Dear Sir or Madam,
First of all, please accept my apology for the fact that I have been so curmudgeonly of late. I attribute this to an ear infection that has been causing me grief for the last few days.
I originally chose, some years ago, to open an account with you because of your admirable attitude to conducting an ethical business.
I was chatting with my brother just the other day about this. We came to the conclusion that organisations that strive for better ethics are hampered by this very attitude: those with whom they compete whose priority is profit and greed will benefit from greater resources. Such is life.
In recent days this lack of resources has become evident to me, as a customer of yours, in several ways. To take the most important and urgent first:
In recent weeks, I have been targeted by scammers pretending to be from ‘Amazon’, ‘Microsoft’, and ‘BT Internet’. Fortunately, I am wise to these (largely due to the admirable efforts of Jim Browning, whose YouTube ‘Tech Support Scams’ videos have helped increase my awareness). So these days, when I get a call from a number I don’t recognise, I am immediately put on my guard.
Yesterday morning, I received an SMS message from +447786209942 — a number unknown to me — purporting to be from ‘The Co-operative Bank’. It quoted various details that served to suggest its legitimacy. However, your own advice is to be wary of this (my highlighting):
Scam messages can be very convincing and are popular with fraudsters. Fraudsters will deliberately mimic the contact details of the Bank, Police or other trusted companies to hide their true identity.
Source: The Co-operative Bank ‘common-fraud-threats’ page
Scam messages will often imply a sense of urgency encouraging you to act fast, e.g. to call a phone number included in a text message to stop a fraud payment or include a request for personal information, or banking details such as password or security credentials.
[…] 3. Never respond to an unexpected message from an unknown source. Always avoid clicking on links or opening attachments contained in messages. Never log into online banking through a link in a message.
[…] If you think that you may have revealed your security details, fallen victim to fraud, or notice any unusual activity on your account, please contact us immediately on:
For current account customers – +44(0)3457 212 212
During that morning, I received several telephone calls on both my dumbphone and landline from 02081254051 — another number I didn’t recognise — with a recorded voice warning me of possible fraud on my account and urging that I respond immediately.
When calling the number your ‘common-fraud-threats’ page advised, I initially received the following, very abrupt, message:
Service is closed
I called the number again, and, this time, it was answered by your automated service — which advised me that I should expect a thirty-minute wait. While waiting on hold, I did some checking on the numbers:
- SMS message (+447786209942)
- Recorded voice calls (02081254051)
Eventually, my call was answered by a real-life human (or very reasonable facsimile), who confirmed that both of these numbers and their related messages were genuine and advised that I should respond ‘Yes’ to the SMS message. When I looked at that again, I found the language used was confusing: it invited a ‘Yes’ response — but without actually asking a question.
Oh: and for some reason the subsequent message inappropriately used a capital ‘F’ for ‘fraud’ — I’ve seen this kind of thing many times before; in my experience it’s an indication that the writer considers their field of expertise as being of greater importance than absolutely anything else in the known universe and needs to get out more.
Software design flaws
In the past week, I chanced upon a facility in your online banking system that I hadn’t previously noticed — perhaps it has just recently been implemented? — the ability to amend the payment reference of a transaction. Something that, in fact, is most welcome, long overdue, and currently entirely absent from other banks’ online banking systems (*cough* NatWest *cough* Nationwide).
Unfortunately, this (new?) facility has a flaw.
When attempting to change the payment reference in a transaction for an existing recipient, your system insists on (re-)verifying the user. (I’m not at all clear why it should have to do this for what would seem to me to be such a trivial issue, but then I’m not an expert in banking systems; I’m just someone who’s been using computer systems for more than four decades and can recognise poor coding, especially when I’m frustrated by it. Oh, and I have a degree in computer science, too, by the way.)
The immediately obvious flaw is that whoever has put the ‘Verify it’s you’ system in place has disobeyed one of the main tenets of software engineering, to wit: re-use code wherever possible. The interface employed is similar to the initial login one, but its execution is entirely different.
Specifically, there are two problems with the current iteration of the ‘Verify it’s you’ module as implemented by your code monkey: both of these relate to the input of the ‘security code’.
- Existing, proven code (as employed on the initial login screen) is not reused: the user is instead offered a drop-down digit list. The initial login screen, quite appropriately, does not do this: a) the user ought to know that the code is numeric; b) that same user used that code only minutes before in order to log in; and c) if, for some bizarre reason, it is deemed necessary to provide the user with a hint that they should only use digits at this point, a far simpler way to achieve this would be to precede the input fields with the text “Reminder: your security code is comprised of digits”.
- The values of the two required input digits default to ‘0’. This is clearly indicative of poor design, since zeroes are legitimate digits; there should be no default, these values should be ‘null’. (I think it may even be possible that the ‘security code’ could be all zeroes — though maybe that isn’t allowed when setting up the code? — opening the possibility that this ‘security’ feature could be bypassed!)
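To make the second point concrete, here is an added illustration (my own, not the bank’s code) of why a digit field that defaults to ‘0’ is a validation flaw: a handler that treats an untouched field as ‘0’ accepts an empty submission whenever the requested digits happen to be zero, whereas a handler that treats “not entered” as a failure in its own right cannot be passed by doing nothing. The six-digit code, the requested positions and the field layout are all constructed for the example.

```javascript
// Added example, not the bank's code. Constructed sample data: a six-digit security
// code that contains zeroes, and the two (1-based) positions the form asks for.
const SECURITY_CODE = '470010';
const REQUESTED_POSITIONS = [3, 4];

// Vulnerable handler: mirrors a drop-down whose initial value is '0'. A submission
// in which the user touched nothing still carries '0' for every requested digit,
// so it is accepted whenever the real digits at those positions are zero.
function verifyWithZeroDefault(submitted, code = SECURITY_CODE, positions = REQUESTED_POSITIONS) {
  return positions.every((pos) => {
    const entered = submitted[pos] ?? '0'; // the flaw: "absent" silently becomes '0'
    return entered === code[pos - 1];
  });
}

// Hardened handler: a missing or non-digit entry is rejected before any comparison,
// so "did nothing" can never be confused with "entered the correct digit".
function verifyRequiringInput(submitted, code = SECURITY_CODE, positions = REQUESTED_POSITIONS) {
  for (const pos of positions) {
    const entered = submitted[pos];
    if (typeof entered !== 'string' || !/^[0-9]$/.test(entered)) {
      return { ok: false, reason: `digit ${pos} not entered` };
    }
  }
  const match = positions.every((pos) => submitted[pos] === code[pos - 1]);
  return match ? { ok: true } : { ok: false, reason: 'digits do not match' };
}

// Stand-alone demonstration: an empty submission against a code whose requested
// digits are both zero.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('zero-default handler, untouched form:', verifyWithZeroDefault({}));
  console.log('input-required handler, untouched form:', verifyRequiringInput({}));
}
```

The first handler returns `true` for an untouched form because the code's third and fourth digits are both zero; the second returns a failure naming the missing digit. The same untouched form is refused by both handlers when the requested digits are non-zero, which is exactly why the flaw is easy to miss in testing.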
I have screenshots I can provide you with to illustrate. Please let me know if you would like to see these. (In fact, I already gave you these screenshots, via your ‘secure message’ system, but those messages have mysteriously gone astray….)
‘Secure message’ system problems
I composed a message detailing exactly how to reproduce the ‘Verify it’s you’ error I encountered (detailed above). This took me quite a while, largely because when I reached the end of the permissible message length (itself a thing that wasn’t well displayed) I spent ages editing the message to make it fit. (In retrospect, what I should have done was to simply put ‘continued in next message…’ at the foot of that message and continued in another one. Mea culpa!)
The second, and by far more serious, problem with this system is that the response I received to my initial message revealed below it a message on the same subject; but this was not mine: it had been written by another of your customers! Both of the messages I had spent time composing on the subject had vanished. (Perhaps they were present in this other customer’s ‘secure message’ area?)
‘Give feedback’ failure
The home page of your website prominently features a link labelled ‘Give feedback’. Excellent! Far too few businesses these days proactively seek feedback from their customer base. Less excellent, however, is the current behaviour of this facility, which takes the user to a bland page — one that’s not even on your domain, though at first glance it appears to be as it bears your corporate livery — that informs the user of a wasted click:
Sorry, this survey is now closed. Thank you for your time.
Source: edigitalsurvey.com, 13 Feb 2021
Here are my suggestions regarding these matters:
- Publicise, on your website, the telephone numbers that you use to get in touch with customers to alert them to potential fraud issues to enable easy verification of their legitimacy.
- Please get someone who has a good grasp of the use of the English language to check the SMS messages you send out. Hints: a) when the answer is ‘yes’ or ‘no’, the prompt ought to be a direct question, one that ends in a question mark (‘?’) and b) the word ‘fraud’ is not a proper noun and therefore does not deserve to have a capital letter unless it begins a sentence.
- Please reduce the volume of the ‘on hold’ muzak on your telephone answering system, as that is deafening compared with the volume level of the interminable “please continue to hold” messages, which means that I take it off ‘speaker’ — and so can barely hear the other stuff (which, who knows, could be important), and risk missing the point at which a real person finally picks up the phone at your end.
- Employ more staff to answer telephone calls so that your customers don’t have to wait on hold for so long.
- Investigate how a ‘secure message’ system can get its knickers in such a twist that it loses a user’s messages — and, still worse, replaces them with another user’s message!
- Make it clearer in your ‘secure message’ system how much text the user is allowed to enter in each message. Perhaps detail this maximum just before the input field, and make the all-but-invisible character counter at the bottom right more visible when this limit is being reached/exceeded (maybe have it turn red when there are only a few characters left?).
- When the survey to which your ‘Give feedback’ invitation links is inactive, replace the page with a standard message form to allow the user to have their say anyway (and not instead get frustrated by being presented with a ‘sorry’ message that, in the circumstances, feels all too insincere).
- When a link goes to a site other than http://www.co-operativebank.co.uk, warn the user that this will happen. You could employ the standard information emoji ℹ️, perhaps with a mouseover ‘tooltip’ (as I have done on that link). Alternatively, take a look at the icon that Wikipedia and WordPress use (a small blue square with an outward-pointing arrow — it’s a pity that that’s not a standard emoji, in my opinion).
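As an added illustration of that last suggestion (my own example, not the bank’s code), the check below decides whether a link leaves www.co-operativebank.co.uk and builds the tooltip text. It compares the full host name exactly, so a lookalike such as www.co-operativebank.co.uk.example.com is flagged just as edigitalsurvey.com is, and it resolves relative links against the site so that ordinary internal links are left alone. The tooltip wording and the list of sample links are assumptions made for the example.

```javascript
// Added example, not the bank's code. The host name is the one the letter names;
// the tooltip text is an assumption.
const SITE_HOST = 'www.co-operativebank.co.uk';

// Returns null for a link that stays on the site, otherwise the warning text to show.
// Relative links ("/contact") resolve against the site and count as internal;
// protocol-relative links ("//other.example/x") resolve to their own host and do not.
function externalLinkTooltip(href, siteHost = SITE_HOST) {
  let url;
  try {
    url = new URL(href, `https://${siteHost}/`);
  } catch (e) {
    return `Warning: this link could not be parsed (${href})`;
  }
  if (!['http:', 'https:'].includes(url.protocol)) {
    return `Warning: this link performs a ${url.protocol} action rather than opening a page`;
  }
  if (url.hostname === siteHost) return null; // exact match only: no subdomain or suffix tricks
  return `Warning: this link leaves ${siteHost} and goes to ${url.hostname}`;
}

// Applies the check to a list of {href, text} records (a constructed stand-in for the
// page's anchor elements): external links get the information emoji appended and a
// title attribute carrying the warning, internal ones are returned unchanged.
function annotateLinks(links, siteHost = SITE_HOST) {
  return links.map((link) => {
    const tip = externalLinkTooltip(link.href, siteHost);
    return tip ? { ...link, text: `${link.text} ℹ️`, title: tip } : { ...link };
  });
}

// Constructed sample links for a stand-alone run.
const SAMPLE_LINKS = [
  { href: '/current-accounts', text: 'Current accounts' },
  { href: 'https://www.co-operativebank.co.uk/help', text: 'Help' },
  { href: 'https://edigitalsurvey.com/survey', text: 'Give feedback' },
  { href: 'https://www.co-operativebank.co.uk.example.com/', text: 'Lookalike' },
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const link of annotateLinks(SAMPLE_LINKS)) console.log(link);
}
```

On the sample list only the survey link and the lookalike are annotated; in a real page the `title` value would become the anchor's mouseover tooltip.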
Thank you for listening.