On HSBC’s fraud detection algorithm and terrible customer service

You might have seen a somewhat obscure tweet from me yesterday:

I thought that this MASSIVE SHIT SHOW couldn’t fit in a few tweets or even do justice to the awfulness of it all, so I decided to tell the whole story here, given that HSBC’s customer service won’t listen to my complaints (or to anything at all, actually).

Warning: this is a long post.

Many things fell into place last week, so I was finally able to book a bunch of events that I would attend in the upcoming future, and I had to do it quickly before tickets sold out or got more expensive.

So there I was this Friday, happily doing all my bookings and top ups for my upcoming trips, and really glad that I could finally confirm them and get done with the whole thing in 30 minutes. Such efficiency! But one of the things I tried to buy didn’t get through, even if I entered the right answer to the Verified By VISA interstitial. I attributed it to their website having issues (not the first time), and just carried on. I still had to buy a train ticket. Done—almost 100% success! And I had let HSBC know that I would be in the States. It should all be OK.

I bought a couple of toiletries at the Boots in the airport. USING THAT CARD. Nothing weird happened, so by the time I landed in San Francisco I had totally forgotten about the whole matter. I arrived in Mountain View, and with full confidence that HSBC knew that I was going to be in the States, I withdrew some money from an ATM. WITH THAT CARD. Then I went and had dinner. And guess what happened when I tried to pay with the card? It didn’t work anymore. Huh.

But then there’s this thing where my UK-issued card has “DEBIT” printed on it, and US people diligently attempt to charge my bill using the card in “DEBIT” mode, and it doesn’t work, but it does if you charge it as “CREDIT”, even though it ends up being a normal transaction for me. So I thought that maybe the waitress had tried to do this and given up. Since I had cash, I paid and left–with a cloud of suspicion over my head.

Next day we went for dinner and well, my card didn’t work again. The person at the till told me they didn’t have specific ways to choose to bill as credit or debit. I paid with another card, and the suspicion cloud continued growing. The next night I attempted to buy something on Amazon (something that I have successfully done in the past) and a few hours later I got an email saying there was something wrong with my payment method. MEH.

Let’s stop for a moment while I highlight the fact that during all this time I didn’t get any call at all from HSBC, even when there is a US phone number for them to contact me while I’m in the States.

Story time: a few years ago I did some unusual things on a Sunday: I topped up my phone (online). Some 40 minutes later I ventured south of the river and, while I waited for my friend to show up, I topped up my Oyster card, paying with the same HSBC card. Then we had Portuguese pasteis de nata and cafe com leite, which I paid for with my card. On Monday I had a call from HSBC, asking me if those three movements were legit. That seemed overzealous at the time (especially because the amounts were ridiculously low–the total was probably less than £25), but I was OK since

a) they didn’t ruin my day and

b) they proactively called me.

Since then they have made Verified by VISA mandatory in all new cards, moved us all to use the Secure Key device when online banking, and made informing them of our travel plans mandatory. Which means they should be more secure, right? THEY SHOULD!

So fast forward to yesterday when I came back here, quite tired from the flight and hence not in the best of moods to deal with bureaucracy. I thought maybe I could sort this thing out this week if I rushed and went to one of the branches that open on Saturdays, so rush I did, and got to the branch on time.

I explained my issue to the person on the front desk. He started asking me some of their stupid silly questions to confirm that “me” was me. The whole process is idiotic at the very minimum, because here I am, showing you my passport and my existing HSBC card which matches my passport which has my face on it, and I’m telling you my full address –which is not in the passport, so obviously I know a thing or two about myself. But they still keep asking you things such as how many other accounts you have, and whether you did or didn’t make a transaction at merchant ABC two weeks before, and what the amount was. For god’s sake, I sometimes don’t even remember what I had for dinner, how am I going to remember that?

Anyway, after I answered all these questions, the front desker points me to a table where he sits in front of me. I sit too, while he dials something in a phone. I expected him to sort this out for me but instead… he handed me the phone. I was livid:

“What are you doing?”

“You need to explain this to my colleagues”

“What colleagues? Can’t you sort this thing out? Why don’t you explain this to your colleagues? I don’t want to repeat what I’ve told you again. I actually don’t want to speak to anyone on the phone. What’s the point of having a branch if you direct me to a phone?”

“I can’t do anything. They are the fraud department, and they will ask you questions that only you can answer”

“Yeah, and they will ask me the security questions that I can never ever remember for the life of me”.

“Well then—“. He hung up the phone. “Then we can reset your security questions now and we call them again”

So I said OK. He points me to another table—so I have to move all my luggage to that other table. See, at this point my patience was starting to get really depleted.

On to the new table. Since this was another of the colleagues, he hadn’t verified my identity yet. So guess what? BATTERY OF SILLY QUESTIONS AGAIN. “What’s your date of birth?” (even if it’s in the passport). “How many accounts do you have?”, etc. We reset the security questions and a security number which I never know where to use, because there are so many codes at this point that my brain just can’t keep up with all of them.

And then I moved to the initial table again (with my luggage), and called the fraud line. Where they promptly started asking me… MORE SILLY QUESTIONS. But this time they were silly on steroids.

The best one, and which prompted me to complain and then terminate the call when the person on the other side kept being a git, was: “Which direct debits are set up on this account?”. I tried to guess, but to be honest, I wasn’t too sure of how many there are. Off the top of my head I could only remember the council tax and my broadband connection. So I told him, but he wasn’t happy enough, so he started demanding that I tell him THE EXACT NAME of these merchants in the direct debit. Which, as any other sane person will realise, is near to unreasonable to expect the correct answer to unless you’re in front of your online banking account at that very moment. Because maybe you’ve got a contract with AWESOME BROADBAND company, but the name that shows up in the bills is AW BDN01. How on Earth am I going to remember that?

I asked him why he didn’t ask me questions I could answer. We had just reset the infamous security questions that should automagically prove my identity and he wasn’t using any of those. He said that he couldn’t choose which questions were presented to me—they were given to him randomly. At this point I just gave up. I was in a branch. I had proven my identity three times in less than 20 minutes and this wasn’t going anywhere. I hung up and left.

I went home, drank some water, washed my face, and sat in front of the computer. I opened the online banking site so I’d be ready for any stupid question this time, and then rang them again. An automatic message asked me to enter some digits from the security code that I had just reset and… they didn’t match. So I got another message telling me that my security code was now blocked too! ISN’T IT FABULOUS?

I kept on the line and finally a helpful person whose accent I could understand showed up. I provided yet again my card number, the expiration date, all the things. Wasn’t it the fourth time already? I had lost count. She confirmed that, effectively, my security code was locked. So we reset it again. I had this vague hope that she’d continue sorting out all my issues —she was so helpful and seemed so knowledgeable!— but nope. NOPE.GIF

Once the security code was in place, she told me that since this seemed a fraud issue she would have to transfer the call to the fraud department. OH NO. Back to that horrible place again!

So she transfers my call and I’m back in the land of people whose accent is impossible to understand. The conversation mostly consisted of that guy saying something and me repeating it myself and asking him to confirm if that was what he had said. Once I proved I was me AGAIN, he started saying that effectively my card had been used by evil fraudsters to perform illicit operations.

I was… so… not… even.

I asked him: “really? which fraudsters and how is that possible at all?”—because I’m that sort of person that not only makes sure there is a “lock” icon on the website address bar before I even enter any credit card information: I also click to see the certificate information.

And he went down a dangerous route… the I’M GOING TO OUTSMART YOU route. So he started enumerating the operations that their amazing fraud detection system had supposedly prevented. Beginning with… my rdio subscription. Which is set as a recurrent payment. And which is not the first time that it gets paid with that card. So I told him.

But that wasn’t enough. He continued:

“and you bought something in Boots in… Heathrow?”

“Yes, I did”

“And then there is an attempt to pay something at this place in… Mountain View?”

“Yes, that’s a restaurant, and no, it didn’t get through”

“And there’s this other attempt in this other place in Mountain View”

“YES, and it didn’t get through either!”

“And you bought this J-S-C-O…”

“JS CONF—YES I DID!!!!!”

“And… a train ticket?”

“YES!!!!!!!!!!”

And here comes the best part:

“Excuse me… are you in the UK or overseas?”

“I AM in the UK. I told you that I would be going to the States. WHAT IS THE POINT of telling you if you don’t use that information then?”

But you know why he was so confused? Because the transactions weren’t sorted correctly. This might be due to the way transactions work: some of them seem to happen instantly and others seem to be batched and processed some days later. Hence when you look at the transactions list they don’t come sorted by “buy date” but by “transaction effective date”. So things I had bought on Thursday showed up as happening on Monday, and thanks to the magic of sorting by the wrong key, it seemed like I was in two places at the same time.

Get ready for his verdict:

“So we have blocked this card because it has been cloned”

You could believe that the first time. But it isn’t the first time they have given me this excuse, because the same thing had happened to me, about six months ago: I came back from Toronto, went to buy some coffee and BAM, my card didn’t go through, presumably because it seemed as if I was in Toronto and in the UK simultaneously. That time I went to a branch because the person on the phone was just as useless as this one, but the person at the branch sorted everything out for me, even though she told me the same “your card has been cloned” excuse, which I candidly believed back then.

I tried to stop him in his tracks, but he kept going and going on this story of my card having been cloned, and actually a whole range of cards having been cloned. SUCH A MASSIVE CATASTROPHE OMG. Wasn’t HSBC supposed to be super safer now with all the security measures in place? How come they clone ENTIRE RANGES of cards?!

I just couldn’t stand this:

“Listen, this is all stupid. Your fraud detection algorithm doesn’t work. IT JUST DOESN’T WORK. And you’ve seen it because I just confirmed to you that all the transactions, ALL THE TRANSACTIONS, were initiated by me. You left me out in another country without a working card and you didn’t even CALL ME. This doesn’t work. AT ALL.”

You’d think he’d at least apologise profusely, but you’d be quite wrong. He fired a mechanical “yes, I apologise”, and continued with this stupid story and I had to cut him short again because I thought if I didn’t I would just freak out in a matter of seconds:

“When are you going to send me a new card?”

“Four to six days”

“Fine. Bye”

At which point I hung up, and looked at my not-even-six-months-old card with a mix of pity and rage. Should I slice it in squares or maybe just stripes? Or perhaps something more elaborate—arabesque patterns? Or maybe I could start an art project with all the cards that HSBC will instablock during the course of me being their customer. Or build a deck of cards and play magic with them. Or maybe I could start looking for another bank.

But I was so depleted that I… just… went for brunch. At 4pm. YAY JETLAG.

Now that I’m a little bit more lucid (and after sleeping short of 14 hours, what is this madness?) I’m totally open to banking suggestions. Pour them in the comments, and thank you.

A conclusion from this incident

I want to extract some lessons from this shameful incident. I wish I could file a bug on HSBC but I think they’d just pipe them to /dev/null anyway. And I doubt that any of their developers will read this, but who knows? Maybe someone in the future will try to program a fraud detection algorithm and need some hints. So here are my conclusions:

Fraud detection systems can’t be lethal. Where lethal === instablock. Especially if the customer is going overseas and has provided you with contact numbers in case things go awry–there’s an expectation that you will at least call to make sure all is OK before going easy on the BLOCK trigger.

Also, they should be able to take into account previous successful transactions for a given card and whitelist the merchant for the future. If I topped up my phone previously, and want to top up again, don’t flag that as “suspicious” just because fraudsters use stolen cards to buy top ups.

You should ensure you use the proper “order by” key when you query transactions. I’m 99% sure that the algorithm is using transaction location to flag suspicious operations because they’re in another country, but if your order is wrong, you’re going to get wrong results too.
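The ordering problem, as an added example (not part of the original post and not HSBC's code): a naive impossible-travel check run over constructed transactions, once sorted by posting date and once by purchase time, followed by a stepped response instead of an instant block. The 8-hour travel floor, the tuple layout, the use of merchant country as a stand-in for cardholder location, and the `respond` function are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"
MIN_TRAVEL = timedelta(hours=8)  # assumed minimum time for a GB<->US journey

# Constructed sample data, all times UTC:
# (merchant, country, authorised_at, posted_at)
TXNS = [
    ("JS CONF",           "GB", "2014-05-01 10:00", "2014-05-05 03:00"),  # batched
    ("TRAIN TICKET",      "GB", "2014-05-01 10:20", "2014-05-05 03:00"),  # batched
    ("BOOTS HEATHROW",    "GB", "2014-05-02 09:30", "2014-05-02 09:30"),
    ("ATM MOUNTAIN VIEW", "US", "2014-05-03 02:00", "2014-05-03 02:00"),
    ("RESTAURANT MV",     "US", "2014-05-05 02:00", "2014-05-05 02:00"),
]
AUTHORISED_AT, POSTED_AT = 2, 3  # tuple columns usable as the sort key


def impossible_travel(txns, key):
    """Return (earlier, later) merchant pairs whose countries differ but whose
    timestamps in column `key` are closer together than MIN_TRAVEL."""
    def ts(txn):
        return datetime.strptime(txn[key], FMT)

    ordered = sorted(txns, key=ts)  # stable sort: ties keep input order
    flags = []
    for prev, cur in zip(ordered, ordered[1:]):
        if prev[1] != cur[1] and ts(cur) - ts(prev) < MIN_TRAVEL:
            flags.append((prev[0], cur[0]))
    return flags


def respond(flags, contact_number):
    """Stepped response: phone the customer first, block only if unreachable."""
    if not flags:
        return "allow"
    return "call_customer" if contact_number else "block"


if __name__ == "__main__":
    # Sorting by posting date puts a Thursday UK purchase one hour after a
    # Monday US dinner, so the check reports a false positive.
    print("by posting date: ", impossible_travel(TXNS, POSTED_AT))
    # Sorting by purchase time gives GB, GB, GB, then US 16.5 hours later.
    print("by purchase time:", impossible_travel(TXNS, AUTHORISED_AT))
    print("action:", respond(impossible_travel(TXNS, POSTED_AT), "+1 555 0100"))
```

The same five transactions produce one flag or none depending only on the sort key, which is why the key has to be the authorisation time rather than the settlement date.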

And finally, even if this doesn’t have anything to do with the algorithm per se, NEVER EVER treat your customers disrespectfully or as if they were dumb. We are not, and especially when the customer is an engineer, you’re going to outrage them, because we know you’re talking rubbish. IT SHOWS. So don’t make people go through idiotic processes, and never tell lies to excuse yourself.