Bank card security and a little rant on the ludicrous.

Because my mum is in a care home, I have power of attorney for her account. I have a debit card, so I can shop for her and I get statements etc. I tried to use the card today and it was declined, i didn't notice why at the machine, I thought I was using the wrong number but later saw that it was out of date.

So, I've just been on the phone to the bank to arrange a new card and was told that one was sent out in december, which I haven't received or at least don't recall having received.

I'm being sent a new card which will arrive in 3ish working days and a new pin to arrive in perhaps 8 working days. BUT the card can be used contactless immediately!!

I was stunned by this and pointed out to the nice chap at the bank that it was a MAJOR security problem because anyone receiving that card in error could use it. It used to be that the first use of the card had to be using the PIN, but apparently they've changed that because the PIN takes so long to be sent out 😲.

It's even possible for someone at the sorting office to take the entire envelope, use the card at a contactless terminal and then return the envelope back into the system to complete it's journey. There'd be no way of proving the fraud.

Incredible.



The older I get, the better I was.

Comments

  • bm5
    bm5 Posts: 601

    That's a ridiculous system.

  • katani
    katani Posts: 141
    edited February 17

    In that case the letter should be a tracked delivery and a signature should be required at the receipt.

  • briantrumpet
    briantrumpet Posts: 20,762

    Just a thought - if you use their banking app, could you put a temporary freeze on the new card till it arrives?

  • briantrumpet
    briantrumpet Posts: 20,762

    Still a stupid system though, as you say. Anyone could just hold the envelope to the contactless machine.

  • pangolin
    pangolin Posts: 6,660

    I'm sure they've done the maths and found this costs less in fraud than sending everything recorded and signed for etc

    - Genesis Croix de Fer
    - Dolan Tuono
  • thistle_
    thistle_ Posts: 7,218

    Halifax have recently added a feature to their app which lets you see your PIN for the card within the app. Not sure what the point of this is....unless you're waiting for a PIN in the post.

    You can also see all the card details in the app which is apparently for online shopping so you don't have to have your card to hand. Which is fine if you're on a laptop/desktop but doesn't work if you're using your phone because if you swap from the banking app to the shopping site it logs you out of the banking app before you can see the second page of card details 😂

  • capt_slog
    capt_slog Posts: 3,974

    I don't think they do the temporary freeze thing. Some banks do, some don't.

    I've since found out that 'My' card was sent to my mum in the care home. As we have the same initials on our names, she didn't notice and thought the bank had sent her another card and so didn't think to mention t to me.

    The chap i spoke to on the phone did agree that the system was flawed, and said he will pass on the feedback.

    I think it's worth a letter to the bank to make sure this gets known to someone in charge. As pangolin points out, it probably costs less in fraud, but the bank wouldn't necessarily be the ones paying as you'd have a hard task proving YOU didn't receive the card.



    The older I get, the better I was.

  • daniel_b
    daniel_b Posts: 12,042
    edited February 19

    That's really odd - whenever I am sent a new card, it ALWAYS retains the previous pin, but then as you say, the card can not be used for touch payments until the PIN has been entered for the first transaction.


    Did you ask why they have decided to change the PIN without you requesting it?


    Sounds like a bureaucratic mistake somewhere.

    Felt F70 05 (Turbo)
    Marin Palisades Trail 91 and 06
    Scott CR1 SL 12
    Cannondale Synapse Adventure 15 & 16 Di2
    Scott Foil 18
  • briantrumpet
    briantrumpet Posts: 20,762
    edited February 19

    Was just thinking that this is the kind of thing I'd probably post a Tweet on the bank's feed to publicly poke them into having a better system.

  • capt_slog
    capt_slog Posts: 3,974

    I had further dealings with my mums bank other day (Co-op by the way, in case you're wanting to know who to avoid).

    I had to log-on to the online service. So..

    Put in username, put in password, and a dialogue box comes up saying that it will send me a text mssg with a one-time access code. This code arrives and I put the code into the dialogue box and...

    Fail. It says I've done something wrong and I'm back to the start.

    It turned out that I had put in the wrong password, just a mistype as there's no way of seeing what you've written on their system. What I find bizarre about this is why it bothered with the message to my phone IF I'd put in a wrong password, what was the point?. It makes no sense to me.



    The older I get, the better I was.

  • rjsterry
    rjsterry Posts: 29,817

    To thwart down brute force attempts to guess passwords.

    1985 Mercian King of Mercia - work in progress (Hah! Who am I kidding?)
    Pinnacle Monzonite

    Part of the anti-growth coalition
  • whyamihere
    whyamihere Posts: 7,717

    This one's actually reasonable, it prevents anyone from knowing if they have your correct password or not and also notifies you any time someone tries to log in to your account. Lots of people reuse the same few passwords (or the same one) for everything and there's been plenty of leaks of password data. If there's 5 possible passwords a hacker thinks you use and only one of them goes to the next step of sending the verification code, they immediately know which one's correct, and if you suddenly start getting verification codes through when you're not trying to log in, you know that someone is.