Tesco Banking changes to online banking & T&Cs

Milarky

(See also update: post #12 below)

(See further update: post #13 below)

(See also update: post #25 below)

Just got a mailing in today's post advising customers need to "upgrade your security details" which will "make online and telephone banking even safer and easier to use [honest!]."

Personally you have to doubt this claim when the same letter informs: "if you've previously used a card reader you'll no longer need it" Hmmm.. so why did they issue those things, exactly, if we're supposedly more safe without them?

The letter helpfully adds: "New online terms and conditions will come into effect on 20th June. You'll be able to view these online when [sic] you upgrade." [STRIKE]Oh, so now you get to find out what you've 'accepted' once you've accepted it... that's novel...[/STRIKE]Have a read here:

http://www.tescobank.com/assets/sections/onlinebanking/pdf/online-banking-terms.pdf

Two other things I noted; you will need to register a mobile number for using their new service away from your home computer. That is secure! [It actually says 'more than one'. Perhaps techies will know if this includes second home computers or not.]

Finally they are changing their bank sort codes and customers must make sure they amend their Tesco account details accordingly. The sort codes will begin '40' [HSBC not RBS] Of course this does present occasional challenges. First Direct [part of HSBC] for instance, can't even remove an existing payee's details - they have to sit there unused - let alone amend a sort code. I will have to 'double up' on the details yet again. Most banks allow deletion of payee details by customers but will not allow an amendment to a sort code anyway - so that's more time and work setting them up. Initial payments may not go via Faster Payments [but, whatever, that's [I]not[/I] Tesco's problem, is it?]

Does anyone recall being written to about these changes earlier, btw? [As they say in the letter: "I write to you recently about some important improvements and changes being made at Tesco Bank."]

YorkshireBoy

Milarky wrote: »

Finally they are changing their bank sort codes and customers must make sure they amend their Tesco account details accordingly.

Did you see the bit at the foot of page 1 regarding standing orders and direct debits not being affected by the change?

I wonder if that's poor wording or if SOs from external accounts will stay go via the old RBS sort code.

Knowing Tesco, my money's on the former!

Does anyone recall being written to about these changes earlier, btw? [As they say in the letter: "I write to you recently about some important improvements and changes being made at Tesco Bank."]

Dated April 2011, and headed "Tesco Bank is improving your banking service". Four bullets...

• Soon you'll be able to manage all your Tesco bank accounts in one place Er, I could before!
• Improved log in process will make it more secure I was happy with the previous security. And so were they because it's been running a good while now.
• Free security software will be available to download No thanks I'll use my own!
• New statements will be easier to read I can understand the old ones!

northerner77

Milarky wrote: »

Two other things I noted; you will to need register a mobile number for using their new service away from your home computer. That is secure! [It actually says 'more than one'. Perhaps techies will know if this includes second home computers or not.]

What would happen if the customer doesn't own a mobile? He/she would only be able to access account(s) via the one IP address he/she upgraded security details on?

andy_allblack

It's going to be interesting for me, because I don't own a mobile phone, suppose I'll have to phone them and explain my situation.

malc_b

northerner77 wrote: »

What would happen if the customer doesn't own a mobile? He/she would only be able to access account(s) via the one IP address he/she upgraded security details on?

They can't be using IP address since most broadband is dynamic IP, static IP costs more. You may well have the same IP for ages but it's not guaranteed.

hasdogs

andy_allblack wrote: »

It's going to be interesting for me, because I don't own a mobile phone, suppose I'll have to phone them and explain my situation.

If you dig around in the tesco.com/bankchanges site they mentioned in the leaflet you will find

"If you don’t have a mobile phone, you can only login to online banking using the computer you use to upgrade."

Of all the online savings accounts I have had Tesco was the slowest and most difficult to set up with highest number of letters from them. The stupid card and reader took weeks and I have used it once to set up a payment to the account where all the money came from in the first place.

These changes are dumb. I don't keep cookies so they can't identify the computer I am using. I predict I am going to have to receive an SMS text message and enter some code from it every time I log in. If you don't have a mobile you are screwed, maybe they can text a landline and get that BT SMS to speech service (if your landline is with BT?).

For a savings account I could live with needing to receive an SMS to set up a new payment but needing one to log in is ridiculous.

ChiefGrasscutter

malc_b wrote: »

They can't be using IP address since most broadband is dynamic IP, static IP costs more. You may well have the same IP for ages but it's not guaranteed.

It will probably work by storing a super cookie on your computer.
A&L has much the same sort of thing. If you used ccleaner it cleaned out all the cookies and supercookies and then the A&L login sequence asked some more questions.....The Tesco one from what I'm reading here looks like it will send an sms to your mobile if it detects a 'new' computer from the one you normally use - or can't find the cookie on an existing one.

Two factor security authorisation is becoming more common - even at logon stage.

JuicyJesus

Milarky wrote: »

Finally they are changing their bank sort codes and customers must make sure they amend their Tesco account details accordingly. The sort codes will begin '40' [HSBC not RBS] Of course this does present occasional challenges. First Direct [part of HSBC] for instance, can't even remove an existing payee's details - they have to sit there unused - let alone amend a sort code. I will have to 'double up' on the details yet again.

Tesco will most likely be an "agency bank", meaning they'll use HSBC's sort code range but nothing else. First Direct's limitation doesn't apply to HSBC either - HSBC online users can delete payments just fine.

You should be OK.

td_007

I was planning to close the Tesco Saver anyway as the 1 year bonus period was coming to an end. Both Halifax Websaver Reward and Lloyds Saver give better rates @3%. I might open a new Tesco Saver if any offer of additional Tesco points come along - which is what I had done the previous two times. So for now it is bye bye Tesco.

northerner77

ChiefGrasscutter wrote: »

It will probably work by storing a super cookie on your computer.
A&L has much the same sort of thing. If you used ccleaner it cleaned out all the cookies and supercookies and then the A&L login sequence asked some more questions.....The Tesco one from what I'm reading here looks like it will send an sms to your mobile if it detects a 'new' computer from the one you normally use - or can't find the cookie on an existing one.

Two factor security authorisation is becoming more common - even at logon stage.

If you happened to be in France or somewhere outside the UK when upgrading your details to the new system would it still store the supercookie on your PC? Nothing to do with the IP address?

ChiefGrasscutter

I'd imagine that it would store the cookie on the computer you were using at the time when you updated your login details to the new system...and regard that by default as your main computer. Tesco would probably not really want you upgrading your details and supplying critical info on a machine that was not as secure as possible - i.e your default computer and certainly not a cybercafe of suspect reputation!
One of the credit card providers uses the same sort of system for its online login, and likewise, when it upgraded its systems assumed that the computer you were using when you did the upgrade was your default machine. If it doesn't detect the cookie you get asked all sorts of additional security questions/passwords etc:
I think the the credit card company's system arrgmt is a bit smarter that the A&L one in that ccleaner etc doesn;t wipe the cookie/supercookie/flashcookie.

If Tesco wanted to be really smart I'd put into the cookie something like an encrypted number which was derived from the serial number of the computer's motherboard plus date and time - which I'm sure the browser could extract. That way it would prevent some smart ar** copying the actual physical file of the cookie from one computer to another one in an attempt to get round the Computer ID verification.

As previously said by others when you switch off and switch back on your router (overnight for example) your ISP will re-allocate an IP address to you. Being dynamically allocated you will probably get a different one from the one you had the day before. So Tesco using IP address to check won't work in general - and certainly not for a security level degree of check. If you have specially requested (and paid more) for a special static IP address which is permenantely allocated to you and never changes it would - most normal/domestic internet users never need a static address.

As a complete aside, your ISP will of course have a record of which computer's router was allocated which IP address over what time spans, so if some "illegal" activity was logged by some system somewhere the IP adress would be noted and the ISP then "asked to provide" the home address that the IP was connected to at the time of the incident.

Your ISP will have a range of IP address to allocate to its customers - so for a given address anyone can easily "guess" who the ISP is likely to be.
IP address's from foreign ISP will have different ranges - this is how BBC can block iplayer from use outside the UK and how banks can know an account is being accessed from outside the UK

Qute how this will affect those who log in via corporate networks using the same/different computer I don't know (network experts please!). It could be that virtually every time they login they are detected as using a "different computer". On the other hand some corporate system copy a 'users profile' across when users swap computers so Tesco's system may not be capable of realising that its a different physical computer. It all depends on how clever/complex is the info stored in the cookie.....all of which is beyond my knowledge...sorry!