
A bank security check that leaves you guessing your own name - BerislavLopac
https://www.theguardian.com/money/2020/sep/06/who-am-i-a-bank-security-check-that-leaves-you-guessing-your-own-name
======
inopinatus
It's never wrong to review that famous and ever-relevant essay, _Falsehoods
Programmers Believe About Names_, for which there have been oodles of
prior discussion on this forum:

[https://news.ycombinator.com/item?id=1438472](https://news.ycombinator.com/item?id=1438472)

[https://news.ycombinator.com/item?id=12450825](https://news.ycombinator.com/item?id=12450825)

[https://news.ycombinator.com/item?id=21492464](https://news.ycombinator.com/item?id=21492464)

Original at [https://www.kalzumeus.com/2010/06/17/falsehoods-programmers-...](https://www.kalzumeus.com/2010/06/17/falsehoods-programmers-believe-about-names/)

~~~
BerislavLopac
And many other similar "falsehoods", collected at
[https://github.com/kdeldycke/awesome-falsehood](https://github.com/kdeldycke/awesome-falsehood)

------
phaedrus
Turo was using out-of-date info to validate my driver's license; I had to
guess that it wanted the expiration date from before I renewed my license.

An identity check system used for VA loans uses your credit history to come up
with secret questions. It's multiple choice and they auto-generate convincing
other answers and/or some questions are completely auto-generated "ringers"
which you must answer none of the above.

(The questions are things like "Which of the following banks have you had a
car loan through?" "Which of the following addresses have you had?")

Problem is, I have very little credit history, so the likelihood of getting a
question I can answer is near zero. On the other hand, whatever source they're
using also has some assumed-real but actually incorrect associations for me
(again, because I have little real credit history, the credit check system
seems to be "grasping at straws" to generate a report on me).

So I couldn't just answer "none of the above" for all of the questions,
because at least 1 out of each batch of 4 was not an auto-generated made up
question but a real question asking me to guess what mistaken answer to it
they have on file. After several tries / refreshed batches of questions that
were all unanswerable, it locked me out of the system.

~~~
tzs
Suggestion: get and save a copy of your credit report from each of the major
credit reporting agencies. They are required by law to give you a free copy of
your report if you request it, and you can ask for a copy annually [1].

Then when you get a question and you aren't sure if it is one of the "ringers"
or one of the ones that comes from errors on your credit report, you can check
the reports to help decide.

I've got a similar problem, due to the post office trying to be helpful.
Briefly, a neighbor with the same last name as me got married, changed her
last name, and her husband moved into her house. Years later they moved and
submitted a change of address form. The PO noticed the name on the form did
not match the name in their records for that address, but did match the name
on my address, assumed I was the one moving, and so it was my address that got
changed, not my neighbor's. We got it straightened out, but now my credit
reports show me being at that other address for a few weeks.

[1] [https://www.usa.gov/credit-reports](https://www.usa.gov/credit-reports)

~~~
jsmith99
It's a catch-22 - in the UK at least, answering those questions is how you
sign up for a credit report in the first place.

~~~
tzs
Same in the US. In the US it helps that there are 3 major credit bureaus. When
you ask for your free annual report, you have to answer the questions for
each.

Unless there is a lot of wrong information in your report, there is a good
chance at least one of them won't use the wrong information in their set of
questions.

Once you've got one downloaded and saved, you can try again with the others,
checking any questions you are unsure about against the first download.

------
peteretep
The Thai version of this doesn’t require you to enter the recipient name, you
just enter a number and a bank ... and it tells you the recipient name for you
to check. Pretty fool proof except that it leaks names for bank account
details

~~~
irjustin
Seems like a good way to get war-dialed account numbers.

~~~
scrollaway
In most countries, bank account numbers are not sensitive information. That is
an American oddity.

~~~
vageli
> In most countries, bank account numbers are not sensitive information. That
> is an american oddity.

They're not really secret in America either. I mean, the account details are
on every check for instance.

~~~
yandie
Yeah, but I dare you to give out your account number to a random person. The bank
security system here is ridiculous.

I always stick to cashier's check for this very reason (and for accounting
purpose).

~~~
cortesoft
I have written quite a few checks to people I don't know. I don't think too
many people think twice about it.

~~~
fishywang
My understanding is that in the US system anyone can initiate a transfer out of
your account with your routing and account numbers (both are on the check
itself so they're not really "secret"), but if they are doing it without your
consent they'll get into legal trouble and you can get your money back (but it
_might_ take some time to get your money back). As a result most people just
shrug it off.

~~~
njarboe
"they'll get into legal trouble"

They may get into legal trouble. My mom had her checkbook stolen that was in
her luggage and the person used the checking account to pay for an electricity
bill. She reported it to the police, but they had more important things to
spend time on. When you can use someone else's checking account number to pay
for a utility at a fixed location, you probably aren't worried about legal
trouble when you are doing it.

------
roobs
This is one thing the Japanese banking system actually handles pretty well.
When you send money, you enter the bank name, branch and account number and it
will give you the reading of the name on the account (Japanese names/words can
be read in many ways). If you keep trying this on different accounts your bank
will disable this functionality and require you to enter the reading on the
account to send money to it, until you go into a branch to reset it.

There are definitely similar Japanese-specific issues with specifying readings
(especially for foreign names), but this works far better than requiring
someone to specify the name exactly on the account to see if it is a match or
not. I'm not sure if that would work well in the UK given how much larger
the Faster Payments infrastructure is.

------
hatenberg
Singapore has this figured out, it's not THAT hard, especially when you have a
solid national identity / SSO design _.

You can use phone number or national ID number to register and that's all that
is needed but you can set a display name freely if you don't want your name to
leak via reverse lookup.

Generating a QR code is also available right in the app and accepted pretty much
universally via the same app you can check in for contact tracing or log
into government services or banks with. Opening an account now is as simple as
confirming a personal data sharing request sent to your app - no more paper
forms.

_[https://www.straitstimes.com/tech/singpass-to-be-upgraded-to...](https://www.straitstimes.com/tech/singpass-to-be-upgraded-to-nrics-digital-equivalent)

~~~
ascorbic
This is a different issue. It's not about verifying your own identity, it's
about verifying the account number when making a payment to somebody else. The
name on their account must exactly match the one that you entered or you get a
warning.

~~~
hatenberg
It solves the same problem by using national identifier/phone number and
displaying the nickname which can be easily verified.

The national ID has a checksum letter appended so simple typos are not very
likely.

~~~
cutemonster
Cannot someone else use the same nickname?

------
supernova87a
At least this is explainable by designers not anticipating hard cases.

I remember the shittiest app from HSBC (who, by the way, seem to be
sleepwalking their way through retail banking, with no direction from anyone
who cares), which asked:

"What is the answer to your chosen secret question?"

~~~
Splognosticus
It's dumbfounding how awful bank websites are at security. They started with
the stupidest conceivable way to implement two-factor--a second clear-text
password that is an answer to a very small number of secret questions. Then
they limited the secret questions to things people could find out about you on
Facebook, then on top of _that_ added secret questions about esoteric crap
like your father's mother's childhood neighbor's dog's name, secret questions
that have answers that vary over time like your favorite song, secret
questions that have ridiculous length or punctuation requirements,
authentication by SMS, authentication by robocall, and on and on and on. The
only thing they absolutely refuse to try is an actual friggin' two-factor app!

There's security theater, and then there's Punch and Judy security puppet
shows.

~~~
stubish
Our banks in Australia try two-factor apps. Every bank has their own unique
one, so phone only and the expected app pollution. And then they push you to
using a different app on the same phone for your banking (say by having unique
features such as push notifications of credit card purchases), which completely
defeats the purpose of the TFA app since you can drain the accounts with
nothing but the phone and (if you are lucky) a PIN number.

------
AMD_DRIVERS
We have a very similar system in Canada called Interac, which works well
enough. All you need is the registered email or phone number of the recipient
and it will grab all the rest of the info, no matter who they bank with.

~~~
MattGaiser
There are a lot of issues with fraud on Interac though, even if it is just
customers doing foolish things.

[https://www.cbc.ca/news/business/rbc-customer-out-of-pocket-...](https://www.cbc.ca/news/business/rbc-customer-out-of-pocket-after-e-transfer-fraud-1.5128114)

~~~
gruez
This is clearly a usability vs security decision. The advantage here seems to
be that you can receive payments without registering your email, which seems
like a nice feature to have. I wouldn't have to keep track of yet another
money transfer service (there's already PayPal, Venmo, Zelle), and it's one
less account that could get hacked in the future. Also, considering that the
recipient's email was probably hacked (how else were they able to get ahold of
the email?), even having a mandatory email registration system wouldn't
necessarily prevent the fraud from happening. The attacker could re-register
your email address to his account, and since he controls your email, he could
also approve any verification emails.

------
suspectdoubloon
Australian banks have a system called Osko/PayID. You register with your bank
a phone number or email, I think. And when someone transfers money using your
phone number they get a confirmation of your name.

~~~
wfreeborn
And it's so good! Really love the work the NPP are putting into building the
new payments infrastructure.

------
svrb
Time to add a Falsehood[] Programmers Believe About Names: that it's even
remotely possible to "match" them. That's just not how names work, frankly.

~~~
Spivak
As a sanity check it’s not a bad system. If you’re expecting you send money to
a John Doe it makes sense to be able to tell the bank this so they can compare
and come back with “uhh this account is owned by a Mary Sue, are you sure?” As
far as catching mistakes I'm sure it's fantastically good. The odds that a
mistyped account number happened to land on someone with the same name are
probably vanishingly low.

And that really seems to be all this is except that it uses the naivest
process to do the check.

~~~
hakfoo
As a sanity check it's awful flow, though.

If we're willing to deal with the 'wardialing account numbers' factor, I think
the right flow is "enter account number, SHOW associated name, and make the
customer confirm it (i.e. by transcribing it off the screen if it's a huge
transfer, or just click "Yes, I meant to send to Scamco Ltd.")". That avoids the
usability nightmare of "the name on file is wrong but not in a guessable way."

I have pretty close to the simplest case for Western-style names-- no middle
name, no hyphenation, no suffix or odd prefix, short, common first name,
dictionary word last name. The number of times it gets recorded wrong is
unbelievable.
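
An added example (my code, not code from the thread or from any bank mentioned in it) of the lookup-and-confirm flow roobs describes for Japanese banks and hakfoo proposes just above: the sender's bank returns the registered name for the customer to confirm, warns rather than blocks on a mismatch, and switches the lookup off for any customer who queries too many distinct accounts. The registry entries, the limit of five lookups, and all function names are assumptions.

```python
import re
import unicodedata
from dataclasses import dataclass, field

# Constructed registry (hypothetical values): (bank, branch, account) -> name.
ACCOUNTS = {
    ("0001", "123", "1234567"): "Mary Sue",
    ("0001", "123", "7654321"): "Scamco Ltd.",
    ("0002", "045", "0000042"): "John Q. Doe",
}
MAX_DISTINCT_LOOKUPS = 5  # assumed limit on distinct accounts per customer

def normalize(name: str) -> list:
    """Unicode-normalize, casefold, drop punctuation and split into tokens."""
    text = unicodedata.normalize("NFKC", name).casefold()
    return re.sub(r"[^\w\s]", " ", text).split()

def compare_names(entered: str, registered: str) -> str:
    """'match', 'close' (every entered token is present, e.g. the middle
    name was left out) or 'mismatch'."""
    a, b = normalize(entered), normalize(registered)
    if a == b:
        return "match"
    if a and set(a) <= set(b):
        return "close"
    return "mismatch"

@dataclass
class LookupGuard:
    """Per-customer count of distinct accounts queried. Past the limit the
    lookup is switched off for that customer (a branch visit re-enables it)."""
    seen: dict = field(default_factory=dict)
    disabled: set = field(default_factory=set)

    def lookup(self, customer: str, key: tuple) -> dict:
        if customer in self.disabled:
            return {"status": "disabled"}
        keys = self.seen.setdefault(customer, set())
        keys.add(key)
        if len(keys) > MAX_DISTINCT_LOOKUPS:
            self.disabled.add(customer)
            return {"status": "disabled"}
        name = ACCOUNTS.get(key)
        return {"status": "ok", "name": name} if name else {"status": "unknown"}

def check_transfer(guard: LookupGuard, customer: str, key: tuple, entered: str) -> dict:
    """Decide what the transfer UI does: proceed, ask the customer to confirm
    the displayed name (a mismatch warns, it never blocks), or reject."""
    result = guard.lookup(customer, key)
    if result["status"] == "disabled":
        # Lookups are off: the customer must supply the exact registered name.
        name = ACCOUNTS.get(key)
        ok = name is not None and compare_names(entered, name) == "match"
        return {"action": "proceed" if ok else "reject", "reason": "lookup disabled"}
    if result["status"] == "unknown":
        return {"action": "reject", "reason": "no such account"}
    verdict = compare_names(entered, result["name"])
    action = "proceed" if verdict == "match" else "confirm"
    return {"action": action, "verdict": verdict, "registered_name": result["name"]}
```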

~~~
svrb
> no middle name

Sorry, this form requires a middle name.

~~~
jpindar
I've heard that if a recruit doesn't have a middle name, the US military will
assign them one: NMI, which stands for No Middle Initial.

------
dmje
This. It's a pain in the ass and I've been bitten by it several times. Most
recently, trying to transfer funds _to my own son_. It's a great example of a
"good in theory, devil in detail" system.

Barclays does it well: they check and warn but still allow a transaction if
names don't match. Santander does it badly: they check and fail, with no way
to get around the system if names don't match.

Barclays generally does great UX and Santander sucks, so the above comes as no
surprise whatsoever...

------
jeffbee
I've just internalized over the years that my last name isn't my father's
name, it's actually "JTWROS".

~~~
Stratoscope
Ah yes! I remember the first time I opened a Schwab account and saw that on
their letters addressed to me.

I had no idea that it meant Joint Tenants With Right of Survivorship. If I did
know that, I probably wouldn't have known what it meant.

Oh wait. I think it actually said JT TEN WROS. I still don't know the
difference between that and JTWROS.

------
Thorrez
Hmm, although it sounds like this was intended to prevent fraud, to me it
almost sounds like it was intended to prevent accidental missends, like this:

[https://news.ycombinator.com/item?id=21729875](https://news.ycombinator.com/item?id=21729875)

> “I lost my inheritance with one wrong digit on my sort code”

~~~
notimetorelax
Now I understand, this is done to protect the banks from the legal fees they
might have to cover. (In the linked story the bank paid thousands in legal fees.)
The warning during the transfer also makes sense now. I.e. we provided you
with means to check the identity and warned you when we couldn’t confirm it,
so the erroneous transfer is now on you.

So the main user of that feature is the bank, not the bank customers.

------
pixelcort
Japan's banks have a similar system, based on half-width katakana. Fortunately
most banks can fetch the name from each other, but sometimes transfers fail
due to issues similar to those found in this article.

~~~
patio11
They're fun, too, in that the ultimate authority for setting the recipient
name is on the sender but the ultimate authority for accepting a transfer is
the bank of the recipient, which can result in that failure-to-sync causing
someone to input a name which cannot be reconciled with the account's owner.
(This is particularly common in consumer-to-business payments because even
with great attention to detail if you're not doing this frequently the error
rate will be a few percent.)

The pull system works in a different but similar fashion, and will (notably)
fail if the information submitted with an incremental pull fails to match the
name which was handwritten onto the document which sets up the pull (which is
circulated at both financial institutions). A gym once received, and I was (in
the literal sense) CCed, an icily polite letter from my local bank saying that
the bank had no knowledge of a Mr. (close misspelling of McKenzie) and that if
the gym had business with a customer of the bank it should do him the common
courtesy of getting his name right.

------
stubish
For comparison, the new system set up in Australia allows you to send payments
using lots of unique identifiers using a registry. So most banks let me link
my bank account to my mobile phone number with various confirmation steps, and
that number is all that is required for someone to send me funds. Email
address is similarly possible for people (although I haven't seen a bank that
has implemented that yet), and business numbers for businesses.

------
pieterr
In the Netherlands, the various banks have aligned on the IBAN Name Check
originally developed by RaboBank. This system works pretty well.

[1] [https://www.rabobank.com/en/press/search/2018/20180523-ibann...](https://www.rabobank.com/en/press/search/2018/20180523-ibannaamcheck-banken.html)

~~~
eythian
Yes, I find the way ABN Amro implements this to be quite useful. If there's a
mismatch between the name I entered and the account name, IIRC I'm required to
confirm it before continuing. But it'll never stop me outright as mentioned in
the article, which seems like a generally wrong-headed approach.

------
bb123
This feels similar to the other irritating assumption banks in the UK and EU
make - that you have your phone on you and are able to receive messages every time
you make an online transaction. Every time I want to buy something online I
have to walk down the street to get enough signal to receive a text message.
There is no alternative or opt-out. Infuriating.

------
dredmorbius
"Who are you?" is the most expensive question in information technology. No
matter how you get it wrong, you're fucked.

[https://old.reddit.com/r/dredmorbius/comments/3mo7l6/that_go...](https://old.reddit.com/r/dredmorbius/comments/3mo7l6/that_google_identity_thing_again_who_are_you_is/)

[https://old.reddit.com/r/dredmorbius/comments/7qya12/informa...](https://old.reddit.com/r/dredmorbius/comments/7qya12/information_security_peps_podesta_who_are_you/)

[https://old.reddit.com/r/dredmorbius/comments/2w618r/how_to_...](https://old.reddit.com/r/dredmorbius/comments/2w618r/how_to_kill_your_google_account_access_it_via_tor/)

------
TedShiller
I'm experiencing a similar problem at Citibank here in the US. When I add a
new bill payee, it tries to verify that I am really me. The website does this
by asking me specific questions about my past (gleaned from various records)
that, presumably, only I would know the right answers to. Among those
questions are things like "In what city does your mother live?"

It sounds like a good idea, until I found out that the correct answers are
considered to be incorrect by their system. I'm sorry, but I know where my
mother lives, and she has lived there for decades. You got your data wrong,
that's not my fault. When I answer the question correctly, it therefore locks
me out of my account entirely, and I have to call Citibank to get my account
unlocked. Helpfully, when you get locked out of your own Citibank account,
anytime you try to log in the website delivers a plain-text "HTTP 403 Error"
without any explanation. I had to deduce myself that it was because I
"incorrectly" answered the question about me correctly.

I asked Citibank's customer service how to resolve this. I was eventually
routed all the way to the top of their organization. Their best answer was
that I should file a request with LexisNexis, the huge corporation that
aggregates these data records on people using automated tools, to have the
"official" answers changed.

That made me laugh. They want to place that burden on me?

So now I just do the whole dance every time I need to add a bill payee. Answer
their questions correctly, get locked out because they think it's incorrect,
then call customer service to get my account unlocked and to add the payee
manually.

Does anyone know a good alternative bank?
