I promised a couple of months back that I’d blog about a “security incident” with an agent of my bank once the transition was complete. Well, the transaction completed last week and then something similar happened with my credit card company. Anyway, I’ve calmed down now so here’s what happened….
I re-mortgaged my house in order to (1) get a better deal and (2) free up some of the equity so I could do some improvements. The improvements have started – I’m repainting some rooms and at the weekend I ordered the new carpets.
My new mortgage provider, let’s call them Intelligent Finance (because that’s their name), said that they’d have a firm of surveyors call me to arrange a time to come and value the property. A couple of days later the company phoned me. The woman who I spoke to said she was from the surveying company and she’d called to arrange a time and would I give her my credit card number so that the survey would be paid for in advance.
I didn’t know who this person was. They could have been anybody who might have happened to find out I was re-mortgaging – it wasn’t exactly a secret that I was doing that. So I said that given that I wasn’t able to verify that she was who she said she was, I wasn’t going to hand over my credit card details to someone who phoned me.
This is an issue I feel very strongly about. Despite what many people believe, it is well known that one of the least safe credit card transactions is the over-the-phone “Cardholder not present” transaction. I’m not keen on giving my card details over the phone when I’m initiating the call, but when someone calls me and I have no way to verify who they are then I will never give out any details.
So, I phoned IF to get the phone number of their surveyors and said how disappointed I was in the complete lack of security. I phoned back the surveyors with a number that I knew came from a trusted source (my bank) and paid for the survey.
Now that my re-mortgage is through, I started to buy the things I wanted for the home improvements I was doing. So, I went to buy a new carpet for my lounge, hall and bedroom. I was asked to pay a deposit (if you can call 80% a deposit) and the card had to be authorised over the phone with the bank. When I got home there was a message waiting for me on my voicemail to say that my card had been used in an unusual transaction and could I call my bank’s fraud department.
This bank, let’s call them The Royal Bank of Scotland, ask in the voicemail to call their fraud department on a specific phone number. So, I look on my card to verify the number. It isn’t there. I look over my old statements to verify the phone number. It isn’t there either. I cannot verify that the phone number given to me belongs to the bank. So I phone their customer services department to say that I apparently had a call from their fraud department but I wasn’t able to verify that it really came from the RBS or not. The woman I spoke to confirmed that it was them that had phoned.
Now, there are many vulnerable people out there who don’t take security issues all that seriously and would blindly call a phone number like that thinking there was something wrong. I suggested to the person that I spoke to that a better message might be to say to phone the phone number written on the back of the card or written on the credit card statements. If people start getting messages like this that are genuinely from their bank then they become desensitised to the potential security risks and are more likely to give out their credit card details to the wrong people without realising or even thinking about it.
The excuse by the RBS was that they ask very specific security questions. Really? How is the average consumer meant to know that? How is the consumer meant to verify that the person asking these questions is, in fact, an authorised employee or agent of the bank? In order to carry out a malicious transaction all a con-trickster needs to know is the credit card number, expiry date and the 3 digits on the signature strip. If they want to know more they can ask the most common security questions like: What is your mother’s maiden name? What is your Date of Birth? What was the name of the first school you attended? If they know the bank’s procedures well enough they can be quite convincing by asking other security questions related to that bank.
I think that on the whole banks are taking security seriously. However, there still remains the issue of trust. How can the consumer trust that the person who phones them is a genuine agent of the bank who is authorised to carry out the task at hand?
NOTE: This was rescued from the Google cache. The original was dated Tuesday 10th January 2006.