KENT RELIANCE personal data harvesting: am I married to the M*f*a???

VT82

codger wrote: »

Or is this actually something else: the deliberate use of an application process involving the collection of highly personal data not to determine the quality of an application but to manage the quantity of applications?

In other words: to manage demand for a financial product in such a way that this management isn't seen to be obvious?

Ways in which a financial institution might manage demand for a bog stadard savings product (in rough order of preference):

Remove it from paid-for spots on comparison websites.
Withdraw the product.
Cut the rate.
Introduce a minimum balance requirement.
Remove the product from one of the existing channels (branch/direct/web).
Limit the product to certain applicants (existing customers/certain post codes etc.)
Lower the maximum balance.

I don't think 'adding in an unnecessary and arbitrary administrative burden to applicants, just to see who will still bother to apply, and risks generating bad will with our potential customers, who might go as far as to throw shade at us online' would feature on the list when they have so many other options available to manage volumes.

codger

Thanks to everyone who took the time and trouble to post here. The contributions have been informative.

This morning we applied online for Virgin's instant access savings account. Virgin has no idea who we are because we've never dealt with it before. Not its trains, planes, bank, credit card or cable broadband.

As a first stage, Virgin sought to establish an online user account, this to relate to any of its financial products. The user account was created without difficulty. A pause of no more than 30 seconds occurred before Virgin then switched us to the second stage of the process, this the application for the actual instant access savings product.

At the conclusion of this process a further 30 second wait occurred before Virgin confirmed that the application was accepted and the account was now in the process of being created. Virgin provided the account number (of our new savings account) and sort code so we could set up the paying in facility from our joint bank account. It also deposited two private messages in our new Virgin online account inbox and sent us three separate messages to our email address.

From start to finish, the application / acceptance process took 24 minutes.

At no stage did Virgin ask for either my National Insurance number nor my wife's. (As will be appreciated, Kent Reliance's request for that specific information did -- and still does -- concern us, but we assumed it needed to know this so as to ensure effective checking of the application.)

Virgin did, however, stipulate that the online user account password must include special character(s) as well as lower and upper case characters and numerals. By contrast, Kent Reliance stipulated that the user account password must not include special characters.

Kent Reliance has since been in touch with us. Unfortunately it has not proved possible for it to say why it needed to have applicants' individual National Insurance numbers when it still requires a Minister of Faith -- or similar echo of 19th Century respectability -- to be privy to our personal affairs, such personage to certify a copy of documentation which will help prove that the individual which the application clearly identifies as the named co-holder of the nominated bank account (because her name is on that bank account along with mine) and asserts to be the named co-resident of an address occupied for more than 10 years (because her name is on the Electoral Roll along with mine) is indeed just that.

This personage, or similar, would presumably also assist Kent Reliance in establishing that Mrs C is alive and well and A Real Person rather than a fraud, all of this chicanery -- the setting up of phony bank account dating back 30 years; the falsifying of Electoral Roll information; the creation of an entirely fake National Insurance number -- for the purpose not of actually borrowing anything from Kent Reliance but of sticking money in its coffers for it to freely and profitably use in exchange for paying out a few quid a year in interest.

Quite how the manual process of document signing, document sending etc et al does more in the way of identity confirmation than a check with the bank or the Electoral Register -- we learn from this thread that the latter can not only be done easily, but done. . . instantly -- I've no idea.

Anyway. Kent Reliance has now closed the application and all data will be destroyed. To calm bowlhead99's obvious anxieties on this point, Kent Reliance seems unlikely to report us to the authorities. Though bowlhead99 must presumably have come across cases where p1ssed off users of financial services are subject to extraordinary rendition, such seems unlikely here.

Lest anyone be wondering why this OP was made, it stems from the fact that we all of us live in a Society where it too often seems that questions are asked for the sake of it and sensitive information -- as here: the NI numbers -- is sought yet without evidence that such was ever truly needed. So used have folks become to being asked this, that and the other that many are easy prey for scammers.

Kent Reliance's requirement of the online provision of highly detailed personal information seemed to us evidence of the existence of sophisticated checking systems deployed as much for our benefit as its own. Given the wealth of data provided -- far more than we've ever been asked to give to any source, of any type, hitherto -- we were then baffled that the process was stalled without reasonable explanation and resort to the snail-mail submission of third-party certified documentation insisted upon.

We never felt Kent Reliance was harvesting data for marketing purposes. Nor have I ever said so. The thought did occur that this might in some bizarre way, have something to do with demand management but the comments on this thread show such a notion to have no validity.

It seems, then, that either Kent Reliance's checking systems aren't as clever as we thought they were -- its approach to user security certainly isn't: prohibition of the use of special characters in an online password says little for its understanding of security -- or, as Dunston kindly pointed out, we were the subject of a random audit.

Clearly, then, we struck lucky with Virgin this morning: 24 minutes. And no. It doesn't want our National Insurance numbers at all.

Thanks again, everyone.

colsten

Why is your NI number any more sensitive than your other personal data?

Tens of millions of people have been giving their NI number to their employers for several decades. It's also been on the ER ever since the ER existed. Several millions of ISA holders have been giving their NI numbers to the ISA providers for well over a decade. Millions of students give their NI number to the Student Loan Company when applying for a loan.

With the new savings allowances and the forthcoming personal tax account, I wouldn't be surprised if all banks and building societies will require the NI number for not just ISAs but for all interest paying accounts, in order to uniquely attribute the interest to a single person.

bowlhead99

codger wrote: »

From start to finish, the application / acceptance process took 24 minutes.

Oh. I thought you were going to blow our minds with some slick demonstration of how Virgin's impressive onboarding process only takes five minutes while Kent had taken twenty minutes or something.

But it took you almost half an hour, even though pretty much all you were doing was typing in your names and address and chosen password? Either you're a slow typist or they are not a paragon of efficiency either.

At no stage did Virgin ask for either my National Insurance number nor my wife's.

So, they're stuck in the dark ages while other more modern and forward-thinking financial institutions are moving on and following newer regulations. Is that a good thing?

They'll have to get the details from you in due course instead. Maybe they offer good interest rates because they haven't yet invested money in upgrading their systems and procedures thus far, failing to get an explicit confirmation of tax residency accompanied by a tax ID because they haven't built out their databases to capture the information properly yet.

Ah well, at least it'll give you the opportunity to come back on here in a year or two's time and rant about how this bank you've been with for two years is suddenly demanding new information that they have done without since 2016, why couldn't they have just got it at account opening, moan moan moan.

(As will be appreciated, Kent Reliance's request for that specific information did -- and still does -- concern us, but we assumed it needed to know this so as to ensure effective checking of the application.)

.
Correct, as it is a unique personal identifier it helps confirm who you say you are, together with enabling them to document the fact that you are registered under the UK income tax system. This helps ensure they report your interest and balances as a UK resident in a way that HMRC can easily capture, and flag you up as someone reportable for UK tax purposes as opposed to someone who might need to be reported to the French, German or US authorities instead.

Virgin haven't bothered to do this because they are just fudging along under their old procedures. Shame.

Virgin did, however, stipulate that the online user account password must include special character(s) as well as lower and upper case characters and numerals. By contrast, Kent Reliance stipulated that the user account password must not include special characters.

.
So, your password at Virgin will be harder for you to remember and probably cause you to need write it down somewhere, where it can be found by a colleague or family member or burglar. While the password you have at Virgin is still just a string of characters found on a conventional computer keyboard and so not really inherently harder for a "bad guy" to guess at or attack with the help of a computer.

Quite how the manual process of document signing, document sending etc et al does more in the way of identity confirmation than a check with the bank or the Electoral Register -- we learn from this thread that the latter can not only be done easily, but done. . . instantly -- I've no idea.

.
Well, for example, if I know the name and address and date of birth of your wife, I could supply it to Virgin, ask that they look it up on the electoral register, which verifies that someone with that name and date of birth does indeed live at 1 High Street Anytown, and request that they create an account in her name using a password I specify, and then deposit my own money into it.

I could then use that account for my own terrorism and money laundering purposes without your wife even knowing, and later run off without being detected and have the trail of criminality lead to your wife. It might not be a massive inconvenience to your wife because she would assert that she knew nothing of this dodgy account in her name. But I would likely get out of there scot free.

By contrast, Kent want to get a copy of your wife's personal identity document, certified by a solicitor or accountant or someone who works in a regulated financial services business. Rather than just open up an account in the name of Mrs C Odger simply on the basis that a criminal is able to correctly tell them that a C Odger has lived at 1 High Street for ten years.

Kent don't seem to be bad guys to me. But feel free to misinterpret it however you like.

Kent Reliance's requirement of the online provision of highly detailed personal information seemed to us evidence of the existence of sophisticated checking systems deployed as much for our benefit as its own. Given the wealth of data provided -- far more than we've ever been asked to give to any source, of any type, hitherto -- we were then baffled that the process was stalled without reasonable explanation and resort to the snail-mail submission of third-party certified documentation insisted upon.

Good job you were able to come here and have us educate you. Please, be baffled no more.

redux

Some savings and investment firms ask for National Insurance number, and some don't, and it doesn't seem to depend on whether it is or isn't an ISA.

When it comes to having to send off original documents or certified copies, this can be tedious. More than once these firms either lose them or are very slow indeed to return them.

Years ago I applied for a loan by post and was sent back all the documents of a couple about 150 miles away. I sent them back to the bank and asked for mine, and never received even a letter of thanks and apology let alone my own stuff.

More recently I had to ask Capita 4 times in 3 months about an original letter they'd had, proving both my address and national insurance number, which I thought might be convenient to have back ready for the next such request.

dunstonh

Firms have to interpret the guidelines how they feel is appropriate. There is no industry standard here. Some electronic checking software will check NI number is valid. it can also be useful for weeding out non-residents. So, whilst it is not needed, I can see why some may choose to request it.

In respect of proof. Some will accept photocopies without certification. Some will require certification, some want the original to prove the copy has not been tampered. Sometimes their decisions will be based on events that have occurred. Upheld complaints, regulatory pressure, compliance officers being more concerned about risk than others, being victim to a fraud.

When a firm gets an audit from the FCA, they will look at the processes and if they feel there are failures, that firm may then be required to jump through more hoops in that area than is normally required. This has happened a number of times with banks in the past.

As there is no standard, this is what you get.

pafpcg

bowlhead99 wrote: »

While the password you have at Virgin is still just a string of characters found on a conventional computer keyboard and so not really inherently harder for a "bad guy" to guess at or attack with the help of a computer.

Sorry, I know it's veering off topic, but may I gently disagree with the "not really"?

Humans do tend to select passwords based on whole words which makes guessing passwords using a "dictionary" attack much easier. I don't know what rules Virgin enforce for their passwords but if any password has to contain non-alphanumeric characters, for example punctuation, then using a dictionary becomes less viable and only the "brute force" approach (using all possible combinations of all possible characters) will work. By expanding the number of possible characters (upper- and lower-case alphabetic, numeric, punctuation and symbols available within the 96 possibilities allowed in the 7-bit data interchange code, most of which are displayed on the keyboard), you can make the brute force approach rather arduous.

Use long passwords employing the full-range of available characters!
I only wish more institutions would allow more than just alphabetics and numerics.

PS: when setting-up passphrases for computer-to-computer identification across insecure networks, I used to use pass-phrases of hundreds of random characters selected from the full 256 characters available in the 8-bit code. The time required to crack that sort of password using the brute force approach on current technology is prohibitive.

greenglide

But in practice someone trying to gain access to your account will only have 3 (or maybe 6) attempts to guess the password before being locked out. They could, of course, try once or twice, wait until you had successfully logged on yourself and then try again - after a couple of lifetimes....

A truly secure password is all that is needed. Special characters are useful and I expect them to be allowed but not bothered about them being mandatory.

bowlhead99

pafpcg wrote: »

Use long passwords employing the full-range of available characters!

A massive proportion of people, when their password is rejected and they're told that it must include special characters like !"£$%^&~# , will look at their existing preferred password and just do exactly what you did when constructing that sentence. Stick an exclamation mark on the end of it.

Similarly for "must include upper and lower case letters". Change the first letter to be a capital.

Anything too tricky is going to be written down and defeats the point of having it be a 'secret' code. So while on the face of it the bank is giving them the option to use more characters which is a good thing, people generally don't take advantage and any comfort that their password is now going to be uncrackable is misplaced.

For example if you have 52 upper/lowercase letters and 10 numbers for 62 total choices, and a password that can be 20 characters long, that's a decent amount of processing time to bruteforce. Adding 10 or so special characters to make it 72 doesn't really make it conceptually more difficult. Obviously it does make it take exponentially longer if you allow more and more special characters to the max of 95 total printable characters allowed by Ascii; but as the online login screens only give a few goes before locking you out, you can assume someone who is bruteforcing it is playing in the back end and has much more time on their hands.

The idea of stopping dictionary attacks is fine, but simply having part of the password be something that isn't in the dictionary (like MSE or bowlhead99 or pafpcg) may have similar effect, as can a deliberate misspelling (e.g. don't use "RaymondLuxuryYacht", use "RaymondLuxuryYahct")

As someone with an IT background, you're probably intimately familiar with xkcd and therefore will know what's going to be in the link before you click it : https://xkcd.com/936/

Plus

codger wrote: »

Thanks to everyone who took the time and trouble to post here. The contributions have been informative.

This morning we applied online for Virgin's instant access savings account. Virgin has no idea who we are because we've never dealt with it before. Not its trains, planes, bank, credit card or cable broadband.

You do realise that Virgin is just a 'brand'? Virgin Trains are mostly Stagecoach, Virgin Media is NTL-Telewest in a posh frock. Virgin Money is mostly Northern Rock though they did have a small savings/investment outfit beforehand they merged.

As a first stage, Virgin sought to establish an online user account, this to relate to any of its financial products. The user account was created without difficulty. A pause of no more than 30 seconds occurred before Virgin then switched us to the second stage of the process, this the application for the actual instant access savings product.

At the conclusion of this process a further 30 second wait occurred before Virgin confirmed that the application was accepted and the account was now in the process of being created. Virgin provided the account number (of our new savings account) and sort code so we could set up the paying in facility from our joint bank account. It also deposited two private messages in our new Virgin online account inbox and sent us three separate messages to our email address.

From start to finish, the application / acceptance process took 24 minutes.

At no stage did Virgin ask for either my National Insurance number nor my wife's. (As will be appreciated, Kent Reliance's request for that specific information did -- and still does -- concern us, but we assumed it needed to know this so as to ensure effective checking of the application.)

I opened a Virgin current account in-branch recently, and the process took about 45 minutes, a lot of which was intelligence gathering for marketing purposes. I gave mostly truthful but unhelpful answers; when asked if I had an ISA I told them about an ISA I had 50p in, not mentioning the others, telling them about the credit card I have but don't use, etc. They did ask for the usual info like employer, salary, etc that current account applications ask for.

They didn't ask for it, but I'm not so worried about telling savings providers my NI number: now they're paying interest with no tax deducted, I suspect HMRC is going to want them to report that and the NI number is the key to doing so. Unlike the USA, the NI number is not treated as secret and doesn't allow them access to any records, it just allows them to report to HMRC.

It seems, then, that either Kent Reliance's checking systems aren't as clever as we thought they were -- its approach to user security certainly isn't: prohibition of the use of special characters in an online password says little for its understanding of security -- or, as Dunston kindly pointed out, we were the subject of a random audit.

It may be that their procedure is designed around in-branch customers, where they can easily check ID, and extends less well to remote customers. I thought KR was one of the larger building societies though which you'd expect be more geared up to remote customers.