Is our banking security secure enough??

rockyb72

Hello everyone, I am a student security analyst and I come to realise that in some organisations security hasn't been taken seriously enough, I have been banking with A&L for some years now and their online security is really secure including the way they distribute information towards their customers. The main reason I wrote this article is because i recently applied for a smile current account (affliate of COOP),suddenly my new bank account and sort code were sent to my email account, is this normal?
I am not a paranoid person its just i like to be aware on how safe my money is with different organisations, especially that now we in a recession where businesses are becoming bankrupt.

what are your views on this? Am i wrong? Or am i just paranoid
Thank you for those who took their time in reading this.

"When we do wrong, we come to suffering. When we do good in the world, we come to hapiness"
BHAGAVAD GITA

Paul_Herring

I wrote this article is because i recently applied for a smile current account (affliate of COOP),suddenly my new bank account and sort code were sent to my email account, is this normal?

You're really going to panic when you get your cheque book/debit card through the post.

Extant

A sort code and account number is not enough to do any damage with - the most they could do with those two piece of information is... nothing. They'd need your name to even set up a Direct Debit, or the bank would realize the mandate was incorrect.

In short, you are paranoid - fraud exists and will always exist, but does not impact a significant percentage of people, or typically occur online. Anyone applying basic security (i.e. not following links in e-mail, not using shared computers, etc.) is going to be safe against all but the most advanced/targeted methods of fraud.

"Men will never be free until the last king is strangled with the entrails of the last priest."
- Not Denis Diderot

jambosans

I think you are paranoid. Virtually nothing can be done with a sort code and account number.

Also, Smile are an internet bank, I would like to think they know what they're doing.

A quote from the Smile Website:

We’re the first UK online bank to be accredited with the ISO27001 Information Security certification. That means we have an extremely secure Internet Banking service

radebe2k

I completely refute what had been said about sort codes and account numbers, twice this has happened to me now.

Some scumbags have gone online and purchased home insurance, one to the tune of 312 quid DD and a 2 recurring DD's of 12 notes and 15 notes.

i have spoken to each insurer\broker and they have told me that the details entered (Sort code, account detail and name) didn't match, although the sort code and acc no were valid the name used for the account holder name was different and even so the DD went through.

I contacted the bank and they were going on about how that a parent could pay for a child's insurance etc and that the details set up wouldn't match and that's why it goes through, BOLL**KS!, i understand that the insured party might not be paying for the insurance, fine, but in any other transaction like shipping a computer or toaster or anything bought online requires shipping and billing address and the billing address would be in a different name and different address details and all would be different. WHAT IS THE FRICKING DIFFERENCE WITH INSURANCE, it's still product and payment, ok it's not a tangible thing you can see our touch so to speak but it is still a product nonetheless.

Sorry to be spouting off like this but i am soo p'd off with it all, i have spent half a day chasing these morons around their own phone system.

As far as i have found the BACS people who oversee the DD system receive the information from the originator (product retailer), BACS check that the acc no and sort code are valid and forward the information to the bank who hold the account in the DD instruction.

It is down to the bank to check and validate the details sent through.

This isn't happening, seemingly. my bank are hiding behind the direct debit guarantee that says if anything goes wrong then you can claim back but surely if the details are not correct i shouldn't have to rely on the guarantee as the DD shouldn't have been set up inthe first place.

plus how am i meant to check if i don't have internet banking and 9 out of 11 statements never arrive, this account was to allow us free withdrawls overseas, that's it, no cheque book nothing.

As a footnote anyone know if the Aus\NZ banking system is the same as ours?

withnell

Well when you got the letter through telling you a DD was set up, did you not just contact the bank and say it wasn't made by you, and please cancel?

Paul_Herring

I completely refute what had been said about sort codes and account numbers, twice this has happened to me now.

And because it's happened all of two times to you, this applies to everybody else?

Didn't think so. Anyway, you got your money back didn't you? Granted, (1) your bank seems to be a little lax in vetting AUDDIS requests, and (2) either your bank is lax in sending out DD confirmations or you are lax in talking to your bank when you receive them, but your experience does not mean the principles don't hold.

It's like saying "burglary's legal because twice I've been burgled, and no-one's been prosecuted for it."

masonic

Paul_Herring wrote: »

either your bank is lax in sending out DD confirmations

Is it normal practice for banks to write to you when a new DD has been set up on your account? I don't recall ever having received notification from anyone other than the originator.

EarthBoy

masonic wrote: »

Is it normal practice for banks to write to you when a new DD has been set up on your account? I don't recall ever having received notification from anyone other than the originator.

That's right, -it's the originator who sends you the confirmation, not the bank. The originator will send the letter/email to the name and address on their records, so if they have got your account no. by mistake, e.g. their customer gave them a wrong digit, so the d/d is set up on your account instead of their customer's account, you wouldn't know about it unless you noticed it on your online account or on your statement when the payment came out.

Extant

EarthBoy wrote: »

That's right, -it's the originator who sends you the confirmation, not the bank. The originator will send the letter/email to the name and address on their records, so if they have got your account no. by mistake, e.g. their customer gave them a wrong digit

Account numbers are specifically designed to prevent this from happening, and the Industry Sorting Code Directory carries details on how to prevent this.

Most software dealing with BACs/AUDDIS/etc. knows how to deal with this, and it's built in to most things. I'd expect your online banking to reject if you put in an incorrect/unused sort code for example. In some cases, it would might even reject the number if there is enough ISCD data available.

You can test it for yourself on this website: http://www.postcodeanywhere.co.uk/demos/bankvalidator.aspx

Put in your sort code and account number, and try changing a random number - it should reject as invalid.

so the d/d is set up on your account instead of their customer's account, you wouldn't know about it unless you noticed it on your online account or on your statement when the payment came out.

Then you're entitled to a full and immediate refund, as well as a claim for any consequential losses. There's even a specific part of the bank-side Direct Debit reclaiming process that refers to no mandate existing or not matching.

PBA

There's always a trade off made between security and cost effectiveness. That call is made by the bank, and they underwrite the losses. Given that a sort code and account number is relatively irrelevant information (remember that you already give that information to anyone you give a cheque to, or anyone seeing your debit card) your bank obviously feel that the security risk of sending it by email is offset by the benefit of being able to provide it immediately.