Product Fails – Online banking Email Alerts

For some time I have been both impressed and baffled by the effectiveness of transaction alerts in the banking sector.

To put things in perspective, I will be looking specifically at email transaction alerts from some of our banks. SMS alerts are good, but most times they provide just about enough information to tell you that there was a credit or debit transaction on your account.

Overall, and without being biased in favour of any one bank, I think Guaranty Trust Bank provides the fastest email service for transaction alerts in Nigeria. This is based purely on my experience and not on a general consensus or extensive research.

On the other hand, considering the speed at which Diamond Bank is able to send SMS alerts for transactions, I wondered why their emails were coming in almost 24 hours after the transactions were made. On one occasion the same emails came in multiple times on the same day, giving the impression of multiple transactions.

In order to better understand what was going on at Diamond Bank with their email alert system, I examined the headers of the emails that I received as transaction alerts.

So here’s what I found out.

  1. The emails are created and dispatched right on time at the exact moment the transaction is recorded in their ERP application.
  2. Next, another server, mbankerpro-ho (10.0.5.246), processes the emails and hands them over to the next server in line, which is dbxchangehubDR.diamondbank.com.
  3. Now this server dbxchangehubDR.diamondbank.com (10.0.5.207) seems to be the bottleneck in the system as it takes a lot of time (over 6 hours) to transfer the emails to the edge server that is responsible for sending out the emails to the world. From the headers this server appears to be running a version of Microsoft SMTP server with id 8.3.348.2.
  4. The emails are finally dispatched by the edge transport server dbedgesvrdr.diamondbank.com (62.173.44.21), which does a good job of dispatching emails in record time to the final recipients – you and me, the account holders.
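The per-hop reading of the `Received` headers described in the list above can be automated. The following is an added example, not part of the original post: the hostnames, IP addresses and SMTP version string are the ones named above, while the timestamps, the recipient relay `mx.example.net` and the exact header wording are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: hosts and IPs are the ones named in the post; the
# timestamps, mx.example.net and the header wording are invented.
SAMPLE = """\
Received: from dbedgesvrdr.diamondbank.com (62.173.44.21) by mx.example.net
 with ESMTP; Tue, 03 Mar 2015 16:42:40 +0100
Received: from dbxchangehubDR.diamondbank.com (10.0.5.207) by
 dbedgesvrdr.diamondbank.com with ESMTP; Tue, 03 Mar 2015 16:42:31 +0100
Received: from mbankerpro-ho (10.0.5.246) by dbxchangehubDR.diamondbank.com
 with Microsoft SMTP Server id 8.3.348.2; Tue, 03 Mar 2015 10:15:07 +0100
Subject: Transaction alert (constructed)
Date: Tue, 03 Mar 2015 10:15:02 +0100

body
"""

HOP = re.compile(r"from (\S+).*?\bby (\S+)")

def hop_delays(raw):
    """Return [(held_by, handed_to, timedelta)], oldest hop first."""
    msg = message_from_string(raw)
    previous = parsedate_to_datetime(msg["Date"])  # creation time as baseline
    result = []
    # Each relay prepends its own Received header, so reverse for time order.
    for value in reversed(msg.get_all("Received", [])):
        info, _, stamp = value.rpartition(";")  # timestamp follows the last ';'
        match = HOP.search(" ".join(info.split()))  # unfold continuation lines
        held_by, handed_to = match.groups() if match else ("?", "?")
        received = parsedate_to_datetime(stamp.strip())
        result.append((held_by, handed_to, received - previous))
        previous = received
    return result

def slowest_hop(raw):
    """Return the hop where the message waited longest before hand-off."""
    return max(hop_delays(raw), key=lambda hop: hop[2])

if __name__ == "__main__":
    for held_by, handed_to, delay in hop_delays(SAMPLE):
        print(f"{held_by} -> {handed_to}: {delay}")
```

Each timestamp comes from the clock of the server that wrote the header, so small or negative gaps usually indicate clock skew rather than real queueing; a gap of several hours at one hop points at that server's queue.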

With this, I think there is a need in this bank, and probably in some others, for an upgrade to their internal email processing system. It appears that the queue is being processed very slowly, or probably in an ad-hoc manner.

Also, it is important to note that the edge server does not have a valid SPF record, which makes it a candidate for spoofing and fraudulent emails. I wouldn’t go heavy on the absence of DKIM records for signing these emails, but this one is also good to have.