MSE News: Santander sends thousands of statements to wrong addresses
Comments
-
Santander requires 3 things online for you to access your current account.
1. Your Customer ID as shown on your monthly statement
2. Some personal detail like your mother's maiden name or the name of your place of birth
3. Your customer PIN
1. If a hacker has your monthly statement he will have your Customer ID and quite possibly your name from it appearing in a transaction on your detailed statement.
2. From your name it may be quite possible to deduce your personal detail like the name of your place of birth.
3. Your customer PIN is only 5 digits and a brute force computer program run by the hacker on a fast computer could crack your PIN rather quickly.
So now the hacker has access to your current account he can move your money out. If you have a savings account with Santander, say goodbye to the money in it as well.
OK so Santander may compensate you for the loss but imagine the disruption and stress you may go through when your standing orders and direct debits hit an emptied account and you having no money in your bank account for day to day matters like drawing cash from an ATM, paying a bill with your debit card, etc.
Where on earth did you get that from? I can assure you this is neither accurate nor possible.0 -
Wasteofspace wrote: »Where on earth did you get that from? I can assure you this is neither accurate nor possible.
It is of course unlikely that anyone's Santander bank account gets hacked this way but it is indeed possible.
1. Customer ID - it is on my paper statement
2. My name is on a transaction in my paper statement "Transfer to 'welshmike' xxx.xx"
3. Password cracking - see http://sectools.org/crackers.html and also read about botnets here http://en.wikipedia.org/wiki/Botnet .
"In July 2010, the FBI arrested a 23-year old Slovenian held responsible for the malicious software that integrated an estimated 12 million computers into a botnet"
Santander should have in their server side scripts a means of blocking on-line access to an account when multiple failed attempts to Log in to an account are detected.
I don't know if they have such security and could find out using a specially crafted computer program but that would be unethical if not illegal.0 -
... the sophistication and ability of determined hackers.
It is of course unlikely that anyone's Santander bank account gets hacked this way but it is indeed possible.
1. Customer ID - it is on my paper statement
2. My name is on a transaction in my paper statement "Transfer to 'welshmike' xxx.xx"
3. Password cracking - see http://sectools.org/crackers.html and also read about botnets here http://en.wikipedia.org/wiki/Botnet .
"In July 2010, the FBI arrested a 23-year old Slovenian held responsible for the malicious software that integrated an estimated 12 million computers into a botnet"
Santander should have in their server side scripts a means of blocking on-line access to an account when multiple failed attempts to Log in to an account are detected.
I don't know if they have such security and could find out using a specially crafted computer program but that would be unethical if not illegal.
1. Your 10 digit "Personal ID" is not on your statement, your Sort Code & Account Number are.
2. Your Name & Address are on the front page & your name is on the back page, you won't need to look at transactions.
3. Your account will be locked after 3 failed login attempts & you will need to ring in to unlock your account by providing answers to various questions.0 -
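The lockout behaviour described in the reply above (account locked after 3 failed logins, unlocked only by phoning in), sketched as an added example that is not part of the thread and not Santander's code. The class, the customer ID, the PIN and the addresses are constructed for illustration; the counter is kept per account so that guesses arriving from many machines still trip the same lock.

```python
import hmac

MAX_FAILURES = 3   # threshold quoted in the thread
PIN_DIGITS = 5     # PIN length quoted in the thread


class LoginGuard:
    """Counts failed logins per account, never per source address."""

    def __init__(self, pins):
        # customer_id -> PIN; constructed demo data (a real system stores a salted hash)
        self._pins = dict(pins)
        self._failures = {}
        self._locked = set()

    def attempt(self, customer_id, pin, source_ip):
        # source_ip is ignored on purpose: guesses spread over many
        # machines still land on the same per-account counter.
        if customer_id in self._locked:
            return "locked"
        expected = self._pins.get(customer_id, "")
        if expected and hmac.compare_digest(expected.encode(), pin.encode()):
            self._failures.pop(customer_id, None)
            return "ok"
        self._failures[customer_id] = self._failures.get(customer_id, 0) + 1
        if self._failures[customer_id] >= MAX_FAILURES:
            self._locked.add(customer_id)
            return "locked"
        return "denied"

    def unlock_after_phone_check(self, customer_id):
        # Stands in for the out-of-band identity check done by phone.
        self._locked.discard(customer_id)
        self._failures.pop(customer_id, None)


def guess_chance(max_failures=MAX_FAILURES, digits=PIN_DIGITS):
    """Chance that blind guessing hits the PIN before the lock engages."""
    return max_failures / 10 ** digits


if __name__ == "__main__":
    guard = LoginGuard({"CUST-0001": "48213"})  # constructed ID and PIN
    for i, guess in enumerate(["00000", "11111", "22222", "48213"]):
        print(guess, guard.attempt("CUST-0001", guess, f"203.0.113.{i + 1}"))
    print("chance before lock:", guess_chance())
```

Once the lock is set, even the correct PIN is refused until the manual unlock, which is what turns a 5-digit search space into three guesses.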
It's not as black and white as you suggest. No pun intended.
You are correct.
It is a shame, the production staff were very competent & diligent.0 -
I was on a canal holiday in July for a week without any internet access to banking. When I got home & checked my account, I found that £5000 had been transferred from my mortgage into my savings account, both with Abbey/Santander. When I checked with the bank the transaction was timed when I was away. The money was transferred back & nothing was lost apart from a shortening of my life in panic. They told me that the transaction had been arranged by the use of my passwords etc & I explained I was away at the time of the transaction. They promised to investigate but I have heard nothing from them.0
-
1. Your 10 digit "Personal ID" is not on your statement, your Sort Code & Account Number are.
2. Your Name & Address are on the front page & your name is on the back page, you won't need to look at transactions.
3. Your account will be locked after 3 failed login attempts & you will need to ring in to unlock your account by providing answers to various questions.
It is not the "Personal ID" I referred to. It is the "Customer ID" and that does appear on the top half of the right hand side of the first page of my statement.
I understand that the printer's mistake means that for some people the first page of a statement is printed on the front side of a page and someone else's detailed transactions are on the reverse and on any other pages.
If a hacker obtains the information from the front page of a statement he does not need to see other pages. If he obtains the other pages he will not see the Customer ID.
So the vulnerability may be less severe than I had alleged.
In particular it is reassuring to read that an account becomes locked after 3 failed attempts to Log in.0 -
Richyrich2001 wrote: »My statement showing transactions from 22nd Nov to 20th Dec has someone else's transactions on the back. I assume it must have been printed after the close of business on the 20th or the next day. It would appear that the error was not confined to the 18th as reported.
My statement covers 22nd Nov to 20th Dec and is fine - only my details and transactions on each side.0 -
What offers of compensation has anyone received? I was offered £10 which I've rejected0
-
You would be well advised to edit your Email address from your post. Otherwise you may receive other offers!
If you want to test the depth of the water .........don't use both feet !0
-
Some of the posts above mention hacking your bank account, there are much easier ways to clear out your account with your statement. They can take out multiple loans in your name, no, your statement does not have your date of birth on it, but the public Electoral Roll register does that anyone can access. It's not hard to build up the missing information, and you would only need three forms of ID for a small loan or hire agreement. Think of a run down area near you, now think some scumbag has got a good start at clearing your account. High value transactions means you must be comfortably well off, and the address would indicate a nice house full of nice things - yes. Your chance of a break-in has just increased 100% because of Santander's mistake. While the robbers are ransacking your house while you are at work, as well as the normal spare car/house keys, TV, PS3, jewellery, wallets, handbags they take a utility bill. So they now have a recent bank statement with your current address, driving licence from your wallet, a recent utility bill, your date of birth and your signature to copy off the back of your credit card and driving licence. Now they also have your debit/credit card they go online shopping, they have the 3 digit number off the back. With this information it's very easy to redirect your mail at the local post office so you would not realise for a week why you have had no mail, and the criminals have all their parcels of new high value goods.
Don't accept a £10 or £20 offer from Santander. I am sure that if they are aware of the enormity of their mistake they really don't care if you are robbed in the future. Hold out for the full £100 it should be £500 !each standard 'mistake' refund they can afford it.
If you close the account they can not take any money out of it as it is no longer a valid account, so you are safe - sort of - get a big dog to look after the house.0
This discussion has been closed.