[Fwd: Re: Co-op Bank and Verified by Visa]
Pete Mitchell
otcbn at callnetuk.com
Fri Jun 26 17:45:15 BST 2009
>>From Peter Gutmann
>
> -------- Original Message --------
> Subject: Re: Co-op Bank and Verified by Visa
> Date: Sat, 27 Jun 2009 02:06:57 +1200
> From: Peter Gutmann <pgut001 at cs.auckland.ac.nz>
>
> If you're in doubt you can fix this up yourself (at least for some banks) by
> going to the bank and asking to have a note placed with your account details
> instructing them to take extra precautions with your account. For example for
> my credit card I have a note saying that any COB (change of billing) changes
> (in computer terms any change to the account metadata) can only be done if I
> appear in person at a bank branch with photo ID, overriding the bank default
> where it's possible to make all of these changes over the Internet (!!),
> perfect for phishers. This means that if the bank does allow a COB over the
> Internet or phone then they're liable and not me, no matter what their T&C
> says.

I would have thought - or at least hoped - that the bank would be liable
for this sort of fraud no matter *what* their T&Cs say. After all it is
their security lapse that permitted the fraud to happen, not mine.

I really can't imagine why the banks permit people to set up Internet
banking over the Internet anyway. It is so obviously open to fraud.

I was myself done over in this way just this month. Someone fraudulently
set up Internet banking on my Halifax account. They also set up another
Halifax account at another branch, in my name, and did an on-line
transfer emptying my account into this new one. I suppose they hoped to
withdraw the proceeds - six grand - in cash before the dodgy transfer
was noticed.

After some careful questioning, Halifax have given me the money back,
but it has taken four weeks, and of course sorting out the repercussions
(bounced cheques etc) has been very time consuming. The worrying thing
is that there seems to be no way to stop it happening again, or
happening to my other bank accounts. The bank itself has so far refused
to explain exactly how it was done. I presume that is forbidden under
the Data Protection Act.
--
Pete Mitchell