Marks and Spencer &More credit card balance transfer woes

In December I applied for an M&S &More credit card in order to take advantage of their life-of-balance low interest balance transfer offer.

The card (but not my PIN) arrived at the beginning of January and I completed the paperwork to arrange my balance transfer.

After a week or so, I phoned up to check whether a PIN had been sent, and since I was on the line, to check whether my balance transfer had been processed. No, but they'd somehow managed to apply a balance transfer (which I had not authorised) from somebody else's card to my account! So, they said they'd cancel that, take the details for my balance transfer again, and send a PIN.

After about another week, still no PIN, and still no sign of my balance transfer. So I phoned again, only to discover no record of my PIN request and, hey, presto, yet another unauthorised balance transfer. So, I give them the details again, and they arrange to cancel the bogus transfer..

Fast forward to today, PIN has eventually arrived in the interim period, but still no sign of my balance transfer. So, I phone again. The call centre agent confirmed that the erroneous transfers had indeed been cancelled, and that my balance transfer had been processed, but not until at least a week after I had last phoned..

On this occasion, the agent also asked for what seemed like an excessive amount of 'security data': address, birthday, mother's maiden name *and* employer's name. While asking for one, or two, of these is normal, it seems a little over-the-top to ask for so much? Then, as the call progressed, he also asked for the expiry date of my card, and the Card Security Code. I refused to give the Card Security Code as, mindful of recent reports of data-harvesting operations at crooked call centres, I was under the impression that, similarly to a PIN, it should not be divulged, not even to bank staff, and the only time it should be given is on secure web forms for CNP transactions? I have to say, this does give me concerns that this call centre may not be as secure as it should be.

Frankly, I'm not impressed with this at all, and will be writing to M&S Money (assuming that the mail is actually answered in the UK and not South Asia[1]), to complain about the poor level of service their offshored call centre provides, *and* to M&S to let them know how this is damaging their brand (I know they don't operate M&S Money, but any business needs to ensure that whoever it licenses its name to meets the standards you would expect under that name).

[1] If the staff in South Asia can do the job competently, professionally, honestly and securely, fine, but it seems that they're failing on at least one of these grounds..

Comments

  • david72
    david72 Posts: 128 Forumite
    I suppose I should be fair and note that, at long last, my balance transfer now appears to have taken place and has shown up in my existing credit card balance. I do hope that's the only transaction that shows up on my next M&S statement, and that they don't manage to create any more bogus ones. Honestly, 6 weeks, and multiple phone calls, just to sort out what ought to be a simple transaction..
  • Crabman
    Crabman Posts: 9,936 Forumite
    It should be a simple transaction, I'd be wary of any call centre employee asking for a strangely large amount of 'security information'. It rings bells with the HSBC call centre in India which was responsible for the disappearance of a large amount of money from customers' accounts... be very wary when using anything to do with finances, be that internet, post or phone.
  • No_6
    No_6 Posts: 835 Forumite
    If you buy something online,
    you give your card number
    expiry date
    and 3 security numbers.

    ?

    6
  • david72
    david72 Posts: 128 Forumite
    Crabman wrote:
    It should be a simple transaction, I'd be wary of any call centre employee asking for a strangely large amount of 'security information'. It rings bells with the HSBC call centre in India which was responsible for the disappearance of a large amount of money from customers' accounts... be very wary when using anything to do with finances, be that internet, post or phone.

    That does rather worry me! M&S Money = HSBC! After all of the messing around I have endured, I have written to M&S Money about my concerns, including about being asked for rather a lot of security information, so at least they have a record in writing from me if something fraudulent should happen (touch wood it won't).

    Oh, and say a big "Hi!" to Joy for me, Crabman ;)
  • david72
    david72 Posts: 128 Forumite
    No_6 wrote:
    If you buy something online,
    you give your card number
    expiry date
    and 3 security numbers.

    ?

    6

    That's what I wrote. Hence I was concerned that the credit card company was asking for this information, as I was under the impression that it should only be given during CNP transactions. You're expressly told not to give out your PIN to bank staff; I assumed that similar rules applied for the CSC. By the point in the conversation that this occurred, my suspicions had already been raised, so I took the cautious option.
  • david72
    david72 Posts: 128 Forumite
    Hmm, HSBC are fast convincing me that their initials really stand for Hopelessly Shambolic Banking Corporation..

    My &More credit card statement date is supposedly just before the end of the month, but as of yet, last month's statement hasn't arrived, after a week: my post isn't usually quite that lousy. So I phoned up the call centre: "Oh, you have to allow two weeks after the statement date for it to arrive". Two weeks?! Sheesh, where are they posting them from? (I have a horrible feeling I can guess where they're posting them from, it's somewhat further to the east than the UK, isn't it?)

    So, when's the payment date? It turns out it's only just over three weeks from the "statement date". In other words, I might well end up only having the statement for just over a week before payment is due, which doesn't give much time to arrange a payment (I'm very reluctant to let Have Somebody-else's Balance-transferred-to-your Card have a Direct Debit). What on earth is the point of having a supposed "statement date" that is two weeks before you ever get to see the actual statement? That seems barely legal to me.

    They're really not doing a good job of convincing me that they're a competent banking institution to ever use in the future. Admittedly, the sole reason I have this card is for the balance transfer offer, but it'll certainly be getting cut up and cancelled as soon as I've paid it off (meaning that they lose a potential longer-term customer), and this experience means I doubt I will ever choose HSBC for any financial service in the future.
  • RCA_2
    RCA_2 Posts: 70 Forumite
    Can I just point out that when you call we have your security info in front of us as well as other such as your application, your scores, charges applied, statements, your bank details... In short, every little bit of info we have is right there in front of us. So when we ask security info we are only checking it with what we are already looking at. How can questioning you be a breach of security? In my opinion it makes it more secure. If we wanted to pinch your details we sure as hell wouldn't ask you the questions, would we?
  • david72
    david72 Posts: 128 Forumite
    RCA wrote:
    Can I just point out that when you call we have your security info in front of us as well as other such as your application, your scores, charges applied, statements, your bank details... In short, every little bit of info we have is right there in front of us. So when we ask security info we are only checking it with what we are already looking at. How can questioning you be a breach of security? In my opinion it makes it more secure. If we wanted to pinch your details we sure as hell wouldn't ask you the questions, would we?

    Well, obviously I wasn't to know that.

    However, that strikes me as a very insecure way to run the system. It relies absolutely on the trustworthiness of the call centre staff, and human nature being as it is, that isn't always the case. What is needed is a system that minimises the capability and scope for misuse of trust.

    When you consider system security, it is always best to have the fewest number of people knowing the least amount of information required. In a well-designed system, the computer screen should not display all of the information at once. The system should require further keypresses or authentication (of the agent) to show different pages of data. That way, if an agent looks up my bank account details (for example), this can then be logged. If there was no legitimate reason for this (eg, a legitimate reason might be my querying whether a direct debit had been correctly taken), then suspicions could be raised if the agent's actions did not match what the call log suggested was appropriate. By making all of the customer information available, this protection is lost.

    Given that HSBC have, what is it, 5 or 6 items of security information for me, what should happen is that I am asked for perhaps 2 or 3 of them (or for a subset of letters from them, for even greater security), and the information required is all that the agent is allowed to see. That way, it is impossible for a rogue agent to see all of a customer's information at once (and the chances of the rogue agent acquiring all of the data over several calls is considerably minimised). Arguably, the agent should not even see the data at all: the system should, just like a login password, merely respond whether the data keyed is correct or not.
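
The design described in the post above, sketched as an added example (it is not part of the original thread and is not M&S Money's or HSBC's system): security answers are stored only as salted hashes, each call asks for a random subset, the agent's screen gets back a yes/no result, and every check is logged against the agent. All names (`VerificationService`, `cust-001`, `agent-17`, the field names) and the sample answers are hypothetical and constructed for illustration.

```python
import hashlib, hmac, os, secrets

def _digest(answer: str, salt: bytes) -> bytes:
    # Normalise case and whitespace, then stretch with PBKDF2 so the stored
    # value cannot simply be read back off a screen or a database dump.
    norm = " ".join(answer.lower().split()).encode()
    return hashlib.pbkdf2_hmac("sha256", norm, salt, 100_000)

class VerificationService:
    """Holds security answers as salted hashes; agents only ever get True/False."""

    def __init__(self):
        self._records = {}   # customer_id -> {field: (salt, digest)}
        self.audit_log = []  # (agent_id, customer_id, field, outcome)

    def enrol(self, customer_id: str, answers: dict) -> None:
        rec = {}
        for field, value in answers.items():
            salt = os.urandom(16)
            rec[field] = (salt, _digest(value, salt))
        self._records[customer_id] = rec

    def challenge(self, customer_id: str, count: int = 2) -> list:
        # Ask for a random subset, so no single call exposes every item.
        fields = list(self._records[customer_id])
        return secrets.SystemRandom().sample(fields, count)

    def verify(self, agent_id: str, customer_id: str, field: str, keyed: str) -> bool:
        salt, stored = self._records[customer_id][field]
        ok = hmac.compare_digest(_digest(keyed, salt), stored)
        # Every check is attributed to an agent so unusual lookups can be reviewed.
        self.audit_log.append((agent_id, customer_id, field, ok))
        return ok

def demo():
    # Constructed sample data, not real customer details.
    svc = VerificationService()
    svc.enrol("cust-001", {
        "postcode": "AB1 2CD", "date_of_birth": "01/02/1970",
        "mothers_maiden_name": "Example", "employer": "Acme Ltd",
        "memorable_word": "lighthouse",
    })
    asked = svc.challenge("cust-001")
    wrong = svc.verify("agent-17", "cust-001", "employer", "Other Co")
    right = svc.verify("agent-17", "cust-001", "employer", "acme  ltd")
    return asked, wrong, right, svc.audit_log

if __name__ == "__main__":
    print(demo())
```

Hashing keeps answers off the agent's screen, but low-entropy items such as a date of birth remain guessable by anyone holding the stored hashes, so the database itself still needs access control. The "subset of letters" variant mentioned in the post would need per-character storage and is not covered here.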
This discussion has been closed.