ID Fraud Protection: Loophole to get it free discussion
In response to post 60 (from Buzby) I would say I would not expect a bank to give information to network providers about the name of a person to whom a bank account belongs when a direct debit application fails. I would, however, expect a network provider to check with a purported customer (not with their bank) that the bank account details provided by a mobile service retailer like Tesco actually belong to them before treating them as a customer.
This is why I asked the Vodafone company representative about present Vodafone policy in post 58. In the response posted yesterday there is reference to the way Vodafone handles customer information. But subjects of ID theft are, by definition, not customers. I can see no reason why Vodafone could not answer the question directly through a post.
Incidentally, I took up the matter of when Vodafone and Orange began treating people as customers (and therefore started to press them for money) with Ofcom in May 2012. The regulator referred me to the two organisations that deal with disputes with mobile service providers. CISAS said; The CISAS scheme is for disputes between customers and their telephone or internet service providers primarily for billing or service problems and Ombudsman Services: Communications said; We cannot investigate fraudulent activity perpetrated against you or the processes and systems telecommunication providers have in place to detect and prevent fraud. Also we cannot investigate contracts taken out through third party retailers. These are areas which fall outside our terms of reference.
No help for victims of ID theft there then.
In the summer 2012 the anti-fraud organisation CIFAS (which says that in 2011 it put 96,000 people on its Protective Registration register as a result of identity theft) ran an internet poll. One question was ‘What needs to be done to prevent fraud more effectively?’ and one of the options given was for ‘Organisations to verify more customer details’ which indicates, I think, a general concern about this issue. In my view Tesco, Vodafone, Orange and O2 (I haven’t posted about O2 yet but I will) need to step up to the plate and bring in better security checks.
Once again, with reference to Buzby’s post, I certainly do not want a credit reference agency to hold bank details either but I do not agree about the action a subject of identity theft should have to take. Why should anyone unwittingly involved in identity fraud on the basis of just four pieces of personal information, easily obtainable in the public domain, and a good credit rating be put in the situation of having to contact a network provider to stop threats of action against them or then have to go to the ICO?
The CIFAS website gives access to the annual Fraudscape report. Comments made in the 2013 edition cite the emotional effect of ID fraud and this really is the crucial issue. Whether money is taken out of a bank account or not the effect of ID fraud can be far greater on an individual than a company that has lost a gadget.
0 -
Further to the post above, here is the information about O2.
Along with letters noted in post 54 were four from O2, indicating an account had been opened in my name. There was no letter to say I had purchased a phone and I was not informed about this until January 2012. Presumably, however, a criminal had my home under surveillance before stealing the phone.
There was no Onus letter amongst the series from O2 but I assumed the account had been opened using the Nat West details. My response was to write and ask how this could be opened on the basis of bank details that did not belong to me. I had no reply. What I got was a Notice of Debt Collection.
I had not intended to ring O2 as, naively I suppose, I thought it would act on my letter, but I did call after receiving the notice from the debt collection agency. On asking for the bank details given to support the direct debits I was told it was a Halifax account. This did not belong to me. I was informed the technology did not allow confirmation checks with a bank to be made.
O2 acted on my call and the fraud team sent me a letter to say the account had been closed and credit reference agencies had been notified and requested that they remove any related information. This implies O2 had already contacted credit reference agencies, as they said they might in one of their letters. I rang the fraud team and got their address and wrote to them with this question:
Why did O2 fail to check if the bank account belonged to me before it opened the phone account?
I had no reply.
After waiting four weeks I wrote to the complaints department and asked why I had no reply. I was eventually told Our fraud team did miss your letter as they don’t expect letters by customers. My letter was sent by recorded delivery and signed for so it is unclear how it could have been missed. Also, of course, as the fraud team had previously established, I was not a customer.
As to my question the answer was this;
This account was taken out on-line by someone with your details. When contracts are set up we have to perform certain checks with the banks. The bank account details given for this contract confirmed to be active and so the contract was accepted.
Clearly the only check made by O2, as with Orange and Vodafone, was to see if a bank account was open, not to see if it belonged to me.
I therefore pressed the point and wrote back making some suggestions as to how security could be improved. O2’s response was to say;
You’ve made some great suggestions at things we can look to do. I’ve sent these to our legal and security teams. They’ll see if these things are things we can introduce into this process.
However, as I understand it, my suggested changes, great as they might have been, have not been acted on.
There are several ways in which O2 could check if bank details actually belong to a purported customer who wants to open an account online. For example, on a ‘Radio 5 Investigates’ programme in November 2011 the CEO of the broker division of the Brightside Group indicated his company required all on-line insurance applications to be validated by documentation because fraud was proved to be involved in 25% of all applications. Such requirements will, naturally, reduce the opportunity for identity fraud and it is interesting to look at this statement from O2;
We don’t run our business with the possibility of what a criminal might do …. We follow the correct security procedures and make sure our customers can use our services, in a way that is comfortable for them.
and compare it with the security processes adopted within the Brightside Group.
0 -
Following on from the post above perhaps it is worthwhile noting that in July the Home Affairs select committee on e-crime issued a report relevant to the way in which mobile phone thefts are recorded after being ordered on-line and when they are sold through telesales. When I reported the theft of phones ordered through telesales (see post 54) to the police a statement was not taken as they did not belong to me at interception. I was advised to tell Tesco so they could make a report, which I did. But as the company did not report the theft it would appear no information about the three thefts would have reached the official crime statistics through police sources. I do not know whether O2, which took the order on-line, reported the theft of their phone but I was told that the company could neither prove nor disprove that the thief intercepted the phone being delivered to my address.
Vodafone put my name on the CIFAS ‘victim of impersonation’ register but that would only indicate a single impersonation when four phones were stolen, so if this source fed crime statistics it would not help give an accurate picture of what happened either. As far as making a report to Action Fraud is concerned, although someone inadvertently caught up in fraud would be able to report identity theft they would have none of the most important information which would enable the police to ‘map’ the action of criminal gangs involved in theft of phones, either on-line or through telesales. That would remain with the companies selling the gadgets.
The committee drew attention to the views of the Foundation for Internet Policy Research about reporting e-fraud perpetrated against the bank accounts of individuals. The FIRP takes the view that when victims of fraud began to be channelled into reporting the crime to their banks, rather than to the police, the rate of recorded instances of fraud started to understate the reality.
The committee considers current recording practices are inadequate to give an accurate picture of e-crime. It recommended that banks be required to report all e-crime fraud to law enforcement agencies and to log details of where attacks come from. Given what is currently happening in the mobile phone industry it would seem reasonable that network providers selling through their own portals, such as O2, or third party retailers, such as Tesco, should be required to make similar reports. Only in this way will a true picture of the scale of mobile phone theft via on-line sales and telesales become clear. Hopefully, this would lead to a more pro-active, anti-crime stance by relevant telecom companies and third party retailers, which would lead to a reduction in the number of people who find their home has been put under surveillance by criminals and who are subsequently pressed for monies they do not owe on contracts they have not taken out. No-one, of course, knows exactly how many people find themselves in this situation every year.
0 -
Why did O2 fail to check if the bank account belonged to me before it opened the phone account?
Why does the account paying the bill have to be in your name?
Many of us pay for family members' bills out of one account. Which is not in the same name of the mobile contract.
My letter was sent by recorded delivery and signed for so it is unclear how it could have been missed. Also, of course, as the fraud team had previously established, I was not a customer.
You are aware that large companies will have a department that opens and deals with mail received.
A company like O2 will receive thousands of pieces of mail a day.
Given that your letter was not related to any account held by them. It would be very easy for it to be put on one side in the mail room. As they would be unsure of where to send it.
Even if addressed to a certain department. It is still easy for mail to get lost.
Add in that if they matched the letter to a fraud file. Given it had already been resolved. It would be filed with no action.
What do you really want these companies to do?
There is a limit on the number of checks that can be made.
As to someone watching your house. I doubt it. More likely they used their (throwaway) email and when received a tracking no. Requested the carrier to deliver to a 3rd party address.
Never ASSUME anything its makes a >>> A55 of U & ME <<<
0 -
Let me deal with the points raised by the post above one by one.
I was not aware, in November 2011 of the way in which O2 or the other three companies worked. I have never had a contract with a mobile phone company and have never applied for one. I did not know these companies allowed direct debit paying bank accounts to be linked to a network account without the express permission of the bank account holder. At that time I was intent on stopping another network account being opened in my name. The question was perfectly reasonable and all the companies eventually confirmed that the bank account against which the direct debits would be lodged did not need to be in my name. I did not know this before I asked. Incidentally, Orange initially thanked me for paying by direct debit and later, when it hadn’t been paid, asked if I had thought of paying by direct debit.
When the O2 fraud department contacted me a telephone number, but no address, was given on the letter. It said if I had any queries I should ring them so I did ring and was given the address of the department by the person who answered the phone. O2 may have considered issues with the account had been resolved, but I did not.
As far as the four companies I dealt with are concerned I suggest they invest more in their administration to make them more efficient. They can certainly afford it.
It is possible that my letter to the fraud department of O2 was put to one side, although their letter to me had given the number of the account registered in my name. It is also possible the letter was lost, but it is also possible that it was simply ignored.
The question of the number and type of checks is crucial. O2 has never asserted that any checks other than a credit check were made on the application made in my name and I think most people would take the view this was not enough. There are alternative ways of doing business in the mobile phone industry, which would involve a higher, but not too onerous, level of security.
It may well be doubted that someone was watching my house as far as the O2 phone was concerned, but the Tesco website still publishes this statement;
As a security precaution we will only deliver to the address where your bank details are registered. We cannot deliver to any other destination, as we want to ensure safe transit of the goods direct to you.
Clearly then, if Tesco did have my registered bank details (it has yet to categorically confirm this) it would have ignored any request to send it elsewhere.
When criminals intercept phones sent to individuals who have had just four pieces of freely available personal information used to make an order, no general assumptions can be made about surveillance. The most important thing, of course, is that a victim of impersonation might feel their home had been under surveillance and might well be again. As anyone who has been involved in supporting victims of crime knows, such a situation can be very upsetting indeed.
0 -
It is now two years since I was unwittingly involved in a fraud which led to the theft of four phones (see posts above starting at 54) and I recently had a letter from CIFAS which asked me if I wanted to renew my annual subscription for Protective Registration. After reading this and checking with the CIFAS website I think the organisation might be making a slight change of emphasis over renewals. This could be of interest to those who find themselves in a similar situation to me.
CIFAS maintains the National Fraud Database (NFD) and names of those deemed to be victims of impersonation may be put on this without their permission. This is allowed as CIFAS is an Anti-Fraud Organisation as specified by the UK Home Office under the 2007 Serious Crime Act. CIFAS is not a credit reference agency (the acronym CIFAS stands for Credit Industry Fraud Avoidance Service) but it facilitates the sharing of information about fraudulent activity between members. There are presently approximately 300 members and the great majority are firms involved in finance. However, Vodafone, Orange (EverythingEverywhere) and O2 are on the membership list although the Tesco Phone shop is not.
The NFD can be checked by its members on receiving an application for goods or services, including credit. If the check reveals a matter for concern (called a ‘flag’) then further investigation will be initiated by the member before a decision is made to accept or reject the application. Most victims of impersonation will, I feel, welcome the extra screening.
The first year’s registration on the NFD is paid for by the organisation submitting the name of the individual who has been impersonated – in my case it was Vodafone. After that the individual must pay the annual fee, currently £20. I think many victims of impersonation will take the opportunity to continue registration, but it should be remembered that £20 may not be a small sum to those living on low incomes.
The letter I received from CIFAS seems to indicate that the numbers of people who want to maintain their registration is growing and those who are already on it want to stay on it. The subsequent rise in numbers may lead to an increase in the time taken for screening. One section of the letter reads;
We hope that your personal details are no longer at risk. If, however, you have good reason to believe that there is still a risk you may extend your CIFAS Protective Registration at the standard fee of £20.00 (including VAT)
Unfortunately, what constitutes personal details is not stated. Is it merely the ‘enough correct information’ that will allow an application to be passed through a check made by a Credit Reference Agency? If so it is impossible to take a view they are no longer at risk as these are all in the public domain and relatively easy to obtain quite legally. If they include bank details then my experience with the Tesco Phone shop indicates a victim of impersonation with more than one debit card cannot obtain relevant information to make a judgement about risk. Tesco stated the card details used to buy phones ‘on’ Orange (EE) and Vodafone were not kept and when I recently asked if it would block further applications in my name it flatly refused. Perhaps other phone retailers take the same attitude. In any event, I think most people would take the view that, rather than having to cancel all their cards when they found their home had been under surveillance by criminals intent on intercepting phones, it would be better to maintain their CIFAS registration.
0 -
Have a look at something that is IMHO more effective than CIFAS Protective Registration. Check out the following:
www.freeidprotection.co.uk
Driven by you, for you.
0 -
Thanks for that James. As I understand it using the method you suggest has one great advantage over CIFAS Protective Registration. It is possible for someone to use it before their identity has been stolen.
CIFAS calls itself The UK's Fraud Prevention Service. People who have had their ID used as I did are not (as was pointed out in post 43 by gemma1986) the victims of fraud but in my view it would do no harm if the organisation permitted individuals who had never been the subject of impersonation to register. At first glance the CIFAS website seems to suggest this is possible as a heading on one page reads;
Help to stop identity fraud before it happens!
This would, I think, lead many people to believe that they could register of their own volition as a kind of ‘insurance policy’. However this is not allowed. An individual has to show there is reason to believe that their details are at risk before they can register.
The CIFAS website gives sensible advice about how the individual can protect themselves from ID theft but only last week there was a report in ‘The Times’ about the possibility that hackers had accessed the credit-card data of half a million people across Europe through a data centre in Ireland. It was unknown how many people in Britain might be affected. Informing individuals about how they should guard their data may be useful, but they have no control at all in protecting it when it is in the hands of companies or organisations that are then the subject of bulk cyber theft or are simply incompetent.
Is it really unreasonable to insist that a company which identifies ID theft in the course of providing goods or services be required to give all the personal details used to the victim of that impersonation? Such a requirement would avoid the situation I found myself in with Tesco. In that instance I was unaware, for seven months, that one of my debit cards may have been used by criminals to authorise a transaction.
0 -
Have a look at something that is IMHO more effective than CIFAS Protective Registration. Check out the following:
www.freeidprotection.co.uk
Driven by you, for you.
So how many lenders are equipped to ask for thumb prints as part of their application process?
Or are you saying that just by sending that notice you are making them liable?
If I were a lender and noticed such a thing I'd just refuse you credit out of hand as well as any fraudster
0 -
The points made in the post above may be valid, however, there does not appear to be an alternative that could be used by someone who has not yet been the subject of identity theft but who wants to avoid becoming one. Of course nothing is perfect and some companies don’t make credit checks at all - a point made by gemma 1986 in post 44. Also, there are thousands of companies which have no access to the CIFAS database but all the network companies, as far as I can see, do.
Last Monday was dubbed Cyber Monday because of the rush to buy on-line and there was plenty of coverage in the media. In this context maybe it is worth mentioning that the Commissioner of the Metropolitan Police recently made the point in a newspaper article that 'cybercrime is the growth industry of the criminal underworld'. He went on to make the point that 'only a fraction of cybercrime and fraud now reported to the Action Fraud centre is ever referred on to a police force, so thousands of victims a year do not so much as hear from an officer'.
In 2014 the Met evidently intends to establish a world-leading unit to counter on-line criminals. Perhaps third party mobile phone retailers could help in this initiative by developing further layers of security to reduce the number of victims of impersonation. And maybe they could also do more to assist people who become victims of impersonation, rather than just refer them to CIFAS.
Here are some suggestions based on my own experience. Maybe some third party retailers (and network providers who recruit through their own portals) already operate these checks, but if not they could;
a) raise a query when several applications are made in one name and not all are accepted. In my case five applications were made to Tesco over a period of two days. Three were accepted, two rejected. One would have thought that this may have caused the company to have made further enquiries about the three successful applications before passing information to Vodafone and Orange. As it happened it took the best part of a year to find five applications had been made in my name. Initially I was just told three contracts had been opened.
b) retain bank details used when an application is made to buy phones and open a network account. So long as the Tesco website continues to say that it will only deliver to the address 'where your bank details are registered' victims of impersonation will have good reason to believe that, if a phone is delivered from the Tesco Phone shop, criminals have their bank details and their home has been under surveillance.
c) after the fraud has been discovered immediately let someone who has been the victim of impersonation know, clearly and in writing, which ‘personal details’ were used for each transaction. They need not, of course, give full bank details, just sufficient to identify which bank account had been compromised.
d) if requested agree to block all further applications made in the name of the person who has been the subject of impersonation.
0 -
This discussion has been closed.