Security is about preventing loss. But be careful, as instituting poor security policies can drive away customers and impact your business.
This is a story of how a financial institution is doing security wrong.
I have been a customer of a local credit union for nearly 40 years. It has a few branches, online services, and prides itself on customer service. My account was opened at a very young age; I have since moved away but always kept my account active and enjoyed a number of the financial service offerings over the years.
The problem began in a benign manner. I recently moved and was changing my mailing address with my various financial, health, and business accounts. In today's web-centric world, it is pretty easy to accomplish. In every case except one, I would login to the organization's website with my credentials and provide my new address. In some cases I would have to provide additional information for verification, but the process was smooth. They quickly followed up with an email notification or a card in the mail at the previous address as a measure to detect fraudulent submissions.
Then came my credit union. Their website requires a User ID, password, and additional validation of challenge-response questions if connecting from an unrecognized or public PC. It even sports an anti-spoofing feature where an image previously selected by the customer is provided as part of the login. All wonderful security measures which I applaud. However, it lacks a friendly user interface to edit profile details. With no obvious way to change my mailing address online, I called the support number and was informed I needed to write a letter requesting a change of address, provide my account number, and signature, and send it via US mail to their offices for processing. Although inconvenient, I followed the instructions.
A few days later I received a voicemail at my home number, which was on record with the credit union, and was informed they received my written request but didn't believe my signature was authentic and therefore declined my change of address. What?
I called again and at their request provided my account number, date of birth, and last four of my social security number, home phone, email address, and mobile phone number to validate my identity. After providing all that was requested in addition to details about my account history which would not be on any recent statements, I explained my issue to the supervisor in charge. I was informed they could not readily locate my written request but reassured me it should be around somewhere and instructed me to either come into a branch, which is nearly 2 hours away, or photocopy my driver’s license and fax it in.
I refused to be a part of such "security theater" (as Bruce Schneier would say). I asked why all this is necessary to change my mailing address? With the information I provided on the phone or necessary to login online, I can electronically transfer funds to external accounts, receive a personal loan, reset passwords, request checks, and change all other contact data in my profile. Why the elevated security for a mailing address change?
Here is my favorite part. The supervisor, in his best authoritarian voice, told me it is for my protection, that I probably wouldn't fully understand the security risks, and that it was 'required by law'. When I told him I am a security professional of 20 years, have consulted for banks, and work as a computer security strategist for one of the most prominent companies in technology, his voice went soft. I explained how the additional controls provided no appreciable value and how the rest of the industry follows more rational practices. I challenged the representative to identify the regulatory requirement, because none exists which specifies a written and signed request or photocopy of a state identity as necessary to fulfill a change of address request on a basic consumer financial account.
In the end, we came to the obvious conclusion he was simply following the company's security policy, one created with the best of intentions, but lacking both insight and effectiveness in reducing the risk of loss. It is in fact counter-productive, causing frustration for the customer and consuming employee resources for no appreciable risk benefit. Regardless of the absurdity, as good employees, they are bound to adhere to it. I don't fault them, rather the management who instituted the ill-advised policy. We were at an impasse, my stubbornness against their policy.
As I am a fan of economic models and democracy, I have chosen to vote with my wallet. I abandoned my goal of an address change and instead asked for two things. First, to close my account. Second, to provide me with the email address of the CEO.
I deal daily with the security industry and ecosystem. I have found in many cases the CEOs and CISOs are insulated from some of the choices they make and unaware of potential side effects of their security policy. The best managers hunger to know of issues and are always looking to optimize their security practices. With this in mind, I wrote a friendly note which I emailed and also hand delivered (when I visited in person to close my accounts) to the CEO of the credit union to help in his awareness. Although he has not responded, I still have hope good security practices will prevail for the benefit of the remainder of his customers.
The lesson here is security controls must be commensurate with the value of what is being protected. A proper, efficient, and effective security policy is a powerful tool in the hands of capable employees. But at the same time, poor security policies can have a detrimental effect on customer service, resources, and the business's bottom line.
- Beware of policies which provide no additional level of security. It does not make sense to require extra hurdles to protect less critical assets. In this case, the current phone and online verifications, sufficient for more sensitive transactions, should have sufficed for a change of address. As an extra measure, consider a post-transaction notification via mail, phone, or email, which is the accepted standard.
- Superfluous policies create inefficiencies and more unnecessary work for the employees and customers. There is always a cost to security. Squandering resources due to poor security policies is not a good use of time, customers' patience, and employee effort.
- Any policy which unduly hassles customers, delays services, and potentially exposes private information to unintended parties should be revised. In this case, with the wrong address on file, upcoming tax documents would be sent to an address not that of the customer. Such policies must consider that 'failing safe' may require a change in the status quo. Additionally, in this case, the policy called for the creation of more unneeded documentation with account information and potentially a photocopy of government-issued identification (which likely would also contain unneeded personal information), and the apparent inability to manage the storage and destruction of the aforementioned paperwork. Policies should not exacerbate or complicate identity and data situations.
Instituting the perfect security policy is difficult in every industry. We must however keep our eyes open and understand the unintended consequences in order to learn and adapt. An optimal security policy must align to the risk-appetite of the organization, meet legal requirements, and fit within cost considerations without jeopardizing the critical services to customers. When it fails, either too overbearing or too weak, it can fail big. I hope other organizations can learn from the viewpoint of their customers and the lessons of their peers. This is a learning opportunity for all.
I have intentionally omitted the name of the institution and parties involved, as they are not important.
If the CEO does respond, I will update this blog and even post his response if he grants permission.