Credit Union Geek

Marketing, Strategy, and The Force by Joe Winn

Tag: security (page 1 of 3)

Why My Credit Union Is No Longer My PFI

Originally published on CUInsight.com

A few months ago, I slipped a mention of my own credit union relationship. My CU of many years was no longer my PFI. Banking shouldn’t be an exercise in compromises and hassles, yet that was what it had become. My PFI is now an institution which is so seamlessly easy and tailored to my needs that I often forget what it was like to have problems (anything that has come up was handled within a few minutes, no matter the medium).

So, not all credit unions are the same. Besides being designed for differing memberships, they can also have a varied capacity for improvement. It’s why I keep talking about finding the right partners. Maybe a dozen CUs can afford to keep up with innovations on their own; the rest must find strategic partners. However, I digress. My CU wasn’t doing either.

During my time as an active member, here are some of the challenges I encountered:

  • My debit card was compromised. It happens. But replacement taking 2 weeks? I asked for sooner and they wanted to charge $25 for a 3-day timeframe. The Big Banks replace overnight. Build the cost in; the alternative will only upset members.
  • A $100 member reward program failed to deposit funds when promised. Noticed a month later and had to speak to them to get it resolved.
  • Customer support hold times have never been less than 5 minutes. Typically, it was up to 45 minutes, with no system for callbacks in place.
  • No service on weekends after 1
  • Poor support on their mobile app (see post about the security issue, still unresolved)
  • Hard limit on mobile check deposit amounts less than 10% that of competing institutions. Their suggestion was to visit a branch to deposit instead.
  • Online secure contact form takes 48 hours to get a reply

I’ve actually had a number of other issues, but have forgotten the details for inclusion here. The credit union mission is special amongst banking institutions, but it’s not the only thing which matters. You still have to be a top-quality solution for your members. And, if your members have a problem, your resolution process needs to be seamless. It’s as if I’ve written about these things before.

After sharing some of these things on Twitter, I had more than one credit union trying to gain my membership. Unfortunately, I was not eligible by geography or work. However, they were on top of member recruitment and ensuring they were serving not only their members, but potential ones anywhere. Alliant still wants my loan for that Tesla I’m totally getting eventually. 🙂

What are you doing to ensure your members adopt you as their PFI, and not, as I did, fall away from the relationship?

If IT’s Broke, You Can’t Release

Eagle-eyed readers will notice the “typo” in my title. Good catch! However, no mistake was made. We’re talking IT, as in “information technology”. In other words, your digital stuff.

Naturally, I’m a member of a credit union. They are a small to mid-sized institution, and I’m going to leave their name out of the discussion. If you really want to know, a quick check on my Twitter feed will give you the answer you seek. You’ll understand why in just a few sentences.

Honest disclosure: They’re no longer my primary financial institution. Let’s just say that not all credit unions are like yours.

A recent article by a fellow industry writer pointed out many great points about engaging your younger members. Yeah, a Millennials story. With truths! Rhiannon Stone (I’m sure she never gets the Fleetwood Mac reference tossed out…nope, I’m the first) explains, like me, that appealing to young people is just like connecting with anyone else. Your services need to be naturally easy to use, fast, and comprehensive. Also, they just have to work. “You are more likely to keep younger members by providing applications that are straightforward, intuitive, and free of glitches.”

Therein lies the point of this post. Their mobile app, shall we say, is old. It last received an update October 2, 2013. Did your current phone exist back then? 3 years is an eternity in mobile tech. Especially in mobile banking. But, it worked. No, it didn’t fill the screen and functionality was limited, but, the things it did support ran as expected.

On Monday, they released a new version…finally! It debuted a redesigned look and feel along with some new security features. No, the new design wasn’t better, but it was new for newness’ sake. Oh well. But alas, it now supports logging in with Touch ID! Welcome to 2015 and the big bank apps! I eagerly activated this feature. Then I closed the app and reopened it to test.

It didn’t work.

Ok, that’s not fair. The app opened right up with no problem. Only it never asked for my fingerprint. Or my password. It was now stuck “logged in” to my account info. Even logging out in the app was just a tease. Reopen it and there appeared my accounts again.

Being the responsible user I am, I quickly reported this issue to my credit union via Twitter. Two whole days later (they posted “Good morning” tweets in-between), they replied (ok, they “quoted” my tweet, but it’s close enough) with, “Hi Joe, thank your feedback. We’ll look into it and will try to improve this soon!” Grammatical errors are their own.

Would this inspire confidence in the security of your data? Or in their attention to detail? Let’s recall what Ms. Stone said about keeping younger members: “by providing applications…free of glitches.” This is beyond a glitch. It tells me they never bothered testing. In case you might think, “well, he’s a geek, probably running some weird operating system on an obscure phone.” I have an iPhone 7 with iOS 10.1.1, the same setup hundreds of millions of other Apple users enjoy.

I can understand if the interface on their new app had some visual artifacts or performance issues. It’s new and all software has bugs. However, the core security should be rock-solid. This part you can’t compromise or “wing it”. To me, such a critical bug should mean the app gets pulled immediately until it can be resolved. You can’t mess around with security.

My generation doesn’t tolerate security issues or companies with a lax attitude towards technical problems. Look at the uproar when Netflix was recently down for a few hours…the Internet nearly imploded. Netflix, to their credit, was incredibly responsive throughout the outage, updating as they learned more. This is how you have to be now.

Like it or not, your credit union is now a tech company, with all the privileges and responsibilities that come with the role. Those who can fulfill this position well will reap the benefits. Those who don’t grasp this concept will be in a future “mergers of the month” article from NCUA.

Where do you see your credit union in 5 years?

Image credit: http://www.csus.edu/sacstatenews/articles/2010/12/images/instory_security.jpg

Give Your Card A Security Update

Originally published on CUInsight.com

Update 7/12/16: An earlier version of this article claimed Samsung Pay did not use tokenization. They do, my mistake! Corrected. (CUInsight version not updated)

A family friend was in town this past week. She is part of the Boomer generation, so, a user of new tech, but semi-begrudgingly. At one point, we discussed how her Android phone supported mobile payment. “It’s easier and more secure for you!” I explained to her. “You’ll never need to go through the hassle of getting a new card number again!” Her response? “Yeah, still wouldn’t bother. I’d prefer to just swipe.”

This is the type of apathy you’re facing. She didn’t grow up in a world of data security breaches, and considers a reissued credit card “par for the course”. It’s not that she doesn’t believe me when I tell her that mobile payment is vastly better. She just doesn’t care.

Maybe I framed it wrong. As we all have, using terms like tokenization instead of just calling it what it is: A security update for your credit card. So what is tokenization (To-Ken-I-Zeh-Shun)? Besides a big, scary word, of course. It’s always thrown around when mobile payments are discussed, but a recent survey shows understanding is lacking. Nearly a third of people admit to not knowing what it means and almost half say that it wouldn’t encourage them to use mobile payments. My interpretation: That latter group doesn’t grasp what it is either, but is afraid to admit it. So, what is it and why should you care? Tokenization describes how your card number is handled during the transaction. Still fuzzy? That’s ok.

Here’s how a normal purchase works (greatly simplified and leaving out payment processor):

1. Swipe at terminal (or type number on computer).
2. The number on the front of your card goes to the merchant.
3. Merchant asks credit card issuer (your credit union or bank) if the number is good.
4. Bank or credit union looks at number and gives a “yay or nay”.
5. Merchant keeps your name and card number so they know who you are when you buy again.

As you can see, the number on your card passes through multiple hands, and even stays with some. While your financial institution guards the number, others along the line may not. This is how major breaches occur. Bad actors break into these non-bank systems and steal the list of names and numbers, then sell them on the black market. Sometimes they lie in wait, gathering new numbers for months before anyone even notices. Then, the numbers are sold or posted online, and that’s when your frustrations begin.

Here’s how a tokenized mobile payment works:

1. When you add a card to your phone’s “wallet”, it asks your bank or credit union to verify your identity.
2. Your issuer then creates a new number just for mobile payments (which you never see).
3. Upon paying with your phone, a fingerprint is required to show it’s really you.
4. The phone then uses your “mobile payment” number to make another one-time-use number and sends that to the merchant.
5. The merchant asks your bank or credit union if this number is good, but learns nothing from it, since it will never be used again.

The number on your card never leaves your possession. Best part of this? If every one of those systems was hacked, your card number would still be safe. The issuer just makes a new “mobile payment” number for you, and that’s it. No canceling accounts, changing numbers, or mailing cards. In fact, it might happen without you ever knowing. Think of it like a security update for your credit card.
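The five steps above, and the "just make a new mobile payment number" recovery, as a toy model in Python. This is an added example, not code from any wallet or card network: the `Issuer` and `Phone` classes, the `one_time_code` helper, the HMAC-plus-counter scheme and the sample card number are all assumptions chosen to illustrate the idea, and real payment tokenization is considerably more involved.

```python
import hashlib, hmac, secrets
PAN = "4000000000000002"  # constructed sample card number, not a real card

def one_time_code(key, token, counter, cents):
    # One-time value bound to this token, this transaction counter and this amount
    msg = f"{token}|{counter}|{cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class Issuer:  # hypothetical stand-in for the bank or credit union
    def __init__(self):
        self.tokens = {}  # token -> [real card number, device key, last counter seen]
    def provision(self, pan):
        # Step 2: a separate "mobile payment" number and key, distinct from the card number
        token = "9" + "".join(secrets.choice("0123456789") for _ in range(15))
        key = secrets.token_bytes(32)
        self.tokens[token] = [pan, key, 0]
        return token, key
    def authorize(self, token, counter, cents, code):
        # Step 5: approve only a known token, a fresh counter and a matching code
        rec = self.tokens.get(token)
        if rec is None or counter <= rec[2]:
            return False
        ok = hmac.compare_digest(one_time_code(rec[1], token, counter, cents), code)
        rec[2] = counter if ok else rec[2]
        return ok
    def reissue(self, old_token):
        # After a breach: retire the old token, keep the same card number
        return self.provision(self.tokens.pop(old_token)[0])

class Phone:  # hypothetical stand-in for the phone's wallet
    def __init__(self, token, key):
        self.token, self.key, self.counter = token, key, 0
    def pay(self, cents, fingerprint_ok):
        # Steps 3-4: require user verification, then build a one-time message
        if not fingerprint_ok:
            raise PermissionError("user not verified")
        self.counter += 1
        code = one_time_code(self.key, self.token, self.counter, cents)
        return self.token, self.counter, cents, code

def demo():
    issuer = Issuer()
    phone = Phone(*issuer.provision(PAN))
    seen = phone.pay(1250, True)  # everything the merchant ever receives
    first, replay = issuer.authorize(*seen), issuer.authorize(*seen)  # 2nd call is a replayed copy
    new_phone = Phone(*issuer.reissue(phone.token))
    stale = issuer.authorize(*phone.pay(500, True))      # old token after reissue
    fresh = issuer.authorize(*new_phone.pay(500, True))  # new token, same card
    return first, replay, stale, fresh, PAN in seen
```

`demo()` returns whether the first payment was approved, whether a replayed copy of it was approved, whether the retired token and the reissued token still work, and whether the card number appears anywhere in what the merchant saw.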

Tokenization isn’t scary. Swiping your card the old way is. Your credit union put a lot of work into supporting the mobile payment systems…growth will remain stagnant if only 1/4 see the value. Help your members live a safer financial life and spread the knowledge!


© 2017 Credit Union Geek
