[OT] motoring **** loses money from identity fraud bet.



Jim <[email protected]> wrote:

> "Alan Braggins" <[email protected]> wrote in message
> news:[email protected]...
> > In article <[email protected]>, Jim wrote:

> > > I also think that Clarkson probably won't miss the
> > > £500 too much

> >
> > Since the bank will have given it back under the usual Direct Debit
> > guarantee, I doubt he'll miss it at all. Someone who had a cheque
> > bounce because they went over their overdraft limit while the £500
> > was missing might, but I doubt Clarkson is in that position.

>
> You mean that Clarkson's error is going to cost the bank's shareholders
> £500?
> I wouldn't be too happy about that if I was one of their customers. If I
> left my bike unlocked outside a shop for two minutes and it got nicked I
> wouldn't be covered. I'm surprised that the bank would refund him given that
> he was so irresponsible.


Firstly, he hasn't been irresponsible in any greater way than a person
who writes a cheque. I've frequently written cheques to people whom I
don't know.

Secondly, the error will cost the bank a few pence in admin costs as one
feature of the Direct Debit Guarantee is that organisations who take DD
must be willing and able to refund any payment on demand pending
investigation. That is one reason why organisations such as churches do
not tend to accept DD: simply, they would be unable to return the funds
in the event that someone suddenly decided that they had accidentally
been paying a direct debit for twenty years.

Cheers,
Luke


--
Red Rose Ramblings, the diary of an Essex boy in
exile in Lancashire <http://www.shrimper.org.uk>
 
Don Whybrow <[email protected]> wrote:

> Imagine you are working in a big service centre with all sorts of forms
> crossing your desk every day and your boss is on your case to process
> them ASAP because that, in general, is what the customer wants. A fast
> turn around.
>
> Amongst all the other DD mandates and account opening forms and loan
> requests and ... comes a charity DD mandate setting up a £500 DD from
> someone. In fact it is probably stuck in the middle of a huge batch of
> the things as they arrived in the post from the charity that morning.
> All the fields are filled in correctly, the name matches the one on the
> account, the signature looks enough like the one on file (remember the
> boss is watching and the clock is ticking). So you tap in the details
> and push the GO key.


That's why the DD Guarantee exists. You don't need to be a highly
trained genius to set up DDs: I set up hundreds at the age of 15 while
on work experience. It was the most boring fortnight of my life.

Cheers,
Luke


--
Red Rose Ramblings, the diary of an Essex boy in
exile in Lancashire <http://www.shrimper.org.uk>
 
Don Whybrow wrote:
> How would you suggest that a bank protect clients who publish in the
> national press sufficient details to set up a DD?


In the same way as they protect clients who send to random businesses,
charities and private individuals the same sufficient details (that
would be "everybody who writes cheques" and "everybody who publishes
their bank account details for bill payments via BACS/CHAPS"): by
verifying the mandate using information which is actually *private*
instead of just hoping nobody will notice.

IT people refer to this as "security through obscurity" and it's
universally acknowledged to be a bad thing. Shame there are apparently
no IT security people working in banking, eh?


-dan
 
[email protected] wrote:
> IT people refer to this as "security through obscurity" and it's
> universally acknowledged to be a bad thing. Shame there are
> apparently no IT security people working in banking, eh?


I am sure there are skilled IT security people working there.
And I am sure they are not allowed to speak to the press, have their reports
"sanitised" before they reach the board, are ignored if they do ever speak
to the board, etc. etc.



--
Nigel Cliffe,
Webmaster at http://www.2mm.org.uk/
 
"Ekul Namsob" <[email protected]> wrote in message
news:1iaf52d.1ngsqbxdmvspvN%[email protected]...
> Jim <[email protected]> wrote:
>
>> "Alan Braggins" <[email protected]> wrote in message
>> news:[email protected]...
>> > In article <[email protected]>, Jim wrote:

>> > > I also think that Clarkson probably won't miss the
>> > > £500 too much
>> >
>> > Since the bank will have given it back under the usual Direct Debit
>> > guarantee, I doubt he'll miss it at all. Someone who had a cheque
>> > bounce because they went over their overdraft limit while the £500
>> > was missing might, but I doubt Clarkson is in that position.

>>
>> You mean that Clarkson's error is going to cost the bank's shareholders
>> £500?
>> I wouldn't be too happy about that if I was one of their customers. If I
>> left my bike unlocked outside a shop for two minutes and it got nicked I
>> wouldn't be covered. I'm surprised that the bank would refund him given
>> that he was so irresponsible.

>
> Firstly, he hasn't been irresponsible in any greater way than a person
> who writes a cheque. I've frequently written cheques to people whom I
> don't know.
>


Did anyone see the film 'Catch Me If You Can'? It was on TV last night. The
conman whose life the story is based on said that he would never use
cheques, as they are far too easily used fraudulently. Which is what he had
been doing since he was 17.

David Lloyd
 
[email protected] wrote:
> Don Whybrow wrote:
>> How would you suggest that a bank protect clients who publish in the
>> national press sufficient details to set up a DD?

>
> In the same way as they protect clients who send to random businesses,
> charities and private individuals the same sufficient details (that
> would be "everybody who writes cheques" and "everybody who publishes
> their bank account details for bill payments via BACS/CHAPS"): by
> verifying the mandate using information which is actually *private*
> instead of just hoping nobody will notice.
>
> IT people refer to this as "security through obscurity" and it's
> universally acknowledged to be a bad thing. Shame there are apparently
> no IT security people working in banking, eh?


There are quite a few good security people, IT and otherwise, in
banking. Although the jury is out on the success of chip&pin in
overcoming card fraud there are other measures that have come into
place. Take on-line banking for example. To access my account I need to
know my membership number and a couple of pass codes. Now, I am not
asked for all of each code, I am asked for a couple of random digits
from each. Once I get past that I am presented with a seemingly random
number. This I type into a device they sent me. This gives back another
number which I type into the on-line system. A bit of a faff, yes. But
to access my account anyone would need to know 3 separate codes and have
access to the same device that I have that has been given the same seed
key as mine.

If someone was to leave the key in their front door, they can hardly
complain to the builder if they get the DVD player nicked.


--
Don Whybrow

Sequi Bonum Non Time

"There is a wicked pretense that one has been informed. But no
such thing has truly occurred! A mere slogan, an empty litany.
No arguments are heard, no evidence is weighed. It isn't news at
all, only a source of amusement for idlers." (Gibson-Sterling,
The Difference Engine)
 
Don Whybrow wrote:

> Take on-line banking for example. To access my account I need to
> know my membership number and a couple of pass codes. Now, I am not
> asked for all of each code, I am asked for a couple of random digits
> from each.


But at least Barclays has managed to implement this incompetently and
compromise the security. The random digits it asks for are stored between
attempts if you get the membership number correct, but generated randomly
for each attempt if you get it wrong.

The net effect is that you can tell whether the membership number is correct
independently of the pass codes -- it would be like a normal system that
tells you immediately if the username you entered was valid.

Can you guess how much success I had getting through to someone competent
enough to understand the problem at Barclays?

Tim.
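
The behaviour described in the post above, beside one way to close the leak, as an added example that is not part of the original post and is not any bank's code. The membership numbers, code length, `time_bucket` parameter and all function names are assumptions; the hardened issuer derives the challenge from a server-side HMAC for every number, so known and unknown numbers behave alike.

```python
import hashlib
import hmac
import secrets

CODE_LEN = 6                      # assumed pass-code length
ASKED = 2                         # digits requested per attempt (assumed)
ACCOUNTS = {"1002003004"}         # constructed membership number
SERVER_KEY = secrets.token_bytes(32)  # server-side secret, never leaves the server
_rng = secrets.SystemRandom()
_stored = {}                      # challenges kept between attempts (flawed issuer)


def _random_positions():
    return tuple(sorted(_rng.sample(range(1, CODE_LEN + 1), ASKED)))


def flawed_challenge(member):
    """As described in the post: stored for a valid number, fresh for an invalid one."""
    if member in ACCOUNTS:
        return _stored.setdefault(member, _random_positions())
    return _random_positions()


def hardened_challenge(member, time_bucket=0):
    """Derive the positions from HMAC(key, member, time_bucket) for every number.

    No lookup in ACCOUNTS happens here, so known and unknown numbers behave alike.
    time_bucket is a coarse clock value applied to all numbers (assumption).
    """
    mac = hmac.new(SERVER_KEY, f"{member}:{time_bucket}".encode(), hashlib.sha256)
    n = int.from_bytes(mac.digest(), "big")
    pool, picked = list(range(1, CODE_LEN + 1)), []
    for _ in range(ASKED):
        n, idx = divmod(n, len(pool))
        picked.append(pool.pop(idx))
    return tuple(sorted(picked))


def challenge_is_stable(issuer, member, attempts=20):
    """True if repeated requests for this number always get the same challenge."""
    return len({issuer(member) for _ in range(attempts)}) == 1


def leaks_membership(issuer, known="1002003004", unknown="9999999999"):
    """Regression check: the issuer leaks if stability differs between the two."""
    return challenge_is_stable(issuer, known) != challenge_is_stable(issuer, unknown)
```

`leaks_membership` is meant as a regression test against the challenge issuer itself, run in-process before release.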
 
Jim <[email protected]> wrote:
> You mean that Clarkson's error is going to cost the bank's shareholders
> £500?
> I wouldn't be too happy about that if I was one of their customers. [...]


In general, customers and shareholders are not the same and I rather doubt
that Clarkson banks with a co-operative or mutual, despite their better
performance.

Also, it's the bank's error accepting that DD, so it's their lookout IMO.

Regards,
--
MJ Ray http://mjr.towers.org.uk/email.html tel:+44-844-4437-237 -
Webmaster-developer, statistician, sysadmin, online shop builder,
consumer and workers co-operative member http://www.ttllp.co.uk/ -
Writing on koha, debian, sat TV, Kewstoke http://mjr.towers.org.uk/
 
Quoting Tim Northover <[email protected]>:
>Can you guess how much success I had getting through to someone competent
>enough to understand the problem at Barclays?


About the same amount as I had convincing American Express that training
customers to tell the answers to their "security" questions to unsolicited
phone callers is a bad idea?
--
David Damerell <[email protected]> flcl?
Today is Second Potmos, January.
 
David Damerell wrote:
> Quoting Tim Northover <[email protected]>:
>> Can you guess how much success I had getting through to someone competent
>> enough to understand the problem at Barclays?

>
> About the same amount as I had convincing American Express that training
> customers to tell the answers to their "security" questions to unsolicited
> phone callers is a bad idea?


Or me to persuade Lloyds TSB that my date of birth is known by my
postman so can't count as a "security" question and that

39 and my post code IS my full address and that those two pieces of
information are known to anyone with a phone book, so don't count as
"security" questions either.

That's not forgetting that they ALL use the same bloody questions as
"security"
 
marc <[email protected]> wrote:

> That's not forgetting that they ALL use the same bloody questions as
> "security"


Not all. Some allow users to set their own questions. "When was your
first dog put down?" is the sort of question to which I'm fairly
confident that I and no more than four other people know the answer.

Cheers,
Luke


--
Red Rose Ramblings, the diary of an Essex boy in
exile in Lancashire <http://www.shrimper.org.uk>
 
On Thu, 10 Jan 2008 20:24:21 +0000,
marc <[email protected]> wrote:
> David Damerell wrote:
>> Quoting Tim Northover <[email protected]>:
>>> Can you guess how much success I had getting through to someone competent
>>> enough to understand the problem at Barclays?

>>
>> About the same amount as I had convincing American Express that training
>> customers to tell the answers to their "security" questions to unsolicited
>> phone callers is a bad idea?

>
> Or me to persuade Lloyds TSB that my date of birth is known by my
> postman so can't count as a "security" question and that
>
> 39 and my post code IS my full address and that those two pieces of
> information are known to anyone with a phone book, so don't count as
> "security" questions either.
>
> That's not forgetting that they ALL use the same bloody questions as
> "security"


But you don't have to give a truthful answer just a consistent one.
I am sure your bank doesn't check up to see what your mother's maiden
name was, what your first pet was called, and where your primary
school was.

--
Andy Leighton => [email protected]
"The Lord is my shepherd, but we still lost the sheep dog trials"
- Robert Rankin, _They Came And Ate Us_
 
On Thu, 10 Jan 2008 20:51:21 -0000, Andy Leighton
<[email protected]> wrote:

>On Thu, 10 Jan 2008 20:24:21 +0000,
> marc <[email protected]> wrote:
>> David Damerell wrote:
>>> Quoting Tim Northover <[email protected]>:
>>>> Can you guess how much success I had getting through to someone competent
>>>> enough to understand the problem at Barclays?
>>>
>>> About the same amount as I had convincing American Express that training
>>> customers to tell the answers to their "security" questions to unsolicited
>>> phone callers is a bad idea?

>>
>> Or me to persuade Lloyds TSB that my date of birth is known by my
>> postman so can't count as a "security" question and that
>>
>> 39 and my post code IS my full address and that those two pieces of
>> information are known to anyone with a phone book, so don't count as
>> "security" questions either.
>>
>> That's not forgetting that they ALL use the same bloody questions as
>> "security"

>
>But you don't have to give a truthful answer just a consistent one.
>I am sure your bank doesn't check up to see what your mother's maiden
>name was, what your first pet was called, and where your primary
>school was.


Although it may be much more difficult to remember the answer you gave
if it is not truthful. I do!

M.
 
David Damerell wrote:
> About the same amount as I had convincing American Express that training
> customers to tell the answers to their "security" questions to unsolicited
> phone callers is a bad idea?


Please add smile and Crapital One to that list.

And then can we talk about 3d secure? Capital One (and I assume
everyone else that outfarms it to securesuite) has a "forgot your
password" link that resets it after asking for security questions, and
this all inside an iframe on the merchant's site during the regular
purchase process. It's like phishing had never been thought of.


-dan
 
Mark wrote:
> On Thu, 10 Jan 2008 20:51:21 -0000, Andy Leighton
> <[email protected]> wrote:
>
>> On Thu, 10 Jan 2008 20:24:21 +0000,
>> marc <[email protected]> wrote:
>>> David Damerell wrote:
>>>> Quoting Tim Northover <[email protected]>:
>>>>> Can you guess how much success I had getting through to someone competent
>>>>> enough to understand the problem at Barclays?
>>>> About the same amount as I had convincing American Express that training
>>>> customers to tell the answers to their "security" questions to unsolicited
>>>> phone callers is a bad idea?
>>> Or me to persuade Lloyds TSB that my date of birth is known by my
>>> postman so can't count as a "security" question and that
>>>
>>> 39 and my post code IS my full address and that those two pieces of
>>> information are known to anyone with a phone book, so don't count as
>>> "security" questions either.
>>>
>>> That's not forgetting that they ALL use the same bloody questions as
>>> "security"

>> But you don't have to give a truthful answer just a consistent one.
>> I am sure your bank doesn't check up to see what your mother's maiden
>> name was, what your first pet was called, and where your primary
>> school was.

>
> Although it may be much more difficult to remember the answer you gave
> if it is not truthful. I do!


One of my bank accounts has my wrong date of birth recorded for it; the
bank refuses to change it "for security reasons"; there is an ongoing DPA
complaint.
 
JC's not the only one:

> A fraudster walked into a branch of Barclays Bank posing as
> its chairman Marcus Agius and managed to walk out with 10,000
> pounds.
>
> The conman is believed to have found Mr Agius' details online and
> persuaded call centre staff into issuing a Barclaycard in his name.


http://news.bbc.co.uk/1/hi/business/7181741.stm

I bet they'll revise their security procedures after that.