A while ago I wrote to my credit card company; the reply has been sitting in my in-tray for a while. Here it is.
Thank you for your letter dated 28 November and for taking the time to tell us of your concerns.
I would firstly like to sincerely apologise for any concern you have been caused, and confirm that you are entirely correct about being vigilant with your personal information. I would like to assure you that staff are required to only ask for sections of your identification questions and not the full answer, for example to only give the month of your birth and the first two letters of the password/mother's maiden name.
Please accept my sincere apologies that the member of staff bullied you into giving your security details. I can assure you that customer complaints are taken very seriously and this matter will be raised as internal training issues with the members of staff concerned.
The problems that you have mentioned have been raised before by staff on regular occasions; I am aware that the Royal Bank of Scotland group as a whole is currently looking for a resolution to these problems. Staff have been suggesting some sort of password system, and we are looking to find ways of making a system like this work.
The telephone number given in our messages is given for a specific reason, as the number is for our designated fraud detection call centre with specialist staff.
In the meantime, if you receive a call from someone advising that they are calling from NatWest and asking for all your security information in full, please feel free to refuse to give this information and call the telephone number on the back of your card. As far as I have been made aware, sales calls will not ask you to divulge any security information, so you will only need to do this when we actually need to discuss your account.
I would like to confirm that it should have been explained to you that failing to give your details on the phone at that time would only have resulted in problems with your card until you called the number on the back of your card and confirmed the usage as genuine. Please accept my apologies that you were threatened with the card not working at all.
I hope that, in spite of your complaint, my response has helped restore your confidence in us. We want you to stay with us and would welcome the chance to look after you in the future.
If you remain dissatisfied with this response, you can write to: (snip). Thereafter if you remain unhappy, The Financial Ombudsman Service is an alternative open to you. Details can be found in the enclosed leaflet.
My reply to this will be sent tomorrow:
I am writing in response to a letter from *****, dated 10th December. Your ref: ***/*****. Please accept my apologies for the delay in this response.
There are several aspects of the reply which I am not satisfied with, and the fact that the fundamental problem remains does not inspire my confidence. I will explain the problems as carefully as I'm able.
Firstly, you quite rightly say that I should not divulge my full security information to anyone who phones me and says they're from RBS or NatWest. However, I was phoned and left a number I did not recognize, and when I rang it I was asked to divulge some of my details. This leaves the customer open to two possible attacks.
The first attack is that this could be repeated over a period of time, and each time a different fragment of the security details could be asked for. Eventually there would be enough information for the third party to stand a good chance of gaining access to the accounts of the customer. The second attack is the classic "man in the middle" attack. Once the customer is identified, the person on the phone claims a slow computer whilst a colleague phones the bank. The colleague identifies themselves as the customer, and when asked for the security information the request is relayed back to the customer, the system slowdown having "cleared up". The effect of this is that the customer believes they are talking to the bank, and the bank believes it is talking to the customer. Once the business of the real customer is over, they hang up the phone and the "man in the middle" can continue the conversation with the bank. For this reason, one should not yield ANY security information.
These attacks may seem unlikely, but they are quite workable for an organized team.
The second issue is the statement that "the problems ... mentioned have been raised by staff before on regular occasions". Frankly, I find this amazing. If this is the case, then why have steps not been taken to rectify this issue? It was mentioned that the bank was looking into a password system; this seems completely superfluous. A fix could be implemented right this second without any more passwords for the customer. I suggested this in my original letter.
My suggested fix was that if the bank needs to contact the customer, and security information is needed, then the bank should simply say: "please telephone us on the number on the back of your credit card, or on the top of your statement". Should a specific department be needed, then the customer should be asked to dial that number, and then be forwarded on to the appropriate extension. This should be the case even if the person answers the phone. There should be a sentence on the statement reminding customers that they should only divulge security information when they ring one of the numbers which are printed on the statement.
The original letter was due to the fact that I'd been asked to ring back a number which I didn't recognize and asked to provide security details; had the number been the one on my card, there would have been no problem.
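The two attacks in the reply, and the proposed fix, can be modelled as a small simulation. This is an added example, not part of either letter and not anything the bank has published; the sample secret, the "printed" number and the attacker's call-back number are constructed placeholders, and the bank's challenge policy (read out k character positions of the secret) is an assumption standing in for "the month of your birth and the first two letters". It shows that a fragment-collecting caller needs only ceil(len/k) calls to recover the whole secret when the customer answers every partial request, that a relay attacker is accepted by the bank without ever learning more than the fragment it was asked for, and that the only rule which defeats both is the one in the reply: answer a challenge only on a call you placed to a printed number.

```python
import random
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed sample credential standing in for the "password/mother's maiden
# name" the bank's letter refers to. Not real data.
SAMPLE_SECRET = "marchbanks"

# Constructed placeholders: the number printed on the card/statement, and the
# unrecognised call-back number left in the message. Neither is real.
PRINTED_NUMBERS = {"0800 000 0000"}
CALLBACK_NUMBER = "0845 000 0001"


def bank_challenge(secret_len: int, k: int, rng: random.Random,
                   fixed: Optional[Sequence[int]] = None) -> List[int]:
    """Bank side of a partial-credential check (assumed policy): choose which
    positions of the secret the customer must read out. `fixed` models a
    policy that always asks for the same fragment ("the first two letters");
    otherwise k positions are drawn at random for each call."""
    if fixed is not None:
        return list(fixed)
    return sorted(rng.sample(range(secret_len), k))


def customer_answer(secret: str, positions: Sequence[int]) -> str:
    """A cooperative customer reads back the characters at those positions."""
    return "".join(secret[p] for p in positions)


def bank_verify(secret: str, positions: Sequence[int], answer: str) -> bool:
    """The bank accepts if the fragment matches; it cannot tell who spoke it."""
    return answer == customer_answer(secret, positions)


@dataclass
class FragmentCollector:
    """Attack 1: a caller who rings repeatedly, asks for a different fragment
    each time and pieces the whole secret together."""
    secret_len: int
    known: Dict[int, str] = field(default_factory=dict)

    def record(self, positions: Sequence[int], answer: str) -> None:
        for p, ch in zip(positions, answer):
            self.known[p] = ch

    def next_request(self, k: int) -> List[int]:
        # Pose as the bank and ask only for positions not yet collected.
        missing = [i for i in range(self.secret_len) if i not in self.known]
        return missing[:k]

    def reconstructed(self) -> Optional[str]:
        if len(self.known) < self.secret_len:
            return None
        return "".join(self.known[i] for i in range(self.secret_len))


def calls_to_recover(secret: str, k: int) -> Tuple[int, Optional[str]]:
    """Number of inbound calls a fragment collector needs when the customer
    answers every partial request. Returns (calls, recovered_secret)."""
    collector = FragmentCollector(len(secret))
    calls = 0
    while collector.reconstructed() is None:
        calls += 1
        positions = collector.next_request(k)
        collector.record(positions, customer_answer(secret, positions))
    return calls, collector.reconstructed()


def cautious_customer(secret: str, positions: Sequence[int],
                      customer_dialled: bool, number: str) -> Optional[str]:
    """The rule proposed in the reply: reveal a fragment only on a call the
    customer placed to a number printed on the card or statement."""
    if customer_dialled and number in PRINTED_NUMBERS:
        return customer_answer(secret, positions)
    return None


def relay_attack(secret: str, k: int, seed: int = 1,
                 cautious: bool = False) -> bool:
    """Attack 2: the man in the middle. One attacker phones the bank as the
    customer; the bank's challenge is relayed to the real customer (who rang
    the unrecognised call-back number and believes it is the bank) and the
    answer is relayed back. Returns whether the bank accepts the attacker."""
    rng = random.Random(seed)
    positions = bank_challenge(len(secret), k, rng)               # bank -> attacker
    if cautious:
        # The customer placed the call, but to a number not on the card.
        answer = cautious_customer(secret, positions, True, CALLBACK_NUMBER)
    else:
        answer = customer_answer(secret, positions)                # attacker -> customer
    if answer is None:
        return False                                               # relay is stuck
    return bank_verify(secret, positions, answer)                  # attacker -> bank


if __name__ == "__main__":
    print("fragment collection (calls, secret):", calls_to_recover(SAMPLE_SECRET, 2))
    print("fixed-fragment policy asks:", bank_challenge(10, 2, random.Random(0), fixed=(0, 1)))
    print("relay, cooperative customer accepted:", relay_attack(SAMPLE_SECRET, 2))
    print("relay, cautious customer accepted:", relay_attack(SAMPLE_SECRET, 2, cautious=True))
```

Note the `fixed` policy: if the bank always asks for the same fragment, that fragment is the whole credential and a single call leaks it, so collection needs one call rather than ceil(len/k). Randomising the positions only slows the collector down; it does nothing against the relay, because the relay forwards whatever challenge the bank chooses.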