12 Oct 2012 skvidal   » (Master)

What I want from schwab:

I had told my partner that schwab had always treated me well. That
they had never made me jump through any ridiculous hoops. That I
could do everything via the web. No need for phone calls.

I told her this b/c I thought it was true. I told her this b/c
she’s deaf and it means a lot to her to be able to do things
entirely on her own w/o having to involve anyone else.

So it was a bit shocking when she was asked to call schwab to verify
the deposit amounts and complete the moneylink setup to your
brokerage service.

Worse yet, when I called to deal with the problem, with her at my
side, I was told no one could speak with me, despite having all
the requisite security information. Furthermore, I was told that
if she wanted to complete the process she would need to call in
via TDD or Relay operator.

This was all done in the name of security. Let’s explain a
bit about how security works.

A person is asked a series of questions that only they should know the
answers to. As a result that person is authenticated as actual. Whether
you ask these questions over the web, in person or on the phone, it
provides you with proof that the person you were speaking with is
authentic. Yes, sometimes that data is compromised by people intending
to defraud but if the person presents all the valid information,
it is impossible to know that.

This is the very basics of how it works:
Question, Answer, Authenticated.

In this case the questions were:
1. ssn
2. mother’s maiden name
3. account number
4. the precise amounts deposited into the other account
to moneylink with

Schwab requires that this information be presented ONLY over the phone.
They claim that this is to make it more secure. How or why a telephone
conversation is more secure is never offered. But I will let go, for
the moment, their claim that it is. For a hearing person.

For a deaf person who is forced to use a Relay operator it means
connecting to a service, having them dial another number, then giving
all of the above information to a random person with whom you have
no contractual nor social relationship of any kind and virtually no
way to track them down, especially if you use the service more than
occasionally.

Please explain to me how that is MORE secure than having my partner
submit the information over an encrypted network connection?

If this were all done over the web, at the end of the day the same
data exchange results, but instead of making my partner angry
and resentful, you’ve made her feel happy. And you’ve not made me
into a liar when I told her that schwab wouldn’t make her do all that.

I want this corrected.

Here’s how you correct it:
1. Make the service entirely web-based and web-driven.

2. Provide a mechanism on your website where if a customer
needs to interact with a representative they can do so
in an encrypted chat window.

3. If you are going to try to force people to use the TTY and/or
relay operators, test it out for yourselves and make
your security audit and customer service people use it
with their own information. See how much trust they feel
in that system.


Syndicated 2012-10-12 13:13:29 from journal/notes
