Having a bank account without having a phone number
I hate phone numbers. I hate the synchronous audio communications paradigm the phone network represents, and I'm hardly the only one; but I also hate the phone number namespace as a namespace, as I've written previously. To put it another way, I am politically opposed to the telephone network, to phone numbers, the existence of phone numbers and to having a phone number.
Some years ago, the European Union introduced a piece of legislation, the Payments Service Directive 2 (PSD2), which continues to come into effect. One consequence of this legislation is a requirement for “strong customer authentication”.
UK banks seem to have largely decided to implement this by making the invalid and entirely baseless presumption that anyone with a bank account must have a phone number, and to start sending authentication codes by SMS or robocall to one's phone number whenever one attempts to access one's account online. The effective result of this is to deny me access to my own bank account, because I don't have a phone number. Not only that, in a statement of astonishing audacity, my bank even had the nerve to mail me a letter telling me that if I don't have a phone number on file, I will no longer be able to make payments online. Given that this is basically all I use the account for in the first place, the effective outcome of this is to render me unbanked unless I agree to have a phone number.
The net result of all this is that the UK banking industry appears to be effectively trying to coerce me into having a phone number, something I am not only politically opposed to but which I also have no use for whatsoever, and which frankly I would regard as a security liability.
Once in the past I did have a phone number, on a prepaid mobile, purely to satisfy the irritating habit of companies demanding a phone number, presumably under the completely baseless presumption that it gives them some sort of way of contacting me, when in reality I never answered calls to it ever under any circumstance, because I do not support audio communications. The sheer effectiveness of such “placebo numbers” is comical, a sort of silly comfort blanket for corporate customer relations departments; whereas the ubiquity of presumption that because I have a number and give it to them, this means it will ever be answered, ever, is simply deeply amusing.
However, since there are no circumstances in which I wish to make a phone call, receive a phone call, or for that matter send or receive SMS messages (SMS being probably one of the most ridiculous and overpriced telecommunications networks ever to have blighted the earth, at least in this century), the carrier eventually decided I clearly don't need the number after all and yoinked it off me, and, presumably, reassigned it to someone else; meaning that some random third party is now the phone number of record for assorted accounts. How secure. This of course underlines the absurdity of trying to force reliance on the telephone network for “security”, because the security of the telephone network is nowadays an open joke both for this and for a million other reasons.
So essentially my bank is trying to force me, for “security”, to get a kind of identifier which I cannot own, certainly nowhere near to the same extent that say, a domain name can, and which can randomly be taken from me by a carrier at a whim without recourse, or be stolen by anyone who can hack the routing of the telephone network or socially engineer a carrier, which both, as of writing, appear to be hopelessly easy. Yet even if I do, such an identifier will be taken from me unless I pay to consume a service I literally have no want or need for, so the effective outcome here is that banks are trying to force me to pay a telco for a service I have no want or need of, and not only that, make me tie it to my bank account, nominally to make my account more “secure” and in actuality to make it less secure.
Thus begins my quest for a problem that never should have existed in the first place: to have a UK bank account without having a phone number. “Having an account” here implies the ability to use a debit card and make wire transfers online, so this excludes anything like “well, you can have an account, but we won't let you do anything with it unless you give us some phone number... any phone number”.
Initial research. There's been some reporting on people who have been rendered unable to access their accounts owing to this assumption that everyone has a phone number. Stephen Murdoch of UCL has also written about this issue here, touching on both the exclusionary nature of assuming everyone has a mobile phone, and the extremely questionable (or rather, simply wrong) decision to treat SMS as a secure communications network. Extraordinarily the latter article even notes a case where a victim of SIM-swap fraud — where a telco was fooled into reassigning the victim's number to another SIM by a fraudster — was blamed on the victim by the bank! How a bank customer is supposed to prevent their mobile carrier from being defrauded through deficiencies in the carrier's own practices, and through no fault of the customer's own, is beyond me. In one case a victim of SIM-swap fraud had £5000 taken from their bank account, a direct result of the false notion that SMS is a suitable medium for secure authentication.
While the default perception of banks might be that they will be highly concerned with security, this has never been my perception; I've always seen banks as caring only about liability and regulatory compliance, which is sort of but not actually the same thing.
In any case, whenever some new regulation is introduced, whether for banks or for any other kind of company, generally there will be companies which interpret it reasonably and companies which interpret it pathologically. The companies which interpret a regulation pathologically will claim innocence and that they have no choice but to act as they do, yet this will be demonstrated a lie by their peer companies which have less pathological interpretations yet would equally protest their compliance with the regulations. Perhaps the most famous example of this in the UK is “health and safety” regulations, where countless companies will protest that they can't allow this or that due to “health and safety”, when in reality the choice was theirs and made on the decision to minimise any conceivable liability to their company in court, no matter how improbable or baseless such a complaint might be. The increase in popularity of seemingly baseless civil personal injury lawsuits, which are no doubt expensive to defend even if won, is probably a contributing factor to this.
It's not particularly surprising therefore to find, based on the above linked article, that UK banks differ on their implementation of the new regulations. Some banks will only send SMS, and not even make automated voice calls to a landline; some will at least do that, but might not allow payments to be made if you don't have a phone number at all, and others will consent to send verification codes via email instead. Based on this information there is a distinct sense that there is a statistical distribution not just in terms of the interpretation of the regulations but also how much effort has been put into the implementation; not even being able to call a landline is just comically half-arsed.
I suspect that many banks are trying to implement these requirements as cheaply as possible. Fortunately, this does not appear to be universal; some banks will issue card readers which can generate authentication codes using an issued debit card. Thus I chose to migrate to an institution that does this and thus doesn't require me to have a phone number to authorize transactions. Moreover, this card reader approach is much more secure than relying on SMS in any case.
Switching accounts. Nowadays, UK banks and building societies let you open new current accounts via their website. This is an interesting development since the UK has traditionally had very strict requirements for proof of address when opening a bank account; I believe a century ago a reference from another customer of the bank would generally be required.
The form asked for name, address, date of birth, nationality, country of birth, marital status, annual income, approximately what month and year I moved to my current address, employment status, whether I wanted an overdraft, whether I have any dependents and whether my income might decrease in the next two years. Randomly, it also asked me to quantify any monthly outgoings for the reasons of rent/mortgage, property changes, childcare or school fees, child support or student loan repayments, then got my permission to perform a “soft” credit check.
Then, disaster; the form asks for contact details. The “mobile phone” field is mandatory; both the “landline” and “email address” fields are, curiously, optional. Apparently you can have a mobile phone and a landline, but someone with a landline and no mobile phone is inconceivable.
Since I'm not spoilt for choice in terms of reasonable financial institutions in the UK, I started searching their website for contact methods. The “contact us” page keeps trying to direct you to call them — why are companies so obsessed with synchronous communications, when asynchronous communications would probably cost less in employee time and resources? The closest thing to a way to contact them via email was a feedback form. I completed the form, which promised a response via email. “I don't have a mobile phone number, or any phone number”, I wrote. By the following day I had a response: “maybe there's a landline number you could put in there? We need a phone number in case we need to contact you urgently.” I replied: “I don't have a phone number of any kind. For urgent matters email works best.”
The reply stunned me. I laughed: “I don't think our system will let you sign up without a phone number but you can try putting all zeroes in as the phone number and see if the system accepts it.”
Ordinarily I wouldn't do something like this as it feels like bad faith. But here I was, being given OFFICIAL PERMISSION by a company representative to do just this. Back to the form; interestingly all zeroes did not work, as the mandatory “mobile number” field wanted a number beginning with 07 (all mobile numbers in the UK begin with this¹). This also means that entering a landline for this field wouldn't have worked — so this form couldn't ordinarily be completed by someone with only a landline. However, I entered 07 followed by zeroes, which it happily swallowed.
The form also asked whether I wanted my current bank account switched automatically. The Current Account Switch Service is a scheme which all UK banks and building societies participate in, and allows all balances and standing orders to be transferred automatically and the losing account to be closed automatically. This was convenient to me since I no longer had online access to the losing bank account at this point, being that it now insisted that the only way to login to it was to enter a verification code sent to a mobile phone number which has not been assigned to me for years.
For the switch, the form asked for the sort code and bank account number of the old account, and whether a debit card was issued for the account. Saying yes, it asked for the last five digits on the card, the expiry date, and the name on the card.
Finally it asked me to verify my ID. I had passport scans and mailed bank statements (proof of address) ready, but it wouldn't accept JPEGs and instead wanted to use an attached webcam to take a photo of me and, presumably, my passport right there and then. Since this was a desktop with no webcam attached, this couldn't be completed. Curiously, though, this did not fail the application; instead, it simply stated that the account details would have to be posted instead of shown to me immediately. I assume if this ID check had passed, I would have been given sort code, account number and PIN immediately.
The subsequent mailings included the PIN number, debit card, etcetera, and eventually a card reader. Note that I didn't have to do anything in response to anything mailed to complete the opening of the account; it was simply assumed I wouldn't be able to access or do anything with it if I wasn't able to receive mail at the address. It's interesting that this is considered adequate proof of address in the UK, which has traditionally had very strict proof of address requirements for opening bank accounts. It's also unclear to me how my identity, as opposed to my address, was verified if at all. It's possible that this was verified via the old account's details I entered for the purposes of the switching process, and that more stringent verification would have been needed if I wasn't switching from an existing account. There are some mentions of having to take a passport into a branch to confirm the opening of the account if the online ID check is failed, so perhaps this would have been necessary if I wasn't switching.
How secure is this process? Speaking of which, it's equally interesting how little authentication is needed to switch an account, which results in receiving all funds in the account and the account being closed. I only had to input the sort code, account number and last five digits, expiry date and name on the debit card attached to it. The only thing really secret about any of this is the first of the last five digits of the card number; a single digit. Moreover, all of this is information which any online merchant I have used in the past might possess. I would guess (or hope) that the address given for the new account and the address filed for old account have to match, though fully automated matching of addresses is likely to be error-prone and it's quite plausible they only match e.g. postcode.
I received only a single communication from the losing bank about the switch, two days before the switch was due to complete, on a Saturday. The letter noted that if I hadn't requested the switch, I should call them immediately. This is remarkably short notice. The switching process takes seven working days and the letter was dated on the day the switch process began, so the letter was at least dispatched the instant the switch process began; however my losing bank has some way of sending mail in the slowest possible way, such that it took nine days to arrive and only two days before completion. Moreover, no action by me to the losing bank was necessary for me to authorize the switch; the process is completely “gaining provider led”.
In short, to the extent that this process is secure, it relies in large part on someone who is being impersonated taking action when they receive mailings about a new account they didn't ask for. Were I on some extended vacation, this could easily be exploited. Anyone who has ever seen my debit card and knows my date of birth could open an account in my name and have all funds in my current account transferred to it. By the time I return, this process might already be complete. On the other hand, accessing the account would be impossible without receiving the debit card or online banking passcode mailed to the address, so it's hard to see what the incentive would be for an attacker.
Card readers. While most UK banks may not use card readers for personal accounts, I believe they're fairly popular for business accounts, so the infrastructure isn't as underdeveloped or new as one might expect. While all card readers issued by UK banks are branded with their logo, I am told they are in fact standardised within the UK and all compatible with one another.
The card reader I was issued is manufactured by Gemalto; it wouldn't surprise me if they all are. It is really a standard design which just has the branding changed for a specific institution.
The technical infrastructure for the use of card readers and debit cards to authorize transactions is known as the Card Authentication Program, at least for MasterCard; other networks as usual have different names. The protocol is known as EMV-CAP, and open source implementations do exist, though I should obviously point out that using these on an internet connected machine (e.g. with a USB smartcard reader) defeats much of the security gained by the use of card readers, so this does not seem particularly well advised.
The device turns on when inserting a card, and asks you to select one of the three functions:
“Identify” is used when logging in to online banking. It prompts for your PIN and then shows an eight-digit authentication code. Since the device can't know the current time (the batteries are 2xCR2032 and user-replaceable, and there is no provision for setting the time), this is presumably a HOTP-like, counter-based function. This raises the possibility of desynchronization (e.g. if you generate hundreds of Identify responses for some perverse reason without using them, and your bank only validates against a small window of counter values following the last response you actually used with it).
Since it's not a challenge-response process, you could also presumably use this function multiple times to create a handwritten list of responses, akin to TANs, crossing them off as you use them. This might be useful if you just want to check statements and balances when you don't have a card reader with you. Of course, it also offers reduced security if anyone steals the list, but since “Identify” responses can only be used to login to online banking and view information, but not authorize new payments, arguably this isn't that much of a concern.
“Respond” is a challenge-response function. It prompts for your PIN and then an eight-digit challenge, then generates an eight-digit response.
“Sign” is an extended challenge-response function which accepts a PIN, an eight-digit “reference” and a transaction amount, and then generates an eight-digit response.
There seem to be some variations between banks around when they use “Identify”, “Respond” and “Sign”. In general “Respond” seems to be used when making debit card payments, at least if the merchant decides to make you use 3D Secure (and supports using a card reader for it), or to authorize other operations which don't fit into the idea of a transaction with an amount. “Sign” seems to mainly be used to authorize new wire transfer destinations in online banking, but some banks don't use it at all.
On the whole this seems to me like a pretty well-designed system. The use of three different modes to create segregated authentication contexts is relatively impressive in that it chooses greater security over a desire to simplify things to avoid confusing users. There are some weaknesses which have been documented in the past, like the fact that for older versions of the protocol, Identify is apparently equivalent to Respond with an all-zeroes challenge, meaning that someone could be fooled into providing an Identify response; but this is apparently fixed in current versions. Some other security concerns are noted here.
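The following is an added example, written for this page and not derived from any bank's or reader vendor's code, which models the three reader modes described above and two of the properties discussed: counter desynchronisation when too many unused Identify codes are generated, and domain separation between modes so that an Identify code cannot be passed off as a Respond to an all-zero challenge. The cryptogram here is a truncated HMAC-SHA256 over (mode, counter, challenge, amount); this is a constructed stand-in, not the EMV-CAP algorithm, and the look-ahead window size, the key and the PIN are all assumptions.

```python
import hashlib
import hmac

# Constructed look-ahead window: how many counter values beyond the last
# accepted one the bank will search before declaring the reader desynchronised.
WINDOW = 20


def cryptogram(key: bytes, mode: str, counter: int, challenge: str = "", amount: str = "") -> str:
    """Eight-digit code. The mode name is mixed into the MAC input, so an
    Identify code can never verify as a Respond code, even for challenge
    00000000 (the older-protocol weakness mentioned in the text)."""
    msg = f"{mode}|{counter}|{challenge}|{amount}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


class CardReader:
    """Reader side: a PIN-gated counter that advances on every use, with no clock."""

    def __init__(self, key: bytes, pin: str):
        self._key, self._pin, self.counter = key, pin, 0

    def _use(self, pin: str, mode: str, challenge: str = "", amount: str = "") -> str:
        if pin != self._pin:
            raise ValueError("wrong PIN")
        self.counter += 1
        return cryptogram(self._key, mode, self.counter, challenge, amount)

    def identify(self, pin: str) -> str:
        return self._use(pin, "IDENTIFY")

    def respond(self, pin: str, challenge: str) -> str:
        return self._use(pin, "RESPOND", challenge)

    def sign(self, pin: str, reference: str, amount: str) -> str:
        return self._use(pin, "SIGN", reference, amount)


class BankServer:
    """Bank side: shares the key and remembers the last accepted counter."""

    def __init__(self, key: bytes):
        self._key, self.last_counter = key, 0

    def verify(self, code: str, mode: str, challenge: str = "", amount: str = "") -> bool:
        for c in range(self.last_counter + 1, self.last_counter + 1 + WINDOW):
            if hmac.compare_digest(code, cryptogram(self._key, mode, c, challenge, amount)):
                self.last_counter = c  # resynchronise to the counter just used
                return True
        return False


KEY = b"constructed-card-key"  # constructed sample key shared by card and bank
PIN = "1234"                   # constructed sample PIN


def demo_desync(unused_before: int) -> bool:
    """Generate `unused_before` Identify codes without submitting them, then
    submit the next one; returns whether the bank still accepts it."""
    reader, bank = CardReader(KEY, PIN), BankServer(KEY)
    for _ in range(unused_before):
        reader.identify(PIN)
    return bank.verify(reader.identify(PIN), "IDENTIFY")


def demo_mode_separation() -> bool:
    """Replay an Identify code as a Respond to challenge 00000000; must be rejected."""
    reader, bank = CardReader(KEY, PIN), BankServer(KEY)
    code = reader.identify(PIN)
    return bank.verify(code, "RESPOND", "00000000")


def demo_sign_binds_amount() -> tuple:
    """A Sign code is bound to reference and amount: a tampered amount fails,
    the genuine one then still verifies (the bank's counter was not consumed)."""
    reader, bank = CardReader(KEY, PIN), BankServer(KEY)
    code = reader.sign(PIN, "12345678", "100.00")
    tampered_ok = bank.verify(code, "SIGN", "12345678", "1000.00")
    genuine_ok = bank.verify(code, "SIGN", "12345678", "100.00")
    return tampered_ok, genuine_ok


if __name__ == "__main__":
    print("19 unused codes, then one used:", demo_desync(19))
    print("20 unused codes, then one used:", demo_desync(WINDOW))
    print("Identify code replayed as Respond(00000000):", demo_mode_separation())
    print("Sign with tampered / genuine amount:", demo_sign_binds_amount())
```

With a window of 20, nineteen discarded Identify codes are tolerated but twenty push the reader's counter past the window and every later code is rejected until the bank resynchronises it by some out-of-band means; a real bank would pick its own window and resync procedure. The mode tag in the MAC input is the cheap fix for the Identify-as-Respond confusion: the same card and counter produce unrelated codes in each mode.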
1. Actually, UK mobile numbers all begin with `07[1-9]`; numbers beginning `070` belong to a separate “personal numbering” space. `070` numbers are commonly used by scammers as they can have significantly elevated call charges, yet whereas everyone knows `09` numbers are premium rate, barely anyone knows about `070` numbers or that `070` is different to `07[1-9]`. This is obviously a very bad design decision in terms of a national numbering plan, but one we're stuck with. In any case, whoever made the form demand that a mobile phone number begin with `07`, but accept numbers beginning `070` presumably didn't know this.⏎
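As an added example (written for this page, not the bank's form code), here is the weak check the form evidently applied, "begins with 07", beside a check that follows the numbering-plan rule from this footnote, with the domestic 070 personal-numbering range and obvious filler such as 07 followed by zeroes told apart from a genuine mobile format. The sample numbers are constructed from Ofcom's reserved drama ranges; the classification labels are my own.

```python
import re

# Weak rule the form appears to have used: anything that starts 07 and is
# eleven digits long, so "07" + nine zeroes passes.
WEAK_MOBILE = re.compile(r"07\d{9}")


def normalise(raw: str) -> str:
    """Strip spaces, dashes and brackets; turn a +44 / 0044 prefix into the domestic 0."""
    digits = re.sub(r"[\s\-()]", "", raw)
    if digits.startswith("+44"):
        digits = "0" + digits[3:]
    elif digits.startswith("0044"):
        digits = "0" + digits[4:]
    return digits


def weak_check(raw: str) -> bool:
    return WEAK_MOBILE.fullmatch(normalise(raw)) is not None


def classify(raw: str) -> str:
    """Classify an entered number per the UK plan: 07[1-9]... is mobile,
    070... is personal numbering, and a single repeated digit after the
    07 prefix is treated as a placeholder rather than a number."""
    n = normalise(raw)
    if WEAK_MOBILE.fullmatch(n) is None:
        return "not-uk-mobile-format"
    if n.startswith("070"):
        return "personal-numbering-070"
    if len(set(n[2:])) == 1:
        return "placeholder"
    return "mobile"


def strict_check(raw: str) -> bool:
    return classify(raw) == "mobile"


if __name__ == "__main__":
    # Constructed samples: Ofcom drama ranges (07700 900xxx, 020 7946 0xxx) plus the fillers from the text.
    for sample in ["07000000000", "07111111111", "+44 7700 900123", "020 7946 0000"]:
        print(f"{sample!r:>18}  weak={weak_check(sample)!s:5}  strict={strict_check(sample)!s:5}  {classify(sample)}")
```

Note that the stricter check fixes the numbering-plan mistake but not the exclusion the post complains about: a customer with only a landline, or no phone at all, still cannot complete the form. That is a product decision (make the field optional and accept another contact channel), not something a better regex can solve.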