OLD Confirmation of what?

Our new and hopefully to be regular window cleaner was due twenty quid. They asked for cash, which of course I do not have, or a cheque, which of course I could not be bothered to deal with as it would have meant finding the cheque book and I have no idea where it is. Instead, I asked them to get their office to call me with their bank details. The office phoned to give me a sort code and account number, so I went online and used the Faster Payment Service (FPS) to send them a quid. When they phoned a day or two later to tell me that they had the quid, then I sent the other nineteen. Now, every time I come home and find a compliment slip from them on the mat because they have cleaned the windows, it takes me about 10 seconds to use my Barclays mobile banking app to send them the twenty pounds that I owe them.

I bought a new car last month. Well, it was an old car. But new to me. I went to look at the car and paid a deposit by credit card. Since it was going to take a couple of days to make a small repair and get a new vehicle test/emissions certificate, I arranged to pick it up at the end of the week. The dealer gave me a piece of paper with his bank details on it. I set the dealer up as a payee for online banking and sent him a fiver. When I went to pick the car up, the salesman confirmed to me that they had received the tenner, so then I transferred the balance of a few thousand pounds.

The last time I had any building work done on my house, a few years back now, the builder sent me a letter with their bank details in it. I went online and set them up as payee on my bank account. I used my Barclays dongle thingy for the two-factor authentication (2FA) and sent them a tenner. When the builder called to tell me that the ten pounds had been received, I transferred the balance of a few tens of thousands of pounds to the same account.

Here’s something I’ve never done: got a sort code and account number by phone call, letter or e-mail and then transferred loads of money to it. I’d naturally assumed that this is what everyone did with our interbank immediate credit transfer system. First use the clapped-out 1950s nonsense about sort codes and account numbers to set up a path for the money to follow, then send a tiny amount of money to check that the route works, then use the route to send money as and when required.

Here are a few other things I would not do...

Tomorrow, if I get a phone call from Barclays telling me that there is a police investigation into fraud going on, and that I need to move money from my current account to another safe account at Barclays, then I would ask them to send me a message to this effect via secure e-mail encrypted using my public key and digitally signed using their private key, which I could verify with the public key that I can easily obtain from their web site. I’m just joking of course, Barclays cannot do this (although, interestingly, Facebook do). I’d tell them to message me using the Barclays mobile app that they already know is on my phone. If they couldn't do that, then I’d hang up. I would not transfer the money to an account that they ask me to use.

Next year, if I am in the process of moving house and I get an e-mail from my solicitor asking me to send the money for the house purchase to a new bank account with a new sort code and account number, then I will call them back and tell them that sending a request for money over an insecure e-mail channel is a prima facie case of professional negligence and that they will be fired unless they restrict all future sensitive communications to Signal, or at worst WhatsApp. Then, assuming that they do this, I will send them a fiver and ask them to call me to confirm it has arrived.

According to the consumer magazine people at "Which?", the "major banks have agreed to refund blameless victims of bank transfer scams."

But what does “blameless” mean?

Giving out your 2FA code over the phone when the bank has told you a hundred times that they will never ask for your 2FA code? Is that blameless?

It seems to me that if I send money to an account without taking reasonable steps to determine that I’m sending money to a legitimate destination then it’s kind of my fault. Am I blameless? How am I supposed to know what sort code and account number belongs to Bloggs the Builders and what sort code and account number belongs to Fred the Fraudster?

(And is it any of my business, under GDPR, what the real name of an account holder is anyway?)

How can people determine whether they are sending money to a legitimate account in the absence of a functioning digital identity infrastructure? Well, I suppose that, lacking a working digital identity infrastructure for people or companies, they could use some bank system to check that the name on the account they are sending money to vaguely approximates the name that they may or may not know to be the correct payee name.

This is what has been proposed in the UK. The “payee confirmation” scheme was, according to the Payment Systems Regulator, supposed to launch in July 2019, although it now looks as if it will not be in place until later in 2020. Under this scheme, when setting up a new payment or amending an existing one, banks will be able to check the name that you enter into your online banking against the name on the account of the payee person or organisation. What will happen is:

  • If you use the correct account name, you will receive confirmation that the details match, so you can proceed with the payment.

  • If you use a "similar" name to the account holder, you will be provided with the actual name of the account holder to check.

  • If you enter the wrong name for the account holder, you will be told the details do not match.

Bearing in mind that no such system exists, it’s not surprising that it’s taking banks time to put it together. It’s also plain what will happen: I set up a transfer to Bloggs the Builder and it gets rejected because the account is actually in the name of F.A. & S.F.A. Fauntleroy-Bloggs. This will of course result in endless calls to bank call centres.

Suppose dad’s name was Edward Antony Birch, but everyone in the family always called him Tony. Every transfer to Tony Birch would fail the payee confirmation.

What would be better, of course, since everyone in the family and the builder knows that my dad’s e-mail address is tony@birches.org, would be to send the money to tony@birches.org and not 77-00-11 19134428.
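To make the three outcomes concrete, here is an added toy model of the check described above; it is not the post's code nor any bank's actual matching rule. The account table is constructed from the post's examples, and the name normalisation and 0.65 similarity threshold are my assumptions (with that rule, "Tony Birch" comes back as a close match that reveals the formal name, while "Bloggs the Builder" is rejected outright).

```python
"""Toy model of the three payee-confirmation outcomes (match, close match,
no match). Added illustration only; the real scheme's rules are not on the
page, so the normalisation and threshold below are assumptions."""
import re
from difflib import SequenceMatcher

# Constructed lookup table standing in for the bank's account directory.
# Names and the 77-00-11 19134428 details are the post's own examples.
ACCOUNTS = {
    ("77-00-11", "19134428"): "Edward Antony Birch",
    ("20-00-00", "12345678"): "F.A. & S.F.A. Fauntleroy-Bloggs",
}

def normalise(name: str) -> str:
    """Lower-case, replace punctuation with spaces, drop common titles,
    collapse whitespace so 'F.A. & S.F.A.' and 'f a s f a' compare equal."""
    name = re.sub(r"[^a-z0-9 ]", " ", name.lower())
    name = re.sub(r"\b(mr|mrs|ms|dr)\b", " ", name)
    return " ".join(name.split())

def confirm_payee(sort_code, account, entered_name, threshold=0.65):
    """Return (outcome, name_to_show) mirroring the three bullets above.

    outcome is "match", "close_match" or "no_match". The account holder's
    real name is revealed only on a close match, and an unknown account is
    reported as "no_match" so a mistyped sort code leaks nothing.
    """
    actual = ACCOUNTS.get((sort_code, account))
    if actual is None:
        return "no_match", None
    entered, held = normalise(entered_name), normalise(actual)
    if entered == held:
        return "match", None
    # Assumed fuzzy rule: difflib similarity ratio against the held name.
    score = SequenceMatcher(None, entered, held).ratio()
    if score >= threshold:
        return "close_match", actual
    return "no_match", None

if __name__ == "__main__":
    for name in ("Edward Antony Birch", "Tony Birch", "Fred the Fraudster"):
        print(name, "->", confirm_payee("77-00-11", "19134428", name))
    print("Bloggs the Builder ->",
          confirm_payee("20-00-00", "12345678", "Bloggs the Builder"))
```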
