Credit Card

Card Cloned

I was in Tesco yesterday and my card was not accepted. Odd, I resolved to ring the card company when I got home. I forgot. Today I had a call - and I rang them back on their number (they were fine with that, unlike a previous company).

Yesterday there was a payment to someone like totaljobs.com for a few hundred pounds. This was following a transaction for 78p to some obscure place. It triggered some alarm bells with the card company and they froze things until they could talk to me.

The 78p was a test to see if the skimming worked.

I didn't authorise these transactions - somehow the card had been skimmed (amazing really, I never let the card out of my sight in shops and restaurants as I am aware of skimming possibilities).

Fortunately things had been caught, no money changed hands - unfortunately I now have to get a new card.

Tesco Credit card handled the whole thing pretty well.

Reply from Card Company

A while ago I wrote to my Credit Card company, the reply has been sitting in my intray for a while. Here it is.

Thank you for your letter dated 28 November and for taking the time to tell us of your concerns.

I would firstly like to sincerely apologise for any concern you have been caused, and confirm that you are entirely correct about being vigilant with your personal information. I would like to assure you that staff are required to only ask for sections of your identification questions and not the full answer, for example to only give the month of your birth and the first two letters of the password/mothers maiden name.

Please accept my sincere apologies that the member of staff bullied you into giving your security details. I can assure you that customer complaints are taken very seriously and this matter will be raised as internal training issues with the members of staff concerned.

The problems that you have mentioned have been raised before by staff on regular occasions, I am aware that the Royal Bank of Scotland group as a whole is currently looking for a resolution to these problems. Staff have been suggesting some sort of password system, and we are looking to find ways of making a system like this work.

The telephone number given in our messages is given for a specific reason, as the number is for our designated fraud detection call centre with specialist staff.

In the meantime, if you receive a call from someone advising that they are calling from NatWest and is asking for all your security information in full, please feel free to refuse to give this information and call the telephone number on the back of your card. As far as I have been made aware, sales calls will not ask you to divulge any security information so you will only need to do this when we are actually needing to discuss your account.

I would like to confirm that it should have been explained to you that failing to give your details on the phone at that time would only have resulted on problems with your card until you did call the number on the back of your card and confirmed usage genuine. Please accept my apologies that you were threatened with the card not working at all.

I hope that, in spite of your complaint, my response has helped restore your confidence in us. We want you to stay with us and would welcome the chance to look after you in the future.

If you remain dissatisfied with this response, you can write to: (snip). Thereafter if you remain unhappy, The Financial Ombudsman Service is an alternative open to you. Details can be found in the enclosed leaflet.

My reply to this will be sent tomorrow:

I am writing in response to a letter from *****, dated 10th December. Your ref: ***/*****. Please accept my apologies for the delay in this response.

There are several aspects of the reply which I am not satisfied with, and the fact that the fundamental problem remains does not inspire my confidence. I will explain the problems as carefully as I'm able.

Firstly, you quite rightly say that I should not divulge my full security information to anyone who phones me and says they're from RBS or Natwest. However, I was phoned, left a number I did not recognize and when I rang it I was asked to divulge some of my details. This leaves the customer open to two possible attacks.

The first attack is that this could be repeated over a period of time, and each time a different fragment of the security details could be asked for. Eventually there would be enough information for the third party to stand a good chance of gaining access to the accounts of the customer. The second attack is the classic "man in the middle" attack. Once the customer is identified, the person on the phone claims a slow computer whilst a colleague phones the bank. The colleague identifies themselves as the customer, and when asked for the security information the request is relayed back to the customer, the system slowdown having "cleared up". The effect of this is that the customer believes they are talking to the bank, and the bank believes they're talking to the customer. Once the business of the real customer is over, they hang up the phone and the "man in the middle" can continue the conversation with the bank. For this reason, one should not yield ANY security information.

These attacks may seem unlikely, but they are quite workable for an organized team.

The second issue is the statement that "the problems ... mentioned have been raised by staff before on regular occasions". Frankly I find this amazing. If this is the case, then why have steps not been taken to rectify this issue? It was mentioned that the bank was looking into a password system, this seems completely superfluous. A fix could be implemented right this second without any more passwords for the customer. I suggested this in my original letter.

My suggested fix was that if the bank needs to contact the customer, and security information is needed, then the bank should simply say: "please telephone us on the number on the back of your credit card, or on the top of your statement". Should a specific department be needed, then the customer should be asked to dial that number, and then be forwarded on to the appropriate extension. This should be the case even if the person answers the phone. There should be a sentence of the statement reminding customers that they should only divulge security information when they ring one of the numbers which are printed on the statement.

The original letter was due to the fact that I'd been asked to ring back a number which I didn't recognize and asked to provide security details, had the number been the one on my card there would have been no problem.

Letter to Card Company

Let's see what this gets, it's a letter prompted by the card fun this evening.

My particular card is a Tesco one, but it's run by Royal Bank of Scotland. I wonder what they'll say? Probably something bland and non committal.

Dear Sir/Madam

I am writing to express a fundamental concern about your security systems.

This evening I arrived home to find a message asking me to ring the "credit card centre" as soon as possible. The number given was not one I recognised.

When I rang the number, I was immediately asked for my card details and I was a little surprised. To give out card details, including security details to someone who phones up and asks for them is a fundamental security flaw.

Even if in this instance it was legitimate, this approach is open to abuse as you are effectively suggesting to your customers that these details should be given out to anyone who phones up and leaves a phone number.

The man I spoke to tried to find out from my name why the message was left, but could not get into the system without these details.

I tried to explain my concern to him, and asked whether I could simply ring the number on the back of my card. As I was trying to explain this he was saying that if I could not give him my security details then he'd have to terminate the call and I would not be able to use my card.

This is most definitely not appropriate. There was no way that I was going to give these details to someone when I could not verify who I was talking to – and I should not have been pressured to do so.

What should have occurred is that the original message on the answering machine should have asked me to telephone "the number on the back of my Tesco Personal Finance credit card, or on the top of the statement". In this way I could have been sure who I was talking to. In the end I rang this number and the issue was dealt with. I mentioned this to both people I talked to on the phone, but did not get the impression that they even understood the issue.

I appreciate that you need to validate spending from time to time, but in an era of "phishing" scandals I feel that to be left an unusual number on the answer-phone is a huge error, as it could be repeated by the dishonest without raising alarm bells in the customer's mind – especially when the solution mentioned above is so easy. The customer should be told never to give out these details except when they phone the number on their statement/card.

Credit Card Madness

I had a phone call on my answerphone when I got in today. Paraphrasing: 'Hello, it's the credit card centre, please can you ring us on <number I didn't recognise> as soon as possible?' (Essentially they wanted to confirm that my spending today was done by me).

Okay... so I rang. 'Royal bank of Scotland credit cards, can I have your card number, please?' (I have no RBS accounts, but it looks like Tesco use these guys for their card)

'Erm... no.'

'Why not?'

'Well, I'm ringing to return of a message left on my answering machine, and I don't recognise the number, so I'm not giving you my card details. There are lots of scams out there'.

'Okay, perhaps if I could have your name?'

They used my name in the message, so no harm done. I told them.

'Can I have the first two numbers in your security code, please?'

'No'

'Why not?'

Arrrrghghghhghhh!

I tried explaining that giving a phone number that bore no relation to anything on the card was not a good thing as it encouraged punters to give their card security details to cold callers. This makes it really quite awkward in a world of 'phishing' scams. I suggested that the message should have been 'please phone using the contact number printed on your card'

The guy eventually said 'I can't access any details unless you pass clearance, so I am going to have to terminate this call.'

He was not listening to what I said, and I got the distinct impression that he thought I was being awkward for the sake of it. True, I was being awkward, but this is a fundamental flaw in their security procedures. It may not open up problems immediately, but it is exploitable.

I said to him 'if I ring back using the number on my card, will I get through to the same place' - and he responded 'yes'... so why give out a different number?

I'm not impressed. The financial institutions should have a basic rule that customers should not give out details unless they can be sure that they're talking to the bank. - and here they were positively encouraging me to do so.

Idiots.