Westpac is falling behind

Published
Jul 19, 2021
 
It's 2014, and a starry-eyed seventeen-year-old has just stepped off a plane, eager to start a new life in Australia. Opening a bank account feels like a stride towards adulthood, and the big, red "W" looks so welcoming. Seven years have passed since I signed on the dotted line, and today I'm calling it quits.
 
To put it simply, unnecessary friction in the user experience is to blame. I'll focus on two aspects: passwords and transactions.
 

Enter strong passw0-


Westpac passwords are 6 characters, alphanumeric, and case-insensitive. This security seems lacklustre. A Reddit post aptly titled "Why is my most precious password my weakest?", with almost 300 comments, attests to this sentiment.
 
I will admit, prior to writing this, I had not stopped to think "Why?". For context, let's examine the password rules of other banks (as of July 2021).
  • All 'Big Four' banks require some combination of letters and digits; the case-sensitive ones also require capitalisation.
  • Of the 'Big Four', CBA, ANZ and NAB allow between 8 and 16 characters and most special characters.
  • Westpac and CBA passwords are case-insensitive.
  • Bendigo Bank requires 8 characters, no symbols, and is case-insensitive.
  • ING Bank only requires a four-digit access code.
 
Well, one observation is clear: password sophistication varies wildly across banks. This raises the question: am I lamenting over arbitrary security measures?
 
In 2012, Commonwealth Bank released an official statement addressing case-insensitive passwords. CBA explains that it employs multiple layers of security to protect its customers, including "two-factor authentication and extensive monitoring to identify malicious or fraudulent activity". Ok, but shouldn't more sophisticated passwords still increase protection?
 
Troy Hunt, a web security educator, wrote a blog post about banks and their passwords. In it, he asserts, "judging banks by the same measures we judge basic authentication schemes is an apples and oranges comparison". Logically, a longer, more sophisticated password increases the number of possible passwords (the keyspace). However, it is almost impossible to brute force your way into a bank account, because the attacker never gets to try more than a handful of them.
 
Most banks allow three password attempts before flagging suspicious activity or locking your account. Additionally, Australian banks require a customer registration number as opposed to email addresses or user-chosen usernames, so an attacker does not even know which accounts to guess against. Essentially, guessing gets you nowhere.
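To make Hunt's apples-and-oranges point concrete, here is an added worked example (not from the original post, nor from any bank's code): it computes the keyspace each policy listed above admits and what a three-attempt online guesser actually achieves against a uniformly random password. The character-set sizes are my assumptions about what each policy admits; the lengths follow the list above.

```python
import math

# Character-set sizes are this example's assumptions about what each policy
# in the post admits: 36 = letters (case folded) + digits, 68 = 36 plus ~32
# keyboard symbols, 94 = printable ASCII with both cases. Lengths follow the post.
POLICIES = {
    "Westpac (6 alnum, case-insensitive)": (6, 6, 36),
    "CBA (8-16 chars + symbols, case-insensitive)": (8, 16, 68),
    "ANZ/NAB (8-16 chars + symbols, case-sensitive)": (8, 16, 94),
    "Bendigo (8 alnum, case-insensitive)": (8, 8, 36),
    "ING (4-digit access code)": (4, 4, 10),
}


def keyspace(min_len, max_len, alphabet):
    """Number of distinct passwords a policy admits, summed over allowed lengths."""
    return sum(alphabet ** n for n in range(min_len, max_len + 1))


def entropy_bits(space):
    """Strength of a uniformly random password drawn from `space`, in bits."""
    return math.log2(space)


def online_success_probability(space, attempts):
    """Chance an online guesser hits one account's random password within
    `attempts` tries before lockout (three per the post); capped at 1."""
    return min(1.0, attempts / space)


def accounts_to_probe_for_one_hit(space, attempts):
    """Expected number of accounts to attack (each getting `attempts` guesses)
    before the first success: 1/p for a geometric trial. Every probe burns a
    lockout and, per CBA's statement, a monitoring alert."""
    return space / attempts


def compare(attempts=3):
    """Summarise each policy: keyspace, bits, and what a 3-try online attacker gets."""
    rows = {}
    for name, (lo, hi, alphabet) in POLICIES.items():
        space = keyspace(lo, hi, alphabet)
        rows[name] = {
            "keyspace": space,
            "bits": round(entropy_bits(space), 1),
            "p_per_account": online_success_probability(space, attempts),
            "accounts_per_hit": accounts_to_probe_for_one_hit(space, attempts),
        }
    return rows


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:48s} {r['bits']:6.1f} bits  "
              f"p(3 tries)={r['p_per_account']:.2e}  "
              f"accounts/hit={r['accounts_per_hit']:.2e}")
```

The figures assume a uniformly random password, which is the best case for the policy; the lockout, not the keyspace, is what bounds an online attacker. Even Westpac's 31-bit space gives a three-attempt guesser roughly a one-in-700-million chance per account, and the same arithmetic shows why an offline attack (where a leaked hash could be tried billions of times per second) is the scenario in which the short, case-insensitive policy would actually matter.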
 
So, what's stopping Westpac from increasing password length? Hunt clarifies that password limits can often be attributed to legacy systems that were not designed for today's requirements. Interestingly, multiple users claiming to have insider knowledge replied to the aforementioned Reddit post with similar comments.
 
While their credibility cannot be validated, technical debt is a real issue. As user fattydumdum puts it (this is not a joke), "It’s easier for them to plot money into detecting fraud and other security measures than it is for them to upgrade the system that decides on the length of passwords". In other words, it's easier to choose short-term solutions over hard fixes.
 
Doing some reading on this topic has definitely informed my opinion on passwords. There's a lot beneath the surface, and it isn't fair to equate short passwords with bad protection.
 
Technicalities aside, it's still not a good look. For me, it really boils down to my perception of security: more is more. I recognise that overhauling a legacy system is incredibly expensive and might even introduce new risks. However, Westpac holds the title of one of the 'Big Four', and I expect them to rise to the same level as their competitors.
 
So, what can I do? As Hunt suggests, "Let's keep pushing banks to do better, but not lose our minds about it in the process". Gosh, I hate smart people.
 

Transactions [pending]


I'll keep this short and sweet. My two biggest gripes about Westpac online banking are:
  • Transactions do not display a time.
  • Transactions are organised by date of settlement, not the date they actually occur.
 
Is this another arbitrary complaint? No, I think not. My user experience is valid and real and I hate it. In the best of times, I cannot remember the context behind a particular purchase. I am slightly annoyed, but trust that it is not fraud.
 
In the worst of times (right now, in the midst of a pandemic), I cannot reliably depend on my transaction history to track my movements. It is incredibly stressful to have transactions contradict your memory when recounting your last visit to a new exposure site.
 
I would accept this as the norm, but it's 2021 and other banks like CBA and Up have "demystified" transactions.
Screenshot, from left to right: Westpac, CBA and Up. The Westpac app is somehow using more space to show less useful information.

Conclusion


Before my final remarks, I would like to state: I do not claim to understand the underpinnings of the banking system, nor am I singling out Westpac as the only bank with password limits and "vague" transactions.
 
Much of my frustration stems from Westpac's slow adaptation. I have been a customer for seven years, and I even beta tested the new Westpac app. In my experience, Westpac is always late to the game. They were slow to replace the on-screen keypad and even slower to implement push notifications. Now, they're the only 'Big Four' bank that doesn't allow special characters in passwords.
 
I'm sure Westpac knows what their customers want and will keep making improvements. I just can't be bothered waiting. The big, red "W" doesn't look so welcoming anymore. Other banking apps offer a better user experience for my needs, so I'm leaving. And I'm taking the children with me.
 
 
