BNZ specifies an interesting use for your Eftpos card PIN that’s not permitted in their newest card terms and conditions – using it for the lock code on your phone.
1.5 PIN selection … Your PIN should not be used for any other purpose including your lock/unlock code for your mobile phone.
In the new card letter they also make an interesting comparison of PINs to electronic signatures. But I think their next sentence shows why this is a potentially confusing example to give:
“When selecting a PIN please remember that this is your electronic signature. You must not keep a written record of your PIN, give your PIN to any other person or select a PIN that can be readily associated with you such as birth dates, addresses, parts of telephone numbers, car registrations, sequential numbers (eg 1234, 9999) or any other easily found personal information.”
Signatures are often written down, given away and are made up of personal information. Perhaps there is a better comparison available?
Update 28 September 2012: This post was written before I started working for a bank (who I love dearly), and at least some views expressed in this post have changed since then (eg. case-insensitive passwords (and ASB isn’t the only bank that does this) are irrelevant when users are locked out after three incorrect login attempts–Facebook does something similar to this, accepting the actual password, the password with the first letter capitalized (to account for automatic capitalization on mobile devices), and the password with the case of letters reversed (to account for the caps lock key being on), and that a charge for a bank cheque is not so unreasonable in the context of a lot of bank cheques being for a large amount). Also some bank policies have changed since this post was published (eg. ASB no longer charges $2 for automatic payments added/amended online–progress!) There is, however, no way of getting around ASB’s $0.20 fee for a Netcode over-$500-transfer-authorization if you don’t have a token–it is charged even if you call the 0800 number and ask them to release the payment. Except for a note regarding the previous sentence, this post hasn’t been edited from the original form.
And useful (see: next day bank transfers).
I’m with ASB and they are great, however no one is perfect. Here’s some things that I hate about banks in New Zealand. Many of these problems are shared by the entire industry.
Or the fact that ASB keeps trying to convert me to one even though I’m not allowed one.
Here’s mailer number one, received the week of my 17th birthday:
And mailer two, from today:
Irrelevant: check. Impersonal: check. You know how to make a guy feel special ASB. (Case in point: I’m not 18 so they couldn’t give me my own credit card even if they really really wanted to).
This is upsetting because I have a feeling tertiary accounts have less fees than youth accounts. At least, it isn’t emphasized that service fees apply to tertiary accounts like it is for youth accounts on ASB’s fee exemption page. Service fees apply for everyone, see comment from ASB below.
Stupid bank fees
ASB isn’t the only bank that charges stupid fees, but here are some examples of theirs:
$2 to set up or amend an automatic payment or add a person you might want to transfer money to again (like the power company, or mum). Online. On the internet. Changing an entry in a database. By yourself.
20 cents for each time you use Netcode, ASB’s text verification service, which you can choose to happen on login. Google, who isn’t even in New Zealand doesn’t charge for this (see below). Probably get charged 20 cents again by your mobile service provider for receiving the text. Some sort of verification is required for some transactions that take you over a $500 daily transfer limit, or if you’re sending money overseas. Alternatively, you can ring their call center to get transactions verified for [email protected]!! I wonder if the time of the person you speak to on the phone is worth less than 20 cents?See update at top of post–20 cents is charged even if you call the 0800 number.
Alternatively you can pay $12 a year for a physical Netcode token, which you’d need if you are regularly out of cellphone reception and probably if you travel overseas. RaboDirect provides these for free. BNZ provides the NetGuard card for free.
5 cents for each email alert. For the virtual stamp. Or the person who licks it. Or something.
20 cents for text alerts and text banking. I think they charge you when they receive a text banking message from you. Plus you probably get charged to send texts to them by your service provider. In contrast, Westpac provides a certain number of text alerts free per month as long as you log in to online banking that month.
$5 for bank cheques. Plus because you probably have an “electronic” account, and if you’re not a youth/student, a fee of $3 because that’s a manual transaction.
“Please note, your password must be eight characters long, and contain at least two letters (a-z) and at least two numbers (0-9). For example, redbus73 and 8cube224 are valid passwords.”
This is ASB’s. I assume other banks are as ridiculous. Would you like a nine character password? YOU CAN’T. MUST BE EIGHT.
Microsoft’s (now defunct) password checker says both of their examples are weak. ASB lets you use both of their examples as real passwords, because security.
Here’s an entry form I picked up from BNZ’s tent at The Show:
Note the classy clause at the bottom: “By providing your details, you consent to use contacting you about our products, services and promotions, from time to time (including via text message without an unsubscribe facility).”
Once you’re in, they have you.
I guess if you rang them they’d remove you from their text messaging scheme, but really, why not let people unsubscribe via text using common keywords like stop, or unsubscribe?
Visa Debit cards
And their annual fees. $10 a year for having the card. National Bank got half of the memo and isn’t charging the annual fee if you have their Freedom account. But you have to be earning $30k+ a year and pumping it into that account. Anyway, I like the image they’re using in their ads for it (see top image).
Sure, debit cards are great if you are under 18 or don’t trust yourself with a credit card. But really, if you can, you should just get a credit card.
Banks (looking at you Westpac and BNZ) seem to love converting people to these debit cards, even if the person already has a credit card with the bank. I don’t understand. Family members have received Visa Debit cards in the mail from Westpac, even though they have a credit card with Westpac. If you already have a Visa or credit card, why would you want a Visa Debit?
It’s a bit of a have, because people naturally think this is their replacement EFTPOS card and start using it, probably not realizing that once they start using it they’re going to be charged an annual fee. If they’re lucky, maybe the fee will be waived for a year or two!
When you go into BNZ to request an EFTPOS card, the tellers like to order you in a Visa Debit card instead*, because, you know, they know best.
*May have happened just once.
Lack of security
That’s Google’s 2-step verification programme.
There’s a number of ways to use it. I have the Google Authenticator application on a couple of devices (it works without needing an internet connection), I can get a code sent to me by text (for [email protected]@) if the application isn’t working, I can use the backup codes if I have to, and I can tell Google that it doesn’t need to ask me for a verification code on the computer I’m using for another 30 days if I trust it.
It works, it’s good, it’s free. And it’s not even protecting my money.
Side note: security has to actually be built-in by design and be compulsory for it to be useful. Kerry Thompson points out that security conscious people probably have limited use for 2-factor authentication systems, because they already take precautions. The people who aren’t security conscious are also the people who don’t think they need 2-factor authentication, they think they’ll be covered by the bank, or won’t use it because of the cost (hi ASB’s 20 cent per text charge).
See also: Google doesn’t have an eight character password policy and Google gives a detailed account of recent account activity (ASB shows the last time I logged in, but I rarely look at it, and out of context it’s kind of useless).
How about encouraging people to set up an automatic payment to a savings account every pay period and sign up for Kiwisaver?
Also, you would think an application that consists of one button would be easy to set up, but Westpac’s Impulse Saver requires you to apply to use it, and makes you wait for a callback from a customer service person.
Phone banking on mobiles
Westpac and BNZ seem to be the only two banks who try to ban calls from mobile phones to their phone banking numbers. It’s trivial to get around this with Westpac, just call their main 0800 number and press one to get to phone banking. On BNZ it seems like that works too, at least after their call center hours.
Visa and MasterCard undermining credit card PINs
Visa and MasterCard aren’t banks, but whatever.
McDonald’s, in association with Visa and MasterCard has the policy of not requiring a PIN or signature for credit card transactions under $35.
How they can guarantee security, I’m not sure, because they just took away the only security of a PIN or signature. I’m not sure why Visa and MasterCard don’t make this opt-in or opt-out.
Zero liability can’t apply if you don’t realize there’s a fraudulent charge on your statement, so good luck everyone.
Next day bank transfers
Or please stop relying on a cron job for transfers.
10 years after one-off payments were introduced, they still take up to the next business day to go through to accounts at other banks. I realize this might require some consultation with the People In Charge Of The Money, but can we please get rid of this? Thanks. Also, could we please do transfers on non-business days to accounts at other banks and get rid of the 10pm cut off for not-my-bank transfers?
Today in the post we received New Zealand Post’s “lifestyle survey”, a controversial data collecting tool that’s recently been in the news because the information collected is used to market your address to other companies. The survey is sent to 800,000 households by post and 125,000 by email and asks 56 questions about various things, split into sections on your interests, vehicles, home, finances, shopping habits and travel. New Zealand Post sells names and addresses of respondents, “but not the information they provided in the survey”, for companies to use once. Information is also used to furnish New Zealand Post’s direct marketing tool named Genius which says it helps clients “gain deeper insights and understanding into your customers, particularly around wealth, life stage and lifestyle”.
Reports ordered by the Privacy Commissioner concluded that the 2009 version breached privacy principles and violated marketing industry standards for not providing “adequate, non-misleading information about the survey’s (primary) nature and/or purpose” and asking respondents to answer questions about their partners”. Professor Malcolm Wright, head of communications, journalism and marketing at Massey University say that it shouldn’t be called a survey but “an opportunity to join a direct mail database”. Auckland University former marketing lecturer Linda Hollebeek says that a lot of people won’t be aware that New Zealand Post is shifting into a more commercial strategic direction including the compiling of databases for on-selling to marketers.
Wave around a chocolate bar (or $15k) to get what you want
Privacy Commissioner, Marie Shroff argues that people are often dazzled by competitions and giveaways and might foolishly give away personal information. I think this has been shown to be true by numerous research projects where people are happy to hand over their passwords for a chocolate bar, pen or for the chance to win a trip overseas. Close Up in conjunction with NetSafe offered a Moro bar up for grabs for anyone on Auckland’s Queen Street who was willing to answer a short survey, of which the first question was “what is your password?”. 59% of people gave their password (about half of people use the same password everywhere) and those conducting the survey said that the answers to other questions suggested the majority of passwords were legitimate. You can watch the full video here (apologies if it’s blocked in your country). The shorts for tonight’s episode of Fair Go (22nd June 2011) shows a man on the street asking people personal questions, which I’m guessing most people answered. If you’re interested in the New Zealand Post survey it will probably be interesting to watch.
New Zealand Post thinks they’re being clear
John Tulloch, New Zealand Post’s communication manager said the survey states numerous times that it’s optional and the information “could be used by other companies”. I call bullshit.
(I’ve uploaded the full version of the survey here (pdf).)
Spot where New Zealand Post states “numerous times” that the information could be used by other companies. Hint, about once.
The top paragraph states: “New Zealand Post wants to help you receive more relevant mail. We invite you to complete this voluntary survey and tell us about you and your household, so we can help tailor the messages that you receive. These messages will be from companies with products and services related to your interests” (emphasis is theirs).
I’m not counting this one because I don’t think this is clear that companies will actually be given your information. For example, Fly Buys forwards material on behalf of places you’ve shopped at, but the shops never see your personal information. Nor am I counting the text at the bottom of the page: “in addition to receiving selected offers addressed to you through the mail…” as this doesn’t state at all that those offers won’t be from New Zealand Post.
The one time I’m counting (and only other time in the whole form sharing of information is mentioned) is the fourth small print bullet point under “Here’s how it all works” which states:
Privacy: If you participate in The New Zealand Lifestyle Survey, your name, address and other information you supply (including your email and telephone numbers if you tick the boxes below), may be provided to companies and other organizations from New Zealand and overseas to enable them to provide you and/or your household with information about products and services relevant to your responses to this survey. New Zealand Post may also use that information for the same purpose.
Sure I’ll give them that they’ve made it clear that the survey is voluntary (mentioned about four times on the front page). But they only say that information may be provided to other companies, even though that’s the primary purpose of the survey. There is no mention of the information being sold in the whole form.