HSBC 2FA failure

MrsMeg

Recently, when using my credit card to do an online transaction, I realised my mobile wasn't handy, so cancelled at point of requesting my OTP during authentication. 

Unfortunately, HSBC still "cleared" the transaction and a payment to the merchant went thru.

Merchant refunded me, but HSBC initially refused to accept that they'd done anything wrong.

Multiple calls to them resulted in me making a complaint & again, I was told no issue.

I just received my final letter, and after some investigation, they now admit there is a flaw in the system, whereby cancelled by user transactions are being pushed thru regardless (my terminology).

Their compensation offer is 75quid.

Now, I'm slightly offended by that offer, as they clearly have a significant breach of security, trust, peace of mind if their 2FA isn't working robustly. 

In terms of FCA, principle 3 comes to mind.
In terms of ombudsman, given no loss, are they interested in breaches of security on a horrific scale (my terminology).

I'm perplexed. 

Phoenix72

Offended by free money for something you had no financial loss for?

Had they offered say £500 would you have been so keen to run to FCA?

Nasqueron

You had no loss, they noticed a possible issue which they will fix, £75 is pretty generous to be honest.

If they need to, they will self report to the FCA
You can always go to FOS who may agree with the bank after reviewing the case in 6-18 months that £75 was fine and the bank may withdraw the offer. Or have the £75 to earn some interest or something

MrsMeg

They didn't notice tho. I pointed out, after hours of repeating myself & they ignoring. Seems odd to not investigate as a result of my complaint but rather, as an after thought when doing final response. 

I'm not being greedy, it's a significant security fail that could cost folks significant money, if the merchant isn't keen on refunds.

I kinda thought the forum readers would have been sensitive to that, but here we are.

Nasqueron

MrsMeg said:

They didn't notice tho. I pointed out, after hours of repeating myself & they ignoring. Seems odd to not investigate as a result of my complaint but rather, as an after thought when doing final response. 

I'm not being greedy, it's a significant security fail that could cost folks significant money, if the merchant isn't keen on refunds.

I kinda thought the forum readers would have been sensitive to that, but here we are.

This isn't a matter of being "sensitive", it's the technical answer - you reported a problem, they noticed and they will fix it. Or possibly it was just a problem with your account and they wouldn't give any more details for security reasons.

They are required to report something major to the FCA themselves which they will do if it's deemed serious, else they won't and will just deal with it. It's a very unlikely scenario though, how many people get to the point of purchase, put in their details and then, at the second security stage, decide to cancel the order? Distance selling regulations cover refunds so no, it won't cost anyone "significant money", indeed, you might be the only person ever affected hence they didn't realise it was possible.

You said you are not being greedy but equally are "offended" by the amount in their gesture for something that has not caused you a loss. You need to be clearer what outcome you want here - either more money or something else. They wouldn't publicly admit a problem that could be exploited by criminals until it was fixed and any losses covered.

MrsMeg

I can assure you, that having chatted about this to friends, plenty have abandoned the transaction when they realised their mobile wasn't to hand & therefore the OTP not forthcoming.

Maybe it's just me, but I think this flaw in their security (HSBCs words) is quite significant. 

I'll check with FCA & ombudsman tho. 

sheramber

I'm not being greedy, it's a significant security fail that could cost folks significant money,

You want more money because other folks could lose money?

yOu have received a thank you in the form of £75 for advising them.

How much do you think you should get?

eskbanker

MrsMeg said:

Maybe it's just me, but I think this flaw in their security (HSBCs words) is quite significant. 

Worth bearing in mind that 2FA is really for the banks' benefit rather than the customers', in that banks are required to reimburse any unauthorised transactions anyway.

While it's understandable to consider that abandoning a 2FA check ought to cancel the transaction, the customer has already authorised it (via a 'pay' or 'submit' button) by the time it reaches the 2FA check (the decision to invoke this remaining with the bank), so if the bank chooses to proceed with it without the 2FA step completing then it's effectively at their risk.

MrsMeg

Hmmm, having spoken to both FCA & ombudsman. They say, as 2FA was not completed, HSBC should not have committed to the purchase. FCA have requested formal notification of the incident from HSBC. Ombudsman have requested similar as well as asking for volume of incidents that have been affected. 

I've also been offered a substantial sum from HBSC too, so obviously something has happened to prompt that.

Thread complete.

Eyeful

So what is the amount of this " substantial sum" you have now been offered?
You mentioned the £75, so why do you not state the amount of this new offer?

Shakin_Steve

Eyeful said:

So what is the amount of this " substantial sum" you have now been offered?
You mentioned the £75, so why do you not state the amount of this new offer?

Yes, 'substantial' is subjective. Either that, or a 'told you so' comment.