Update: RBS have responded. The security issues apparently were some kind of system failure. I should have already been authenticated, using RBS specific questions, by the automated IVR you go through when you call – and I had gone through this. However, on my call, the system had lost this information somehow (there were computer issues on the day) and it wasn’t available to the agent. Normally, the credit check based public-data questions should augment the RBS authentication procedures and provide an extra layer of identity verification. They are not normally meant to be the only form of identity verification, as appeared to happen in my call. With regard to the issue of that credit check data being completely incorrect, RBS have offered to pay any costs incurred in dealing with the credit check agencies.
RBS Card Services seem to have brought in some kind of new system to verify your identity when you phone them up. They girl said it’s provided by 3rd party credit checking agencies. They ask you questions that are based on quite public information – which is daft, as RBS hold far more personal, private data on me. Worse, in my case, it seems this information is wrong. None of the questions had any answers that had anything to do with me.
So RBS apparently don’t trust the security of the personal data they hold on me, instead trust external companies to identify me using public information. That doesn’t sound like competent or acceptable security to me.
Below is my letter to them, which will be sent tomorrow hopefully.Customer Services Credit Card Services Royal Bank of Scotland 36 St. Andrew’s Square Edinburgh EH2 2YB
Ref: Credit card account xxxx-xxxx-xxxx-xxxx
Dear Sir or Madam,
I’m writing to you about my recent experience with your credit card customer service telephone line and the identity verification system you have put in place – which is new to me. While the agent I spoke to was friendly and as helpful as she could be, this new system was not helpful. I have a number of concerns about it which I wish to share with you, for you to consider as you wish, as well as a request which I believe you are required by statute to respond to, under the Data Protection Act. My concerns are:
- The apparent reliance on 3rd parties for my authentication to you, the detrimental effect this has can have on my experience as a customer of yours, and the apparent impotence RBS has when it comes to dealing with problems caused by this 3rd party.
- The inadequacy of this 3rd party system as a secure means of authenticating me, as it uses public data, and the ill-placed faith RBS has apparently invested in it – not a re-assuring thing to see from a party I have trusted my financial information and resources to. Particularly bizarre when RBS have much more personal, private and higher quality information on me – my credit card and banking activity!
I would be interested to hear your response to these concerns.
My Data Protection Act request is that you supply the information being used in these questions to me. If you respond that you can not comply with this request, then that raises a serious concern as to how I am supposed to fix this data so that I can do business with you. Indeed, it may then be cheaper for me to change bank than to try fix this issue. However, should you respond this way, note that I may well appeal your decision to the Information Commissioner first.
On the 8th of December, I rang the RBS Credit Card Services customer phone line in order to inform them I was about to travel. I have in the past had cards blocked when I used them abroad, and wished to avoid this happening. I typed my card details into the automated system. When the phone was answered, strangely I had to give my card details again, as well as my personal details, to the customer service representative (CSR) – the system hadn’t passed on the information I had typed in. I then explained the reason for my call to the CSR. She then told me she needed to ask me some further questions to establish my identity. After an initial foible where the system apparently had the wrong account, she proceeded to ask me questions, some of which roughly went like:
- “Which of the following Jakmas have you shared an address with?”
- “Which of the following addresses have you been associated with?”
- “Which of the following broadband or mobile operators are you with?”
In each case, several options were given as well as a “none of the above” option. In each case, I did not recognise any of the specific options and had to answer “none of the above”. Indeed, for the “Which Jakmas’” questions I told the CSR I was confident that these people didn’t even exist – my surname is relatively new and unique. For the “which addresses?” question, I was able to tell her both of the two UK addresses I have lived at in my adult life – neither of which were on her list of answers. After going through at least 5, if not more, of these questions, the CSR eventually insisted that the question on her screen had an answer other than “none of the above” and I had to supply it if she was to be able to continue with the call and help me. The question was the “Which broadband or mobile provider are you with” form. However, none of the options applied to me.
After this she insisted she couldn’t help me further, as I insisted their system was clearly misinformed. I asked that this data, which I knew to be incorrect, be provided to me under the Data Protection Act. I was informed RBS couldn’t help me with this request, as the data was provided by 3rd parties, such as Experion, Equifax, etc – though she could not tell me specifically which 3rd party provided the information used in this call. I was then passed to, presumably, a supervisor who was able eventually to agree to make note of my travel plans. Though, he could not reassure me this would be taken into account were my card to be subject to a block when I used it abroad, if I remember correctly.
Overall, this was an extremely unsatisfying customer experience, as I explained to the supervisor. I also made clear I did not feel the CSR or the supervisor were responsible for this shockingly poor service, but the system they were forced to apply.
The Outsourcing of Authentication
I am concerned that RBS has apparently outsourced authentication to a 3rd party, and in such a way that RBS apparently has no control over mistaken data held by that party, and how that affects my ability to do business with RBS. From what the CSR told me, RBS expects me to fix this problem myself, by going to the various credit checking agencies. She was not able to tell me specifically which ones, but suggests ones “like” Equifax and Experion.
These companies, it seems, charge money, often not a trivial sum (£10 to £20) in order to interact with them, review the data they hold and correct it where necessary. As I gather there are at least 4 such agencies operating in the UK, that implies I may have to spend £40 to £80 contacting these companies, in order to fix RBS’ inability to authenticate me. Further, there isn’t any guarantee this would even fix the problem, as the CSR couldn’t tell me exactly which company the data was coming from!
This is an extremely unsatisfying state of affairs. RBS Credit Card Services it seems now refuses to believe I am who I am, even though I furnished information which must be on your system, because of some arbitrary, vaguely specified 3rd party. If you believe this is an acceptable way to interact with customers, then I wonder how many customers you will retain.
The inadequacy of public data as a means of authentication
I have major concerns about the suitability of this system as a means of authentication, regardless of who operates it.
Questions about my kinship are insecure. One of my relatives has genealogy as a hobby, and they have documented a lot of our family tree online. I’m sure I’m not the only person for whom this is the case. Indeed, as my surname is fairly new and unique, hence there are few people with this surname (they’re all no more than 4th cousins of mine), and so this type of question is particularly insecure for my case. Further, even if this were not the case, genealogical information is a matter of public record, and easily available.
Questions about which mobile or broadband provider I am with are extremely insecure. You can determine my broadband provider by retrieving an email of mine, of which there are many archives online through public mailing lists I have used. Alternatively, someone could determine this by emailing me and getting a response from me. My mobile provider could also be determined by examining my mobile number (which has been made publically available in the past), or by using social engineering to get me to visit a web site using my mobile.
Questions about my address are also insecure. They’re a matter of public record (electoral roll, Whois data for domain name registrations) and an item of data I regularly I have to give out to people. Further, this is data RBS must have already – why use a 3rd party to ask me my past or current address?!
I find it bizarre that RBS would outsource authentication to a 3rd party, to a system that is based on widely available, public data, when RBS holds much more personal, better identifying data on me: my banking and credit card data! Rather than asking me for me for my address, or my broadband provider, why not ask me to confirm recent credit card or banking transactions? Or ask me how much my monthly mortgage payments to RBS are? (I realise RBS internally is quite compartmentalised, Credit Card Services, personal banking, and mortgages often seem to treat each other as completely different companies, incapable of providing joined-up banking as banks I’ve used in other countries can do – but that’s yet another problem which RBS really should fix).
That you choose to ignore this highly personal, private, secure data, and choose instead to use an outsourced, 3rd party system which is based on quite public data to identify me makes RBS seem somewhat incompetent at security. This is not a quality I like to see in my bank.
Data Protection Act Subject Access Request
I would like you to provide all personal information relating to myself which you process (e.g. hold or have access to), and which you use to authenticate me to you. I am willing to go to a local RBS branch to review this information, for security purposes. Indeed, this would be preferable to you putting this information in the post.
I do not accept what your CSR told me: that, because RBS has contracted with a 3rd party for the processing of some aspects of this data, that RBS has no responsibilities under the Data Protection Act to me for accessing and correcting this data. RBS has commissioned the processing of this data, and RBS staff have access to this data, thus I believe RBS is subject to the Data Protection Act. If you argue to the contrary, I am very likely to appeal this matter.
I also would like to have access to any notes made to my file with you in relation to my phone call on the 8th of December.
I hope to receive a timely response from you in the New Year.