Community

I agree, I can remember years ago being very confused when presented with "UB Dartford" - I'd never been to Dartford - turned out it was United Biscuits (HQ in Dartford) central bank a/c - pertaining to their subsidiary "Pizza Hut".

Brititsh Airways is another one - a central bank a/c at Harmondsworth (Heathrow) irrespective of which Airport in the world you actually bought the ticket. Other multinationals like Hertz (Tulsa Oklahoma) are the same.

I'm not keen.

My own experience of biometric access control at my HQ in New York was that I had to register both thumb prints and yet my aggregate error rate was 20% - being blamed for not putting my thumb in the right position on the reader - which means to me the design of the reader is at fault for allowing me to place my thumb in the wrong position.

If my PIN is stolen (and I'm not a fan of CHIP n PIN either), then I can change it and ask for another one. If someone is able to present my biometrics as their own - then there's nothing I can do about - I can't change my fingerprints, blood, saliva, retina, veins, voice etc.

Like with DNA matching (see my separate blog on that topic in Aug 2009 - https://www.finextra.com/blogs/fullblog.aspx?blogid=3190), if the technology is just sampling my results, and coming up with a hash equivalent, then its not impossible for that to be impersonated / reproduced.

How much of that data is going to be transmitted around the world, via what routes, is it going to be secure in transit, how long is it going to be held in cached memory, and will it be secure at rest? Will it survive / detect a man-in-the-middle attack?

Whereby, falling back on the good old Signature, when I was transferring £125,000 yesterday via CHAPS, RBS called up my Signature on File, checked my Passport & Debit Card, and recorded me on CCTV. I was happy.

reading the original Swiss article, as I suspected the amounts were in Swiss Francs not US Dollars - I think the Wired correspondent just couldn't cope with doing a currency conversion.

2 comments I would offer :

Lloyds Bank : per the demographic data, there is no mechanism for any Bank to actually validate on-line the veracity of this data against 3rd Party Registers, so when I am prompted at Account Set up to provide any of this data such as Fathers First Name, Mothers First Name, my Place of Birth, Name of First School (or others such as Mothers Maiden Name, or Name of Dog [I've never owned a Dog]) - I actually provide totally fictitious values - just a character string (with hyphens) to minimise potential for a dictionary attack - but no-one could ever guess what the values are as held on file, and so I'm 'safe'.

RBS : as one of the other correspondents said, you can't set up a new Payee without using a Chip Card Reader; you also have to use the Chip Card Reader again if you want to change any of the details such as the Payee Bank Account. A recent enhancement was that the first time you then try to make a Payment to that Payee, you have to confirm the payment with the Chip Card Reader all over again. So its isn't enough to have opportunism to get hold of the details of the Card, you still need the Card itself.

It's not even the large multinational chain you need to worry about.

If you consider even a medium size hotel could have 5,000 visitors per annum, especially in a tourist area. I recall staying at a boutique hotel in Oxford for my daughters graduation, and was interested to note that the Hotel Reservation, Booking, Invoicing system was all Excel-based, and yet the Reception was of course un-manned after 11pm and you just let yourself in, and given the turnover of staff the Password was there on a Post-It - all you needed to do was help yourself at 3am. 

I've used this system over many years. I always assumed that RBS staff opened the envelope and under a dual control procedure verified the contents before creditting the account.

Something must have gone seriously amiss for them to simply trust the number on the outside of the envelope and not check the contents.

What if I never put anything inside the envelope other than the Credit Slip - could I then claim that they must have lost/stolen the Cash?

Hi Robert,

In the UK we've pretty much adopted the FATF recommendations - that means you have to present yourself in person with a Government-issued Photo ID such as Passport or Drivers License, plus a proof of Address less than 3 months old, such as a Bank Statement or Utility Bill.

National Insurance Number (SSN) doesn't really figure unless you're applying for a Tax-exempt product such as an ISA (Individual Savings Account) which only allows you to open 1 per annum.

I know in Germany you can go to your local Post Office and have them validate your identity credentials as above and then the Post Office sends your authenticated application form off to the Credit Card Company.

I agree that there there are plenty of other types of disputes, such as Bank Charges and Cheques, that are not covered by the change in legislation, and it would be interesting to see if the idea still holds.

No need to go to Court as a first resort : this case originated back in June 2009; since November 2009 there has been a change in legislation : you now have up to 13 months to query a transaction - no matter what MasterCard bylaws state.

http://www.moneymadeclear.fsa.gov.uk/products/credit_cards/credit_cards_getting_help.html
(reproduced verbatim below)
"If there is an unauthorised transaction on your credit card account you should dispute it without undue delay (and no later than 13 months after the transaction).
It is for the bank, building society or credit card company to show that the transaction was made by you and there was no breakdown in procedures or technical difficulty.
If you've not authorised the payment then your credit card company must immediately refund you the transaction amount unless they have some evidence suggesting you may not be entitled to a refund because of the way you have acted. In these cases the credit card company must investigate the claim, but must do so as quickly as possible."

Banks & Credit Card companies now have to keep all the data readily available for 13 months, just in case you make a claim a year later. They can't dismiss your claim citing they no longer have any records of the event. If they didn't keep any records, then since they can't prove their case - you win.

No need to go to Court as a first resort : this case originated back in June 2009; since November 2009 there has been a change in legislation : you now have up to 13 months to query a transaction - no matter what MasterCard bylaws state.

http://www.moneymadeclear.fsa.gov.uk/products/credit_cards/credit_cards_getting_help.html
(reproduced verbatim below)
"If there is an unauthorised transaction on your credit card account you should dispute it without undue delay (and no later than 13 months after the transaction).
It is for the bank, building society or credit card company to show that the transaction was made by you and there was no breakdown in procedures or technical difficulty.
If you've not authorised the payment then your credit card company must immediately refund you the transaction amount unless they have some evidence suggesting you may not be entitled to a refund because of the way you have acted. In these cases the credit card company must investigate the claim, but must do so as quickly as possible."

Banks & Credit Card companies now have to keep all the data readily available for 13 months, just in case you make a claim a year later. They can't dismiss your claim citing they no longer have any records of the event. If they didn't keep any records, then since they can't prove their case - you win.