Not your 'average' bank fraud

  • gradus
    Full Member
    • Nov 2010
    • 5606

    #16
    Many thanks

    Comment

    • Bryn
      Banned
      • Mar 2007
      • 24688

      #17
      Originally posted by Anastasius View Post
      Gradus, yes, you should not need to worry. The reference to the URL above is in response to Ahinton's post which is inaccurate and misleading.
      The problem reported here will, of course, have been resolved by now. However, ... .

      Re. the card readers used by some banks, etc. for verification via the input of a unique numerical code provided via a mobile phone message, is each reader unique? If not, and a fraudster had managed to ascertain one's PIN somehow (it does happen), could they not use an intercepted code to gain access to one's account by entering it into a similar card reader? This would not, I fully accept, be a case of hacking the card reader, but it might be another potential security weakness.
      Last edited by Bryn; 20-01-16, 14:50. Reason: Typo (corrected in blue).

      Comment

      • ahinton
        Full Member
        • Nov 2010
        • 16122

        #18
        Originally posted by Anastasius View Post
        No they can't in the context of online banking. If you think that they can then please provide a URL.
        Whilst I cannot do that because, as far as I know, there isn't one to provide, I can assure you that I write from personal experience that illustrates the falsehood of your assumption that what I'd written about this is inaccurate and misleading.

        Furthermore (although this is not the same thing), I once had my credit card hacked and discovered this only when trying to use it to make a face-to-face payment for goods and, upon repeated decline of the card, I called my bank and received its confirmation that it had indeed been hacked and they'd accordingly closed it and ordered a new card which should be with me in a few days. The bank also advised that the new card details would be known to them before I physically received the card and that its PIN would not have changed (as this would be up to me to do, should I so choose, upon receipt of the replacement card). I bore this in mind when trying to make the same purchase a couple of days later only to find that the new card number was once again declined because it, too, had been hacked - and this was before I had even received the card itself. That experience, added to a more recent one (albeit not involving the use of a mobile phone) taught me that there are many and varied ways in which a determined and knowledgeable hacker can access one's bank account and details.

        Comment

        • Anastasius
          Full Member
          • Mar 2015
          • 1842

          #19
          Originally posted by ahinton View Post
          Whilst I cannot do that because, as far as I know, there isn't one to provide, I can assure you that I write from personal experience that illustrates the falsehood of your assumption that what I'd written about this is inaccurate and misleading.

          ....
          Sorry but I don't buy your feeble excuse. You are just scare-mongering. Sweeping generalisation as is your wont.
          Fewer Smart things. More smart people.

          Comment

          • Anastasius
            Full Member
            • Mar 2015
            • 1842

            #20
            Originally posted by Bryn View Post
            The problem reported here will, of course, have been resolved by now. However, ... .

            Re. the card readers used by some banks, etc. for verification via the input of a unique numerical code provided via a mobile phone message, is each reader unique? If not, and a fraudster had managed to ascertain one's PIN somehow (it does happen), could they not use an intercepted code to gain access to one's account by entering it into a similar card reader? This would not, I fully accept, be a case of hacking the card reader, but it might be another potential security weakness.
            Excellent research, Bryn. Social engineering at its best and a similar approach to the mobile diversion that I referred to. The scary thing is that, like the mobile SIM swap there is nothing that you or I or the banks can do to guard against that happening.

            Which makes me start thinking about finding a bank that uses the card reader. The card readers are, as far as I am aware, common across the banks that use them. They do not need to be unique as they use the same software (public key encryption, I believe although I could be wrong). To beat them, using your example, the fraudster would have to :

            1) know all your bank account details

            2) your PIN number

            3) intercept your phone line as in your example

            Quite a tall order and easier pickings elsewhere I would suggest.
            Fewer Smart things. More smart people.

            Comment

            • jean
              Late member
              • Nov 2010
              • 7100

              #21
              Originally posted by Bryn View Post
              Re. the card readers used by some banks, etc. for verification via the input of a unique numerical code provided via a mobile phone message...
              My bank gives me the information to put into the card reader online - no mobile phone is involved at that stage.

              But I do get a text message afterwards asking me if I really meant to make that payment.

              Comment

              • ahinton
                Full Member
                • Nov 2010
                • 16122

                #22
                Originally posted by Anastasius View Post
                Sorry but I don't buy your feeble excuse. You are just scare-mongering. Sweeping generalisation as is your wont.
                What you choose to buy is your prerogative, just as it is mine to relay my own experience, to which you were not and would not have expected to be party. You have no idea what might or might not be "my wont". If you don't like what I've written, that's fine but do bear in mind that I didn't especially appreciate having to write it either; it would have been dishonest for me to write otherwise. As to the perception of "scare-mongering", I am not selling anything any more than you're buying it, but I would not regard the plethora of advice and warnings issued by banks and other financial institutions and commentators about the vital need for vigilance and diligence in respect of secure operation of bank and credit/debit card accounts as inherently "scare-mongering"; if you do regard it, or some of it, as such, however, I suggest that you address your concerns to those who do the issuing.

                Comment

                • ahinton
                  Full Member
                  • Nov 2010
                  • 16122

                  #23
                  Originally posted by jean View Post
                  My bank gives me the information to put into the card reader online - no mobile phone is involved at that stage.

                  But I do get a text message afterwards asking me if I really meant to make that payment.
                  None is involved at any stage with my online banking operation as I have neither given my bank my mobile number nor requested that they use that facility as part of its service to me.

                  Comment

                  • ahinton
                    Full Member
                    • Nov 2010
                    • 16122

                    #24
                    Originally posted by Anastasius View Post
                    Excellent research, Bryn. Social engineering at its best and a similar approach to the mobile diversion that I referred to. The scary thing is that, like the mobile SIM swap there is nothing that you or I or the banks can do to guard against that happening.

                    Which makes me start thinking about finding a bank that uses the card reader. The card readers are, as far as I am aware, common across the banks that use them. They do not need to be unique as they use the same software (public key encryption, I believe although I could be wrong). To beat them, using your example, the fraudster would have to :

                    1) know all your bank account details

                    2) your PIN number

                    3) intercept your phone line as in your example

                    Quite a tall order and easier pickings elsewhere I would suggest.
                    Easier pickings for some, to be sure, but this is no deterrent to the determined expert.

                    Anyone visiting my website will find my bank details (and I am far from alone in that - anyone wishing to advertise ways to pay will do this) - but then anyone receiving a payment from my bank account will have those details too.

                    Accessing someone's PIN is by no means as easy but it can be done.

                    Phone line interception is more common than perhaps you realise, as has been publicised in respect of scam calls in which the caller manages to hack the phone line of, say, your bank when you want to call back in the hope of ensuring that the call received was genuine (see, for example, Top tactics to watch for, at http://www.which.co.uk/consumer-righ...em/phone-scams ).

                    Not the easiest series of tasks to accomplish successfully, but for those with the expertise it's no bar.

                    Comment

                    • Cockney Sparrow
                      Full Member
                      • Jan 2014
                      • 2284

                      #25
                      Originally posted by ahinton View Post
                      Phone line interception is more common than perhaps you realise, as has been publicised in respect of scam calls in which the caller manages to hack the phone line of, say, your bank when you want to call back in the hope of ensuring that the call received was genuine (see, for example, Top tactics to watch for, at http://www.which.co.uk/consumer-righ...em/phone-scams ).
                      Not the easiest series of tasks to accomplish successfully, but for those with the expertise it's no bar.
                      There's some confusion here I think. Fraudsters will search for any means to intervene with a person or into a process and perpetrate the fraud. Not all of that is what I would call hacking (although I'm not going to be a willing participant in posts about defining "hacking".)

                      The phone line fraud for example is not a hack on the bank's phone line. It's the fraudster phoning a number, persuading the recipient to be willing to do something, and then remaining on the line because of the way the UK landline phone system works. Which is that the fraudster does not end the call, and when the victim picks up the phone to make an outgoing call, in reality they are speaking to the fraudster or an accomplice, who are impersonating the bank. The bank are not involved, it's not their phone line. It's a fraud, but not a hack as I would term it.

                      Advice is to wait at least 5 minutes (or 10 minutes or as long as you want) before using the same landline when the system will have disconnected it. An alternative is to establish one has a clear line by e.g. phoning a friend and asking them to identify themself to you (as the fraudster wouldn't be able to do that), or use a different phone to call the bank on a number from their bona fide website or the paper statements (not a number given by the caller).

                      For myself I use online banking with a card reader but inherently consider a mobile device too risky. No mobile messages, except they have it in case they have a fraud alert. (And when I would call back on the numbers on the back of my bank card or on the statement).

                      Comment

                      • ahinton
                        Full Member
                        • Nov 2010
                        • 16122

                        #26
                        Originally posted by Cockney Sparrow View Post
                        There's some confusion here I think. Fraudsters will search for any means to intervene with a person or into a process and perpetrate the fraud. Not all of that is what I would call hacking (although I'm not going to be a willing participant in posts about defining "hacking".)
                        Fair comment; interference does indeed take a number of forms including but not limited to what some might define as "hacking" (and I'm not about to get involved in discussions of that definition either!)

                        Originally posted by Cockney Sparrow View Post
                        The phone line fraud for example is not a hack on the bank's phone line. It's the fraudster phoning a number, persuading the recipient to be willing to do something, and then remaining on the line because of the way the UK landline phone system works. Which is that the fraudster does not end the call, and when the victim picks up the phone to make an outgoing call, in reality they are speaking to the fraudster or an accomplice, who are impersonating the bank. The bank are not involved, it's not their phone line. It's a fraud, but not a hack as I would term it.
                        That's correct - it's really more a hack - or at least wilfully fraudulent misuse - of the called party's phone line with the recommendation on the fraudster's part for the called party to call his/her bank in the knowledge that this won't be the result. Best protections against this are for the called party to wait at least a couple of minutes before phoning his/her bank or phoning said bank from a different phone line, as indeed you suggest, but one has to be aware of this first!

                        Originally posted by Cockney Sparrow View Post
                        For myself I use online banking with a card reader but inherently consider a mobile device too risky. No mobile messages, except they have it in case they have a fraud alert. (And when I would call back on the numbers on the back of my bank card or on the statement).
                        Same here; I also find that not including use of the mobile facility does not reduce what I can do when banking online.
                        Last edited by ahinton; 21-01-16, 13:01.

                        Comment

                        • Cockney Sparrow
                          Full Member
                          • Jan 2014
                          • 2284

                          #27
                          When I worked in a regulatory organisation, on occasion we were briefed on consumer fraud trends. Fraudsters have lists of phone nos. which are bought and sold between them.

                          I suspect my landline appears on such a list - because I worked at home and answered the phone during the daytime. For a fraudster, that puts me in a group more likely to be elderly, more likely to succumb to a fraud (or more likely to be confused and easily led - I'm sorry to say that). So about 70% of our calls are from scamsters of one sort or another. Most of them sound like they are located half way across the globe. I have trained all my family to give absolutely no information to an unknown caller, no information about our address, home, names, ages, the weather viewed out of the window let alone any financial matters. And even when we are assured the call is bona fide, to think very carefully before proceeding to give ANY information, but consider calling back, or taking other steps to verify what is being said or suggested.

                          As soon as I establish a call is unsolicited, I end it by saying I don't take such calls and they should take me off their list. (And my number is registered on the telephone preference service). Thankfully, when I get to the confused stage of life (which I hope will be when I've reached a great age) I will be able to trust my children to manage my financial affairs..........

                          Comment

                          • ahinton
                            Full Member
                            • Nov 2010
                            • 16122

                            #28
                            Originally posted by Cockney Sparrow View Post
                            When I worked in a regulatory organisation, on occasion we were briefed on consumer fraud trends. Fraudsters have lists of phone nos. which are bought and sold between them.

                            I suspect my landline appears on such a list - because I worked at home and answered the phone during the daytime. For a fraudster, that puts me in a group more likely to be elderly, more likely to succumb to a fraud (or more likely to be confused and easily led - I'm sorry to say that). So about 70% of our calls are from scamsters of one sort or another. Most of them sound like they are located half way across the globe. I have trained all my family to give absolutely no information to an unknown caller, no information about our address, home, names, ages, the weather viewed out of the window let alone any financial matters. And even when we are assured the call is bona fide, to think very carefully before proceeding to give ANY information, but consider calling back, or taking other steps to verify what is being said or suggested.

                            As soon as I establish a call is unsolicited, I end it by saying I don't take such calls and they should take me off their list. (And my number is registered on the telephone preference service). Thankfully, when I get to the confused stage of life (which I hope will be when I've reached a great age) I will be able to trust my children to manage my financial affairs..........
                            Were everyone to share your wise vigilance and diligence at all times, matters would be made considerably harder, though not impossible, for fraudsters, the most determined of which would get fed up with cold calling and try other methods. That said, the fact that there are people who can hack into the systems of NSA, GCHQ and like national security organisations is likely, however, to give some people pause for thought about how much easier it seems - and indeed ought! - to be to hack into their banks...

                            Comment

                            • Anastasius
                              Full Member
                              • Mar 2015
                              • 1842

                              #29
                              Originally posted by ahinton View Post
                              What you choose to buy is your prerogative, just as it is mine to relay my own experience, to which you were not and would not have expected to be party. You have no idea what might or might not be "my wont". If you don't like what I've written, that's fine but do bear in mind that I didn't especially appreciate having to write it either; it would have been dishonest for me to write otherwise. As to the perception of "scare-mongering", I am not selling anything any more than you're buying it, but I would not regard the plethora of advice and warnings issued by banks and other financial institutions and commentators about the vital need for vigilance and diligence in respect of secure operation of bank and credit/debit card accounts as inherently "scare-mongering"; if you do regard it, or some of it, as such, however, I suggest that you address your concerns to those who do the issuing.

                              yawn.......
                              Fewer Smart things. More smart people.

                              Comment

                              • Anastasius
                                Full Member
                                • Mar 2015
                                • 1842

                                #30
                                Originally posted by ahinton View Post
                                Were everyone to share your wise vigilance and diligence at all times, matters would be made considerably harder, though not impossible, for fraudsters, the most determined of which would get fed up with cold calling and try other methods. That said, the fact that there are people who can hack into the systems of NSA, GCHQ and like national security organisations is likely, however, to give some people pause for thought about how much easier it seems - and indeed ought! - to be to hack into their banks...
                                And yet more complete and utter rubbish from you. Are you that insecure that you feel the need to post such gibberish in the vain attempt that someone will take you seriously? You raise 'pontification' to a whole new level. Hacked into GCHQ ? Where do you get these ideas from?

                                Desist.
                                Fewer Smart things. More smart people.

                                Comment
