
HSBC 2FA failure

Recently, when using my credit card to do an online transaction, I realised my mobile wasn't handy, so cancelled at point of requesting my OTP during authentication. 

Unfortunately, HSBC still "cleared" the transaction and a payment to the merchant went thru.

Merchant refunded me, but HSBC initially refused to accept that they'd done anything wrong.

Multiple calls to them resulted in me making a complaint & again, I was told no issue.

I just received my final letter, and after some investigation, they now admit there is a flaw in the system, whereby cancelled-by-user transactions are being pushed thru regardless (my terminology).

Their compensation offer is 75 quid.

Now, I'm slightly offended by that offer, as they clearly have a significant breach of security, trust, peace of mind if their 2FA isn't working robustly. 

In terms of FCA, principle 3 comes to mind.
In terms of ombudsman, given no loss, are they interested in breaches of security on a horrific scale (my terminology)?

I'm perplexed. 

Comments

  • Phoenix72
    Offended by free money for something you had no financial loss for?

    Had they offered say £500 would you have been so keen to run to FCA?


  • Nasqueron
    You had no loss, they noticed a possible issue which they will fix, £75 is pretty generous to be honest.

    If they need to, they will self report to the FCA
    You can always go to FOS who may agree with the bank after reviewing the case in 6-18 months that £75 was fine and the bank may withdraw the offer. Or have the £75 to earn some interest or something

    Sam Vimes' Boots Theory of Socioeconomic Unfairness: 

    People are rich because they spend less money. A poor man buys $10 boots that last a season or two before he's walking in wet shoes and has to buy another pair. A rich man buys $50 boots that are made better and give him 10 years of dry feet. The poor man has spent $100 over those 10 years and still has wet feet.

  • MrsMeg
    They didn't notice tho. I pointed out, after hours of repeating myself & they ignoring. Seems odd to not investigate as a result of my complaint but rather, as an afterthought when doing final response.

    I'm not being greedy, it's a significant security fail that could cost folks significant money, if the merchant isn't keen on refunds.

    I kinda thought the forum readers would have been sensitive to that, but here we are.


  • Nasqueron
    edited 15 May 2024 at 12:57PM
    MrsMeg said:
    They didn't notice tho. I pointed out, after hours of repeating myself & they ignoring. Seems odd to not investigate as a result of my complaint but rather, as an afterthought when doing final response.

    I'm not being greedy, it's a significant security fail that could cost folks significant money, if the merchant isn't keen on refunds.

    I kinda thought the forum readers would have been sensitive to that, but here we are.


    This isn't a matter of being "sensitive", it's the technical answer - you reported a problem, they noticed and they will fix it. Or possibly it was just a problem with your account and they wouldn't give any more details for security reasons.

    They are required to report something major to the FCA themselves which they will do if it's deemed serious, else they won't and will just deal with it. It's a very unlikely scenario though, how many people get to the point of purchase, put in their details and then, at the second security stage, decide to cancel the order? Distance selling regulations cover refunds so no, it won't cost anyone "significant money", indeed, you might be the only person ever affected hence they didn't realise it was possible.

    You said you are not being greedy but equally are "offended" by the amount in their gesture for something that has not caused you a loss. You need to be clearer what outcome you want here - either more money or something else. They wouldn't publicly admit a problem that could be exploited by criminals until it was fixed and any losses covered.


  • MrsMeg
    I can assure you, that having chatted about this to friends, plenty have abandoned the transaction when they realised their mobile wasn't to hand & therefore the OTP not forthcoming.

    Maybe it's just me, but I think this flaw in their security (HSBC's words) is quite significant.

    I'll check with FCA & ombudsman tho. 
  • sheramber
    I'm not being greedy, it's a significant security fail that could cost folks significant money,

    You want more money because other folks could lose money?

    You have received a thank you in the form of £75 for advising them.

    How much do you think you should get?
  • eskbanker
    MrsMeg said:
    Maybe it's just me, but I think this flaw in their security (HSBC's words) is quite significant.
    Worth bearing in mind that 2FA is really for the banks' benefit rather than the customers', in that banks are required to reimburse any unauthorised transactions anyway.

    While it's understandable to consider that abandoning a 2FA check ought to cancel the transaction, the customer has already authorised it (via a 'pay' or 'submit' button) by the time it reaches the 2FA check (the decision to invoke this remaining with the bank), so if the bank chooses to proceed with it without the 2FA step completing then it's effectively at their risk.
  • MrsMeg
    Hmmm, having spoken to both FCA & ombudsman. They say, as 2FA was not completed, HSBC should not have committed to the purchase. FCA have requested formal notification of the incident from HSBC. Ombudsman have requested similar as well as asking for volume of incidents that have been affected. 

    I've also been offered a substantial sum from HSBC too, so obviously something has happened to prompt that.

    Thread complete.
  • Eyeful
    So what is the amount of this "substantial sum" you have now been offered?
    You mentioned the £75, so why do you not state the amount of this new offer?
  • Shakin_Steve
    Eyeful said:
    So what is the amount of this "substantial sum" you have now been offered?
    You mentioned the £75, so why do you not state the amount of this new offer?
    Yes, 'substantial' is subjective. Either that, or a 'told you so' comment.
    I came into this world with nothing and I've got most of it left.