"You Rang?" notification from Customer Services


(Tim Stamp) #1

A common tactic used by nefarious individuals (Private Investigators, Hackers, Debt Collectors, News of the World) to find out more about a person is to impersonate them on the phone, and try to extract information from customer services.

The person calling might have already done their ~Facebook~ research and already knows the Monzo user’s date of birth, place of birth, and first cat’s name, for example, in an effort to correctly answer security questions.

The information they might be after would include:

  • Direct Debit info (which would include account/agreement/policy numbers),
  • Latest transaction information (which provides approximate geographical location of the user)
  • Current balance (which can be used to gauge financial status)

When a successful social engineering attack like this happens, typically the user has no idea, and neither do customer services.

However.

What I propose is that when a customer calls up purporting to be a Monzo user, you add a notification into that user’s Monzo feed, saying a call was made to customer services by you.
Perhaps add some response options to the notification:

  • “THIS WASNT ME WAT IS GOING ON OMFG”
  • “Oh that’s cool, they notified me that I called them, Ok.”

If this notification is sent at the beginning of a call, then the victim has a good opportunity to interrupt the social engineer before the call is complete, by responding to the notification.

I’m aware of the existing Monzo customer services challenge-response mechanism, which is for the user to read back a secret value from the Monzo app screen, but this would be a nice casual addition to that, and a defeat for the “I don’t have my phone on me” excuse.


#2

Better still, get Voice Security like First Direct when you call them. All I do is give my surname and postcode and I’m in. Anyone trying to impersonate me wouldn’t pass security. I set it up a while ago and it’s great, no having to remember the 4th & 8th character of your password!!

Maybe something else for Monzo to consider, but I do like yours as an alternative.


(Tim Stamp) #3

Unfortunately that security model only works if nobody has a recording of you saying your postcode and surname, which are both things you say to pretty much every company you speak to on the phone.
Voice security generally only should be applied in an in-person scenario, or as another factor in a multi-factor authentication process. Because it can be defeated trivially if you know beforehand what it’s going to ask you to say.


(Adam Williams) #4

Phone security is always scary, IMO. It’s crazy to think how easy it would be to impersonate me when calling e.g. Virgin Media (thankfully my account there is closed).

What I’d like to see is something like a push notification (a la Duo) or TOTP support PIN (think Namecheap) that I can give to staff to confirm that I’m me and not someone else. This wouldn’t be susceptible to social engineering and intelligent guessing in the same way that “What’s your postcode?” and “How do you pay your bill?” are. SSE actually let me guess my address line-by-line on one occasion (I haoppened to get the county wrong).

Obviously if you’ve lost your phone you’re kinda screwed. In these circumstances it should be possible to freeze the card. but not do anything else.


(Andre Borie) #5

Whenever possible Monzo should confirm the identity of the user by for example sending them an email or a push notification with a code - only “emergency” actions like blocking the card should be allowed (the user might’ve been robbed and lost the card and the phone so it makes sense to allow it without phone verification).


#6

Similar to the 2 factor authentication I have with my Google account??


(Andre Borie) #7

Yes absolutely !

20chars


#8

I think this is a good idea.


#9

A few days ago I needed to call Halifax for an account I have with them. It went like this.

Me: hi, I’m nanos.
Halifax guy: hi, can you confirm your full address and mobile number?
Me: sure, it’s…
Halifax: do you have your mobile with you?
Me: yes
Halifax: great, I’m gonna send you a OTP by text message. Please read it out to me when it arrives

I was so impressed. The best telephone security I ever experienced.

I know this is not ideal (I’m very aware that ss7 is vulnerable and that there was almost certainly a fall back for “I don’t have my mobile with me”) but it’s very much better than “confirm your name and address please. Oh, sure, this must be you, since noone else ever will know your address!”

Incidentally another thing I liked was this: towards the beginning of the phone call the guy said “I can hear a lot of noise in the background. Are you driving?” - “no, I’m walking”. This is the sort of thing that might come across as condescending to some, but I felt it was great attention to detail.

So, overall this was one of the most pleasant telephone experiences I have had in a long time!


#10

I had similar from EE a couple of weeks ago.


(Sam Watkin) #11

This is a really cool idea!!

Customer service is somewhere that we believe we can be significantly better than what already exists. The market leaders in customer support aren’t in banking, they’re people like Amazon where you can click a button and get a call back.

We’re massively focusing on and investing in customer support, because the real test of any company is how well they react when you have a problem.

And because Monzo is app based, we can keep all of our contact through that, totally avoiding you having to work out if that call really is from your bank :iphone:

We’re clearly not fully there yet, but its a massive area of focus for us :muscle:


(Hugh) #12

Maybe I’m weird but I’ve always found Amazon customer service (especially the chat!) atrocious. Especially in the app where you first start with a conversation with a robot disguised as a human before you get the option to talk to an actual human.


#13

You may wish to reassess that.

  • Amazon customer service is extremely poor.
  • First Direct customer service wins awards.

(Sam Watkin) #14

Yep, I definitely didn’t intend to say they get everything right, but they are widely considered by customers to be pretty good. Some of the things they do, such as refunds without returns, and always shipping replacements by the next day, demonstrate a way of thinking which is at least aware of customers.

When people think of Monzo we want them to think of amazing customer service, and it sounds like that’s not quite the case with Amazon, but I think it’s a good place to start in terms of thinking differently, and challenging the ways that customer service is traditionally offered.

Btw, my love of First Direct is on show elsewhere in this forum too :wink:


(Hugh) #15

But I’ve also had terrible customer service from them when it took forever to sort out charges they’d applied to my account (wouldn’t have spotted without Monzo) after I’d returned items to them (refund without return).

I don’t think they are that aware of their customers to be honest.


(Max Walker) #16

I’ve always found their chat fairly long-winded and far too scripted. Basically it tends to go like this:

  • Hello, I’m INSERT_NAME_I_CANT_PRONOUNCE, is this MY_NAME speaking

  • What is your order number?

  • What is the problem (fairly consistently it’s them failing to deliver something on time)

  • Please accept my apologies, I will pass this onto the relevant department to ensure it never happens again.

  • I explain that this is probably the 9th+ time in the last few months that they are late delivering and despite their promises to pass the problem on, I never hear anything and it keeps happening.

  • They offer me a month of prime

  • Repeat…

Tbh I’d rather they just worked properly, the worst bit is the complete lack of feedback or flexibility. I’d much rather they said it would take two days for things to arrive than make “guaranteed delivery dates” and break them.

One of the main things that I love about monzo that sets it apart from Amazon is that they hold their hands up when something goes wrong and give you feedback about how they plan to fix it.

Agreed, big corporate monster


(Tom ) #17

For me, Amazon customer service is the best I’ve ever encountered. It’s what keeps me going back, despite my reservations about the way they do business.


#18

For me it’s First Direct customer service everytime. Their customer service is so good that in 10+ years I’ve been with them I’ve had cause to ring them 2-3 times, and that was due to human error (mine!). Calls answered by at most the 2nd ring, and by people who can sort my issue first time everytime (and they have).

Calling them is a pleasure if a little dull, as they just get it sorted for you, and that’s such a surprise these days.


(Max Walker) #19

I must say, they are great at picking up the phone and sorting out problems.

The thing that I find odd is that First Direct are great at simply getting things sorted but HSBC (their owner) seems to be quite the opposite, an example being the need to use paying in books or having to make an appointment in branch to make relatively small account changes (such as providing documents). Maybe its just my local branch.


#20

No I think it’s just HSBC! Thank heavens they just left FD alone to get on with things. HSBC come across like a car crash in comparison. Probably outsourcing call centres hasn’t helped them.

I don’t care what HSBC do, so long as they leave FD alone.

Monzo and co could learn lots from FD regarding overall customer service and satisfaction. Top of the table for customer service for as many years as it’s been running. Not a bad effort really.