RBS online security

c_smith · 6 July 2012 at 10:09AM

This just gets better. It seems that not only did the fraudsters contact the bank to have both my security number and password reset at the same time, but they gave them a new email address for the purposes of doing so!

I'm sorry, but alarm bells would have been ringing for me when they asked to reset two separate security codes at the same time, never mine, "oh, and I've changed my email address as well, will you please send the reset information to that"!!

I also contacted them again yesterday to find out when my new debit card and direct banking activation codes would be arriving to be told that I need to go down to my branch to have that sorted out. I was told last week by someone from the fraud dept that I would receive a new card and direct banking activation code in the post ........ more incompetence.

The only thing I will say is that when I went to the branch today, they couldn't have been more helpful. Unfortunately the same can't be said of the muppet I spoke to last week. I will be escalating this to a formal complaint with the bank as these are serious issues that need addressed. I'm also thinking I should notify the ombudsman service and the information commissioner.

mr_fishbulb · 6 July 2012 at 12:00PM

stclair wrote: »

If you click you do not have a debit card ask for some details then says we will send you an activation code in the post.

I don't bank with RBS but I would have thought this too. Every other Internet Banking site I have used have done passwords through the post. That way you don't have a call center employee who knows your password as they read it out to you.

Melontwist · 6 July 2012 at 7:43PM

Mandelbrot wrote: »

Is the password resetting operation based in the UK or India?

It's in the uk in Birmingham

Melontwist · 6 July 2012 at 7:45PM

c_smith wrote: »

This just gets better. It seems that not only did the fraudsters contact the bank to have both my security number and password reset at the same time, but they gave them a new email address for the purposes of doing so!

I'm sorry, but alarm bells would have been ringing for me when they asked to reset two separate security codes at the same time, never mine, "oh, and I've changed my email address as well, will you please send the reset information to that"!!

I also contacted them again yesterday to find out when my new debit card and direct banking activation codes would be arriving to be told that I need to go down to my branch to have that sorted out. I was told last week by someone from the fraud dept that I would receive a new card and direct banking activation code in the post ........ more incompetence.

The only thing I will say is that when I went to the branch today, they couldn't have been more helpful. Unfortunately the same can't be said of the muppet I spoke to last week. I will be escalating this to a formal complaint with the bank as these are serious issues that need addressed. I'm also thinking I should notify the ombudsman service and the information commissioner.

What you are saying doesn't quite add up. The telephony team for Internet banking do not have the option to reset your pw or pin for online. If you are a potential victim of fraud we will freeze your online account and then put a stop on your card. We will try to contact you with the most up to date number we hold.
If the information needs to be reset, we will send an activation code in the post.
It sounds as if someone has well and truly hacked your personal infor action, and I a, assuming depending on the details they gave and how they asked for access would of determined what they achieved.

c_smith · 6 July 2012 at 9:17PM

Melontwist wrote: »

What you are saying doesn't quite add up. The telephony team for Internet banking do not have the option to reset your pw or pin for online. If you are a potential victim of fraud we will freeze your online account and then put a stop on your card. We will try to contact you with the most up to date number we hold.
If the information needs to be reset, we will send an activation code in the post.
It sounds as if someone has well and truly hacked your personal infor action, and I a, assuming depending on the details they gave and how they asked for access would of determined what they achieved.

It certainly doesn't add up, which is what concerns me. Someone has managed to get my customer ID number and enough information to have the security number and password reset to gain online access to my accounts. Where they got this information is a concern, as I am very careful with my personal information and online security. Nothing with personally identifiable information even goes in my bin without first going through the shredder.

Some of the information we are talking about is known only to me and the bank, and I know I didn't pass any of it out. Could it have been a rogue employee, hacked systems during the "IT issues" the bank have been having, or simply that an employee lost or mislaid the information?

To make matters worse, I only found out today from the branch, that my direct banking email address had been changed to one I have never heard of. It seems the fraud team failed to pick up on this and if I hadn't found out from the branch today, a week and a half after the incident, what further damage and personal data could have been given out to the persons concerned.

Melontwist · 8 July 2012 at 10:50AM

c_smith wrote: »

It certainly doesn't add up, which is what concerns me. Someone has managed to get my customer ID number and enough information to have the security number and password reset to gain online access to my accounts. Where they got this information is a concern, as I am very careful with my personal information and online security. Nothing with personally identifiable information even goes in my bin without first going through the shredder.

Some of the information we are talking about is known only to me and the bank, and I know I didn't pass any of it out. Could it have been a rogue employee, hacked systems during the "IT issues" the bank have been having, or simply that an employee lost or mislaid the information?

To make matters worse, I only found out today from the branch, that my direct banking email address had been changed to one I have never heard of. It seems the fraud team failed to pick up on this and if I hadn't found out from the branch today, a week and a half after the incident, what further damage and personal data could have been given out to the persons concerned.

The reason I am dubious that it's the bank is because we have no idea of your pins or password or numbers etc, we don't even know the last 3 digits on the bal of your card???

c_smith · 8 July 2012 at 11:04AM

Melontwist wrote: »

The reason I am dubious that it's the bank is because we have no idea of your pins or password or numbers etc, we don't even know the last 3 digits on the bal of your card???

I don't doubt that bank employees don't have access to my pins or passwords, that would be a huge security issue. The point here is that both of these were reset using other information the bank hold on me and it's the fact that this was so easy for someone to do which concerns me.

Have a read at this news article, do a google search and you'll find many more along the same vein. Doesn't fill you with confidence about Data Protection, does it?

http://www.thesun.co.uk/sol/homepage/news/3727561/Brits-bank-data-sold-for-pennies-by-Indian-call-centres.html

Melontwist · 8 July 2012 at 11:11AM

I've just read the article and to be honest those details can be supplied not only by your bank by pretty much n e one u have credit with or a dd set up with...

jalexa · 8 July 2012 at 11:20AM

Melontwist wrote: »

The reason I am dubious that it's the bank is because we have no idea of your pins or password or numbers etc,

What *exactly* are you saying? Perhaps you are saying it's the computer which selects which characters of the Security Number and Password gets requested?

Anyway the issue is "reset" not authentication using the Security Number and the Password. The personal identity and account information that RBS requires for an online reset (possibly including "immediate" access) is clear for anybody to see.

The Direct Banking telephone authentication for online users is identical. Are you saying there is no telephone "reset" process for telephone Direct Banking customers who do not use online? If you are not saying that how does the telephone "reset" process differ from the online "reset" process?

Edit: just seen your more recent post "to be honest those details can be supplied not only by your bank by pretty much n e one u have credit with or a dd set up with". That also applies to certain information required of the online "reset" process.

c_smith · 8 July 2012 at 11:37AM

Melontwist wrote: »

I've just read the article and to be honest those details can be supplied not only by your bank by pretty much n e one u have credit with or a dd set up with...

We were given bank account details, personal data and credit card numbers with the three-digit CVV security code needed for use on the phone or web. There were even online account passwords.

CVV codes and online account passwords? I don't think there are many places, outside of the bank, that would readily have access to such informaiton.

At a later meeting at Delhi’s Hyatt hotel, Chuphal said he had more than 25 insiders at nine call centres. Directors or team leaders make about £400 a month by stealing data — doubling their salaries.

Don't you find it worrying that certain banks, knowing that this is going on, are still happy to outsource to India? They are putting profit before customer security.

RBS online security

Comments

Confirm your email address to Create Threads and Reply

🚀 Getting Started

Categories

Is this how you want to be seen?

Get our FREE Weekly email full of deals & guides - and it’s spam-free