
  def Softwaremaker() :
         return "William Tay", "<Challenging Conventions />"

  knownType_Serialize, about = Softwaremaker()
 

 Saturday, July 14, 2007

So, I have 2 bank accounts that I usually do transactions in. One is the Development Bank of Singapore (DBS) and the other is United Overseas Bank (UOB). I was on an overseas business trip and then I had to check my account balance with DBS online. Then I realized that I could not because I did not bring the DBS 2-Factor Authentication (2FA) physical token, also known as a hard-token, with me. I ended up not doing what I needed to do and had to return home to check my account balance.

I was initially irked when DBS took matters into their own hands and decided what is good for their customers BUT this incident blew my top. A quick look at their FAQ reveals the snippets below:

[Image: dbs2fafaq.JPG]

As you can see from here, "DBS decided to go with ...". I am surprised that for a world-class bank that prides itself on customer-standards, they are taking matters into their own hands and deciding for the customer. Shouldn't the customer be able to decide this for themselves?

By the same token (pun intended), let us take a look at UOB's FAQ below:

[Image: uob2fafaq.JPG]

A-HA! A choice was not made but given. Customers are given the choice to decide what they want. If they prefer not to carry too many devices with them (God knows how many we have to carry these days - USB Thumb Drives, iPods, mobile phones, keys, etc) and prefer to leverage on what they are already comfortable in carrying, they can choose their mobile phones to receive the One-Time-Passwords (OTP) via SMS. If they are going to be in a country whereby their auto-roaming GSM doesn't work (such as the different networks in Japan or Korea), they can opt for the hard-token.

To cut it short - No decision was made for the customer. Instead, a choice was given to the customer. In other words, UOB empowers their customers, unlike DBS, who thinks they are better themselves by making a decision for the customer. Shame on you. In these days of social computing, networking mashups, Web 2.0 communities, etc, user-empowerment is key. It is sad that DBS has not understood this point fully.

While I have some suspicions that cost (of sending the SMSes) may be a determining factor, I don't see UOB relenting on that point and they don't own a telco either. They have perfected the art of: If you keep your customers first, their money will come in.

This issue, by no means, has got anything to do with security. Both banks are practicing it - by making sure there is another authentication factor before logging in for banking transactions. This is about choice, empowerment and delegation. In short, it is about being customer-focused, in every sense of the word. UOB's FAQ details very well the operations of both sets of authentication so that the customer can make the right decision for themselves. Bravo! They know the customers who bank with them can think. Kudos to them!

UOB went even one step further. If you are left stranded with no means of a second factor of authentication (like I was while overseas), check out what is on their FAQ above and I quote:

"What if I have enabled Two-Factor Authentication but do not have my mobile phone or Token Device with me; and I urgently need to use Personal Internet Banking?

In this case, you will be able to login to UOB Personal Internet Banking using your Username and Password to perform balance enquiries only. You will not have access to perform transactional activities."

... you can still log in with very minimalistic rights such as checking on your account balance. You cannot perform any banking transactions, nor can you see your bank account number or other sensitive information.

This is what I mean by being customer-oriented. It is very obvious UOB has put much thought into this and must have done their field test first with their customers' subsets. They understand that there may be instances whereby customers may have no means to access any sort of tokens but still would like to log in with minimalistic rights to do minimalistic activities. They must also have consulted with their security consultants to make sure all security points are covered to finally propose this capability. Excellent thinking and a definite A+ point in design and usability with a fine engineering compromise that many companies can learn from.
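The reduced-rights fallback described above can be modelled as authorization keyed on how strongly the session was authenticated. This is an added sketch, not UOB's implementation and not code from the original post; the operation names, the `Session` class and the `(hidden)` placeholder are assumptions drawn from the description here.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Assurance(IntEnum):
    NONE = 0
    PASSWORD = 1      # username + password only
    TWO_FACTOR = 2    # password + SMS OTP or hard token

# Hypothetical operation names; anything not listed is denied by default.
REQUIRED = {
    "balance_enquiry": Assurance.PASSWORD,
    "view_account_number": Assurance.TWO_FACTOR,
    "funds_transfer": Assurance.TWO_FACTOR,
}
SECOND_FACTORS = {"sms_otp", "hard_token"}

@dataclass
class Session:
    user: str
    factors: set = field(default_factory=set)  # factors verified so far

    @property
    def assurance(self):
        # A second factor alone never counts: the password is the base factor.
        if "password" not in self.factors:
            return Assurance.NONE
        if self.factors & SECOND_FACTORS:
            return Assurance.TWO_FACTOR
        return Assurance.PASSWORD

def authorize(session, operation):
    """Allow only when the session's assurance meets the operation's bar."""
    needed = REQUIRED.get(operation)
    return needed is not None and session.assurance >= needed

def balance_view(session, account_number, balance):
    """Return the balance; reveal the account number only after 2FA."""
    if not authorize(session, "balance_enquiry"):
        raise PermissionError("login required")
    shown = account_number if authorize(session, "view_account_number") else "(hidden)"
    return {"account": shown, "balance": balance}

def step_up(session, factor):
    """Record a verified second factor (the OTP check itself is out of scope)."""
    if factor not in SECOND_FACTORS:
        raise ValueError("unknown second factor")
    session.factors.add(factor)
```

The point of the design is that the check runs per operation on the server, so a password-only session cannot reach a transactional endpoint by skipping the user interface.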

In the past few months, I have recommended my customers / friends / colleagues who are here doing business to set up their bank accounts with UOB. I have also moved the bulk of my transactional funds to my UOB account so I can better work when I am overseas, with only my mobile-phone.

Good work, UOB! DBS and the other local banks have a lot to learn from you, in terms of being customer-oriented and customer-focused.

Saturday, July 14, 2007 9:55:11 AM (Malay Peninsula Standard Time, UTC+08:00)