Tandem 3% fixed rate saver
Comments
-
I had one of these rush rush sign up today for 1.1% emails. I followed the link - It's everything your bank will tell you NEVER to do. Rush at something because it looks too good to be true, and install an app which your phone tells you is not to be trusted. So I checked the SSL certificate of the tandem site and found they use a FREE Let's Encrypt certificate, and some more digital digging see that the infrastructure is hosted in the cloud by AWS. The above is all available to any 16 year old pretty much for free - you don't have to prove your identity - so it could be run from anywhere. As I would expect all financial institutions to have a domain verified SSL certificate - on balance I decided it wasn't worth the risk. The excuse it's only a Beta and all exactly as they intend it to be - I think would be a convenient ploy if someone has ulterior motives. You only find it's gone and unregulated when you come to withdraw your money!
5 -
I applied for and was offered the 0.9% one year fixed saver. (Late to the Tandem party I know!)
I read the threads here on the forum before proceeding.
I downloaded the app and registered an account.
It says on the app that they need to identify my genuine UK bank account which would be funding the Tandem account and asks me to link this. Why would they need that info? Surely the fact that it is being funded from a genuine UK bank and not by some random obscure means already assures them that the funds are ok?
The link goes to Truelayer.com which appears to be genuine, but under "What data am I sharing", it says the following:
Tandem will be able to read your:
Accounts
Balance
Transactions
Tandem will have recurring access to your data.
Why on earth do they need that access? The above three things are none of their business once - far less recurring!
I am asking this here as I can see quite a few ppl have opened accounts with them so I must guess that those ppl have accepted the above invasion of privacy! I have never come across a data request like this with any other bank or investment.
I am satisfied that Tandem is a genuine regulated FSCS bank but can't fathom why anyone would allow them this type of access to other account(s).
What am I missing pls?
0 -
> mar7t1n said:
> I had one of these rush rush sign up today for 1.1% emails. I followed the link - It's everything your bank will tell you NEVER to do. Rush at something because it looks too good to be true, and install an app which your phone tells you is not to be trusted. So I checked the SSL certificate of the tandem site and found they use a FREE Let's Encrypt certificate, and some more digital digging see that the infrastructure is hosted in the cloud by AWS. The above is all available to any 16 year old pretty much for free - you don't have to prove your identity - so it could be run from anywhere. As I would expect all financial institutions to have a domain verified SSL certificate - on balance I decided it wasn't worth the risk. The excuse it's only a Beta and all exactly as they intend it to be - I think would be a convenient ploy if someone has ulterior motives. You only find it's gone and unregulated when you come to withdraw your money!

You do realise the only difference between both those certificates is the price?
A domain verified SSL certificate complete with green address bar offers nothing more than the free Let's Encrypt SSL certificate does, an encrypted connection to the server listed in the certificate. That's it.
0 -
> kaMelo said:
> > mar7t1n said:
> > I had one of these rush rush sign up today for 1.1% emails. I followed the link - It's everything your bank will tell you NEVER to do. Rush at something because it looks too good to be true, and install an app which your phone tells you is not to be trusted. So I checked the SSL certificate of the tandem site and found they use a FREE Let's Encrypt certificate, and some more digital digging see that the infrastructure is hosted in the cloud by AWS. The above is all available to any 16 year old pretty much for free - you don't have to prove your identity - so it could be run from anywhere. As I would expect all financial institutions to have a domain verified SSL certificate - on balance I decided it wasn't worth the risk. The excuse it's only a Beta and all exactly as they intend it to be - I think would be a convenient ploy if someone has ulterior motives. You only find it's gone and unregulated when you come to withdraw your money!
> You do realise the only difference between both those certificates is the price?
> A domain verified SSL certificate complete with green address bar offers nothing more than the free Let's Encrypt SSL certificate does, an encrypted connection to the server listed in the certificate. That's it.

Mainstream web browsers would not give a green address bar for domain verified certificates. In fact, the most commonly used web browsers no longer display a green address bar for any type of certificate. Presumably the type of certificate being discussed is not domain validated, but rather organisation validated or extended validated. OV and EV certificates do have additional requirements, including confirming the legal entity and identity of the individuals operating the website. The details of that legal entity form part of the OV or EV certificate and can be displayed, normally when clicking the padlock icon.
I'm ambivalent about the use of Let's Encrypt and other DV providers vs OV and EV, but my employer blocks websites using Let's Encrypt, and one of our service providers that decided to try using a Let's Encrypt cert for their website has recently reverted to using a commercial CA in response to the commercial impact they observed.
1 -
I decided NOT to send my £20K to Tandem when Nationwide told me (after multiple attempts with different suggestions) that they couldn't validate the account. To be fair - I seemed to be sending my money to a sort code and account number...but had no reference number to allocate the money to ME. Decided to be safe rather than sorry.
#2 Saving for Christmas 2024 - £1 a day challenge. £325 of £3660
-
> JGB1955 said:
> I decided NOT to send my £20K to Tandem when Nationwide told me (after multiple attempts with different suggestions) that they couldn't validate the account. To be fair - I seemed to be sending my money to a sort code and account number...but had no reference number to allocate the money to ME. Decided to be safe rather than sorry.

The money was allocated to my account within a few hours and I had a text to tell me so. I can now see it in the app with no issues. Just in case that helps you.
1 -
> JGB1955 said:
> I decided NOT to send my £20K to Tandem when Nationwide told me (after multiple attempts with different suggestions) that they couldn't validate the account. To be fair - I seemed to be sending my money to a sort code and account number...but had no reference number to allocate the money to ME. Decided to be safe rather than sorry.

It is quite common for non-mainstream savings providers not to be part of the "Confirmation of Payee" system, even though they assign a unique sort code and account number for their savings accounts. If you are able to make multiple deposits then the simple solution is to send a test payment of £1, followed by the remainder once you've confirmed the original sum has been received.
0 -
> masonic said:
> > kaMelo said:
> > > mar7t1n said:
> > > I had one of these rush rush sign up today for 1.1% emails. I followed the link - It's everything your bank will tell you NEVER to do. Rush at something because it looks too good to be true, and install an app which your phone tells you is not to be trusted. So I checked the SSL certificate of the tandem site and found they use a FREE Let's Encrypt certificate, and some more digital digging see that the infrastructure is hosted in the cloud by AWS. The above is all available to any 16 year old pretty much for free - you don't have to prove your identity - so it could be run from anywhere. As I would expect all financial institutions to have a domain verified SSL certificate - on balance I decided it wasn't worth the risk. The excuse it's only a Beta and all exactly as they intend it to be - I think would be a convenient ploy if someone has ulterior motives. You only find it's gone and unregulated when you come to withdraw your money!
> > You do realise the only difference between both those certificates is the price?
> > A domain verified SSL certificate complete with green address bar offers nothing more than the free Let's Encrypt SSL certificate does, an encrypted connection to the server listed in the certificate. That's it.
> Mainstream web browsers would not give a green address bar for domain verified certificates. In fact, the most commonly used web browsers no longer display a green address bar for any type of certificate. Presumably the type of certificate being discussed is not domain validated, but rather organisation validated or extended validated. OV and EV certificates do have additional requirements, including confirming the legal entity and identity of the individuals operating the website. The details of that legal entity form part of the OV or EV certificate and can be displayed, normally when clicking the padlock icon.
> I'm ambivalent about the use of Let's Encrypt and other DV providers vs OV and EV, but my employer blocks websites using Let's Encrypt, and one of our service providers that decided to try using a Let's Encrypt cert for their website has recently reverted to using a commercial CA in response to the commercial impact they observed.

Hence my point, it's all about the money and offers nothing in enhanced security.
0 -
> kaMelo said:
> > masonic said:
> > > kaMelo said:
> > > > mar7t1n said:
> > > > I had one of these rush rush sign up today for 1.1% emails. I followed the link - It's everything your bank will tell you NEVER to do. Rush at something because it looks too good to be true, and install an app which your phone tells you is not to be trusted. So I checked the SSL certificate of the tandem site and found they use a FREE Let's Encrypt certificate, and some more digital digging see that the infrastructure is hosted in the cloud by AWS. The above is all available to any 16 year old pretty much for free - you don't have to prove your identity - so it could be run from anywhere. As I would expect all financial institutions to have a domain verified SSL certificate - on balance I decided it wasn't worth the risk. The excuse it's only a Beta and all exactly as they intend it to be - I think would be a convenient ploy if someone has ulterior motives. You only find it's gone and unregulated when you come to withdraw your money!
> > > You do realise the only difference between both those certificates is the price?
> > > A domain verified SSL certificate complete with green address bar offers nothing more than the free Let's Encrypt SSL certificate does, an encrypted connection to the server listed in the certificate. That's it.
> > Mainstream web browsers would not give a green address bar for domain verified certificates. In fact, the most commonly used web browsers no longer display a green address bar for any type of certificate. Presumably the type of certificate being discussed is not domain validated, but rather organisation validated or extended validated. OV and EV certificates do have additional requirements, including confirming the legal entity and identity of the individuals operating the website. The details of that legal entity form part of the OV or EV certificate and can be displayed, normally when clicking the padlock icon.
> > I'm ambivalent about the use of Let's Encrypt and other DV providers vs OV and EV, but my employer blocks websites using Let's Encrypt, and one of our service providers that decided to try using a Let's Encrypt cert for their website has recently reverted to using a commercial CA in response to the commercial impact they observed.
> Hence my point, it's all about the money and offers nothing in enhanced security.

Perhaps you missed the bit where I mentioned "OV and EV certificates do have additional requirements, including confirming the legal entity and identity of the individuals operating the website. The details of that legal entity form part of the OV or EV certificate and can be displayed, normally when clicking the padlock icon." That does offer some enhanced security you don't get with DV.
The other part of my post concerned the blocking of Let's Encrypt DV certs, and perhaps my reason for mentioning was a little abstruse, but to clarify, organisations are starting to block LE certs because they are disproportionately involved in phishing attacks and the like.
They can go so far as to educate employees to look for the padlock icon, but it seems they find it valuable to take out a load of spurious websites by blocking sites using LE certs with very little collateral damage. Which rather reinforces mar7t1n's view that a significant player using LE to sign their certs should arouse some suspicion. It would certainly be prudent to take extra precautions when faced with such a situation, such as checking the Financial Services Register, which normally contains the website address for the genuine company website, which you can check matches.
Having said all of that, I'm not sure where the website comes into it. My understanding, having used Tandem in the past, is that everything is done in the App, so the website generally just contains information and directs people to the App Store to download the App. As such, there is little value to Tandem paying for an OV/EV cert, given customers are not going to be entering any sensitive information on the website.
0 -
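An added example, not part of any forum post: the DV versus OV/EV distinction debated in this thread, and the check of a site's hostname against the address listed on the Financial Services Register, expressed over the dictionary that Python's `ssl.SSLSocket.getpeercert()` returns. The function names, the subject-field heuristic and both sample certificates are assumptions constructed for illustration.

```python
# Subject attributes that appear together only in extended-validation certs.
EV_ONLY = {"businessCategory", "jurisdictionCountryName", "serialNumber"}

def _flatten(rdns):
    """getpeercert() nests each name as tuples of (key, value) pairs."""
    return {key: value for rdn in rdns for key, value in rdn}

def validation_level(cert):
    """Heuristic: DV names no organisation, OV names one, EV adds registration data."""
    subject = _flatten(cert.get("subject", ()))
    if "organizationName" not in subject:
        return "DV"
    return "EV" if EV_ONLY.issubset(subject) else "OV"

def issuer_org(cert):
    """Organisation of the issuing CA, the field a proxy block rule would key on."""
    return _flatten(cert.get("issuer", ())).get("organizationName")

def covers_host(cert, host):
    """True if host matches a DNS subjectAltName; '*' stands for one label only."""
    host = host.lower().rstrip(".")
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False

# Constructed samples in getpeercert() format; not taken from any real site.
DV_SAMPLE = {
    "subject": ((("commonName", "savings.example"),),),
    "issuer": ((("organizationName", "Let's Encrypt"),), (("commonName", "constructed CA"),)),
    "subjectAltName": (("DNS", "savings.example"), ("DNS", "*.savings.example")),
}
EV_SAMPLE = {
    "subject": tuple(((k, v),) for k, v in [
        ("businessCategory", "Private Organization"), ("jurisdictionCountryName", "GB"),
        ("serialNumber", "00000000"), ("organizationName", "Example Bank Ltd"),
        ("commonName", "www.bank.example")]),
    "issuer": ((("organizationName", "Constructed Commercial CA"),),),
    "subjectAltName": (("DNS", "www.bank.example"),),
}
```

The subject fields are only an indicator: the authoritative marker is the CA/Browser Forum policy OID in the certificate policies extension, which `getpeercert()` does not expose.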
> matty_art said:
> > JGB1955 said:
> > I decided NOT to send my £20K to Tandem when Nationwide told me (after multiple attempts with different suggestions) that they couldn't validate the account. To be fair - I seemed to be sending my money to a sort code and account number...but had no reference number to allocate the money to ME. Decided to be safe rather than sorry.
> The money was allocated to my account within a few hours and I had a text to tell me so. I can now see it in the app with no issues. Just in case that helps you.

Good news: the beta App has just gone live in the official App store; and I can see my savings (as I could with the beta App - which now directs you to download the official app). So we can now say to all those naysayers that this was a fully legit offer.
0
