusted. However, banks need to realize that security has as much to do with process audits and security cameras as it has to do with customers' psychology. It is important that, as responsible organizations, we send the correct message to customers about what is acceptable and what is not in terms of security. Banks need to realize that if you encourage customers to hand over blank signed cheques, you are telling them that it is acceptable practice.

It is processes like this one that let users believe that this sort of behavior is acceptable or safe. No wonder hotels and other organizations ask you to provide credit-card details over the phone/email, while the person on the other end writes them down.

This particular incident reminded me of another instance where I have seen something similar.

Another bank where I have an account constantly sends me e-mails with new offers that have links like "offer_name.bank.com". I think it is a horrible idea to tell your users that it is OK to click links with "xyz.bank.com" in them, as many phishing scams provide links like "xyz.bank.malicious.com/bank.com", which might not look very different to a non-technical user.
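To make the distinction concrete, here is an added example (not from the original post) of the check a mail filter or a careful user should apply: only the host part of the link decides who owns it, and "bank.com" appearing in a subdomain label or in the path counts for nothing. The trusted domain and the sample links are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption for this example: the domain the bank's genuine mailings use.
TRUSTED_DOMAIN = "bank.com"


def link_belongs_to(url: str, trusted_domain: str = TRUSTED_DOMAIN) -> bool:
    """Return True only if the link's host is trusted_domain or a subdomain of it.

    The decision uses the parsed host alone; any occurrence of the bank's
    name in the path or query is ignored, which is precisely what a human
    eye skimming the whole string tends to get wrong.
    """
    # Links pasted into mail often omit the scheme; without one, urlsplit
    # would treat the whole string as a path, so supply one for parsing only.
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname  # lower-cased, port and userinfo removed
    if not host:
        return False
    host = host.rstrip(".")  # tolerate a trailing dot in a fully qualified name
    return host == trusted_domain or host.endswith("." + trusted_domain)


# Constructed samples of the two link shapes the post contrasts.
SAMPLE_LINKS = [
    "http://offer_name.bank.com/promo",          # genuine subdomain
    "xyz.bank.com",                              # genuine, scheme omitted
    "http://xyz.bank.malicious.com/bank.com",    # lookalike host, bank.com in path
    "http://malicious.com/xyz.bank.com/login",   # bank.com only in the path
    "http://bank.com.malicious.com/",            # bank.com as a leading label
]


def classify(links):
    """Map each link to whether it really belongs to the trusted domain."""
    return {u: link_belongs_to(u) for u in links}
```

Only the first two sample links are classified as belonging to bank.com; the remaining three all contain the string "bank.com" yet resolve to hosts the bank does not control.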

Banks need to recognize and carefully analyze the psychological impact of their processes on what their customers deem to be acceptable. Proper, well-thought-out processes and policies could, in the long term, be the difference between a user clicking a malicious phishing link and reporting it.