A letter to The Co-operative Bank — a rant

Dear Sir or Madam,

First of all, please accept my apology for the fact that I have been so curmudgeonly of late. I attribute this to an ear infection that has been causing me grief for the last few days.

I originally chose, some years ago, to open an account with you because of your admirable attitude to conducting an ethical business.

I was chatting with my brother just the other day about this. We came to the conclusion that organisations that strive for better ethics are hampered by this very attitude: those with whom they compete whose priority is profit and greed will benefit from greater resources. Such is life.

In recent days this lack of resources has become evident to me, as a customer of yours, in several ways. To take the most important and urgent first:

Fraud alerts

In recent weeks, I have been targeted by scammers pretending to be from ‘Amazon’, ‘Microsoft’, and ‘BT Internet’. Fortunately, I am wise to these (largely due to the admirable efforts of Jim Browning, whose YouTube ‘Tech Support Scams’ videos have helped increase my awareness). So these days, when I get a call from a number I don’t recognise, I am immediately put on my guard.

Yesterday morning, I received an SMS message from +447786209942 – a number unknown to me – purporting to be from ‘The Co-operative Bank’. It quoted various details that served to suggest its legitimacy. However, your own advice is to be wary of this (my highlighting):

Scam messages can be very convincing and are popular with fraudsters. Fraudsters will deliberately mimic the contact details of the Bank, Police or other trusted companies to hide their true identity.

Scam messages will often imply a sense of urgency encouraging you to act fast, e.g. to call a phone number included in a text message to stop a fraud payment or include a request for personal information, or banking details such as password or security credentials.

[…] 3. Never respond to an unexpected message from an unknown source. Always avoid clicking on links or opening attachments contained in messages. Never log into online banking through a link in a message.

[…] If you think that you may have revealed your security details, fallen victim to fraud, or notice any unusual activity on your account, please contact us immediately on:
For current account customers – +44(0)3457 212 212

Source: The Co-operative Bank ‘common-fraud-threats‘ page

During that morning, I received several telephone calls on both my dumbphone and landline from 02081254051– another number I didn’t recognise – with a recorded voice warning me of possible fraud on my account and urging that I respond immediately.

When calling the number your ‘common-fraud-threats’ page advised, I initially received the following, very abrupt, message:

Service is closed

I called the number again, and, this time, it was answered by your automated service – which advised me that I should expect a thirty-minute wait. While waiting on hold, I did some checking on the numbers:

(Redacted) SMS message from +447786209942 (a number that was verified as being from The Co-operative Bank)

Eventually, my call was answered by a real-life human (or very reasonable facsimile), who confirmed that both of these numbers and their related messages were genuine and advised that I should respond ‘Yes’ to the SMS message. When I looked at that again, I found the language used was confusing: it invited a ‘Yes’ respons– but without actually asking a question.

Oh: and for some reason the subsequent message inappropriately used a capital ‘F’ for ‘fraud’ – I’ve seen this kind of thing many times before; in my experience it’s an indication that the writer considers their field of expertise as being of greater importance than absolutely anything else in the known universe and really needs to get out more.

Software design flaws

In the past week, I chanced upon a facility in your online banking system that I hadn’t previously noticed – perhaps it has just recently been implemented? – the ability to amend the payment reference of a transaction. Something that, in fact, is most welcome, long overdue, and currently entirely absent from other banks’ online banking systems (*cough* NatWest *cough* Nationwide).

Unfortunately, this (new?) facility has a flaw.

When attempting to change the payment reference in a transaction for an existing recipient, your system insists on (re-)verifying the user. (I’m not at all clear why it should have to do this for what would seem to me to be such a trivial issue, but then I’m not an expert in banking systems; I’m just someone who’s been using computer systems for more than four decades and can recognise poor coding, especially when I’m frustrated by it. Oh, and I have a degree in computer science, too, by the way.)

The immediately obvious flaw is that whoever has put the ‘Verify it’s you’ system in place has disobeyed one of the main tenets of software engineering, to wit: re-use code wherever possible. The interface employed is similar to the initial login one, but its execution is entirely different.

Specifically, there are two problems with the current iteration of the ‘Verify it’s you’ module as implemented by your code monkey: both of these relate to the input of the ‘security code’.

  1. Existing, proven code (as employed on the initial login screen) is not reused: the user is instead offered a drop-down digit list. The initial login screen, quite appropriately, does not do this: a) the user ought to know that the code is numeric; b) that same user used that code only minutes before in order to log in; and c) if, for some bizarre reason, it is deemed necessary to provide the user with a hint that they should only use digits at this point, a far simpler way to achieve this would be to precede the input fields with the text “Reminder: your security code is comprised of digits”.
  2. The values of the two required input digits default to ‘0’. This is clearly indicative of poor design, since zeroes are legitimate digits; there should be no default, these values should be ‘null’. (I think it may even be possible that the ‘security code’ could even be all zeroes – though maybe that isn’t allowed when setting up the code? – opening the possibility that this ‘security’ feature could be bypassed!)

I have screenshots I can provide you with to illustrate. Please let me know if you would like to see these. (In fact, I already gave you these screenshots, via your ‘secure message’ system, but those messages have mysteriously gone astray….)

‘Secure message’ system problems

I composed a message detailing exactly how to reproduce the ‘Verify it’s you’ error I encountered (detailed above). This took me quite a while, largely because when I reached the end of the permissible message length (itself a thing that wasn’t well displayed) I spent ages editing the message to make it fit. (In retrospect, what I should have done was to simply put ‘continued in next message…’ at the foot of that message and continued in another one. Mea culpa!)

The second, and by far more serious, problem with this system is that the response I received to my initial message revealed below it a message on the same subject; but this was not mine: it had been written by another of your customers! Both of the messages I had spent time composing on the subject had vanished. (Perhaps they were present in this other customer’s ‘secure message’ area?)

‘Give feedback’ failure

The home page of your website prominently features a link labelled ‘Give feedback’. Excellent! Far too few businesses these days proactively seek feedback from their customer base. Less excellent, however, is the current behaviour of this facility, which takes the user to a blank page – one that’s not even on your domain, though at first glance it appears to be as it bears your corporate livery – that informs the user of a wasted click:

Sorry, this survey is now closed. Thank you for your time.

Source: edigitalsurvey.com, 13Feb2021


Here are my suggestions regarding these matters:

  1. Publicise, on your website, the telephone numbers that you use to get in touch with customers to alert them to potential fraud issues to enable easy verification of their legitimacy.
  2. Please get someone who has a good grasp of the use of the English language to check the SMS messages you send out. Hints: a) when the answer is ‘yes’ or ‘no’, the prompt ought to be a direct question, one that ends in a question mark (‘?’) and b) the word ‘fraud’ is not a proper noun and therefore does not deserve to have a capital letter unless it begins a sentence.
  3. Please reduce the volume of the ‘on hold’ muzak on your telephone answering system, as that is deafening compared with the volume level of the interminable “please continue to hold” messages, which means that I take it off ‘speaker’ – and so can barely hear the other stuff (which, who knows, could be important), and risk missing the point at which a real person finally picks up the phone at your end.
  4. Employ more staff to answer telephone calls so that your customers don’t have to wait on hold for so long.
  5. Investigate how a ‘secure message’ system can get its knickers in such a twist that it loses a user’s messages – and, still worse, replaces them with another user’s message!
  6. Make it clearer in your ‘secure message’ system how much text the user is allowed to enter in each message. Perhaps detail this maximum just before the input field, and make the all-but invisible character counter at the bottom right more visible when this limit is being reached/ exceeded (maybe have it turn red when there are only a few characters left?).
  7. When the survey to which your ‘Give feedback’ invitation links is inactive, replace the page with a standard message form to allow the user to have their say anyway (and not instead get frustrated by being presented with a ‘sorry’ message that, in the circumstances, feels all too insincere).
  8. When a link goes to a site other than http://www.co-operativebank.co.uk, warn the user that this will happen. You could employ the standard information emojiℹ️, perhaps with a mouseover ‘tooltip’ (as I have done on that link). Alternatively, take a look at the icon that Wikipedia and WordPress use (a small blue square with an outward-pointing arrow – it’s a pity that that’s not a standard emoji, in my opinion).

Thank you for listening.

Yours faithfully,
A customer

About peNdantry

Phlyarologist (part-time) and pendant. Campaigner for action against anthropogenic global warming (AGW) and injustice in all its forms. Humanist, atheist, notoftenpist. Wannabe poet, writer and astronaut.
This entry was posted in ... wait, what?, Business, Communication, Computers and Internet, Critiques, Phlyarology and tagged , , , . Bookmark the permalink.

8 Responses to A letter to The Co-operative Bank — a rant

  1. I remember receiving a similar text a year or so ago. Like you, I figured that my bank doesn’t communicate through weird texts like that. I think I receive a subsequent call and voicemail saying the same. It sounded like anyone could do it. I won’t just call a random number back and give them all my info. So, I called my bank. Turned out – texts and calls were legit.

    Recently, I went to the bank to withdraw some money. I arrived at the teller window with my ATM/Debit card, swiped it, entered my pin, showed my ID, and then… I was asked to read a secure number that was sent to my phone to prove I was authorizing the transaction. WHAT? What if I didn’t have my phone with me? What if the teller went rogue and was doing something to my account I wouldn’t approve of?

    It all just seems so backward.

    Liked by 1 person

    • pendantry says:

      ‘Backward’ is a good way of describing it. Some years ago, not long after online banking was introduced, I was talking to someone at my bank and they were trying to persuade me to open an online account. I resisted. When asked why, I responded “Because I know too much about computer systems, and how poorly they’re often designed and implemented.” The guy probably thought I was nuts.

      Since then, I’ve come around (I persuaded myself that I’d allowed enough time for everyone else to do the beta-testing, and for any major bugs to be found and fixed) — and I’ve found that it’s just so damn convenient to be able to manage a bank account via the Internet rather than having to traipse into town every month.

      But part of that reluctance I once felt is beginning to rear its ugly head again. Without wishing to cast too many aspersions on youngsters, they are cheaper to hire than folks with decades of experience, you know the ones I mean; those who have seen how things can go wrong. It seems to me that the new crop of ‘software engineers’ just lack that essential knowledge. Well, that’s my explanation for why after all these years things don’t seem to get much better: half-arsed, crappy, non-user-friendly and sometimes downright broken computer systems and ‘upgrades’ are foisted upon us — and we have no say in the matter.

      O.0 that was a bit longer than I intended it to be :D

      Liked by 1 person

      • I’m not big on banking technology, either. I remember going into a bank a couple of years back and being greeted. “Can I help you with anything?” The man in the lobby asked. There was a person or two waiting in line for the teller. “No, I’m good. Thank you.” I answered. “Well, what are you trying to do?” It was something simple, so he asked if he could show me how I can do the same at the ATM. I politely declined and told him that I’d rather do it the face-to-face way if I have the ability. He looked at me funny, too. Some of his arguments included “you can almost do anything there and with no wait,” “it’s secure,” “I use it all the time.” Didn’t convince me much. Of course, now, with the pandemic, they took the opportunity and close most of the branches leaving only ATMs open…

        Liked by 1 person

  2. I know I am late to comment but as you learn from reading my own blogpost I, too, have now learned a ton of things from being scammed eight days ago!

    Liked by 1 person

  3. Dr Bob Rich says:

    Did you really send that brief message to your bank?

    Liked by 1 person

Comments are closed.