I logged on to internet banking to transfer some money into my spending account (an account I mainly use for on-line purchases) and noticed that I was £1760 into a £2000 overdraft I didn’t have before. I then looked at my other accounts and they had both been emptied.
I rang HSBC and because I have never used telephone banking before didn’t know my security number. This locked me out and I Had to speak to a person and answer some security questions. He told me in a stern manor that he will only accept my first answer. The first one was what is my memorable place. I couldn’t remember this and answered with the answer to the usual question of your place of birth.
Next he asked me my date of birth. No problems with that one. Lastly he asked me the month and year when my account was set up. I said I had no idea. The account was set up when I was about 10 when it was Midland Bank.
Based on me getting 2 of the 3 questions wrong I still passed the security check which now allows me into my accounts to do as I wish.

He went onto look at the activity and told me that someone has stolen the money via telephone banking. Even moving money around accounts so it could be removed.

I think I’ll be moving banks if it’s that easy to get past HSBC’s security.

I used to think on-line banking was the one to be careful of but it seem like anyone could get into a person’s telephone banking and take whatever they fancied.

Are you getting your money back?

Scary stuff.

Has your wife mysteriously disappeared by any chance?

Perhaps they looked at your account information and realised that fraud had happened that you were unlikely to remember when an account that was set up when you were 10 was and used some discretion to help an obvious customer in distress?
I assume this is what happened rather than 1 of 3 was good enough.

They seemed to think ill get my money back. I have to speak to HSBC head office fraud investigators shortly and prove its not me who has taken the money.
Apparently the money has gone to a Lloyds bank account with a reference of COAN ltd.

Unfortunately the wife’s still here. I think!

I never mentioned how old the account was. I just told him I didn’t know.

Apparently the money has gone to a Lloyds bank account with a reference of COAN ltd.

Someone must have a serious need for salty dried meat snacks!

andysredmini – Member

Apparently the money has gone to a Lloyds bank account with a reference of COAN ltd.

Transfer error made by the bank?

It would be really stooopid to hack someone’s bank account only to transfer them to another UK bank leaving a trail of their activity … normally it’s either transferred to some doggy foreign banks or cash withdrawal.

Definitely fraud.
They transferred 60p first which they use as a test to see if everything works before taking whatever they want.

ime the police cant be bothered to investigate and the banks just write it off

frustrating because the scallys that caused you all the stress seem to get away scott free

Apparently the money has gone to a Lloyds bank account with a reference of COAN ltd.

Just pop around and ask for your money back, if he refuses then give him some fist pie. Don’t tell him I sent you.

ime the police cant be bothered to investigate

Problem I had was that I had my money returned and so wasn’t the victim of a crime and the bank would rather write the money off than involve the police so the police have their hands tied even if they wanted to look into the problem.

This is a very interesting doc on the subject actually…
http://www.bbc.co.uk/programmes/b04kbl8p

I think I’ll be moving banks if it’s that easy to get past HSBC’s security.

I think the problem with internet banking is its one of the first internet systems that had any sort of advanced security system for the public. Thats a public that pretty much still is using the same password for every other internet account and 4 digit pin that will invariably start 19xx.

Since then people have put so much of their lives online (by choice or accident) so the way of setting security information – with a list of questions that it was imagined only you could answer (place of birth, first school, last school etc) is now a list of questions that can mostly be answered by looking at your Facebook page. It seems outmoded but… even keeping it that simple look how difficult it was for you to answer the questions.

If you’d instead had a list of half a dozen unique long alpha-numeric, non-dictionary passwords how would you remember them if you can’t remember a place that you’d nominated as being memorable?

Your account would be more fraud proof, but it would also be completely customer proof. 🙂

We’re all a bit more password savvy than we were even a year ago, let alone 12-15 years ago when online banking started to become mainstream (the details I use to access my bank are the only passwords I haven’t reset in all that time) but I doubt either the banks or their entire customer base are ready to have the whole login system re-built.

andysredmini – Member

I think I’ll be moving banks if it’s that easy to get past HSBC’s security.

I used to think on-line banking was the one to be careful of but it seem like anyone could get into a person’s telephone banking and take whatever they fancied.

Nothing would surprise me when it comes to company’s security processes.
Not quite as bas as your situation, but when I was with Vodafone, someone rang them up pretending to be me, but unable to remember my password. They gave him access anyway, so he changed my address to a flat in Birmingham, upgraded my phone and contract and had the phone sent to the address that had just been changed.
The only way I found out was when Vodafone rang to check I was happy with my new phone and contract.
We then had a 10min conflab about the fact that I had/hadn’t/had/hadn’t changed my contract and eventually it ended up with their fraud investigation team.

While this was being dealt with, they set up 2 more ‘personal questions’ and a second PIN I had to get through in case they tried again.
In the next couple of weeks, I must have rang them 5 times and not once did they ask me for the ‘extra security’ details, until I mentioned it once I had already got into the account, which led to plenty of ummmmming and aaaaaahing.

What was crazy, was that they let him change my address and send the phone to the new address with no checks and they had no details of my previous addresses, so they couldn’t confirm the address I was giving them was correct. Once they’ve overwritten the address, it’s gone from their system for good….!

Hope you get your situation resolved!!

I also wondered how they could send it to lloyds without it being traceable.
What do they do with it from lloyds?

I once could not get some info from the benefits office because I was unable to provide the last address they had from me and they would not even confirm what decade it came from! The address they had was only 18 years out of date and they still wanted the postcode.

The problem with any security system is the one guaranteed flaw – the human link in the chain.

Social engineering is the easiest and quickest way of getting into a system.

It could be as simple as leaving an infected USB stick with a keylogger outside someones house. Wait for them to pick it up, plug it in and then you have their passwords.

Or in this case, it is convincing someone over the phone you are someone else.

in 9/10 cases of “hacking” it is actually social engineering. It’s just far simpler to convince someone to do your bidding then do that tappy keyboard wizardry.

Here is an excellent article about a tech reporter who got hacked for his Twitter handle, the unfortunate collateral being the complete wiping of his laptop:

http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/all/

Really interesting to read how it was accomplished all through social engineering of someone on the phone.

Last year, some thieving goits walked into my bank with (bad) fake id (passport!) and cleared me out. Security checks weren’t properly followed and, despite the cashier saying the whole transaction didn’t ‘feel right’, still let it go through on shaky identification.

As per the OP, i had massive problems phoning up to sort this out, and due to failing the obscure questions actually got blocked as well, however the bank would not talk to me at all! In fact, now i think about it, i was blocked on a “recent transaction” i got the value wrong for – i was about 20pence out…

I got it back as the CCTV proved it wasn’t me – but police weren’t interested, the bank was in the middle of a mall with good CCTV too. Ho hum.

The morale of this story is that nowhere is safe, no amount of due diligence on the public side will help if some scrote is going to steal something. The secondary morale is that, the criminal will have a much easier time getting your stuff than you will have proving that it was your stuff in the first place…

P

The morale of this story is that nowhere is safe, no amount of due diligence on the public side will help if some scrote is going to steal something. The secondary morale is that, the criminal will have a much easier time getting your stuff than you will have proving that it was your stuff in the first place…

I think my morale would be seriously low after that happening.

The security question thing is worrying. I’ve forgotten them before, and been prompted. I guess you have to know vaguely what it is, but even so, not great! I phoned up pretending to be my boss, to get his corporate card statements sent to his home address rather than the office. Muddled through with hardly any of his personal details!

chakaping – Member

Has your wife mysteriously disappeared by any chance?Or have you recently been befriended by a Nigerian prince on the interweb?

I just got off the phone with HSBC
Saturday night I was told to ring up next day to report it the fraud team. After waiting 50 mins yesterday morning I was told that the fraud team don’t work on Sunday and to call back today. Another 40 mins on the phone just and the fraud team just told me they cant do anything and that I need to go into a branch and show them ID which I feel more comfortable with rather than everything being done facelessly over the phone.

HSBC = shower of s#@t

The last government changed the rules about the Police being involved for bank account / credit card fraud.
It’s 100% the banks job to sort and take the risk, until they have enough evidence to hand over to the fraud squad to help bust a major fraud ring.

Have know the double pronged fraud where they go for the mobile phone and bank account together. Quite an elaborate sequence of swapping addresses, ordering replacement SIM, and insecure telephone hotlines. Think one of the security questions was something like “what bank account number do you pay the direct debits by?” , which is not at all difficult when the victim had binned a bank statement without shredding.

I did buy my wife from Nigeria funnily enough?
and her brother is always emailing me asking to borrow money.

Go to company check website and look for COAN LTD it was dissolved in 2008 but that does not mean the bank account has been closed and still may be used for “clearing” transfers unknown to the origional account owner – it’s easier these days to get access to an existing account than set one up! Chances are it will have been sent onto multiple accounts via online banking then withdrawn as cash – my business works in card data security (PCIDSS)

A friend had his HSBC bank account emptied of £11k in a similar way to andersop even though the branch they walked into was in London and his account was held in Middlesbrough.

Could this be linked to my mobile not being able to receive calls all day Friday and Saturday?
I had to speak to Vodafone on Saturday who had to update some settings as some diverts had been set up but not by me.
I didn’t know anything about it until three people told me they had been trying to ring me.

Definitely incredibly stressful and horrible feeling throughout. I wouldn’t wish it on anyone.

re the comments on internet banking security. The issue here was phone banking. HSBC uses a keypad thingummy to get on to the internet site. I assume this is more secure than either a single password or asking questions and giving access regardless of whether you can answer them.

My experience of HSBC’s anti-fraud people is very good (eg card declined at US hotel reception and as I got out an alternative card to pay with they phoned to confirm it really was me in the states and reactivate the card). Nothing like the service OP is experiencing (not doubting the story, commenting on the inconsistency).

I recently went on a trip to Italy and had all kinds of problems with First Direct declining card transactions as they seemed “unusual”. I guess I should be grateful, but it was bloody annoying at the time !!

Write everything down, keep a note of every conversation times, dates, who you spoke to. I had a blooming nightmare when my CC got done. I fear money from a bank account will be even harder to retrieve.

When I asked if I needed to do anything i.e. cut cards up they said as long as I phisically have my cards and my internet banking keypad in their eyes I’m classed as secure.
That’s all good and well until I refer back to them letting anyone in through telephone banking.

Latest update.

I had to go into branch and verify myself by showing them my id.
Whilst in the branch I had to speak to the fraud department who ran through the whole situation, this included listening to the conversations I had when I reported it and the conversation the person who stole the money had when he completed all the fraudulent transactions.
It turned out that I got all 3 of the security questions wrong (see op) but they still let me in and the thief also got the questions wrong and they let him in to my account to do whatever he wanted including setting me up the £2000 overdraft and emptying all the accounts.
HSBC’s security is even more of a joke than I thought.
The end result is HSBC have accepted its fraud and are refunding me the money today or tomorrow and after some persuasion issuing me new cards (maybe not needed but for peace of mind)
I’m not normally a complainer but in this instance I have logged a complaint and due to the severity it has gone quite high up the tree and is being investigated.

Good news.

I am amazed they didn’t want to issue you new cards though. It costs them pennies and even if the hole wasnt related to them they normally want to do it anyway as it’s cheaper than more money going missing.

HSBC…. grrrr

applied for a mortgage with them 2 months ago, ok for a week but then the madness started…

Asked for proof of id – fine – took to Branch – they did nothing for 10 days after that, then phoned to check something – two weeks later nothing had happened and then spent about 2 hours one day to call centres in ? 3 different countries. All polite and helpful except the UK one…

But they still managed to change my id and address details 3 x in 24 hours and then sent out a request for my financial details to an address I left 2 years ago where my STB-ex-wife lives…

And every time I rang them, or they rang me they insisted on asking my security questions, which as they had changed my address without asking, I got wrong… Even when they rang me to apologise, they insisted until I told them I wasn’t going to apply any further and to go a long long away.

Nationwide sorted the whole thing in 7 days

HSBC – Avoid

The business about your mobile phone not working sounds familiar but I can’t quite think what the story was.

Let me know if you do remember. Could be nothing related but you never know.

Sorry about your experience with HSBC as I’ve had nothing but good service from them. Including when my card was cloned and they informed me of it and had new cards out to me within days.

Did you have a call, email or text to your phone about your bank account? I can’t find anything on google about it but it was something like you answering the call or email and giving the person on the other end your details, they then somehow prevent you using your phone for a bit whilst they empty your accounts (so you cannot ring up and check with the bank!!)

I’m with Barclays who are evil bastard bankers of the highest order.

So far however they have proven to be reasonably competent evil bastards with excellent online banking and a good track record of flagging odd transactions and calling me about them.

So fair play.