GonzoBanker’s Online Banking Applicant Screening Questionnaire

“button your lip don’t let the shield slip
take a fresh grip on your bullet proof mask
and if they try to break down your disguise with their questions
you can hide hide hide
behind paranoid eyes”
–Roger Waters (Pink Floyd), Paranoid Eyes

GonzoBankers, it seems that everywhere you turn, there is talk about security breaches, lost tapes chock full o’ credit card and Social Security numbers, illegal spankings, wire fraud, stolen passwords for Internet banking. Wait a minute… stolen Internet banking passwords?? Holy chicharon! That means consumers are sure to start flocking from Internet banking or at least slowing down on their adoption rates… so, the lines in our branches will expand by miles… and we’ll have to build more branches to handle the droves… and that’s going to cost a lot… and we can’t afford new branches or more tellers this year…. and I don’t want to deal with headlines or regulatory scrutiny!!!!!!!!

OK, deep breaths, GonzoFreaks. Repeat after me: It is not time to hit the panic button on Internet banking. Inhale. Exhale. Nice and easy. Yes, we should remain seated and buckled in through this brief period of security turbulence, but let’s not start shoving our way to the Exit Aisle just yet. Internet banking is not going away as the alarmists would love us to believe. It probably won’t even noticeably slow down. Have you ever once met or even heard of someone who actually said they’re closing their online banking account because of security concerns? I bet not.

On the other hand, banks and credit unions are going to increasingly face dilemmas like the one at Bank of America that Carl Faulkner described in “Lack of Demand Results in Death of Internet Banking” (GonzoBanker, May 13, 2005). A customer loses some money due to no fault of the bank but rather due to the customer’s home PC getting hacked or otherwise compromised. Then, the red-faced customer looks to the bank for compensation.

Technically speaking, B of A did the right thing. Believe me, I’m a Power to the People type who loves to bash the really big banks when they have it coming, but this was not B of A’s fault. Bank of America should be no more be responsible for a consumer’s PC getting compromised than it should be if a customer’s ATM withdrawal gets snatched in a mugging. That said, from a public relations standpoint banks are probably going to have to pony up for stupid customer Internet banking losses in the future just to keep the consumer activist groups off their backs and the fraud headlines down to a below-the-fold whisper.

Granted, Dr. Faulkner has been a tad on the paranoid side regarding online security ever since someone used his credit card to subscribe to an all-male, Canadian “photography” Web site (true story.) But allusions to the downfall of Internet banking aside, Carl was dead-on last week – financial institutions damn well better plan on the reality of security mishaps and how to react to them rather than pretend they can ever stop the breaches altogether. And if you believe that banks and credit unions are going to bear at least some responsibility to financially cover dim-witted users who cannot protect their own PCs and passwords, GonzoBankers simply must beef up their online banking applicant screening. Yes, you want customers to adopt Internet banking, but you also want to Know Your Customer, right? A moron for an online banking customer can mean potential losses for you, sí?

So, GonzoBanker has written a simple questionnaire for banks to provide in their lobbies and on the Internet for their online banking applicants. Let’s end the anticipation; I offer to you GonzoBanker’s Online Banking Applicant Screening Questionnaire:

XYZ Bank: Online Banking Screening Questionnaire 1) While surfing on the Internet, no doubt avoiding porn sites and doing legitimate research, you encounter a pop-up that says you have just won a free Sony plasma TV. All you have to do is provide all of your personal demographic data, Social Security Number and a credit card number to pay for shipping. What do you do? A. Say a prayer in thanks because my current TV blows; input my information; stock up on beer/chips and wait for my sweet TV to arrive. B. This sounds like a trick. I’ll forward it to my roommate and see if he gets screwed before I commit. C. I think I’m getting scammed. Close the pop-up and tremble like a little girl. D. Mother of all that is Right and Holy! It’s a scam!! Cancel all online accounts of any sort! Hide! 2) You receive an email explaining that you can split $45,000,000 with a Nigerian ex-pat if you will only send him your banking account data so that he will have a place to safely stash the loot. What do you do? A. Inquire whether the funds are in Nigerian currency or U.S. dollars, research exchange rates, and make a risk-reward decision. B. Send him the data. There are people in this world who are paranoid, and they may reject this offer. But sometimes you just have to let go and BELIEVE in order to make your dreams come true. C. Delete the email, then delete it from my Deleted file. Feel unclean and unsure. D. Mother of all that is Right and Holy! It’s a scam!! Cancel all online accounts of any sort! Hide! 3) Our bank’s offshore data center sends you an email with a “.Ukraine” suffix. The bank needs to update your account information, including account number, Internet banking logon ID and password. We flat-out lost it all! Please log on to the following site and type in your information: www.ourbank.ukraine//thisisnotascam//9%^&())*&%/legitimateinquiry/ mockeduploginscreen.don’tworrythisisallverymuchontheupandup.org How do you react? A. Well, if you need my information, you need my information. I better send it or I’ll be kicked out of the bank and shamed. B. I’ll send my information, but I will NOT be very happy about the inconvenience. Question the bank’s data security in an angry letter to the bank’s Chairman. C. Hey, wait…..How did you manage to retain my email address and lose everything else? This doesn’t sound right. I better call the bank using a telephone number from a reliable source. D. Mother of all that is Right and Holy! It’s a scam!! Cancel all online accounts of any sort! Hide! 4) If our bank were to grant you access to our online banking product, how would you remember your user identification and password? A. Not a problem. I use the same userid and password for all of my online accounts. That makes them easy to remember! B. I will write them backwards on a small piece of paper and place said paper all crinkled up in my wallet so it looks like a useless scrap. C. I will use a very unique ID and password with no patterns or logical ties to myself, then store it safely for access with my $80 biometric device, just like GonzoBanker recommends. 5) Using our secure terminal to your right, please take the Phishing IQ test on MailFrontier: https://survey.mailfrontier.com/survey/quiztest.html How many questions did you answer correctly? A. 0 – 2: Those guys are tricky. Hope I never get a mean email like that! B. 3 – 8: I get all freaked out when I have to think under pressure. C. 9 – 10: So let me get this right, most legitimate businesses will not ask you to update account information online? Hey, I’m a freakin’ genius! D. At the advice of my attorney, I will not answer this question as it could tend to incriminate me. 6) Let’s pretend. Your name is Rich Christensen, and your account number at our bank is 4767410. Of the choices below, what is the most appropriate user identification and password to be used for your Internet banking account? A. USERID: richchristensen, PASSWORD: 4767410 B. USERID: richchristensen, PASSWORD: nesnetsirhchcir C. USERID: kiur778Wej, PASSWORD: cnvbmJJle77823 D. Can not answer that question as any response from me on this subject leaves me prone to profiling and social engineering.

And that’s all there is to it – six simple questions to weed out the high-risk brainless. Now, no consultant worth his beefy hourly fee would provide you with a tool of this magnitude without a key to interpret the results, so here are some guidelines:

• The correct answer to all questions is “C”. (psst… in practice you may want to rearrange the answers so that no one notices the pattern.)
• Any “D” answers? Probably a little too uptight – not good cross-sell candidates. Do you think anybody that paranoid would take out an interest-only HELOC?
• Classifications for customer profiling purposes and the action that the bank should take based on this test are as follows:
  
  • 0 – 3 correct answers – Mouth Breathers: Give this crowd an updated branch and ATM list and ban their IP addresses for life.
  • 4 – 5 correct answers – Semi-Conscious: You can open the online banking account, but post a $300 credit to the Fraud Anticipation liability account.
  • 6 correct answers – Rocket Scientists: No problem here. These are the brain surgeons and college professors and consultants of your customer base – no worries setting up this crowd on your Internet banking program.

Feel free to copy this questionnaire verbatim, tweak it or wholesale customize it. Use it in your normal account opening process. No pride of authorship here, Chachi. No, I used to work for the federal government, and I remain

Here to Help
-smh