ID Fraud Protection: Loophole to get it free discussion

lisyloo

So how many lenders are equipped to ask for thumb prints as part of their application process?

Or are you saying that just by sending that notice you are making them liable?

Just speculating, but I guess the majority don't notice but are liable.
It could mean you get dealt with manually and not automatically or as you say declined.

OwenA

As fromJune 2015, under new Ofcom rules, ‘freefone will mean free’ for 0800, 0808 and116 numbers whether they are made from a landline or a mobile. Other changes are being made too in order to tackle ‘consumer confusion’.

O2 has now agreed to block my details being used to open a network account. Tesco has not. Tesco tells me that ‘there is no way for our Fraud Team to block your details from being used again on our system’. It is quite possible, therefore,that I will once again become a victim of impersonation through the Tesco Phone shop. I could subsequently get ‘onus’ letters from Orange and Vodafone or other network companies (but not O2) thanking me for opening an account with them and asking me to ring if the bank details, against which direct debits will be lodged, do not belong to me. Clearly the people most likely to make such calls will be victims of impersonation.

It seems reasonable that that such calls should be free (i.e paid for by the network company) from either a landline or a mobile. Many victims of impersonation would certainly be very concerned, given they would not know the length of the call they would have to make, about ringing a network company as they would have no idea of the charges involved. When Vodafone wrote to me in October 2011 they said I should call on an 08700 number if the bank details supplied by the Tesco Phone shop were incorrect, but there was no indication of how much the charges per minute would be. Orange(Everything Everywhere) gave a 07973 number and there were no indication of charges per minute on this either.

Customer confusion is certainly rife about charges but when consultation about the ‘freefone will mean free’ changes was taking place objections were made by some network companies. For example, according to an article in 'The Times', Everything Everywhere, which owns Orange, said removing charges for non-geographic calls from mobiles was an ‘ill-thoughtout proposal’ that ‘would crush an already struggling industry segment’. TheTimes article took the view that such objections were to ‘protect a cash cow that brings in tens of millions of pounds a year’.

OwenA

In a Radio 4 Moneybox programme broadcast in May 2012 the question was raised of why a boy of 16, who had falsified his age, had been given a loan by a digital finance company. The company blamed third party data providers, saying it had used several sources,including a credit reference agency, to verify the age of the boy and no conflicts were found. However, this statement was contradicted by the agency it used, which said that when a check had been made it showed ‘no match’, which meant it could not positively identify the boy. Crucially, the data provider then said it was up to the finance company to interpret the data and decide whether to lend.

This incident throws into focus the issue of responsibility when companies use data provided by third parties. Post 56 outlines the situation I faced and could face again. I wonder if Ofcom, having now set new rules for freefone numbers, could look to insist that, when an application is made to buy a phone ‘on’ a network, all the details of the bank accounts submitted are kept.

Ofcom was established under the Communications Act of 2003, which says the regulator's general duties should be to further the interests of citizens and of consumers. Understandably the organisation is given wide discretion in interpreting how these interests are best served. However, the Ofcom websitesays meeting the duties is at the heart of everything we do.

Section 3 (3) of the Act says Ofcom must have regard to a number of areas (thirteen in total) which include,

(j) the desirability of preventing crime and disorder and (k) the opinions of consumers in relevant markets and of members of the public generally.

but this requirement is qualified by a caveat making it clear that Ofcom itself will decide where action will be taken. When responding to a letter about identity fraud Ofcom stated oursales regulations do not extend to the security checks a company carries out when selling a contract and later confirmed that it has no explicit requirement about retaining card details. But surely it cannot be unreasonable to expect that third party retailers (or network providers which sell products and services through their own portals) take adequate steps to maintain the records of all information submitted to support an application. It would seem to me that as the Tesco Phone shop kept the records of the bank account to be used for direct debit purposes there would have been no breach of the Data Protection Act had it kept details of the card it said it had used to support the application in my name.

Vodafone, in June 2013, said that both it and Tesco had retained appropriate information relating to the sale ofthe intercepted phones. Then it went on to say that, as the card details used to support the application of the phones sold ‘on’ Vodafone did not relate to the sale or pricing of the mobile telephone services, retention of the card details the Tesco Phone shop said it had accepted was not required. The letter went on to say that Tesco would have been required to exercise due skill and care to bring the contract terms to the attention of the customer when purchasing the phones, but it is unclear how this was done. Was it done by a telesales assistant? If so was a record kept? If it was which, if any, organisation was monitoring the skill and care of the Tesco Phone shop by checking this record?

One would have expected that if the responsibility for bringing the contract terms to the attention of the (purported) customer lay with the Tesco Phone shop it would have been the Tesco Phone shop that would have followed this up with a document setting them out, but the letter I had from the Tesco Phone shop gave me no clue as to where it had been sent from. There was no address or no telephone number and the signature of the Head of Telecoms Customer Services was indecipherable. There were no details of the contract either. There was merely a statement that the Tesco Phone shop would love to hear about my buying experience.

OwenA

At the end of last month, at the Hilton Metropole hotel in West London, Vodafone held an extraordinary general meeting to vote on the disposal of a stake in another company. This will lead to a large payout to shareholders. During the meeting one shareholder complained that calling the Vodafone investor’s relation helpline could be very expensive as it was charged at 10 pence a minute.

Given this level of concern about phone bills I wonder if it might be possible for any Vodafone shareholders, who are interested enough in the way the company operates to attend such meetings, might take up cudgels on behalf of victims of impersonation. After all, if they themselves were not victims, members of their family might be. Here is one possible scenario.

The shareholder might be a grandparent (as I’m sure some are) with a granddaughter who is a student. She returns from the summer recess to find a letter from theTesco Phone shop thanking her for buying a phone and an ‘onus’ letter fromVodafone asking her to confirm if the bank account details on the ‘onus’ letter belong to her. They do not. As the granddaughter has been away and has not replied to Vodafone she finds a second letter saying that there is now a potential termination fee to close the account of over £1000.

During the time she is dealing with Tesco and Vodafone the student is also in the process of attempting to raise a loan as she is in something of a race to find accommodation. A credit reference is required but when this is turned down she loses the accommodation. She does not know why the credit reference is refused because she has had no written confirmation from either Tesco or Vodafone that a credit reference agency has been informed of her being a victim of impersonation. A few days later she receives a letter from Vodafone referring to CIFAS. It is dated the day after Vodafone contacted CIFAS.


This scenario is based on what happened to me. Section7(1) of the Data Protection Act states that a data controller cannot supply information about a data subject (‘an individual who is the subject of personal data’) on their behalf unless they have been informed, yet Vodafone contacted CIFAS the day before it sent a letter to me. It offered no justification for this and when I contacted CIFAS about it and asked for a comment on the breach of the DPA none was given. Instead I was told that Vodafone had clearly made a decision to contact CIFAS first and follow up with a letter. CIFAS says there is no denying that on ‘odd occasions’ (how many?) a CIFAS flag may delay genuine applications, which is what happened to the student.

It is reasonable to assume that when the Data Protection Bill was drafted the effects of allowing personal data to be passed on before informing the person to whom it belonged was weighed up. It was then decided, with certain exclusions not applicable to normal commercial transactions, that informing the individual should take priority.Vodafone could easily avoid such situations happening by refusing to open a network account before confirmation of the account used to pay direct debits has been made. It chooses not to operate in this way, but this does not mean it can breach the DPA.

Public companies belong to the shareholders and the management is ultimately responsible to them. Questions at general meetings could raise the issue of the wider responsibilities of Vodafone and, hopefully, ensure some press coverage too.

iAMaLONDONER

OwenA wrote: »

At the end of last month, at the Hilton Metropole hotel in West London, Vodafone held an extraordinary general meeting to vote on the disposal of a stake in another company. This will lead to a large payout to shareholders. During the meeting one shareholder complained that calling the Vodafone investor’s relation helpline could be very expensive as it was charged at 10 pence a minute.

Given this level of concern about phone bills I wonder if it might be possible for any Vodafone shareholders, who are interested enough in the way the company operates to attend such meetings, might take up cudgels on behalf of victims of impersonation. After all, if they themselves were not victims, members of their family might be. Here is one possible scenario.

The shareholder might be a grandparent (as I’m sure some are) with a granddaughter who is a student. She returns from the summer recess to find a letter from theTesco Phone shop thanking her for buying a phone and an ‘onus’ letter fromVodafone asking her to confirm if the bank account details on the ‘onus’ letter belong to her. They do not. As the granddaughter has been away and has not replied to Vodafone she finds a second letter saying that there is now a potential termination fee to close the account of over £1000.

During the time she is dealing with Tesco and Vodafone the student is also in the process of attempting to raise a loan as she is in something of a race to find accommodation. A credit reference is required but when this is turned down she loses the accommodation. She does not know why the credit reference is refused because she has had no written confirmation from either Tesco or Vodafone that a credit reference agency has been informed of her being a victim of impersonation. A few days later she receives a letter from Vodafone referring to CIFAS. It is dated the day after Vodafone contacted CIFAS.


This scenario is based on what happened to me. Section7(1) of the Data Protection Act states that a data controller cannot supply information about a data subject (‘an individual who is the subject of personal data’) on their behalf unless they have been informed, yet Vodafone contacted CIFAS the day before it sent a letter to me. It offered no justification for this and when I contacted CIFAS about it and asked for a comment on the breach of the DPA none was given. Instead I was told that Vodafone had clearly made a decision to contact CIFAS first and follow up with a letter. CIFAS says there is no denying that on ‘odd occasions’ (how many?) a CIFAS flag may delay genuine applications, which is what happened to the student.

It is reasonable to assume that when the Data Protection Bill was being drafted the effects of allowing personal data to be passed on before the person to whom it belonged was weighed up. It was then decided, with certain exclusions not applicable to normal commercial transactions, that informing the individual should take priority over passing their information on.Vodafone could easily avoid such situations happening by refusing to open a network account before confirmation of the account used to pay direct debits has been made. It chooses not do operate in this way, but this does not mean it can breach the DPA.

Public companies belong to the shareholders and the management is ultimately responsible to them. Questions at general meetings could raise the issue of the wider responsibilities of Vodafone and, hopefully, ensure some press coverage too.

Why don't you make a separate thread about Vodafone?

OwenA

I did think of that, but, in my view, it is a bit better to keep everything together on the same thread because of the interaction between Tesco and Vodafone. Plus, it is useful to compare the way 02, Vodafone and Orange dealt with similar issues. But thanks for the suggestion anyway.

iAMaLONDONER

OwenA wrote: »

I did think of that, but, in my view, it is a bit better to keep everything together on the same thread because of the interaction between Tesco and Vodafone. Plus, it is useful to compare the way 02, Vodafone and Orange dealt with similar issues. But thanks for the suggestion anyway.

Surely you could just post the relevant posts in a more relevant section of the forum and hence receive more responses?

OwenA

This part of the site seemed best for the issues I wanted to raise when I started posting last May. It was useful to be able to direct any organisation interested in the matter just to this point. The posts, in my opinion, support the view that the companies I had to deal with needed to improve their security checks. However, if I did put those relevant to Vodafone elsewhere on the site where do you think would be best?

Incidentally, it is worth mentioning the response of Vodafone after the account was closed. I was still in the dark over the way both Vodafone and Orange (EE) operated and wanted to know how a bank account that did not belong to me could be used to support direct debits. I had, in fact, rung Vodafone and asked this question as soon as I discovered I had been the subject of impersonation. I was told the answer could only be given by the credit department and this did not deal directly with the public. I therefore wrote, twice, to the Head of Commercial Delivery Outsource and Strategy, who had contacted me about the potential termination fee, asking the same question. I realised by this time that any letter not sent by recorded delivery was unlikely to get a response, but I didn’t get a response to either letter anyway. I waited a month and then wrote again. This time I said that if an answer wasn’t given I would take the matter to the OFT. I then got a response. Two in fact. One was letter which bore no postmark but was dated the same day Vodafone had received the letter sent a month previously. It gave no answer to my question. The second was an e-mail. This said that;

Please note that before opening any account, we do make all the appropriate checks.However, sometimes due to some errors such situations are created.

As far as I can see Vodafone made no checks except to pass my details through the CIFAS database. In my view an appropriate check would have been to have contacted me before opening a network account.

OwenA

The recent posting of details of over 2000 Tesco Clubcard accounts on a text sharing website caused some people, accordingto the Daily Mail, to question whether company security measures were strong enough. A Tesco spokesperson evidently said ‘We take the security of our customers’ data extremely seriously’. The security of customers’ data is clearly not applicable to someone who has been a victim of impersonation and who is, therefore, not a customer. However, it seems reasonable that when impersonation has been identified Tesco should furnish the victim with a written alert outlining the processes it uses to sell phones ‘on’ an Orange (EE) or Vodafone network account - or any other network for that matter. None of the information I received from Tesco alerted me to the fact that my bank details may have been compromised and it was not until my attention was drawn to the Tesco website, over six month later, that I realised this may have happened. Nothing on the ‘onus’ letters I received from Vodafone or Orange indicated this either, both companies merely drawing attention to the bank account, which did not belong to me, on which direct debits would be drawn.

In the letter notifying me that it had contacted CIFAS Vodafone said it was committed to 'protecting potential customers against fraud' but on the ‘onus’ letter it stated the full account number and sort code of this 'direct debit' account. Surely, a minimum standard of security, even for a bona fide customer, would demand that all the numbers of the account would not be given in such correspondence?

OwenA

According to the news last week Vodafone, which currently has an advertising campaign featuring the use of its network by the emergency services, is soon going to create 1400 new jobs and open a number of new shops. It also has plans to spend up to £25bn, realised after the Verizon sale, on its main European markets and is launching Project Spring to speed up introduction of 4G networks and increase investment in a number of other areas. However, searching through various reports I have been unable to find out if the company is going to increase its expenditure on its non-customer services. By non-customer services I mean services to those people who, by the way it chooses to operate, are inconvenienced, or worse.

During the two years I spent trying to find out just how telephones that I had not ordered could be delivered to my house I found it was partly on the basis of a NatWest bank account that didn’t belong to me and which Tesco and Vodafone knew might not belong to me (see post 56). A second account was also used but, according to both companies, no record had been kept of this. I subsequently had a letter from Vodafone containing this sentence;

We believe our checks are robust but I’m sure you’llappreciate that we need to ensure the majority of genuine applications are not affected by the minority of fraudulent applications.

I understand the company made no checks save to run my name through the CIFAS register.

Shortly before I received the letter CIFAS had commented, through its website, that respondents to an internet poll it had recently run;

have clearly offered the view that organisations, lenders and the like should and could do far more to verify customer details when processing applications and transactions. This perhaps demonstrates the realisation that although internet safety protocols are now in place, fraudsters will always try to find a way around them. This has led respondentsto consider that it is the responsibility of organisations to check identities more prudently and actively to protect their customers from fraud.

I was not the subject of fraud but, as is usually the case with victims of impersonation, was the one inconvenienced and who had to waste time sorting matters out. I wonder if Tesco, which currently refuses to block Phone Shop applications in my name, or Vodafone, have improved the quality of their checks and so enhance the protection against criminals who seek to steal through impersonation. If they have one would imagine it would be something to celebrate and publicise through their websites or even through newspaper adverts.