Hacker News new | past | comments | ask | show | jobs | submit login
Banks help scammers with their bad UI (zainrizvi.io)
96 points by ZainRiz 5 days ago | hide | past | favorite | 76 comments

I'm sorry to say but this isn't a Chase specific problem. Chase is required by law to make the funds available after a couple days, just like all other banks. The OP's sister fell for a common scam that's been going on since forever, and Zelle warns you fairly explicitly to never send money to a stranger or else things like this could happen.

Of course Chase isn't going to eat a $3,000 loss because a customer fell for a common scam and ignored Zelle's warnings and didn't even do a cursory look through the bank agreement which clearly explains how checks clear.

The difference between the other services "taking responsibility" and "not shaking down their customers" and Chase Bank is that unlike a checking account, credit card transactions can be easily reversed. Once you send the money through Zelle, it's gone.

That your sister was victimized is clearly terrible, but it doesn't change the fact that her negligence caused her bank to lose 3 grand, and your father is liable as a cosigner as well. She is reasonably expected to recognize that Craigslist arrangement as too good to be true, and she ignored Zelle's admonitions not to send money to strangers.

Ok but part of the reason people lower their skepticism is because they see their bank’s UI heavily implying that the check has cleared. The main point of the post is that banks’ UI about whether a check has cleared is very misleading and really needs to be changed.

Yup. I think this is true for all sorts of aspects on the UX of financial related institutions. Not just banks, but anything you use money on.

My mortgage is paid through something that frankly looks like a scam site. You connect to it with an odd domain. When you login, it hops all over the place changing domains and forwarding you repeatedly. The UI is old, odd, and breaks with modern and safe UX patterns, like password managers (can't paste). When you finally land on the site to enter your payment information, it no longer matches the domain you went to.

I don't think a single one of my online payment hubs for standard bills like mortgage, utilities, loans, etc don't at least have one glaring pitfall that helps to introduce confusion to uninformed customers. Hell, i consider myself reasonably informed and i still fear i'm logging into a poorly thought out phishing attempt every time i pay my bills.

We've given very little consistent information to the average person about how to safely interact with the web. And that's just obvious issues, not even straight up incorrect data like what the OP seems to describe.

I have the same problem with my mortgage bank. Not to mention the emails and physical mail I get from them, which I don't even consider until my mortgage agent confirms they're legit.

Hilariously, the best online credit payment I've used has been Synchrony. I got their card when my wife had laser eye surgery because it came with a nice deal. Then I got another card for a deal at the auto mechanic's. It was so simple to go to their website, log in, make payments or change autopay, see my balance, anything. It took barely any time to tweak uMatrix so it worked. And I've never been surprised by them.

I swear I'm not being paid for saying this.

Interesting. My mortgages have always ended up with a known retail bank and can be paid through their normal websites. Is your mortgage held by some fly-by-night bank?

The only sites I visit frequently that do the domain forwarding and have ancient designs are local government sites (for paying taxes and fees).

"Interesting. My mortgages have always ended up with a known retail bank and can be paid through their normal websites. Is your mortgage held by some fly-by-night bank?"

I think you misunderstand. Your parent is saying that after logging into his normal bank, he is taken through two or three third party banking providers that have their own domain names and web user interfaces - just to perform some core action related to paying his mortgage.

I have seen this and can give you a few concrete examples:

- Log onto unionbank.com. Mortgage payment is done through "my mortgage portal" which jumps you to unionbank.customercarenet.com.

- Log onto tiaabank.com. You are quickly redirected through the first third party domain which goes by too fast to copy/paste then you are redirected to cibng.ibanking-services.com, where you do your TIAA banking online (!)

USBank bounces you around weirdo domains as well. FWIW, I have never seen wells fargo do this.

This is a phishing nightmare and it is right at the crux of high-consequence interactions (your mortgage, your banking) and barely technically literate users.

It is unbelievable that they do this.

> I think you misunderstand. Your parent is saying that after logging into his normal bank, he is taken through two or three third party banking providers that have their own domain names and web user interfaces - just to perform some core action related to paying his mortgage

Actually i think it's slightly different (in my specific example). It looks and feels just like you describe, but i get the impression that it's all the same bank. For some reason the application operates on multiple domains.

My old credit union was the same way. I'd log into `someCU.com` and be forwarded to `secure.CUentry.com` or w/e (i forget the specifics). Both domains were the same CU entity, i imagine, but the pattern we should be telling the "average person" to look for is to always find `foo.com` in the address. If you're not connected to `foo.com` then it's evil. However when sites forward you to likely safe but alternate domains entirely we erode this trust in fixed domain names.

Next time a user clicks on an email to `scamCU.com` and don't think anything of it, since `someCU.com` already has multiple domain names.

But yea, you hit the nail on the head with the root problem. It's gross.

I think I have it. I just haven’t encountered that with my banks. There may be some requests that cross domains, but none of them drop me on a payment page that looks suspect.

> Is your mortgage held by some fly-by-night bank

Even if it's not, it might be if someone decides to sell it. years ago, I went with a well known company, and in the disclosures they have fine print saying "we may sell this". 2 months after closing, they sold, and the new servicing company required $5 per payment 'fee'. I never agreed to that, but... essentially have no choice in the matter. Options? Spend another 4 figure amount to refinance and hopefully get a different servicing company?

Interesting. My mortgage has always gone the other way - initiated someplace small and unheard of, and then bought by a name-brand bank. Just luck or the draw, I suppose.

Yup. I was warned, not even in fine print, that it was almost assured that the mortgage would be sold one or more times. I'm on my 2nd, currently.

Those fees are usually illegal but good luck fighting it

Speaking of bill pay, there seems to be some contractor that provides the Bill Pay software for banks because the UI looks nearly the same between my Schwab and BofA accounts and its always on a subdomain of its own.

Under the More -> Charities tab, one of the 9 charities in the world they have chosen to preload as defaults is Focus on the Family, a notorious anti-LGBT hate group.

That's because anti-LGBT hate and its proponents have a plurality in opinion polling.

This exactly. I get that banks have to release the funds by law, but they should show the status of the checks to their customers in a way that shows the potential risk those customers are taking on

Somebody who uses/deals with cheques in this day and age though kinda deserves it in my books. Cheques are themselves bad UX today.

> Somebody who uses/deals with cheques in this day and age though kinda deserves it in my books. Cheques are themselves bad UX today.

Nobody deserves to get scammed. This is puritan thinking, to blame the victim. People aren't supposed to understand every single thing and systems, and banks should do a proper job at educating their clients, if they care about good PR. Obviously, Chase and many more do not.

Local/county governments and landlords tend to pressure people to use checks in my experience (northeast US). Property taxes where I live, for instance, you can pay with a credit card or EFT but the fees are absurd. I don't know why people don't want to at least take an e-check, but that's the way it is.

In the United States, cheques remain the most reliable free-to-the-user way to move amounts of money above about $2000 from one individual to another. There are a bunch of companies that effectively give you ACS access, but they tend to have low limits due to KYC concerns. There's wire transfers, but those are pricy ($50/transaction is normal) unless you have very large deposits with the bank. Most banks will let you do transfers online, but often only to other account holders at the same institution, or else with Zelle or one of its clones, usually with the aforementioned ~$2k limit.

The use case here is paying rent. I write exactly one cheque a month, and I haven't found a better way to do it that wouldn't either be expensive or require action on the landlord's part to set up a portal or something.

> There's wire transfers, but those are pricy ($50/transaction is normal

Holy crap Americans are getting scammed ( for reference, bank transfers in the SEPA space are free). How the heck did N26 and others fail at such a broken market where the competition is stuck in 1995?

Please don't blame the victim.

Just because the law forces them to make the money available doesn't prevent them from putting a big warning on the associated transaction.

Clearly, the bank knows how cheques work and how they can bounce 6 months down the line. They should make it clear to the user with a warning explaining "we are required to make this money available to you by law now, but this money can be taken back at anytime if the cheque ends up being fraudulent, and this can happen for up to 6 months down the line".

The bank also knows (doing otherwise would make me doubt their competence to operate a bank) that this is a common scam and should similarly warn their customers about it. They also know (and have the data) to prove that a lot of people fall victim to this scam suggesting that there is a lack of knowledge in the majority of people when it comes to how cheques work and how they can bounce down the line after the money has already "cleared".

Finally, when it comes to the law, the law was most likely drafted at a time where 1) there were no easier ways to transfer money instantly while making sure it's actually legitimate, so it was a necessary trade-off and 2) there were similarly no easy ways to irreversibly transfer money out of the country in an untraceable fashion, so that the majority of occurrences of such scams would also give better chance to law enforcement to actually trace the funds and make the victim whole, so the fact that someone could temporarily end up out of pocket was also not a big deal.

Nowadays that particular law is clearly inadequate and is doing more harm than good, but laws take time to change (and no doubts there are vested interests at play that would want the system to remain as-is) and there's nothing preventing the banks doing their own part to "patch" the bug until a proper fix can be installed (by deprecating the whole cheque system altogether).

It amazes me that in 2020, we still struggle to implement a simple system where someone can reliably and permanently transfer money to someone else as the default, expected behaviour of the financial system.

There are far too many scams based on someone thinking they've got money they haven't, whether it's person-to-person because of weirdness about reversible money moves or someone successfully abusing some sort of chargeback or dispute mechanism against a merchant. It's not as if these things aren't well known by the industry. It just chooses not to do anything about them, and to continue to rely on fundamentally insecure and unreliable methods of moving money around when it is perfectly capable of implementing better ones.

> It amazes me that in 2020, we still struggle to implement a simple system where someone can reliably and permanently transfer money to someone else as the default, expected behaviour of the financial system.

Certain countries have done so; look at Faster Payments in the UK for example. There's technically nothing preventing FPS to be used right now in place of the majority of card transactions. All it needs is better UX and a standard, like a fps://<sort_code>:<account_number>/<reference> URL that can be either put in a QR code for in-person payments or a clickable link online. Mastercard, Visa and plenty of other companies that make their $$$ off card payments in one way or another (whether supplying overpriced card terminals or selling fraud detection services) wouldn't be too happy that their entire industry is obsoleted by a feature everyone has by default in their bank account that is no longer earning them any fees.

I'm pretty sure any effort to improve the payments system and fix its inherent flaws would see pushback (either obvious, or behind the scenes) from a (big) industry which makes its money on patching symptoms one by one instead of fixing the root cause of the problem (as an example, the fraud detection systems for online card payments - they need fraud to exist and be possible because otherwise if the system is bulletproof in such a way that fraud is technically impossible they wouldn't have a business).

I'm in the UK, and yes, Faster Payments are clearly an improvement and more like how things ought to work. But they only work for payments to others in the UK.

Elsewhere across Europe, SEPA provides a similar facility, but again only "within its own walls".

I would love to see the sort of alternative payment methods you mention taking off as a replacement for card payments. That is exactly what needs to happen. But as you say, there are some very powerful organisations with a vested interest in preventing or disrupting any such change.

>It amazes me that in 2020, we still struggle to implement a simple system where someone can reliably and permanently transfer money to someone else as the default, expected behaviour of the financial system.

It's called cash, maybe you've heard of it?

If you want an electronic system that's exactly like putting cash in an envelope and handing it to someone, Zelle etc. represent that system. A wire transfer is basically the same, only with greater formality, complexity and cost.

By and large, consumers don't actually want that. They like protections such as being able to chargeback if services they've paid for don't get delivered; goods are defective or counterfeit and so on. Yes, this can make life hard for merchants: on the other hand, they are free not to accept credit cards. Most do, because it's a price of doing business.

By and large, consumers don't actually want that. They like protections such as being able to chargeback if services they've paid for don't get delivered; goods are defective or counterfeit and so on. Yes, this can make life hard for merchants: on the other hand, they are free not to accept credit cards. Most do, because it's a price of doing business.

That's the problem. You're free not to accept credit cards, but only in the sense that you're free not to be able to actually sell anything to a large number of people in some very important markets. It shouldn't be a "price of doing business" to accept chargeback abuse, and it shouldn't be OK for the financial firms that permit chargeback abuse using their systems to wash their hands of the resulting liability. But right now, in practice, it is.

> It amazes me that in 2020, we still struggle to implement a simple system where someone can reliably and permanently transfer money to someone else as the default, expected behaviour of the financial system.

Did you ever wonder why many transactions will accept money orders, but not checks?

The system is in place, and has been forever. It just isn't checks.

The problem is widespread around the world, and exists in different variations in different countries. And then even more variations if you're trying to transfer money internationally.

Part of that problem is the continued existence of insecure-by-design systems that should have been forcibly retired many years ago. Another part is that even where safer alternatives exist, as this very story unfortunately demonstrates, it's all too easy for an honest person to be misled about whether they are using one of them.

Both of these problems are directly attributable to the financial services industry, which continues to make a fortune from the status quo even as lives get ruined and businesses go under as a result of preventable crime. Sadly, I can't see this changing until someone in a national government grows enough of a spine to regulate the industry properly, by which I mean setting out a realistic timetable for fixing the problem and then imposing crippling fines on any banks and other professional actors that don't step up.

We have this system though, it's just we also still support systems that should have deprecated a long time ago for being insecure.

We have this system though

Are you sure? You're certainly correct that many popular payment methods are well overdue for being discontinued, but many methods of transferring money that you might think are permanent or even immediate can, under some circumstances, subsequently be reversed.

Unless you've been the victim who sent money to a scammer, of course, in which case all too often it mysteriously turns out that the method you used doesn't suffer from such a limitation. It's almost as if there's a whole dark industry of people who know which methods can be exploited like this and use it to abuse innocent people who made reasonable but incorrect assumptions about the competence and security of the financial services industry.

In the EU we have Instant Payments powered by SEPA[1], which requires banks to confirm payment is sent/received in under 10 seconds.

So yes, it's certainly available and possible, and incident of fraud is very low by all accounts.

[1]: https://www.ecb.europa.eu/paym/integration/retail/instant_pa...

SEPA is certainly one of the best options for a payer-originated transfer. We have something similar here in the UK as well, the Faster Payment system.

On the other hand, SEPA Direct Debits can be involuntarily refunded up to 13 months after the payment goes through if the payer claims the charge was unauthorised. From bitter experience, some customers are quite willing to lie about a legitimate charge being unauthorised in order to take their money back retrospectively.

In the spirit of the original article here, I wonder how many people appreciate the profound difference between those two methods of transferring money, both commonly known as SEPA.

Have you ever heard of a money order or wire transfer being reversed?

No, I haven't. On the other hand, I don't think I've ever made a payment either way, and I'm not even sure that my bank account has the facility to do so. They're certainly no use for things like purchases in a typical online store.

We don't have such a system in the US as far as I know. Wire transfers would be the closest fit but 1) they are artificially made expensive and 2) they are not instant.

While all of these things may be true, how does this stop Chase from implementing a new cheque status?

This scam is so incredibly common and effective that I think we have to move beyond blaming individuals for making a mistake, and consider implementing a fairly simple safeguard.

It depends on what the definition of stranger is. At the point she sent the money she had entered a relationship as an employee. Granted, it was a new relationship, I think it is easy for most people to now think of this entity as no longer a stranger -- even though they probably should.

As noted in a below thread, the solution can still be to make the funds available, but to note clearly that the actual funds may not really be there.

As you note, this scam has been going on forever, and some simple UI changes could make it harder to execute, while not hindering the common case (non-scam).

True, but--the bank should communicate clearly when the check has cleared, and display an intermediate icon that says "per the law/policy, you are allowed to access these funds now, but payment processing is not complete. if the payment does not clear, you must repay these funds."

Also, if the bank really wanted to help, they could offer the services of its fraud unit in attempting to identify and have the check writer prosecuted.

Honestly, it's time to kill checks. They have no place in today's world and can only cause problems.

I get what you’re saying, but the main complain I have is that Chase gave no indication that the funds were not guaranteed once the check appeared to have cleared

The law only forces them to make the funds available, not to pretend that that funds cannot be reclaimed

If the true status of the check had actually been made visible, then yes, Chase would have a much stronger position to claim their was irresponsible

> a customer fell for a common scam

No, the bank fell for the scam. They cleared the fraudulent check. But their TOS says their customers are on the hook for mistakes made (and hidden - there's no way to tell if a transaction really cleared) by the bank.

This is such a common scam that I really think it should be taught in schools.

Whenever you hear someone propose to give you a check in return for you depositing your cash directly somewhere, it is always a scam, always. There is no legitimate reason anyone would ever do this, and I've seen it happen multiple times to multiple people, and even to small charity organizations that almost went bankrupt because of this.

We need some sort of anti-scam class in like high school or something. Just the ability to recognize the most common scams in the world would protect a lot of people.

The other huge bright red, klaxons-blazing warning sign is the overpaying part. There is literally no reason at all to overpay for something when you are writing a check. It’s a psychological trick, like the door-to-door sales trick of giving someone a bottle of soap so that the mark feels like they owe something to the salesperson/scammer (or they are getting one over on the scammer), just a ploy to exploit human emotion.

I bought a computer with a certified check that was too large once, and eventually I did get the store to take it, and promise a refund from their central office. I think it was months later and I had to call them up to get my refund, but it did actually work out. That was in the 90s and of course I would never do it again. It clearly was a well known red flag even back then.

Civilization is built on trust. "Just stop trusting people" isn't a solution.

Whilst the suggested UI fixes will help, this seems less of a UI problem, and more of a checks are inherently insecure problem.

Most western countries have moved away from checks - with the exception of bank cheques or money orders for certain, specific cases.

I am 33 and have never even seen a cheque, nor would I have any idea what to do with it. I am in EU though.

32 in the US and I still have to write fucking checks, most commonly for paying rent. No landlord wants to eat the ~3% fee for taking a credit card. The other day I had to pay for some trees to be cut down and pruned in my yard, cost a couple grand which I am never going to have in cash on hand - same deal, the landscaper does not want to pay the 3% fee so it’s cash or check only.

Why would you ever involve a credit card processor in this? Can't you just do a wire transfer?

Yeah, and it happens but wire transfers can be a real pain depending on the bank. And you need to get the account number of landlord, and now you don't have a simple way (the canceled check) of proving you paid rent. While less than ideal, checks often have the most upside, which is why they still get used.

Another way of looking at it, a check is more or less a form of wire transfer using the ACH system. I just wish there was a way to remove the paper check aspect of it, in a way that is commonly accepted by private individuals + small business in addtion to big outfits.

This. The other thing is property taxes, in my area they generally let you pay by modern methods but charge ridiculous fees, so a paper check is the only sensible method.

That's fine. Checks are risky for the receivers not the sender.

Yeah, this whole thing seems almost impossible with SEPA bank transfers since the order is the other way round.

The sender tells their bank to send someone money, the bank checks the sender's funds and notifies the receiver's bank of the transfer, then the receiving bank notifies the receiver they got the money.

This whole thing used to take 2-3 days in the days of paper giros, but it's pretty much instantaneous now.

I completely agree that checks are inherently insecure.

That said, getting rid of checks completely is a much harder social challenge than updating the UX to show the right status.

UX updates are a practical recommendation that a few engineers at a bank could actually implement

> Chase customer support had one clarification to make. I'd originally said it might take, weeks for the check to clear, but the explained it could actually take more than six months. And you'll have no idea when that magic moment occurs.

Good lord, I had no idea this is how bad things are. Haven't used checks in a long time and happy I haven't. The privacy trade-off for cards is concerning but the convenience is hard to give up.

> privacy trade-off for cards

A check literally has your full address and bank account number on it.. doesn't get much worse for privacy.

> check literally has your full address

Really? I assume you're talking about the US? Because that's certainly not the case in many other countries that I have worked/lived in.

Yeah, I don't know if it is an absolute requirement (probably not) but all the checks I have been issued by the bank and almost all the ones I have received from others have it.

For personal checks, I think the store usually checks that the address matches your photo ID--for corporate checks the address is usually just a P.O. Box. I think the address is also used to look up people in the check acceptance risk system (certegy, chexsystems, etc).

Back when checks were a lot more prevalent, some people would list a PO Box on their checks, either out of privacy or necessity (mail service didn’t go to their street). I was one of the people who did it for privacy, using the box my small business received mail at.

Around the late 90s, a whole lot of places stopped accepting checks with a PO Box address printed on them, ostensibly due to “fraud concerns” (it was really that the government offices that do debt collection for “hot” checks wouldn’t accept non-physical addresses).

There’s not really a point to this story, I suppose, except that privacy has always been hard to maintain.

Banks are required, by law, to make funds available for checks within a few days.

Marking the funds as unavailable would cause great issue for people using checks. For example, a rent check would only be good on six months?

Who would accept this? The law was initially written to protect consumers from having their money unavailable

They could show it in their UI:

- Pending

- Pending with funds available

- Cleared

Exactly. A check from my dad or my employer -- I'll spend that money as soon as its available. The check from the Nigerian prince -- I'll wait until Cleared before I send the money.

The other problem with this approach is that some proportion of perfectly legitimate funds likely will remain in pending for an inordinate amount of time, which dilutes the strength of the indicator in the first place.

Not necessarily. In most cases people won't check the status. As noted in the story the sister actually checked because there was some suspicion. In this case she would have paid more attention to the status and possibly could have said, "its still in pending... can't transfer yet". Of course the scammer would have a well-rehearsed reply, but it at least moves the level of suspicion up a notch.

So let's say banks do display 'funds available, but subject to recall if check cannot be collected'.

A year later, the internet will have thousands of threads on various sites with people complaining that their (real, legitimate) paychecks still show the indication weeks after depositing.

People who are so wishful-thinking that they think someone is paying them a 10% commission to deposit a check will still be wishful-thinking, and will continue to accept statements like "this is normal, you'll see it all over the internet" at face value.

Perhaps that would be the sort of customer dissatisfaction that would move the needle to something less Rube Goldbergish.

As I understand it, there is literally not a "transaction complete" message in the ACH protocol. After enough days without hearing an exception, you assume it went though.

U suspect this comes to the implementation model-- since it's so much based on batch files and potentially offline processing at the destination bank, they probably don't want the overhead of composing and returning a success response for the 95% of transactions that behave normally.

The real answer is to reform how checks are processed. With the interconnectivity that exists between banks today, there is zero reason (other than laziness on the part of banks) to have a delay of weeks or months to confirm funds availability.

Frankly no bank will display this data voluntarily, because in being transparent, it would gain a reputation as a less reliable place to deposit checks than other banks - customers would shoot the messenger. This is exactly the type of thing a “Surgeon General’s Warning” regulation/law could enforce, and sidestep the prisoner’s dilemma here. But absent regulation I doubt this will ever become common knowledge.

This is really a problem with the US banking system as a whole, the check-prevalent culture where people are still willing to deal with such ancient financial instruments, plus the US society where people live paycheck-to-paycheck.

When you do an ACH pull or a check deposit, it generally takes several days or even weeks for the transaction to clear. (But when you do an ACH push or Zelle, the transaction may be irreversible.)

Would you be OK if your bank waited a week or two until clearing the check? Or the banks getting rid of the whole idea of personal checks?

When I saw the title, my first thought was that banks’ janky non-standard and often-changing login flows make it easier for sloppy phishing attacks to work.

Coincidentally, my son was recently scammed on Roblox with a similar scam. And what's crazy is that Roblox seems unwilling to fix it, or to rectify the situation, even though the complete paper trail is in their system and all of the currency/items are within their system. They could easily reverse it, like credit card companies do.

It's amazing how little effort these institutions put into trying minimize damage to good customers.

How much do you spend on roblox pay their staff to work on this?

How much money does Roblox make from these scams? Probably a lot due to customers having to re-buy their inventory.

I’m sure similar scams existed long before the advent of online banking. I wonder what warnings, if any, existed back in the days of paper and pen? Bad checks were much more common decades ago and I think people were more wary.

Younger people don’t have the same knowledge about checks. Banks are outdated in their assumptions of consumer knowledge. But I also think a certain level of common sense also applies here.

The real scandal here is that anyone is still using checks at all. Maybe we should be talking about why the US banking system is so far behind the rest of the developed world.

I live in the EU and I don't think I've seen a check for about 15 years.

UI? I'm still waiting for _any_ Canadian bank to offer 2fa.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact