I logged on to internet banking to transfer some money into my spending account (an account I mainly use for on-line purchases) and noticed that I was £1760 into a £2000 overdraft I didn't have before. I then looked at my other accounts and they had both been emptied.
I rang HSBC and because I have never used telephone banking before didn't know my security number. This locked me out and I Had to speak to a person and answer some security questions. He told me in a stern manor that he will only accept my first answer. The first one was what is my memorable place. I couldn't remember this and answered with the answer to the usual question of your place of birth.
Next he asked me my date of birth. No problems with that one. Lastly he asked me the month and year when my account was set up. I said I had no idea. The account was set up when I was about 10 when it was Midland Bank.
Based on me getting 2 of the 3 questions wrong I still passed the security check which now allows me into my accounts to do as I wish.
He went onto look at the activity and told me that someone has stolen the money via telephone banking. Even moving money around accounts so it could be removed.
I think I’ll be moving banks if it’s that easy to get past HSBC’s security.
I used to think on-line banking was the one to be careful of but it seem like anyone could get into a person’s telephone banking and take whatever they fancied.
Are you getting your money back?
Scary stuff.
Has your wife mysteriously disappeared by any chance?
Perhaps they looked at your account information and realised that fraud had happened that you were unlikely to remember when an account that was set up when you were 10 was and used some discretion to help an obvious customer in distress?
I assume this is what happened rather than 1 of 3 was good enough.
They seemed to think ill get my money back. I have to speak to HSBC head office fraud investigators shortly and prove its not me who has taken the money.
Apparently the money has gone to a Lloyds bank account with a reference of COAN ltd.
Unfortunately the wife's still here. I think!
I never mentioned how old the account was. I just told him I didn't know.
Apparently the money has gone to a Lloyds bank account with a reference of COAN ltd.
Someone must have a serious need for [url= http://www.coanbiltong.com/ ]salty dried meat snacks[/url]!
andysredmini - MemberApparently the money has gone to a Lloyds bank account with a reference of COAN ltd.
Transfer error made by the bank?
It would be really stooopid to hack someone's bank account only to transfer them to another UK bank leaving a trail of their activity ... normally it's either transferred to some doggy foreign banks or cash withdrawal.
Definitely fraud.
They transferred 60p first which they use as a test to see if everything works before taking whatever they want.
ime the police cant be bothered to investigate and the banks just write it off
frustrating because the scallys that caused you all the stress seem to get away scott free
Apparently the money has gone to a Lloyds bank account with a reference of COAN ltd.
Just pop around and ask for your money back, if he refuses then give him some fist pie. Don't tell him I sent you.
[img] 
[/img]
[i]ime the police cant be bothered to investigate[/i]
Problem I had was that I had my money returned and so wasn't the victim of a crime and the bank would rather write the money off than involve the police so the police have their hands tied even if they wanted to look into the problem.
This is a very interesting doc on the subject actually...
[url= http://www.bbc.co.uk/programmes/b04kbl8p ]http://www.bbc.co.uk/programmes/b04kbl8p[/url]
I think I’ll be moving banks if it’s that easy to get past HSBC’s security.
I think the problem with internet banking is its one of the first internet systems that had any sort of advanced security system for the public. Thats a public that pretty much still is using the same password for every other internet account and 4 digit pin that will invariably start 19xx.
Since then people have put so much of their lives online (by choice or accident) so the way of setting security information - with a list of questions that it was imagined only you could answer (place of birth, first school, last school etc) is now a list of questions that can mostly be answered by looking at your Facebook page. It seems outmoded but... even keeping it that simple look how difficult it was for you to answer the questions.
If you'd instead had a list of half a dozen unique long alpha-numeric, non-dictionary passwords how would you remember them if you can't remember a place that you'd nominated as being memorable?
Your account would be more fraud proof, but it would also be completely customer proof. 🙂
We're all a bit more password savvy than we were even a year ago, let alone 12-15 years ago when online banking started to become mainstream (the details I use to access my bank are the only passwords I haven't reset in all that time) but I doubt either the banks or their entire customer base are ready to have the whole login system re-built.
andysredmini - MemberI think I’ll be moving banks if it’s that easy to get past HSBC’s security.
I used to think on-line banking was the one to be careful of but it seem like anyone could get into a person’s telephone banking and take whatever they fancied.
Nothing would surprise me when it comes to company's security processes.
Not quite as bas as your situation, but when I was with Vodafone, someone rang them up pretending to be me, but unable to remember my password. They gave him access anyway, so he changed my address to a flat in Birmingham, upgraded my phone and contract and had the phone sent to the address that had just been changed.
The only way I found out was when Vodafone rang to check I was happy with my new phone and contract.
We then had a 10min conflab about the fact that I had/hadn't/had/hadn't changed my contract and eventually it ended up with their fraud investigation team.
While this was being dealt with, they set up 2 more 'personal questions' and a second PIN I had to get through in case they tried again.
In the next couple of weeks, I must have rang them 5 times and not once did they ask me for the 'extra security' details, until I mentioned it once I had already got into the account, which led to plenty of ummmmming and aaaaaahing.
What was crazy, was that they let him change my address and send the phone to the new address with no checks and they had no details of my previous addresses, so they couldn't confirm the address I was giving them was correct. Once they've overwritten the address, it's gone from their system for good....!
Hope you get your situation resolved!!
I also wondered how they could send it to lloyds without it being traceable.
What do they do with it from lloyds?
I once could not get some info from the benefits office because I was unable to provide the last address they had from me and they would not even confirm what decade it came from! The address they had was only 18 years out of date and they still wanted the postcode.
The problem with any security system is the one guaranteed flaw - the human link in the chain.
Social engineering is the easiest and quickest way of getting into a system.
It could be as simple as leaving an infected USB stick with a keylogger outside someones house. Wait for them to pick it up, plug it in and then you have their passwords.
Or in this case, it is convincing someone over the phone you are someone else.
in 9/10 cases of "hacking" it is actually social engineering. It's just far simpler to convince someone to do your bidding then do that tappy keyboard wizardry.
Here is an excellent article about a tech reporter who got hacked for his Twitter handle, the unfortunate collateral being the complete wiping of his laptop:
http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/all/
Really interesting to read how it was accomplished all through social engineering of someone on the phone.
Last year, some thieving goits walked into my bank with (bad) fake id (passport!) and cleared me out. Security checks weren't properly followed and, despite the cashier saying the whole transaction didn't 'feel right', still let it go through on shaky identification.
As per the OP, i had massive problems phoning up to sort this out, and due to failing the obscure questions actually got blocked as well, however the bank would not talk to me at all! In fact, now i think about it, i was blocked on a "recent transaction" i got the value wrong for - i was about 20pence out...
I got it back as the CCTV proved it wasn't me - but police weren't interested, the bank was in the middle of a mall with good CCTV too. Ho hum.
The morale of this story is that nowhere is safe, no amount of due diligence on the public side will help if some scrote is going to steal something. The secondary morale is that, the criminal will have a much easier time getting your stuff than you will have proving that it was your stuff in the first place...
P
The morale of this story is that nowhere is safe, no amount of due diligence on the public side will help if some scrote is going to steal something. The secondary morale is that, the criminal will have a much easier time getting your stuff than you will have proving that it was your stuff in the first place...
I think my morale would be seriously low after that happening.
The security question thing is worrying. I've forgotten them before, and been prompted. I guess you have to know vaguely what it is, but even so, not great! I phoned up pretending to be my boss, to get his corporate card statements sent to his home address rather than the office. Muddled through with hardly any of his personal details!
Or have you recently been befriended by a Nigerian prince on the interweb?chakaping - MemberHas your wife mysteriously disappeared by any chance?
I just got off the phone with HSBC
Saturday night I was told to ring up next day to report it the fraud team. After waiting 50 mins yesterday morning I was told that the fraud team don't work on Sunday and to call back today. Another 40 mins on the phone just and the fraud team just told me they cant do anything and that I need to go into a branch and show them ID which I feel more comfortable with rather than everything being done facelessly over the phone.
HSBC = shower of s#@t
The last government changed the rules about the Police being involved for bank account / credit card fraud.
It's 100% the banks job to sort and take the risk, until they have enough evidence to hand over to the fraud squad to help bust a major fraud ring.
Have know the double pronged fraud where they go for the mobile phone and bank account together. Quite an elaborate sequence of swapping addresses, ordering replacement SIM, and insecure telephone hotlines. Think one of the security questions was something like "what bank account number do you pay the direct debits by?" , which is not at all difficult when the victim had binned a bank statement without shredding.
I did buy my wife from Nigeria funnily enough?
and her brother is always emailing me asking to borrow money.
Go to company check website and look for COAN LTD it was dissolved in 2008 but that does not mean the bank account has been closed and still may be used for "clearing" transfers unknown to the origional account owner - it's easier these days to get access to an existing account than set one up! Chances are it will have been sent onto multiple accounts via online banking then withdrawn as cash - my business works in card data security (PCIDSS)
A friend had his HSBC bank account emptied of £11k in a similar way to andersop even though the branch they walked into was in London and his account was held in Middlesbrough.
Could this be linked to my mobile not being able to receive calls all day Friday and Saturday?
I had to speak to Vodafone on Saturday who had to update some settings as some diverts had been set up but not by me.
I didn't know anything about it until three people told me they had been trying to ring me.
Definitely incredibly stressful and horrible feeling throughout. I wouldn't wish it on anyone.
re the comments on internet banking security. The issue here was phone banking. HSBC uses a keypad thingummy to get on to the internet site. I assume this is more secure than either a single password or asking questions and giving access regardless of whether you can answer them.
My experience of HSBC's anti-fraud people is very good (eg card declined at US hotel reception and as I got out an alternative card to pay with they phoned to confirm it really was me in the states and reactivate the card). Nothing like the service OP is experiencing (not doubting the story, commenting on the inconsistency).
I recently went on a trip to Italy and had all kinds of problems with First Direct declining card transactions as they seemed "unusual". I guess I should be grateful, but it was bloody annoying at the time !!
Write everything down, keep a note of every conversation times, dates, who you spoke to. I had a blooming nightmare when my CC got done. I fear money from a bank account will be even harder to retrieve.
When I asked if I needed to do anything i.e. cut cards up they said as long as I phisically have my cards and my internet banking keypad in their eyes I'm classed as secure.
That's all good and well until I refer back to them letting anyone in through telephone banking.
Latest update.
I had to go into branch and verify myself by showing them my id.
Whilst in the branch I had to speak to the fraud department who ran through the whole situation, this included listening to the conversations I had when I reported it and the conversation the person who stole the money had when he completed all the fraudulent transactions.
It turned out that I got all 3 of the security questions wrong (see op) but they still let me in and the thief also got the questions wrong and they let him in to my account to do whatever he wanted including setting me up the £2000 overdraft and emptying all the accounts.
HSBC’s security is even more of a joke than I thought.
The end result is HSBC have accepted its fraud and are refunding me the money today or tomorrow and after some persuasion issuing me new cards (maybe not needed but for peace of mind)
I'm not normally a complainer but in this instance I have logged a complaint and due to the severity it has gone quite high up the tree and is being investigated.
Good news.
I am amazed they didn't want to issue you new cards though. It costs them pennies and even if the hole wasnt related to them they normally want to do it anyway as it's cheaper than more money going missing.
HSBC.... grrrr
applied for a mortgage with them 2 months ago, ok for a week but then the madness started...
Asked for proof of id - fine - took to Branch - they did nothing for 10 days after that, then phoned to check something - two weeks later nothing had happened and then spent about 2 hours one day to call centres in ? 3 different countries. All polite and helpful except the UK one...
But they still managed to change my id and address details 3 x in 24 hours and then sent out a request for my financial details to an address I left 2 years ago where my STB-ex-wife lives...
And every time I rang them, or they rang me they insisted on asking my security questions, which as they had changed my address without asking, I got wrong... Even when they rang me to apologise, they insisted until I told them I wasn't going to apply any further and to go a long long away.
Nationwide sorted the whole thing in 7 days
HSBC - Avoid
The business about your mobile phone not working sounds familiar but I can't quite think what the story was.
Let me know if you do remember. Could be nothing related but you never know.
Sorry about your experience with HSBC as I've had nothing but good service from them. Including when my card was cloned and they informed me of it and had new cards out to me within days.
Did you have a call, email or text to your phone about your bank account? I can't find anything on google about it but it was something like you answering the call or email and giving the person on the other end your details, they then somehow prevent you using your phone for a bit whilst they empty your accounts (so you cannot ring up and check with the bank!!)
I'm with Barclays who are evil bastard bankers of the highest order.
So far however they have proven to be reasonably competent evil bastards with excellent online banking and a good track record of flagging odd transactions and calling me about them.
So fair play.
HSBC haven't sent me any messages, phoned or emailed me. and I haven't contacted HSBC about anything for probably a year since we looked at changing our mortgage.
In regards to my phone. I cant say for certain its not something I accidental did myself. It set up some kind of divert to voice mail (but when I rang it from the wife's phone it just rang out but the call never came through to my phone). I could make calls no problem.
I have to say that this is in stark contrast to my dealings with HSBC regarding fraud.
I had both my current account, and associated credit card emptied a while ago, and on discovering I was potless gave them a ring. Got through the security checks with a bit of hassle, they wanted me to spell out my memorable place name (as it was Welsh) and I'd apparently spelled my mothers maiden name wrong on my initial setup form, so they quizzed that too.
Got sent a form with all the dodgy transactions listed, and a copy of my statement so I could add to their list, returned it to my local branch and had my money back the next day. So it took 3 days in all.
The only fly in the ointment was that the scrote(s) that stole my money used a cloned version of my debit card to pay for a rented house deposit, yet when I contacted the police, with an address, they didn't want to know and said it was the banks problem not theirs.
It turned out that I got all 3 of the security questions wrong
You got your own date of birth wrong ?? 😕
No. Listening back that was a different question at a different time that fortunately I got correct.
Memorable word was the other I got wrong.
"[i]The business about your mobile phone not working sounds familiar but I can't quite think what the story was[/i]"
Not this story, was it? (details towards the end of the article)
http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/all/
Police aren't interested in fraud because 'Action Fraud' was set up to take the reporting of these crimes away from the police. Unfortunately (and somewhat scandalously IMHO) Action Fraud just collate the statistics, and expressly do not investigate individual crimes.
Good wireless programme on it from the Beeb here (from about 13:30):
http://www.bbc.co.uk/programmes/b0460zmj
It is run by the City of London Police. One could speculate whether their primary remit is to protect the interests of the '[url= http://en.wikipedia.org/wiki/City_of_London ]City of London[/url]' rather than Joe Public.
At least you got all your money back! When my account was emptied out it was all done from overseas and in smallish increments over the course of 2 weeks (this was about 10 years ago & I wasn't using internet banking much then). They returned the money taken but not the overseas transactions fees, leaving me about £16 down. I guess I could have pursued it but was just grateful to get the money back (about £1300).
It's odd that the texts/emails I regularly get about problems with my online bank account are always from HSBC/Santender/Barclays.
None of which I've ever had any kind of account with.
My two online accounts are with Lloyds and Halifax, and now authorise through my iOS devices, so I no longer need the password, but it requires the inputting of three randomly chosen characters from my 'memorable info', which was chosen and set up in the bank, and works really well.
I only have it written down in one place, a book with all my passwords and other info, the only issue is counting which character is so many along out of eleven, I usually write it on my hand and number underneath, just to make sure I get it right!
My memorable info is the registration number and make of an old car, that I've never forgotten. My current one would be useless, I can never remember it, despite owning it for nearly ten years!
Latest update.
A partial result for me but a disciplinary for someone.
Turns out that the fraudster should never have got through the security checks with the incorrect details(no sh1t) and neither should I of with the details I gave.
HSBC say the people who let me through will be facing disciplinary action. Normally i would feel guilty but the results of their action speaks for itself.
HSBC without me asking have credited my account with £150 as an apology and have assured me my account is as safe as it can be.
Reverb stealth here I come.
On one hand I'm happy that it's all sorted but annoyed that it could happen in the first place. I really think it was an inside job though as the answers they provided (although they were wrong turned out to be very close) only exist in 2 places. Forgotten in the deepest darkest parts of my brain from 1996 and on the HSBC system. Seeing as I couldn't remember them and they have never been written down I can only think they came from HSBC themselves.
and neither should I [s]of[/s] [i]have[/i] with the details I gave.
Exactly same happened to me last year with HSBC - I only found out about it when I got a rejection letter through the post for a loan. I hadn't applied for a loan.
The same day as this letter came I got a different letter from their anti-fraud dept asking me to call them. I did this and it transpired that not only had my account been cleared out up to my overdraft limit, but they'd also taken out loans and opened other bank accounts at Barclays in my name.
Because everything had been done via the telephone they wouldn't do anything else in the phone - I had to go to my local branch and sift through everything. To their credit I got every penny back.
The Police (that is, your local bobbies) just aren't set up for this type of thing. The scale is incredible. This is why these have been set up:
http://www.actionfraud.police.uk
You need to report it via this link.
I toyed with have/of. Knew I would pick the wrong one.
Thanks for the link I'll have a look now.
HSBC without me asking have credited my account with £150 as an apology and have assured me my account is as safe as it can be.
That's a bit tight.
I got £350 credited as an apology when HSBC cancelled my overdraft for no reason, without telling me.
They reinstated it within 24 hours, but credited me with £350 (and sent flowers !) as an apology.
Log an official complaint and see what they give you then !
Weren't HSBC done for helping drug cartels launder money a few years back? Maybe a few of the old looppholes that were used are still open.
For balance - I got **** all, despite it being their fault. Feels a bit late to moan now. Having said that, it was such a relief to get everything back that I don't think I would've appreciated a cash bung.
I had the same thing happen with the HSBC. It was over a weekend also. The fraudsters do it on a Friday on purpose.
HSBC, in fairness, did return my money and gave me a free, unlimited overdraft to allow for any bills etc until the money reached my account (took 7 days). Mine was as a result of internet fraud, cloning my banking page or something.
Their security systems are crap though, compared to other banks.
Scary stuff. Glad to hear that there's been a positive resolution, andysredmini.
My experience with First Direct was very positive. My credit card was cloned, they spotted it and froze the account before I noticed. I was in Afghanistan at the time yet I was still able to ring them, they sorted it and I had a new credit card in my hand within five days. Very impressed (although I'd have been even more impressed if the fraud hadn't happened in the first place).