[BreachExchange] Barclays in major security breach as it admits posting out pin numbers with new cards

Audrey McNeil audrey at riskbasedsecurity.com
Fri Nov 10 20:15:07 EST 2017


https://www.theguardian.com/money/2017/nov/10/barclays-posts-pin-numbers-with-debit-cards

Barclays has admitted it has a “known” technical problem that is resulting
in thousands of letters containing pin numbers being sent out in the post
alongside new debit cards. In the wrong hands, the card and pin can be used
to empty a Barclays account, with customers facing a massive battle to get
their money back.

The bank is in the middle of replacing the sort codes of at least 900,000
customers and, as a result, is sending out large numbers of replacement
debit cards with the new codes.

However, it has emerged that a technical problem has resulted in many
customers also being sent letters that contain their four-digit pin number,
sometimes in the same post, albeit in a different envelope.

The bank claims the problem affects “less than 1%” of customers, but it has
grave implications for any Barclays account holders whose card and pin
letter get lost in the post. Last week, Money reported how Barclays had
refused to refund a customer the £6,000 taken from her account after
thieves had stolen her replacement debit card before it reached her north
London home.

Fran Pitcher was adamant she had not disclosed her pin number to anyone.
But Barclays declined to refund her on the basis that the correct pin had
been used to access the money – mostly from ATMs – and therefore she must
have been negligent.

At the time, Pitcher, a Barclays customer for more than 40 years, said she
had been sent an unsolicited pin with her second card. The bank said it had
not sent out a pin letter with the stolen card, but she said it was the only
logical explanation.

Within hours of publishing her story, Money was contacted by Colin Rose
from Bristol who said he was appalled to have read it, not least as he
could have found himself in the same position. The previous day, Barclays
had sent him a new debit card and a letter containing his pin number. They
arrived in the same postal delivery.

Fearful he could have become a victim of bank incompetence, he says he
spent hours on the phone to Barclays, only to be told it was a “known
issue” that was affecting some customers.

“I was alarmed, as in the wrong hands it would have allowed immediate and
full access to our bank account,” Rose says. “Barclays customer services
were unable to tell me where and how the despatch of the pin letter would
have been recorded and how that data might be accessed, if needed, by a
customer. The only thing the call handler could suggest was the filing of a
subject access request, which might or might not reveal that it had been
logged. That’s not a good enough explanation.”

Rose, a Barclays customer of 50 years, says the episode has left him
wondering whether he should continue to bank with it. “It is not clear that
it has total command of data and communication systems that customers are
entitled to expect these days. Its casual incompetence and the experience
of Mrs Pitcher is worrying.”

Barclays’ reputation has suffered in recent years, with the bank frequently
coming out worst in customer service and complaints tables. In September,
Which? said Barclays’ complaints score was the second worst among the big
banks, while in October, the Financial Conduct Authority said Barclays had
the single highest number of complaints in the first six months of 2017,
although the Lloyds group (which includes Halifax) scored the worst.

A spokesman for Barclays told Money: “We take the protection of customers’
funds and data extremely seriously. We acknowledge that for less than 1% of
customers receiving a replacement debit card, they also received a pin. Our
records show that for this small number of customers, the debit cards have
been safely received with no known fraud occurring.

“We have thoroughly reviewed the complaint from Mrs Pitcher and can confirm
that no pin was issued with the replacement debit card.”

The Financial Conduct Authority has made it clear that a bank must refund
customers any “unauthorised” transactions that appear on their account. The
regulator has said that a bank cannot simply say that the use of a pin
“conclusively proves” it was authorised. But that is what Barclays appears
to have done in Pitcher’s case.

The bank is overhauling its sort codes because it, like many others, has
been forced to rejig its business ahead of the introduction of rules that
require banks to ring-fence high street operations from riskier investment
banking activities.

The rules, which come into force at the start of 2019, are named after Sir
John Vickers, who recommended this course of action in 2011 after the
financial crisis. The Bank of England has estimated that about one million
customers could be affected, which suggests that Barclays is far more
affected than any other major bank.

Meanwhile, Pitcher says the fight to get her money back goes on and she has
engaged a financial expert to help her.

“As far as I am aware, Barclays refuses to send out debit cards by
registered post, presumably because it costs more,” she says. “It also
won’t let customers collect cards in the branch. Other banks send cards
that can only be used once the customer has activated them. If Barclays had
any of these I wouldn’t be facing a battle to get my £6,000. The bank has
behaved disgracefully.”

Barclays and TSB forced to repay fraud victims

The two banks at the centre of a payment fraud previously highlighted by
Guardian Money have been forced to jointly refund a couple £37,536 by the
Financial Ombudsman Service (FOS).

TSB and Barclays had initially blamed each other’s failures, after an
elderly couple from Yorkshire were defrauded of their life savings –
£134,000 – in 2016.

Fraudsters posing as investigators from TSB had claimed they needed help
from the couple to catch dodgy staff at the local branch. Over several
weeks, the scammers managed to convince the couple to make 16 payments into
bank accounts they were told were in their own names, or that of other
family members. In fact, the payments went into current accounts at
Barclays branches dotted around the country.

One of the payments, for £47,000, was made in person by one of the victims
in their local TSB branch. According to the FOS report, branch staff were
so concerned it was a scam that they phoned Barclays to check that the
account the money was due to be paid into was in the victim’s name. However,
Barclays refused to confirm that, citing the Data Protection Act. The TSB
staff member insisted on being put through to Barclays’ fraud department.
After explaining he was worried it was a scam, the Barclays adviser still
refused to confirm the account name. Despite these doubts, the payment was
made.

Following Money’s intervention, almost £10,000 was recovered from a
Slough-based account. The FOS report says Barclays has accepted it could
have done more and has agreed to pay half the losses (£18,768) plus 8%
interest. TSB should have halted the payment, said the FOS, and therefore
has been told to pay the same.

Money understands there is an ongoing police investigation into the matter.
The police have said they are exploring whether the bank that received the
stolen funds might have been expected to ensure the account was not being
operated by criminals.