Alsuren

January 13, 2010

Internet Banking and Trust

Filed under: collabora, facebook — alsuren @ 5:08 pm

or “What Went Wrong”

I’ve probably wasted at least 3 hours of my life on this (and at least a man-hour of HSBC time) so I might as well try to work out what went wrong, and what can be done in future to avoid such problems. Skip to the end if you like.

I made a deposit payment to my landlord on the 7th of this month using internet banking from my laptop. On the 8th, I got a phone call from HSBC telling me that they needed to confirm a transaction. This is commendable, up to the point where they said “before I continue, I will need your date of birth and post code to authenticate you.”

Take it from my point of view: Someone has just phoned me up out of the blue and asked me to give out my personal details. That’s not going to happen. I asked them if there was any way that he could authenticate himself. He said No (clearly this is impossible without arranging some secret in advance) but he could give me their fraud number and I could call them back with a reference number to confirm the transaction. So close, but not quite the right answer. Someone ringing me up and telling me a number to ring doesn’t help me trust him. He then pointed out that there was a number on the back of my card that I could ring and he could put a note on my records to get them to put me through to fraud. Bingo! “Okay, wait a minute for me to put the note on your file. Okay, bye.”

I was slightly sceptical at this point already, since he’d suggested 2 insecure methods of getting my details from me and only the 3rd was one which is guaranteed not to be a con. I rang up HSBC and got a pretty prompt response once I’d gone through the usual automated menus. Kudos HSBC: you seem to know how to run a call centre. I told the woman what had happened and gave my reference number. She couldn’t find anything on my file about any communication. How odd. She didn’t seem as worried by this as me. She said that someone asking for my birthday and postcode was completely normal (Sure, there are easier ways for a fraudster to find out such information, but I still think that a policy of not giving away any information to people you don’t trust is probably a sound one). I got her to write a note in my file to say what had happened, and that I hadn’t given out any details so my account was safe.

Convinced that I had just been the target of a phishing attack, I rang up 1000 and asked them if they could tell me the phone number before last that I was connected to. Turns out they don’t keep that kind of information.

This morning, I got a letter from HSBC telling me to ring up their fraud number. Again, this was someone contacting me out of the blue and asking me to ring a number, but I put my “don’t give out any personal details” hat on and called them up. This took a little longer to get through, but there was no automated system beforehand, so it’s not too bad. The guy I talked to was very understanding and said that if I had any doubts, I shouldn’t give out any personal details. He said to try ringing up phone banking or go into the branch, but the likelihood was that I’d need to go into my branch with photographic ID and get them to sort it all out. Sure enough, when I tried internet banking, it gave me an error code which translated to “go into your bank and get your account reset”.

When I went into the bank it was lunchtime, but I got seen straight away (more points to HSBC for this). The lady in the bank was helpful, but there was a note on my file saying that she should phone up a number, and they put her on hold for ages. Apparently this happens a lot at lunchtime. They got all of that sorted out, and I mentioned that I really needed to get this paid by Sunday when I move in. Because it can take a few hours to reset internet banking, she put me onto the woman in the fraud centre to approve the transaction and helped me to set up a standing order for the rent.

I asked the woman in the fraud centre to take a look at the notes on my file and work out what had happened. Apparently it was recorded that they couldn’t get through to me to confirm the transaction. I explained that I had been given a reference number and told to call a number I didn’t trust, so had arranged to call the number on the back of my card instead. She said something like “Yeah, a lot of customers don’t like to ring up the fraud number because it’s an 0845 number and they don’t trust it.” I asked why I was supposed to trust a number that I was given out of the blue, and she said “Tell you what: I’ll give you the number now, and if it comes up again you can trust it.” Turns out it was the same number that was in the letter, but there doesn’t seem to be any reference to it on the HSBC website, and nothing comes up if you type it into the search. For reference, the number is 08456 100 194, but don’t take my word for it, because I might be trying to trick you into giving out your bank details.

So what could have been done better?

If someone rings me up again, I will keep them on the phone until they’re certain they have written the appropriate note on my file. This avoids the race between them writing on my file and me calling up the other number.

Before I call any other number, I will make sure I know the number that called me, so I can report them to the fraud people if it turns out to be someone suspect.

If someone calls up trying to confirm a transaction, I have 24 hours from the time I tried to make the transaction to get back to them. Otherwise I’m going to get locked out of my account again. If they don’t have a clue what I’m talking about, I should make sure that I have talked personally to someone on the fraud team before I give up.

I now know that 08456 100 194 is a trusted number, but there’s no way to write it on my card, so it’s going to get forgotten.

They have a feedback section on their site. I’ve written something in there, and if they get back to me, I’ll be sure to post it in the comments here.


5 Comments »

  1. Hrm. Error submitting the feedback form. Firebug reports that there is an error in the code that checks the length of the response box. This is probably the problem.

    I tried again and entered the following, which seemed to work:

    I had some problems with your fraud team ringing me up to confirm a transaction and giving me a reference number so I could ring them back but failing to document that they had done this in a way that the woman in the call centre could see/understand.

    Full details can be found at https://alsuren.wordpress.com/2010/01/13/internet-banking-and-trust/ and any response you give will be posted there too.

    I look forward to hearing from you.

    David.

    Comment by alsuren — January 13, 2010 @ 5:21 pm

  2. Hm, this is pretty worrying, especially as I’m due to (finally) set up internet banking on Thursday.

    I don’t really trust any version of phone banking anyway, whether you’ve set up phone banking yourself, or dealing with accounts generally. This is especially since I was able to cancel my Dad’s credit card and have £200 sent to a random bank in France for him to back up, just by knowing his date of birth. Kudos for emergency procedures when credit cards are stolen, but it just seemed a way to exacerbate the problem.

    Comment by yoyomarules — January 13, 2010 @ 5:49 pm

  3. There didn’t seem to be anything glaring in this part of the internet banking experience which leaves them open to a direct attack from an outsider. Any attack would need to involve me in some way.

    The failure mode that I tripped was a failsafe, and it turns out that failsafes are designed to be safe. It just caused me to waste a lot of time. My main concern is that their process encourages me to be vulnerable to social engineering attacks. Sure: if I realise that I’ve been taken for a fool I can ring up and raise the alarm. I’m pretty sure my dad’s attitude to security would leave him in the shit though.

    There is a way you could exploit a dialback-based protocol (if you had a wiretap on my phone, you could ring up pretending to be my bank, and when I dialled back you would get my internet banking number, my date of birth and 3 randomly selected digits of my security number, which is more than the fraud people asked me for when they rang up) but it is more difficult to do from the other side of the world. Maybe if HSBC had a secure Skype number (if you believe that Skype is secure), or if we waited until we implement secure communications in Telepathy, then we’d be able to close this hole. On the other hand, a virus would leave you even more screwed.

    Yeah, so security is hard.

    Comment by alsuren — January 13, 2010 @ 7:24 pm

  4. What surprises me is that there are some simple things they could do. Firstly, they could advertise the number on their website, or if they only want people to ring that number if they have been contacted, say go to mybank.com/TOPSECRETURL for confirmation of the number. There is also some data they have which they should be able to reveal. They could give the sum of the digits of the available balance in your account, for example. Having something like this pre-defined might be a good idea.

    But they should really have something defined. Setting up some secret data for these purposes really can’t be that hard.

    Comment by Robert Crowston — January 15, 2010 @ 5:36 pm
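The “secret in advance” that the post says is needed before a caller can prove they are the bank, and the pre-defined secret data that the comment above asks for, can be turned into a short challenge-response that the caller answers before the customer reveals anything. The sketch below is an added illustration written for this page; it is not anything HSBC does and not code from the post or its commenters. The enrolled secret, the direction tags and the 6-digit code length are all assumptions. It goes a little beyond the “sum of the digits of the balance” idea: a fixed answer like the balance digit-sum can be recorded on one call and reused on the next, whereas a fresh challenge per call makes a recorded answer useless, and the tag bound into each response stops a caller from simply repeating the customer’s own answer back at them.

```python
import hashlib
import hmac
import secrets

# Constructed example: a secret agreed in person at enrolment (an assumption, not a real bank scheme).
ENROLLED_SECRET = b"correct horse battery staple"

# Direction tags: the bank proving itself and the customer proving themselves use
# different tags, so an answer heard in one direction cannot be reflected in the other.
BANK_TAG = b"bank->customer"
CUSTOMER_TAG = b"customer->bank"


def new_challenge() -> str:
    """Fresh random challenge, short enough to read out over the phone."""
    return secrets.token_hex(4)  # 8 hex characters, 32 bits of randomness


def respond(secret: bytes, tag: bytes, challenge: str, digits: int = 6) -> str:
    """Derive a short numeric answer from the shared secret, the direction tag and the challenge.

    The secret itself is never spoken; only this truncated HMAC output is.
    """
    mac = hmac.new(secret, tag + b"|" + challenge.encode(), hashlib.sha256).digest()
    number = int.from_bytes(mac[:4], "big") % (10 ** digits)  # HOTP-style truncation
    return f"{number:0{digits}d}"


def verify(secret: bytes, tag: bytes, challenge: str, response: str, digits: int = 6) -> bool:
    """Constant-time comparison of a spoken answer against the expected one."""
    return hmac.compare_digest(respond(secret, tag, challenge, digits), response)


def phone_call(caller_secret: bytes, customer_secret: bytes) -> tuple[bool, bool]:
    """Simulate both sides of a cold call.

    Returns (caller_proved_to_be_bank, customer_proved_to_bank). The customer only
    answers the caller's question once the caller has answered theirs correctly,
    so an impostor who fails the first step learns nothing at all.
    """
    # Step 1: customer challenges the caller.
    customer_challenge = new_challenge()
    caller_answer = respond(caller_secret, BANK_TAG, customer_challenge)
    if not verify(customer_secret, BANK_TAG, customer_challenge, caller_answer):
        return False, False

    # Step 2: only now does the customer answer the bank's challenge.
    bank_challenge = new_challenge()
    customer_answer = respond(customer_secret, CUSTOMER_TAG, bank_challenge)
    return True, verify(caller_secret, CUSTOMER_TAG, bank_challenge, customer_answer)


def replayed_answer_works(secret: bytes) -> bool:
    """Does an answer recorded on one call pass on a later call with a new challenge?"""
    old_challenge = new_challenge()
    recorded = respond(secret, BANK_TAG, old_challenge)  # what a wiretap would capture
    fresh_challenge = new_challenge()
    return verify(secret, BANK_TAG, fresh_challenge, recorded)


if __name__ == "__main__":
    print("genuine bank calling:", phone_call(ENROLLED_SECRET, ENROLLED_SECRET))
    print("impostor calling:    ", phone_call(b"a guess", ENROLLED_SECRET))
    print("replayed answer accepted:", replayed_answer_works(ENROLLED_SECRET))
```

The customer-side check is deliberately the first thing that happens, which is the order the post argues for: a caller who cannot answer is never told a date of birth or postcode. A 6-digit code is guessable at one in a million per attempt, so a real deployment would also limit attempts and have a way to re-enrol the secret in branch, the same fallback the post ended up using.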

  5. All this from the guy that never locked the door to any of his Uni rooms…

    Comment by Stuart — January 20, 2010 @ 10:34 pm

