by Les May
YOU do not expect to find the most penetrating and insightful journalism
in a newspaper published by a company which also produces ‘Oor
Wullie’, ‘The Broons’, ‘My Weekly’ and ‘The People’s
Friend’. But yesterday ‘The Sunday Post’ carried a detailed
article about a computer fraud which needs to be more widely known.
Briefly, one of the paper’s columnists, Donald MacLeod, had had what he
described as a ‘six figure sum’ filched from his account in the
space of a few hours and his bank had not considered it ‘unusual
activity’ and halted further transactions.
MacLeod had received a phone call from his mortgage provider. Or at least he
thought it was his mortgage provider because the caller knew his roll
number, monthly payment, type of mortgage and term left. Fairly
convincing stuff. On the basis of what the caller said MacLeod
decided to take up a cheaper mortgage option. To set things in
motion a copy of his driving licence was requested.
Because his bank had insisted on having his driving licence number as a ‘third
level’ security check, MacLeod had unwittingly given the fraudster
the key to emptying not only his account but the savings accounts of
two of his children. All it required was for the fraudster to apply
for online banking facilities using the ‘third level’ security
check and then use this facility to make a series of electronic funds
transfers to… No one knows where.
I’d probably have just mentally filed the article had a
security-conscious friend not shown me a letter they had just received from
their bank, HSBC. This requested that certified copies of two
separate documents be sent to a PO Box Number. One was to prove the
recipient’s identity, the other to prove their place of residence.
Plenty here for a determined fraudster to steal someone’s identity.
The icing on the cake was that for ‘speed and convenience’, you could
do it online with their ‘Jumio’ tool (at least they didn’t
call it an app). And the information would go precisely where?
The ostensible reason for asking for this information is to protect
customers’ accounts. But it’s not clear how this offers any
protection to people who bank with HSBC. The only beneficiary is
HSBC. It’s the bank’s way of protecting itself from further
accusations that it has a sloppy attitude to the prevention of money
laundering. In 2012 it had to pay £1.2 billion because it had
inadequate controls against money laundering. Type the words ‘money
laundering hsbc’ into Google or any other search engine, and
watch the hits roll up.
If HSBC was serious about protecting customers’ accounts it would go
about this exercise in a different way. First it would be honest
about why it wants the information. Second it would use what remains
of its branch network to process this information for all its
customers, not just the few who spot the danger in sending
identification to a PO Box or over the Internet. Determined
fraudsters with access to a colour printer can easily produce
fraudulent copies of letters purporting to come from HSBC and then
harvest the identification documents which flow in. They are
unlikely to go to the trouble of opening a fake bank branch.