January 13, 2010

Internet Banking and Trust

Filed under: collabora, facebook — alsuren @ 5:08 pm

or “What Went Wrong”

I’ve probably wasted at least 3 hours of my life on this (and at least a man-hour of HSBC time) so I might as well try to work out what went wrong, and what can be done in future to avoid such problems. Skip to the end if you like.

I made a deposit payment to my landlord on the 7th of this month using internet banking from my laptop. On the 8th, I got a phone call from HSBC telling me that they needed to confirm a transaction. This is commendable, up to the point where they said “before I continue, I will need your date of birth and post code to authenticate you.”

Take it from my point of view: Someone has just phoned me up out of the blue and asked me to give out my personal details. That’s not going to happen. I asked them if there was any way that he could authenticate himself. He said no (clearly this is impossible without arranging some secret in advance) but he could give me their fraud number and I could call them back with a reference number to confirm the transaction. So close, but not quite the right answer. Someone ringing me up and telling me a number to ring doesn’t help me trust him. He then pointed out that there was a number on the back of my card that I could ring and he could put a note on my records to get them to put me through to fraud. Bingo! “Okay, wait a minute for me to put the note on your file. Okay, bye.”

I was slightly sceptical at this point already, since he’s suggested 2 insecure methods of getting my details from me and it’s only the 3rd one which is guaranteed not to be a con. I rang up HSBC and got a pretty prompt response once I’d gone through the usual automated menus. Kudos HSBC: you seem to know how to run a call centre. I told the woman what had happened and said my reference number. She couldn’t find anything on my file about any communication. How odd. She didn’t seem as worried by this as me. She said that someone asking for my birthday and postcode was completely normal (Sure, there are easier ways for a fraudster to find out such information, but I still think that a policy of not giving away any information to people you don’t trust is probably a sound one). I got her to write a note in my file to say what had happened, and that I hadn’t given out any details so my account was safe.

Convinced that I had just been the target of a phishing attack, I rang up 1000 and asked them if they could tell me the phone number before last that I was connected to. Turns out they don’t keep that kind of information.

This morning, I got a letter from HSBC telling me to ring up their fraud number. Again, this was someone contacting me out of the blue and asking me to ring a number, but I put on my “don’t give out any personal details” hat and called them up. This took a little longer to get through, but there was no automated system beforehand, so it’s not too bad. The guy I talked to was very understanding and said that if I had any doubts, I shouldn’t give out any personal details. He said to try ringing up the phone banking or go into the branch, but the likelihood was that I’d need to go into my branch with photographic ID and get them to sort it all out. Sure enough, when I tried internet banking, it gave me an error code which translated to “go into your bank and get your account reset”.

When I went into the bank it was lunchtime, but I got seen straight away (more points to HSBC for this). The lady in the bank was helpful, but there was a note on my file saying that she should phone up a number, and they put her on hold for ages. Apparently this happens a lot at lunchtime. They get all of that sorted out, and I mention that I really need to get this paid by Sunday when I move in. Because it can take a few hours to reset internet banking, she put me onto the woman in the fraud centre to approve the transaction and helped me to set up a standing order for the rent.

I asked the woman in the fraud centre to take a look at the notes on my file, and work out what had happened. Apparently it was recorded that they couldn’t get through to me to confirm the transaction. I explained that I had been given a reference number and told to call a number I didn’t trust, so arranged to call the number on the back of my card instead. She said something like “Yeah, a lot of customers don’t like to ring up the fraud number because it’s an 0845 number and they don’t trust it.” I asked why I was supposed to trust a number that I was given out of the blue, and she said “Tell you what: I’ll give you the number now, and if it comes up again you can trust it.” Turns out it was the same number that was in the letter, but there doesn’t seem to be any reference to it on the HSBC website, and nothing comes up if you type it into the search. For reference, the number is 08456 100 194, but don’t take my word for it, because I might be trying to trick you into giving out your bank details.

So what could have been done better?

If someone rings me up again, I will keep them on the phone until they’re certain they have written the appropriate note on my file. This avoids the race between them writing on my file and me calling up the other number.

Before I call any other number, I will make sure I know the number that called me, so I can report them to the fraud people if it turns out to be someone suspect.

If someone calls up trying to confirm a transaction, I have 24 hours from the time I tried to make the transaction to get back to them. Otherwise I’m going to get locked out of my account again. If they don’t have a clue what I’m talking about, I should make sure that I have talked personally to someone on the fraud team before I give up.

I now know that 08456 100 194 is a trusted number, but there’s no way to write it on my card, so it’s going to get forgotten.

They have a feedback section on their site. I’ve written something in there, and if they get back to me, I’ll be sure to post it in the comments here.

