Your browser isn't supported
It looks like you're using an old web browser. To get the most out of the site and to ensure guides display correctly, we suggest upgrading your browser now. Download the latest:

Welcome to the MSE Forums

We're home to a fantastic community of MoneySavers but anyone can post. Please exercise caution & report spam, illegal, offensive or libellous posts/messages: click "report" or email forumteam@.

Search
  • FIRST POST
    • VTR1000
    • By VTR1000 15th May 19, 3:47 PM
    • 21Posts
    • 1Thanks
    VTR1000
    Santander Bank
    • #1
    • 15th May 19, 3:47 PM
    Santander Bank 15th May 19 at 3:47 PM
    How does this happen?

    11 April I get a text from my bank asking if an online debit card transaction for £1,300 is mine – reply Y or N. I reply N and within seconds get a phone call from the security dept. asking questions to confirm it’s not related to me.

    Online banking cancelled a few hours later and no access to current account without going in to a branch – and only then after going through security who allow the branch access to my account which is cancelled immediately after withdrawal has taken place. This continues for three weeks before they finally allow me access.

    I raise a complaint due to the lack of info and other things that happen during the ‘suspension’.

    Turns out that while I was speaking to security saying it wasn’t me, someone else was on the phone to the bank at the same time stating the payment was genuine – I’m assuming the online retailer referred the thief to the bank? They got through to security to discuss the transaction by answering a number of security questions, including my monthly direct debit for council tax (even I didn’t know the value of the direct debit) and more importantly, a transaction at my local Paddy Power on the 6 April – Grand National, only time I ever bet and never won… What is strange is that the impersonator quoted the transaction as Power Leisure, rather than Paddy Power, which to me means they’ve been in my account.

    I therefore asked for all the IP addresses to the online log in’s to my account from the 6th to the 11th – I’ve gone through my browser history and they’re all me.

    My security details have never been written down anywhere and I’ve only accessed my account from home or office laptop – never a public internet access point. I’ve never had any scam phone calls and buy everything with my credit card, settling the account in full every month.

    Hopefully the above makes sense.

    My question is; how does a scammer get that level of detail without working at the bank?
Page 2
    • colsten
    • By colsten 17th May 19, 10:21 AM
    • 10,291 Posts
    • 9,480 Thanks
    colsten
    Two laptops, home and office. I know the IP address for the office as the head of IT gave it to me and I confirmed with an online checker that it was registered to my employer.

    The complaints manager gave me the IP addresses and times that they had accessed my accounts, which I confirmed with my browser history. I spoke with the head of IT and whilst in theory they can remotely access my laptop via the VNC software, we can see when they do as the screen changes. Also, if we do not use the laptop for 10 mins then the screen locks and the password is needed to unlock it before remote connection is possible.
    Originally posted by VTR1000
    Everybody in your office will use the same IP when accessing external sites. It will be impossible to tell from the IP address whether it was you or one of your colleagues. Just as it will be impossible to tell from your home IP address who in your home was making the transactions.
    • VTR1000
    • By VTR1000 17th May 19, 11:17 AM
    • 21 Posts
    • 1 Thanks
    VTR1000
    This is how scams like this work

    First of all you get a text saying £1,300 has been spent was it you or not. This is not from Santander but number spoofing is used to make it look as though the text came from santander's number...

    You reply no - this is irrelevant the fraudster has no access to your reply. However they ring you up a few minutes later and say 'thanks for saying no we need to check your account and I will take you through security'

    meanwhile they are on the Santander internet banking screen. they need your Santander user ID of course they enter that onto the Santander banking screen. the Santander banking screen askes for digits 2 and 6 of your security code .the fraudster says to you in order to identify you please give me digits 2 and 6 of your security code...

    You give it to them and they enter this onto the Santander banking screen. This gives them access to your account

    They of course cannot send money to a new payee without a one-time password sent to your mobile number

    Often the scammers will make up some convincing explanation as to why you should give it to them

    I'm not saying all of this happened to you I'm just telling you the way frauds like this work
    Originally posted by 18cc
    The only similarity is that I got a text and call.

    There's three stages to go through before you are in the account with the online banking.

    a) Personal ID
    b) Password
    c) Security code

    None of which have been shared - me giving them two of the five digit security code won't get you past the first two stages.
    • VTR1000
    • By VTR1000 17th May 19, 11:19 AM
    • 21 Posts
    • 1 Thanks
    VTR1000
    Everybody in your office will use the same IP when accessing external sites. It will be impossible to tell from the IP address whether it was you or one of your colleagues. Just as it will be impossible to tell from your home IP address who in your home was making the transactions.
    Originally posted by colsten
    Agreed, but the as the times matched my browser history I'm confident it was me.
    • 18cc
    • By 18cc 17th May 19, 11:53 AM
    • 1,353 Posts
    • 970 Thanks
    18cc
    Agreed you need those three pieces of information

    the first piece - your username - can be obtained from the Santander website. you need the following information your name your date of birth and your postcode

    once entered it takes you to a second screen where it asks you for your debit card long number and CVV code

    it then displays your username

    clearly you gave the first lot of information over the phone they may have had your debit card and CVV another way either by having physical access to your card at some time or by you using it online o

    obviously only you would know if you used it and on what sites

    That is two of the three i.e. username and security number digits which they have with the information you gave them

    the password I don't know
    • 18cc
    • By 18cc 17th May 19, 11:54 AM
    • 1,353 Posts
    • 970 Thanks
    18cc
    https://www.santander.co.uk/info/videohub/helping-you-understand-online-banking/santander-online-banking-resetting-your-log-on-details/vAzEnN4BZjc
    • VTR1000
    • By VTR1000 17th May 19, 12:36 PM
    • 21 Posts
    • 1 Thanks
    VTR1000
    Agreed you need those three pieces of information

    the first piece - your username - can be obtained from the Santander website. you need the following information your name your date of birth and your postcode

    Ok, so lets assume they have somehow gleaned my DOB and post code.

    once entered it takes you to a second screen where it asks you for your debit card long number and CVV code

    I buy everything online and in the shops with a credit card which is paid monthly in full. The only time I've used my debit card for a purchase this year was to order car tax. However, lets assume somehow they've managed to get an image of the front of the card and watched me enter my PIN at a cash point - they still can't see the CVV.

    it then displays your username

    Not without the CVV

    clearly you gave the first lot of information over the phone they may have had your debit card and CVV another way either by having physical access to your card at some time or by you using it online o

    Card in my wallet all the time and not used online and no OTP received

    obviously only you would know if you used it and on what sites

    That is two of the three i.e. username and security number digits which they have with the information you gave them

    the password I don't know
    Originally posted by 18cc
    It's my belief if they had that level of detail that is being suggested they'd have taken the £20k that was in the account at the time - why mess about with £1,300's worth of chavvy stuff being posted to a traceable address?
    • 18cc
    • By 18cc 17th May 19, 1:11 PM
    • 1,353 Posts
    • 970 Thanks
    18cc
    they dont need to glean your dob and postcode you told them on the phone
    • VTR1000
    • By VTR1000 17th May 19, 7:01 PM
    • 21 Posts
    • 1 Thanks
    VTR1000
    they dont need to glean your dob and postcode you told them on the phone
    Originally posted by 18cc
    And your point is?

    They still need the other info, where did that come from?
    • 18cc
    • By 18cc 18th May 19, 6:07 AM
    • 1,353 Posts
    • 970 Thanks
    18cc
    My point is that I am trying to help you by giving you some pointers as to how frauds like this are perpetrated

    it may well be it was not done this way in your case but I hoped the information in my posts might be helpful to you when trying to pizxle out what happened

    Use the info as you wish
    • VTR1000
    • By VTR1000 18th May 19, 1:31 PM
    • 21 Posts
    • 1 Thanks
    VTR1000
    My point is that I am trying to help you by giving you some pointers as to how frauds like this are perpetrated

    it may well be it was not done this way in your case but I hoped the information in my posts might be helpful to you when trying to pizxle out what happened

    Use the info as you wish
    Originally posted by 18cc
    Apologies for the tone of my post - it stems from frustration.

    For clarity:

    a) the only time I've used my debit card online this year was to pay for road tax.
    b) I use it about once a month to take cash out - top and bottom of the card are never visible at the same time.
    c) I run Malwarebytes and there's none reported on my home laptop.
    d) I work for a FTSE100 who have sophisticated anti spyware software - only two people could remotely access my work laptop.
    e) For sure the text I received was from Santander as it started off the whole issue.
    f) I've not had any calls from Santander, other than the one that sparked the issue off.
    g) I've not used my debit card for a purchase other than for road tax this/last year and holidays in 2018.
    h) I've never written my details down and the wife doesn't know them, so could not inadvertently give them out.

    I couldn't of provided the level of detail known by the thief and it's my account... Having online access to the account would not have given the thief the CVV code.

    Anyway, thanks all for your input.
    • robatwork
    • By robatwork 18th May 19, 2:06 PM
    • 5,113 Posts
    • 5,874 Thanks
    robatwork
    d) I work for a FTSE100 who have sophisticated anti spyware software - only two people could remotely access my work laptop.
    Originally posted by VTR1000
    Just read the thread but I didn't see the bit where you said the IPs logged were your home and work. If I missed it and work is included then my comment is about the above.

    I use and have used remote access software since it first existed from telnet and vnc up to bomgar and connectwise.
    "Only two people" sounds dodgy. If there is a remote access host on your PC then perhaps you believe only 2 people have the credentials, but in reality your company's entire IT community and perhaps wider could have the details.

    Can you let me know the name of the remote access program?
    • 18cc
    • By 18cc 18th May 19, 2:12 PM
    • 1,353 Posts
    • 970 Thanks
    18cc
    Thanks for the apology. It is difficult to do much more than give pointers but some things you may want to ponder:

    1. are you sure that the original call from security dept was indeed from Santander and not the fraudsters wanting to gain your DOB and PCD.

    2. with your DOB and PCD - and card long number and CVV - they can display your Santander userid. They MAY have those debit card details as if it was Santander in 1. above then they made an online £1300 purchase using them (if it wasn't Santander then the text was a lie and there was no purchase it was just a ruse for when they called).

    3. when you tried to logon was it simply account suspended or did you try to login with your credentials and got messages saying they were invalid - 2 tries left etc (implying they had been changed). The account could have been suspended by fraud dept or by the fraudsters trying 3 invalid logon attempts - but the branch visit implies it was Santander.

    4. the fact that they could quote amounts (c tax etc) implies they did indeed have access to your account - the question is did they know your credentials or did they reset internet banking and change the credentials (hence 3. above). If they changed them they would have had to have access to your mobile phone to receive the OTP.

    No solution I know but some things to mull over.
    • colsten
    • By colsten 18th May 19, 4:49 PM
    • 10,291 Posts
    • 9,480 Thanks
    colsten

    The exec complaints manager is ringing me back today to discuss my concerns that the access stemmed from them.
    Originally posted by VTR1000
    Did that happen? How did you leave matters with him/her?
    Last edited by colsten; 18-05-2019 at 6:17 PM.
    • ryan121
    • By ryan121 18th May 19, 6:12 PM
    • 171 Posts
    • 57 Thanks
    ryan121
    Santander does send those kinds of texts and they will phone you about it as well so that's perfectly normal.

    As long as they've cancelled your card you should be fine and replying no should block that transaction. If someone tried to transfer all the money out of your account they would need the code via text that's only sent to you anyway so doing anything with your online banking is a waste of time.

    I think you'll be fine but someone was able to get your card details somehow.

    Also if you're using windows 10 all the security you need is built in. You don't need anything like malwarebytes anymore.
    • Terry Towelling
    • By Terry Towelling 18th May 19, 7:03 PM
    • 1,331 Posts
    • 1,101 Thanks
    Terry Towelling
    VTR1000, can you confirm how you made your bet with Paddy Power?
    • Terry Towelling
    • By Terry Towelling 19th May 19, 4:14 PM
    • 1,331 Posts
    • 1,101 Thanks
    Terry Towelling
    VTR1000, can you confirm how you made your bet with Paddy Power?
    Originally posted by Terry Towelling
    In the absence of an answer to this question from OP, I am forced to assume it was a card-present debit card transaction because OP refers to placing a bet at their 'local' Paddy Power for the Grand National and it appears on the bank account as Power Leisure.

    This does not match with their contention that they didn't use their debit card for anything this year other than online road tax and a few cash transactions. So, was this just an oversight by OP and why share with us the fact that this was the only bet where they never won?

    Sometimes I get the feeling that what appears to be just a way of exercising our minds (but not necessarily on this thread) is that some people are trying to invent fraud scenarios and then test them out on us for robustness. Should they prove to be watertight, just maybe they are a fraud worth committing, should they have holes in then more planning will be needed.
    • robatwork
    • By robatwork 20th May 19, 6:26 PM
    • 5,113 Posts
    • 5,874 Thanks
    robatwork
    The OP is ignoring some of the finer detailed questions, I guess we can draw our own conclusions as to why.
    • Terry Towelling
    • By Terry Towelling 20th May 19, 6:56 PM
    • 1,331 Posts
    • 1,101 Thanks
    Terry Towelling
    The OP is ignoring some of the finer detailed questions, I guess we can draw our own conclusions as to why.
    Originally posted by robatwork
    ...and continues to do so - and their last post was quite final in the way it was signed off.

    Other things that might be questioned are:-

    1. Would a FTSE 100 company really only employ two people capable of remotely connecting to the endpoints of staff using its IT network?

    2. Can a company really have an IP address registered to it on a permanent basis and is there a way of checking this registration on the internet? I don't have the knowledge in this area and was going to contact an IT friend of mine to ask - but couldn't be bothered in the end.
    • londoninvestor
    • By londoninvestor 20th May 19, 7:23 PM
    • 994 Posts
    • 894 Thanks
    londoninvestor
    ...and continues to do so - and their last post was quite final in the way it was signed off.

    Other things that might be questioned are:-

    1. Would a FTSE 100 company really only employ two people capable of remotely connecting to the endpoints of staff using its IT network?

    2. Can a company really have an IP address registered to it on a permanent basis and is there a way of checking this registration on the internet? I don't have the knowledge in this area and was going to contact an IT friend of mine to ask - but couldn't be bothered in the end.
    Originally posted by Terry Towelling
    1 seems pretty unlikely.

    2 though is not at all uncommon - many large companies will do this rather than rely on a third party provider to manage the addresses. (It's probably a block of adjacent addresses, rather than literally a single address, but the point still stands that the owner of the address can be looked up in this situation.)
    • VTR1000
    • By VTR1000 21st May 19, 11:32 AM
    • 21 Posts
    • 1 Thanks
    VTR1000
    The OP is ignoring some of the finer detailed questions, I guess we can draw our own conclusions as to why.
    Originally posted by robatwork
    Which would be what?

    Would you question my honesty to my face?

    I haven't signed in for days - nothing to report.

    ...and continues to do so - and their last post was quite final in the way it was signed off.

    Other things that might be questioned are:-

    1. Would a FTSE 100 company really only employ two people capable of remotely connecting to the endpoints of staff using its IT network?

    2. Can a company really have an IP address registered to it on a permanent basis and is there a way of checking this registration on the internet? I don't have the knowledge in this area and was going to contact an IT friend of mine to ask - but couldn't be bothered in the end.
    Originally posted by Terry Towelling
    1 seems pretty unlikely.

    2 though is not at all uncommon - many large companies will do this rather than rely on a third party provider to manage the addresses. (It's probably a block of adjacent addresses, rather than literally a single address, but the point still stands that the owner of the address can be looked up in this situation.)
    Originally posted by londoninvestor
    It's a de-centralised company and pretty much each opco has their own IT team.

    I put the IP address in a 'checker' and it came up with the opco that pays my salary.

    BTW I paid Paddy Power with the debit card as I assumed they'd charge me extra for paying by credit card, other than that oversight there were no other payments.

    Anyhoo, just off the phone from the executive complaints manager and it seems that Santander gave the info on Paddy Power/council tax out to someone who passes security with my card details and DOB/Address. Apparently, they wouldn't give any further details.

    30 minutes later the they tried to order £1,300 on my account...

    And for the doubters on here I might post a copy of the (redacted) Santander letter of apology.
Welcome to our new Forum!

Our aim is to save you money quickly and easily. We hope you like it!

Forum Team Contact us

Live Stats

3,937Posts Today

5,093Users online

Martin's Twitter
  • This is a very useful and interesting, factual piece about what the PM's new Brexit proposals mean and how new they? https://t.co/qM1bCz6FZp

  • After two cancellations, I'm on the 3rd train back from Manch. Just heard its being rerouted as someone's taken tak? https://t.co/sRO4cvoWIw

  • RT @helen_undy: It's hard campaigning at the moment. Trying to cut through amid Brexit votes, protests & political resignations can feel fu?

  • Follow Martin