Smile – not actually the internet bank at all

About a year or so ago, Bash and I opened a joint account with Smile, who call themselves “the internet bank”. Now, perhaps there was a time, long ago, where Smile were ahead of the pack and could justify calling themselves that. Unfortunately, it looks to me like that time (if it ever existed) is long gone, and the only justification for the moniker is that they don’t have any actual physical presence (apart from call centres, of which more later).

Allow me to explain. First, however, I’d like to solicit suggestions about alternatives. Specifically, does anyone know of a UK bank with a decent online service (not suffering from the problems outlined below) but which has an ethical investment policy? Smile is part of the Co-operative Bank, and as such makes that claim, which appeals to us. However, the warm fuzzies are being nullified by their poor service, so if anyone can suggest where to move, I’m all ears.

OK, so: for anyone without the benefit of a year of Smile, allow me to explain why I think they Could Do Better.

Weak authentication upon login.

The login procedure is as follows: you enter your sort code and account number, you enter a secret four-digit code, and finally you’re asked one of about five personal questions (eg “Please enter your significant date”).

The first observation is that only one of these things can really be called “secret”. The sort code/account number are easily found out (eg if I give you a cheque, or want you to transfer money to my account), and the personal questions are obviously only weakly secret. Many people in the world know what the last school I attended was. Many know the first. Other items (memorable names, memorable dates) are the kinds of things that can be guessed.

The second observation is that the secret code is only four digits long. Four digits (0 to 9), not four characters.

I was on the phone to them yesterday, and the chirpy call centre girl I spoke with had the nerve to state that their security was “better than everyone else’s” as if this were incontravertible fact. Well, with Lloyds TSB I have three keys, only two of which I get to choose and none of which are associated with my account. None of them are only four digits long, either. The first key, which is effectively my username, is a nonsensical mix of numbers and letters. Hard to remember, completely unguessable.

The only mitigating factor here is that of course, failed attempts to log in lock down the account – but that’s also the case with other banks, so how is this stronger? Answer: it isn’t.

The third observation is this: hang on, this is a joint account – we both enter the same sort code/account number. How does it tell the difference between us? Answer: with the 4-digit security code of course! It’s not just for authentication, it’s also the username. Nice! And when I get it wrong three times, it locks me out and it locks out Bash! Because it doesn’t know which of us is getting it wrong/being attacked. In the words of The Mighty Boosh: Genius!

Oh, wait. That’s not genius. That’s stupid design.

OK, so enough about logins. Suffice to say, it’s messy.

No downloadable statements.

The next most annoying thing is that statements aren’t available in electronic format for download. Unbelievable but true! This hasn’t been a big problem for me thus far but at some point in the future I will want to do this and it will be annoying to scrape the HTML by hand. I’ve written to them twice about this with no response. To me, this is a no-brainer, especially for “the internet bank”. Yeah, right.

And yet every month they email me telling me my statement “is ready”.

Inconsistent statement formats, and no running total.

Your old statements have a running total. Obviously. Your latest statement doesn’t. In general, they seem to be different things, your latest statement is somehow “special” rather than just happening to be the most recent page of activity. As a programmer, that makes me think “yicky”. But that missing running total is the worst thing about the statements. Awful!

No dates on standing orders.

Obviously when you set up a standing order, you assign a date to it. For example, “monthly, on the first of the month”. But when you edit them, all you see is “monthly”. What the hell? When’s it going? According to Chirpy Call Centre Girl, the way to find out is “look at your statements and look at when the last one went”. a) That’s just lame, and b) What if the first payment hasn’t gone yet? I just have to sit and wait. Rubbish!

Those are the main things have have bent my widgets over the last year. There are other, smaller, niggly things – such as kicking you out if you accidentally hit “Back” on your browser (Lloyds TSB can deal with this – why not Smile?), but let’s leave it there for now. I know it’s going to take months, but I want to to move to something better, and if anyone’s got any good suggestions, let’s hear them. Thanks!

23 Responses to “Smile – not actually the internet bank at all”

  1. Krag
    August 9th, 2005 | 10:56 am

    Sorry to here about your banking woes, as a smile customer I feel your pain, but then they do give me a very generous student overdraft so I can’t grumble too much :-)

    I’m also with FirstDirect, internet arm of HSBC (hey, you can neve had too many overdrafts) and I’d recommend them. Internet banking does everything I need and they assign you two 10+ numbers for login IDs and ask you for 2 random characters of your 8+ character password each time you login.

    Not sure if they do downloadable statements (I can never remember my login id’s so can’t check it now).

    Oh, they also send you free txt messages when anything happens on your account, you can set rules up for this. (eg Txt me when a credit of over £100 enters my account).

    There’s a flash demo at http://www.firstdirect.com/banking/internet_banking.shtml

    HTH,
    Krag.

  2. August 9th, 2005 | 11:24 am

    Nice one Krag – thanks for the pointer.

    That text messaging service looks pretty sweet – great idea. From the demo it’s not clear if downloadable statements are available, but perhaps not. Certainly there didn’t seem to be an obvious option on the statement view screen, whereas with Lloyds TSB it’s pretty obvious. But let me know if you learn otherwise. :-)

  3. Krag
    August 10th, 2005 | 1:03 pm

    Just a quickie to say statements are downloadable with FD. You set the from and end dates and choose the format (Quicken/MS Money/MS Excel/MS Works/Lotus 123).

    I was about to say there’s no CSV, but having just tried it “MS Excel” format turns out to be .csv :)

    Anyway, I think I’ve done enough pimping for HSBC now.

  4. acb
    August 10th, 2005 | 2:37 pm

    I have an account with the offshore division of Lloyds TSB; the good thing about it is that you have a password which you enter every time, and a “memorable name” from which you enter 3 characters (as selected by the site; different each time) at a time. So even if someone was monitoring your transactions, it’d take them a long time to build up a copy of the memorable name.

  5. August 10th, 2005 | 4:20 pm

    Krag: thanks for that, good to know. In fact, the ability to specify start and end dates is very sexy. With LLoyds TSB you have to do it one page at a time – very tedious.

    Andrew: yeah, that’s what I’m used to with my account and I quite like it. I have three keys: username (not chosen by me, hard to remember), password (chosen by me), and this phrase of which you speak. I think it’s a good system. The same phrase is also used for authentication on their phone banking system, although the user ID is different there.

  6. Jon
    August 15th, 2005 | 8:11 am

    Those “security” questions can be made more secure by making up your answers. No one knows that I use “University of Mars” as my last place of education… ;)

  7. August 15th, 2005 | 8:40 am

    Good point Jon – but even if clued-in security minded types realise this and do it, 99% of people are going to use the real data, I fear. Why should we, the clients, have to harden the bank’s security policies for them?

    In some ways, I suppose this is like being able to choose your own number. Plenty of people will choose easy to guess PINs rather than something meaningless. But at least there the default behaviour is on the secure side, and you have to go out of your way to make it 1234 or 1066 or whatever.

  8. Huw
    October 15th, 2005 | 12:58 am

    How about Nationwide? They seem to treat their customers ethically – not sure about where they invest, or how good they are online.

  9. Andrew
    March 10th, 2006 | 12:39 pm

    I’ve got several internet bank accounts, and I’d consider Smile to be one of the most secure – it’s the only one where I don’t need to write any of the security information down. I know people who keep a file with log-in details and passwords beside their computer because the ID codes that the banks need are so unmemorable. The more complicated banks make it, the more people will do this kind of thing.

  10. February 27th, 2007 | 10:29 am

    I’m also a smile customer and agree that they’ve been resting on there laurels for years. The site design is clunky and unappealing. I need to apply and pay for statements over a year old why!?
    and I cant download my statements as data (excel etc) this seems to be an obvious thing to offer as an internet bank. I’m fed up with there self-congratulatory behavior when they’ve spent years doing nothing to improve the service they offer. I will stay with them however unless there is an ethical alternative as that is my main concern.

  11. October 28th, 2007 | 2:52 pm

    2 years and 2 months after this discussion, and I see that SMILE has not improve 1 thing on their website :-(
    and they call themself THE internet bank, you are right thats’ sad.
    I only realised now that I need it that they don’t provide download if statements, I never checked it up before as for me it THE minimum…
    I am considering changing now, but FirstDirect : I tried already and am not impressed, any others ? Citibank for instance ?

  12. Cat
    January 22nd, 2008 | 12:33 pm

    Recently they’ve started asking you for only 2 digits from your PIN, selected by them, chosen from drop-down menus so a keylogger can’t harvest it. If you get anything wrong, it asks you for the same 2 digits again. (I’ve also noticed that it asks repeatedly for the same piece of personal information if you log in multiple times on the same day.) So it’s slightly better than it used to be. Unfortunately that’s the only thing that’s changed. You still can’t download statements in any useful format. And the font is annoyingly small.

    I agree with Andrew about not needing to write the details down. And making up the personal info is a good idea, but only as long as you can remember what you made up. With 5 pieces, chances are there’s at least one you won’t be asked for for a long long time. If I was opening a new account now I’d make them all conform to a theme (e.g. going with the Mars example I’d choose details from a book set on Mars) which might help.

  13. PK
    September 30th, 2008 | 11:09 am

    One other detail that no-one has mentioned: secure messages sent to Smile are not subsequently available to the sending customers, although such messages are included with any replies received. It means that in the event of Smile’s delay or failure to respond (and they are often days behind in their processing of secure messages related to foreign services) the sender has no evidence that a message was ever submitted. At the very least they could easily provide an option to copy messages to sender email addresses.

  14. G Redford
    October 13th, 2008 | 9:14 am

    I am surprised at all of this. I have only ever needed to download accounts once but was able to do so up to the limit of 6 months which is commonplace.
    Once you have deleted a message from the video it is not probably available again, but until you do it is. Sending a copy by email would not be secure if anyone has access to your computer.
    As far as security is concerned, our family has used several online accounts from time to time and we find this the easiest and most secure. We base our opinion on security on the fact that in all other banks, there have been attempts to access from time to time. Cahoot which has just overtaken Co-op as top of the list is a problem in point. Four times I have been locked out of my account “because this is the third attempt I have made to access with incorrect information.” As I had not tried before, it was obvious that attempts had been made by someone else. Whilst you can congratulate them on switching the account off, I don’t see the point of having an account which is so hard to access oneself whilst being relatively easy for someone else to try. This also requires a change of personal information and Password also.

    The proof of the pudding is in the eating. Smile’s info is easy to remember but obviously safe. I have never been able to access three other bank accounts with there hopeless system of long and complex numbers and other stuff to remember. I resorted to having to write it down and realised this would be a problem. So far, Smile is the only bank which has fulfilled all its promises re security, ethical oulook and useful things like the original £500 fee free overdraft, now no longer available.

  15. G Redford
    October 13th, 2008 | 9:21 am

    One more thing. I appreciate the fact that when I have had to contact the bank away from home (and computer) you can talk to a real person. I cancelled my other accounts simply because I was tired of the ‘voice recognition’ only or FAQ’s of other banks, including Cahoot. Also, it has the facility of being able to have cheque books and cc’s as part of the deal. It is the easiest bank to swap money and pay cc’s without going into a list of other pages (prompting being switched off en route).
    Finally, it is the only bank where the customer can have a say in how their money is used. A priceless facility in this day and age. In view of the present crisis of worldwide banks, watch Co-op and Smile to see how they do that’s if you are not busy trying to find out where your money has disappeared to.

  16. John Sampson
    April 6th, 2009 | 10:00 am

    I know I’m on the tail end of this and hindsight is 20/20, but the whole Business Ethics of the Co-Op have obviously proven themselves to be rock solid during a tumultuous 12 months, unlike RBS, Lloyds etc, bailed out by the UK tax payer to the tune of 50 Billion, which by the way you the tax payer will now be expected to refill the Treasuary. I have never had a problem with the service, in fact I would have no problem recommending Smile as a safe, secure place to leave your money and access your money online, I certainly would’nt RBS or Lloyds. I think there are 10,000 pin code combinations for 4 digits to get through and then two additional prompts for information, that can be used how you see fit, so not sure of your beef.

    Smile has two thumbs up.

  17. i5m
    October 15th, 2009 | 10:43 am

    Interesting post, and even though old it’s still relevant. I’ve been with Smile since before this blog post, but have only recently become interested in online personal finance tools (Mint, Wesabe, etc). Until then I’d been copying and pasting my smile ‘statements’ into spreadsheets. I have found these two tools that help get information out of Smile:

    1)http://www.4square.co.uk/smile/

    2)http://userscripts.org/scripts/show/6976

    Unfortunately it doesn’t seem like Smile have any intention of becoming more Internety. Perhaps more unfortunate is that they can rest on their laurels, I’m not aware of any ethical banking alternative.

  18. jiam
    January 9th, 2010 | 8:47 am

    This is a great thread. I’m getting so fed up with Smile’s service that I’m THIS CLOSE to ditching the ethical concerns and switching to a bank that is aware it’s 2010! When I came across the 4square converter tool, I thought my prayers were answered. But…what are the security risks of using those tools? When I tried the 4square tool for the first time and then saw everything neatly sitting in my personal finance software (though with the wrong categories. obviously.) I was overjoyed…then slightly horrified at the thought that all that information is sitting on a server somewhere. What do you think?

  19. Sapphire
    March 11th, 2010 | 12:39 pm

    The security system when your login goes wrong is rubbish because you are not allowed to change the four digit number yourself. Even if you only get one of your questions wrong, it locks you out and then you have the speak your four digit code to the helpdesk operator. You should be able to change this online so if you give a code you can change it to something secret. It was not that I forgot my memorable information – it was that I could remember how to write it – my first school was a st something I so I couldn’t remember if it was St Something or st something or stsomthing or even StSomething and so it locked me out – to get everything reinstated, I’ve got to provide my four digit code and all the questions again, all from an 0870 number – how is that secure? There must be a better way.

  20. March 13th, 2010 | 8:35 pm

    Totally agree – its amazing how bad their website is like their stuck in a time warp. I will stay because of the ethics but with gritted teeth. No downloadable statements is probably the worst omission.

  21. April 5th, 2010 | 12:15 pm

    I agree, too. I’ve been with smile since 2004, and they’ve changed very little. Apart from asking for two digits only, they’ve now introduced a card reader that you have to use with your debit card every time you want to make an account transfer. I guess they must have had issues with security. It’s very annoying, though — if I go on holiday and have forgotten my card reader at home, I can’t make any money transfers.
    For business banking I’m using HSBC, and they security system is much better, I think. To log on, you use a username (chosen by yourself), a password (chosen by yourself) and a security code generated by a wee key fob that is easy to carry around.
    For Danish banking, I’m with Jyske Bank, and they send you a list of one-off codes, which is nice, too. You keep those codes in your wallet, but you also need your national insurance number and a password (chosen by yourself) to log on.
    Unfortunately, I don’t know any UK internet bank that uses one of these systems (HSBC’s business banking seems to be different from their solution for individuals).

  22. August 4th, 2011 | 9:52 am

    Hi all.

    A few years ago I wrote (for my own purposes) a little web page which allowed me to copy/paste a Smile statement into and it generate a QIF file which can then be used for whatever purpose you wish. I import mine into Microsoft Money.

    I’m surprised to find out that the tool’s been more widely mentioned.

    It used to be hosted at
    http://www.4square.co.uk/smile/

    But it’s now moved to
    http://www.web-development.co.uk/smile/

    Hope it continues to be useful to some of you.

    Dave

  23. Rolf
    February 20th, 2012 | 9:31 am

    Jesus, I must have written 20 or so letters and notes to smile indicating all the holes, flaws, nonsense, non-compliant, standards flaunting aspects of their site. It’s the WORST internet banking application currently available in the UK, aside from those without any online presence at all!

    It hasnt been updated for 10 years….TEN YEARS, in internet time that is basically forever.

    1 – it uses images instead of buttons
    2 – it uses crazy small text across a fluid layout so on a modern 1200 plus res monitor you have to magnify the screen just to read it.
    3 – the system for creating payments and management payments is anti user friendly! If I create a payment why cant I change the narrative if I want to use the details again..? Why cant I enter text for the both narrative lines..? Why cant I see my standing orders and direct debits in any sensible way..?
    4 – statements…its like the developer was testing some code to pull up a simple list of transactions and then left! Where is the full narrative..? Where is the drill down functionality…? Where on earth the the search facility…? How can it not have a search or ordering facility…? How can it not have a date search functions…? How can I not download my transactions…?

    As a web developer myself this site annoys me so much I’d redesign it for free! What on earth is wrong with the management at Smile..? They must have seen other offerings from the other banks…?

    If it wasnt for the ethical investment policy they would have no customers.

    Rolf