Originally posted by "Tann San"...
Not too long ago, my Halifax ATM card got deactivated because I misentered the PIN number three times in a row. So, the next day, I went into the main bank branch to get some cash from a teller.
I headed to the counter with my card in hand and some ID in my pocket. I explained the situation and asked to withdraw a few hundred pounds to carry me over until a new PIN number arrived. After taking my ATM card, she handed me a slip and asked me to sign. I did that, and she then counted out the money and gave it to me. No questions asked.
Let's count the WTFs:
- (Obvious) Me monging up my PIN three times
- The teller did not ask for ID, aside from the defunct card
- She did not compare the signature to anything, as I never signed the back of my ATM card
- I didn't actually use a signature, instead drawing a big circle with a cross through it
- She did not notice that the card wasn't signed, nor that my "signature" looked like the X-Men symbol
- I was given the cash with no security questions whatsoever
As my mind was boggling at these things, she said "I noticed that you didn't respond to our letter about changing your account to a higher rate. Would you like to speak to my co-worker about that?"
I remembered the letter from a few months ago, and figured I might as well convert the account then and there. So, I went to a tiny office with her co-worker, who then lackadaisically explained why my current account sucked and how the higher rate one was miles better. He said this all while blankly staring into space; I looked over my shoulder to see if he was just reading the pitch off a cue sheet stuck to the wall. The higher rate account was a better deal, so I agreed to switch. And this is where the WTFs start with him.
The banker tapped my account number from my ATM card in, and then printed out a sheet that summarized my details: name, DOB, address, phone numbers, etc. He slid it across the table and asked me to double check that the details were correct. At this point, I could have been any mugger off the street who just withdrew several hundred pounds and had the full details of whoever I mugged. I'm fairly sure I could have closed the account and withdrawn the funds in full, without any security challenges.
Ironically, two days later I get a letter from Halifax telling me that I should stop using their phone banking service and switch to their ultra secure online service.
At least the teller was bright and cheerful whilst giving me the cash.
Re: Halifax Bank Security - 2008-04-07 10:32 - by s. (unregistered)
Okay, just for your convenience: He put the card in the ATM then entered the PI Number wrong three times. At first he made a mistake around the 95th digit, the other time at the 98th digit. The third time he got so nervous he just got to enter 3.141593 and his access got disabled.
Re: Halifax Bank Security - 2008-04-07 11:37 - by Grovesy (unregistered)
Having worked there, it's not much better internally.
You could pretty much handcraft a 'TransferFunds' message and dump it on the queue... nice...

TRWTF is that they didn't require a sheet of paper with a personal letterhead to establish identity!

A few years ago, my security lecturer told us all about his wife going into a branch of Natwest and getting them to issue her a new PIN - which they did on the spot with no security checks! Scary.
Then again, more recently I needed a note of how much interest I'd received in the year to put on my tax return. After a few days, a massive wad of tractor-feed paper arrived, full of names, account numbers and balances - none of them mine. That was the same Halifax Bank of Scotland featured in the main WTF here...
Then there's Barclays, whose credit card site has a bizarre password system requiring passwords to be all alpha (no numbers or symbols) with at least two different letters from each row of the keyboard, non-adjacent, plus a few other details. They don't actually tell you this, just reject every attempt at a password you enter; eventually, I called the helpdesk, which helpfully informed me that one particular word does meet all the requirements. Brillant security.