Agree there should be a way, perhaps, to recover from a bad situation.
As a follow-up to my experience, I guess I should expand on the consequences for us. The bank admitted fault, but to protect themselves from a bad employee doing it again in the future, now when we call we have a special voice-only password and PIN, and we have to answer a battery of questions that are clearly pulled from a credit bureau (you know, the types of questions like "You had a mortgage in 2005, what was the street the property was on" and such things). Takes 10 minutes to get to "Thank you sir, how can I help you today" if we ever have to call customer service.
Based on that experience, I think perhaps the bank should make that the answer to recover a deeply lost account. They gave a stranger the credentials to our account -- not just the password, but they had to tell them the login, and disable two-factor authentication (because the login is built from a PIN and RSA code) based on a plea for help. I can see forgetting your password, but who forgets everything? That should be a huge red flag.
I could rant for a long time. I had a pointed discussion with a manager at the bank about how getting five repeated, fruitless requests to change credentials on an account didn't somehow trigger any protective response. How hard would it be to implement a counter that says "okay, after the second attempt to gain access by voice to an account that is denied for lack of authentication, all future calls for this account go directly to the security department for personal attention"? I got no good answer other than a lot of "yes sir, this was completely wrong, sir, I'm sorry, sir" etc.
I don't really disagree with any of that. I was just making the point that there are tradeoffs and the nature of those tradeoffs is going to depend on the situation.
Obviously, access to a banking account should have a pretty high bar even if that means some people may well end up in difficult situations where they've lost access to their money and the bank can't/won't do anything about it based on a phone conversation.
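The counter proposed in the thread (after the second voice attempt denied for lack of authentication, every later call for that account goes to the security department), sketched as an added example. It is not code from any poster or from the bank; the class, queue names and account ids are hypothetical, and it assumes the flag is kept per account and only a security review clears it.

```python
from dataclasses import dataclass

FAILED_VOICE_LIMIT = 2  # threshold from the post: escalate after the second denied attempt


@dataclass
class AccountState:
    failed_voice_attempts: int = 0
    escalated: bool = False


class VoiceAuthRouter:
    """Hypothetical call-centre routing. State is keyed by account, not by caller,
    so repeated attempts from different phone numbers still add up."""

    def __init__(self, limit=FAILED_VOICE_LIMIT):
        self.limit = limit
        self.accounts = {}

    def _state(self, account_id):
        return self.accounts.setdefault(account_id, AccountState())

    def route_call(self, account_id):
        """Queue an incoming call is sent to before any agent hears the caller's story."""
        return "security_department" if self._state(account_id).escalated else "customer_service"

    def record_attempt(self, account_id, authenticated):
        """Record the outcome of one voice authentication attempt."""
        state = self._state(account_id)
        if not authenticated:
            state.failed_voice_attempts += 1
            if state.failed_voice_attempts >= self.limit:
                state.escalated = True  # sticky: a later successful call does not clear it

    def clear_escalation(self, account_id, reviewed_by_security):
        """Assumption: only a completed security review resets the account."""
        if not reviewed_by_security:
            raise PermissionError("escalation can only be cleared after security review")
        self.accounts[account_id] = AccountState()


def replay(events, limit=FAILED_VOICE_LIMIT):
    """Replay (account_id, authenticated) call outcomes; return the queue each call reached."""
    router = VoiceAuthRouter(limit)
    routes = []
    for account_id, authenticated in events:
        routes.append(router.route_call(account_id))
        router.record_attempt(account_id, authenticated)
    return routes


# Constructed sample: five fruitless requests on one account, an unrelated account,
# then a caller who does authenticate on the flagged account.
SAMPLE_CALLS = [("acct-A", False)] * 5 + [("acct-B", True), ("acct-A", True)]
```

With the constructed sample, the third, fourth and fifth calls never reach a front-line agent, and the later authenticated call on the flagged account is still routed to security.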