Alleged Bank Security Breach - Card Detaisl & PINS compromised.

James

Hackers managed to infiltrate systems of RBS WorldPay, the group's Atlanta-based payment processing arm, and used data to clone debit cards later used to cream cash from ATMs in some 49 cities around the world.

Customers are furious that RBS waited 43 days to tell them about the security breach.

Article click here.

Comment: This again raises the following queston:

If a Bank or Card Issuer knows that an ATM or Chip & PIN device has been tampered with, or details and PINs have been hacked, do they have a duty of care to the Card Holder to inform them soonest that they suspect their PIN / Card Details has been compromised?

Bear in mind the Banking Code Articlle 12.7 -

It is essentian that you tell us as soon as you can if you suspect ro discover that - Someone elses knows you PIN.

Jemma-T

I wouldn't worry. Banks, shops, processing companies and governments have been losing this material for years and it's so frequent now it barely gets a mention on the news. The only reason we [eventually] hear about it is in some states in the USA it's a legal requirement to inform the authorities and post adverts about breaches.

Just look after your own data as much as possible, don't give out details over the phone and keep an eye on your banking. Use common sense.

Paul_Herring

James wrote: »

Bear in mind the Banking Code Articlle 12.7 -

It is essentian that you tell us as soon as you can if you suspect ro discover that - Someone elses knows you PIN.

I think you'll find, James, that clause 12.7 is a directive for the customer to follow, and has no bearing whatsoever on any duty the bank has to disclose security breaches :rolleyes:

This also ignores the fact that as stated at the beginning of the code (1.2), the whole code is voluntary. i.e. the banks are free to ignore stuff in there if they so wish.

If you want to use the banking code to bash the banks with, you'd be better off using the clauses that apply to the banks directly:

Section 2:

We will treat all your personal information as private and confidential, and provide secure and reliable banking and payment systems.

11.1:

We will not make your name and address or details about your accounts known to anyone, including other companies in our group, other than in the following four exceptional cases when we are allowed to do this by law.

12.1:

We will co-operate with other organisations in the banking industry to provide secure and reliable banking and payment systems you can trust.

James

Thanks Paul_Herring you're absolutely right re voluntary and 12.7 being a directive to customers.

And thanks again for highlighting section 2, 11.1 and 12.1.

I'm only trying to highlight the fact that reporting breaches or compromises in a timely manner seems to be one-sided.

This IMHO is very bad practise and puts us, the consumers in a very weak position when it comes to disputing a transaction or arguing the toss on how a fraudster could have got hold of a PIN or details.