Dan Q

Tag: banks

That’s Not How Email Works, HSBC

I have a credit card with HSBC1: you know, the bank with virtue-signalling multiculturalism in their ads.

Not long ago I received a letter from them telling me that emails to me were being “returned undelivered” and they needed me to update the email address on my account.

“What’s happening?”

Posted letter from HSBC saying that emails to me have been returned undelivered, held in front of a screen showing a recent email from HSBC sitting in my Inbox.
I don’t know what emails are being “returned undelivered” to HSBC, but it isn’t any of the ones sitting, read, in my email client.

I logged into my account, per the instructions in the letter, and discovered my correct email address already right there, much to my… lack of surprise2.

So I kicked off a live chat via their app, with an agent called Ankitha. Over the course of a drawn-out hour-long conversation, they repeatedly told to tell me how to update my email address (which was never my question). Eventually, when they understood that my email address was already correct, then they concluded the call, saying (emphasis mine):

I can understand your frustration, but if the bank has sent the letter, you will have to update the e-mail address.

This is the point at which a normal person would probably just change the email address in their online banking to a “spare” email address.

But aside from the fact that I’d rather not3, by this point I’d caught the scent of a deeper underlying issue. After all, didn’t I have a conversation a little like this one but with a different bank, about four years ago?

Phone screen showing a live chat interface. The other party says "I can understand your frustration, but if the bank has sent the letter, you will have to update the e-mail address." and then "Thank you for being so understanding and patiently waiting. Thank you for contacting HSBC, if there is anything else you need please feel free to come back to us. Have a pleasant rest of the day.", before ending the conversation.
Perhaps I should be grateful that they didn’t say that I have to change my name, which can sometimes  be significantly more awkward than my email address…

So I called Customer Services directly4, who told me that if my email address is already correct then I can ignore their letter.

I suggested that perhaps their letter template might need updating so it doesn’t say “action required” if action is not required. Or that perhaps what they mean to say is “action required: check your email address is correct”.

Edited version of the letter, now saying 'What's happening? We need to ensure that the email address we're using for you is correct' and 'Action required: Please check that you've been receiving our emails and that the address in your account is correct'.
Say what you mean, HSBC! I’ve suggested an improvement to your letter template.

So anyway, apparently everything’s fine… although I reserved final judgement until I’d seen that they were still sending me emails!

“Action required”

I think I can place a solid guess about what went wrong here. But it makes me feel like we’re living in the Darkest Timeline.

Scene from Community episode 'Remedial Chaos Theory'. Pierce lies injured on the floor, tended to by Annie and Abed, while Jeff swings a flaming blanket around his head. Troy stands in shock at the door, holding a pile of pizza boxes.
You know the one I mean. Somebody rolled a ‘1’, didn’t they…

I dissected HSBC’s latest email to me: it was of the “your latest statement is available” variety. Deep within the email, down at the bottom, is this code: 

<img src="http://www.email1.hsbc.co.uk:8080/Tm90IHRoZSByZWFsIEhTQkMgcGF5bG9hZA=="
   width="1"
  height="1"
     alt="">

<img src="http://www.email1.hsbc.co.uk:8080/QWxzbyBub3QgcmVhbCBIU0JDIHBheWxvYWQ="
   width="1"
  height="1"
     alt="">

What you’re seeing are two tracking pixels: tiny 1×1 pixel images, usually transparent or white-on-white to make them even-more invisible, used to surreptitiously track when somebody reads an email. When you open an email from HSBC – potentially every time you open an email from them – your email client connects to those web addresses to get the necessary images. The code at the end of each identifies the email they were contained within, which in turn can be linked back to the recipient.

You know how invasive a read-receipt feels? Tracking pixels are like those… but turned up to eleven. While a read-receipt only says “the recipient read this email” (usually only after the recipient gives consent for it to do so), a tracking pixel can often track when and how often you refer to an email5.

If I re-read a year-old email from HSBC, they’re saying that they want to know about it.

But it gets worse. Because HSBC are using http://, rather than https:// URLs for their tracking pixels, they’re also saying that every time you read an email from them, they’d like everybody on the same network as you to be able to know that you did so, too. If you’re at my house, on my WiFi, and you open an email from HSBC, not only might HSBC know about it, but I might know about it too.

An easily-avoidable security failure there, HSBC… which isn’t the kind of thing one hopes to hear about a bank!

Zoom-in animation showing two tracking pixels at the bottom of an email, rendered visible in red and blue.
Tracking pixels are usually invisible, so I turned these ones visible so you can see where they hide.

But… tracking pixels don’t actually work. At least, they doesn’t work on me. Like many privacy-conscious individuals, my devices are configured to block tracking pixels (and a variety of other instruments of surveillance capitalism) right out of the gate.

This means that even though I do read most of the non-spam email that lands in my Inbox, the sender doesn’t get to know that I did so unless I choose to tell them. This is the way that email was designed to work, and is the only way that a sender can be confident that it will work.

But we’re in the Darkest Timeline. Tracking pixels have become so endemic that HSBC have clearly come to the opinion that if they can’t track when I open their emails, I must not be receiving their emails. So they wrote me a letter to tell me that my emails have been “returned undelivered” (which seems to be an outright lie).

Surveillance capitalism has become so ubiquitous that it’s become transparent. Transparent like the invisible spies at the bottom of your bank’s emails.

The letter from HSBC again, but this time corrected to say 'We cannot conceive that there's anybody left who hasn't given up on trying to fight back against surveillance capitalism. Action required: turn off your privacy software so we can watch you read our emails. (We'll be letting anybody you live with read them too.)
I’ve changed my mind. Maybe this is what HSBC’s letter should have said.

So in summary, with only a little speculation:

  1. Surveillance capitalism became widespread enough that HSBC came to assume that tracking pixels have bulletproof reliability.
  2. HSBC started using tracking pixels them to check whether emails are being received (even though that’s not what they do when they are reliable, which they’re not).
    • (Oh, and their tracking pixels are badly-implemented, if they worked they’d “leak” data to other people on my network6.)
  3. Eventually, HSBC assumed their tracking was bulletproof. Because HSBC couldn’t track how often, when, and where I was reading their emails… they posted me a letter to tell me I needed to change my email address.

What do I think HSBC should do?

Instead of sending me a misleading letter about undelivered emails, perhaps a better approach for HSBC could be:

  1. At an absolute minimum, stop using unencrypted connections for tracking pixels. I do not want to open a bank email on a cafe’s public WiFi and have everybody in the cafe potentially know who I bank with… and that I just opened an email from them! I certainly don’t want attackers injecting content into the bottom of legitimate emails.
  2. Stop assuming that if somebody blocks your attempts to spy on them via your emails, it means they’re not getting your emails. It doesn’t mean that. It’s never meant that. There are all kinds of reasons that your tracking pixels might not work, and they’re not even all privacy-related reasons!
  3. Or, better yet: just stop trying to surveil your customers’ email habits in the first place? You already sit on a wealth of personal and financial information which you can, and probably do, data-mine for your own benefit. Can you at least try to pay lip service to your own published principles on the ethical use of data and, if I may quote them, “use only that data which is appropriate for the purpose” and “embed privacy considerations into design and approval processes”.
  4. If you need to check that an email address is valid, do that, not an unreliable proxy for it. Instead of this letter, you could have sent an email that said “We need to check that you’re receiving our emails. Please click this link to confirm that you are.” This not only achieves informed consent for your tracking, but it can be more-secure too because you can authenticate the user during the process.

Also, to quote your own principles once more: when you make a mistake like assuming your spying is a flawless way to detect the validity of email addresses, perhaps you should “be transparent with our customers and other stakeholders about how we use their data”.

Wouldn’t that be better than writing to a customer to say that their emails are being returned undelivered (when they’re not)… and then having your staff tell them that having received such an email they have no choice but to change the email address they use (which is then disputed by your other staff)?

</rant>

Footnotes

1 Long, long ago I also had a current account with HSBC which I forgot to close when I switched banks… 20 years ago… and I possibly still owe them for the six pence the account was in debt at the time.

2 After all, I’d been reading their emails!

3 After all, as I’ll stress again: the email address HSBC have for me, and are using, is already correct.

4 In future, I’ll just do this in the first instance. The benefits of live chat being able to be done “in the background” while one gets on with some work are totally outweighed when the entire exchange takes an hour only to reach an unsatisfactory conclusion, whereas a telephone call got things sorted (well hopefully…) within 10 minutes.

5 A tracking pixel can also collect additional personal information about you, such as your IP address at the time that you opened the email, which might disclose your location.

6 It could be even worse still, actually! A sophisticated attacker could “inject” images into the bottom of a HSBC email; those images could, for example, be pictures of text saying things like “You need to urgently call HSBC on [attacker’s phone number].” This would allow a scammer to hijack a legitimate HSBC email by injecting their own content into the bottom of it. Seriously, HSBC, you ought to fix this.

× × × × × ×

Article posted at UTC on .

No comments

Halifax Shared My Credit Agreement!

Remember that hilarious letter I got from British Gas a in 2023 where they messed-up my name? This is like that… but much, much worse.

Today, Ruth and JTA received a letter. It told them about an upcoming change to the agreement of their (shared, presumably) Halifax credit card.

Except… they don’t have a shared Halifax credit card. Could it be a scam? Some sort of phishing attempt, maybe, or perhaps somebody taking out a credit card in their names?

I happened to be in earshot and asked to take a look at the letter, and was surprised to discover that all of the other details – the last four digits of the card, the credit limit, etc. – all matched my Halifax credit card.

Carefully-censored letter from Halifax, highlighting the parts that show my correct address, last four digits of my card, and my credit limit... and where it shows a pair of names that are not mine.
Halifax sent a letter to me, about my credit card… but addressed it to… two other people I live with

I spent a little over half an hour on the phone with Halifax, speaking to two different advisors, who couldn’t fathom what had happened or how. My credit card is not (and has never been) a joint credit card, and the only financial connection I have to Ruth and JTA is that I share a mortgage with them. My guess is that some person or computer at Halifax tried to join-the-dots from the mortgage outwards and re-assigned my credit card to them, instead?

Eventually I had to leave to run an errand, so I gave up on the phone call and raised a complaint with Halifax in writing. They’ve promised to respond within… eight weeks. Just brilliant.

×

Article posted at UTC on .

3 comments

The 55 Words you Can’t Say in Faster Payments

This is a repost promoting content originally published elsewhere. See more things Dan's reposted.

Step aside, George Carlin! Sam Easterby-Smith – who works at The Co-Operative Bank – wants to share with the world the 55 words you can’t say in a UK faster payments reference (assuming your bank follows the regulator‘s recommendations):

So you know, this list is provided by Pay.uk the uk’s payment systems regulator. This is their idea of how to protect people from abusive content sent via the payment system.

Of course (a) all abusive messages must contain one of these English words, spelled correctly and (b) people are not in any way creative.

We’ve called it out and they are making us do it anyway.

  • bastard
  • beef curtains
  • bellend
  • clunge
  • cunt
  • dickhead
  • fuck
  • minge
  • motherfucker
  • prick
  • punani
  • pussy
  • shit
  • twat
  • bukkake
  • cocksucker
  • nonce
  • rapey
  • skank
  • slag
  • slut
  • wanker
  • whore
  • fenian
  • kufaar
  • kafir
  • kike
  • yid
  • batty boy
  • bum boy
  • faggot
  • fudge-packer
  • gender bender
  • homo
  • lesbo
  • lezza
  • muff diver
  • retard
  • spastic
  • spakka
  • spaz
  • window licker
  • gippo
  • gyppo
  • golliwog
  • nigger
  • nigaa
  • nig-nog
  • paki
  • raghead
  • sambo
  • wog
  • blow Job
  • clit
  • wank

Excellent.

Mobile phone, held in a white person's hand, showing an online banking screenshot: a payment to John Smith is being configured, with the reference set as "Minge fuck slag".

The big takeaway here, for me, is that it’s okay to send you money and call you a “dick head” (so long as I put a space between the words), “fuckface”, or “shitbag”, or talk about a “blowjob” (so long as I don’t put a space between the words).

But if I send you money to pay “for the bastard sword” that you’re selling then that’s a problem.

×

Repost posted at UTC on .

2 comments

Email Tracking and Paperless Banking

A few weeks ago, my credit card provider wrote to me to tell me that they were switching me back from paperless to postal billing because I’d “not been receiving their emails”.

This came as a surprise to me because I have been receiving their emails. Why would they think that I hadn’t?

Dan, near his front door, reads his mail. His facial expression suggests that he's about to exclaim "What!?"
This is a re-enactment but I promise the facial expression is pretty much right.

Turns out they have a tracking pixel in their email to track that it’s been opened, as well as potentially additional data such as when it was opened (or re-opened), what email client or clients the recipient uses, what IP address or addresses they read their mail from, and so on.

Naturally, because I don’t like creepy companies tracking what I do on my own computers and try to minimise how much they can do so, I read most of my mail with remote content disabled:

An email from a credit card provider; images aren't displayed, but their alt-text is visible and the email is perfectly understandable. At the top, a banner reads "To protect your privacy, Thunderbird has blocked remote content in this message."
“To protect your privacy from fucking creepy banks misusing features of HTML emails, Thunderbird has blocked remote content in this message.” only tells half the story.

Jeremy just had something to say on this topic, too, based on his recent reading of Design for Safety by Eva PenzeyMoog:

Do you have numbers on how many people opened a particular newsletter? Do you have numbers on how many people clicked a particular link?

You can call it data, or stats, or analytics, but make no mistake, that’s tracking.

Follow-on question: do you honestly think that everyone who opens a newsletter or clicks on a link in a newsletter has given their informed constent to be tracked by you?

Needless to say, I had words with my credit card provider. Paperless billing is useful to almost everybody but it’s incredibly useful for blind and partially-sighted users (who are also the ones least-likely to have images loading in the first place, for obvious reasons) because your computer can read your communication to you which is much more-convenient than a letter. Imagine how annoyed you’d be if your bank wrote you a letter (which you couldn’t read but had to get somebody else to read to you) to tell you that because you don’t look at the images in their emails they’re not going to send them to you any more?

Even if you can somehow justify using tracking technologies (which don’t work reliably) to make general, statistical decisions (“fewer people open our emails when the subject contains the word ‘overdraft’!”), you can’t make individual decisions based on them. That’s just wrong.

× ×

Article posted at UTC on .

1 mention

Note #18572

Hey @LloydsBank! 2009 called and asked if you’re done sending your customers links to unencrypted HTTP endpoints yet. How do you feel about switching this to a HTTPS link rather than relying on an interceptable/injectable HTTP request?

Text message: "Follow this link to download your free Lloyds Bank Mobile Banking app. http://www.lloydsbank.com/mobileapp"

×

Santander to Accept Homemade Deeds Poll

For most of the last decade, one of my side projects has been FreeDeedPoll.org.uk, a website that helps British adults to change their name for free and without a solicitor. Here’s a little known fact: as a British citizen, you have the right to be known by virtually any name you like, and for most people the simplest way to change it is to write out a deed poll: basically a one-person contract on which you promise that you’re serious about adopting your new name and you’re not committing fraud or anything.

FreeDeedPoll.org.uk
This web design looked dated when I made it and hasn’t gotten any younger, but the content remains valid as ever.

Over that time, I’ve helped thousands of people to change their names. I don’t know exactly how many because I don’t keep any logs, but I’ve always gotten plenty of email from people about the project. Contact spiked in 2013 after the Guardian ran an article about it, but I still correspond with two or three people in a typical week.

These people have lots of questions that come up time and time again, and if I had more free time I’d maintain an FAQ of them or something. In any case, a common one is people asking for advice when their high street bank, almost invariably either Nationwide or Santander, disputes the legitimacy of a “home made” deed poll and refuses to accept it.

Abbey National and Abbey (former names of Santander) crossed out and replaced with Santander.
You’d think that Santander of all people would appreciate how important it is to have your legitimate change of name respected. Hang on… haven’t I joked about their rebranding before?

When such people contact me, I advise them of a number of solutions and workarounds. Going to a different branch can work (training at these high street banks is internally inconsistent, I guess?). Getting your government-issued identity documents sorted and then threatening to move your account elsewhere can sometimes work. For applicants willing to spend a little money, paying a solicitor a couple of quid to be one of your witnesses can work. I often don’t hear back from people who email me about these banks: maybe they find success by one of these routes, or maybe they give up and go down one an unnecessarily-expensive avenue.

But one thing I always put on the table is the possibility of fighting. I provide a playbook of strategies to try to demonstrate to their troublemaking bank that the bank is in the wrong, along with all of the appropriate legal citations. Recent years put a new tool in the box: the GDPR/DPA2018, which contains clauses prohibiting companies from knowingly retaining incorrect personal data about an individual. I’ve been itching for a chance to use these new weapons… and over this last month, I finally had the opportunity.

A man signs a document.
Print this. Sign here. That’s pretty-much all there is to it.

I was recently contacted by a student (who, as you might expect, has more free time than they do spare money!) who was having trouble with Santander refusing to accept their deed poll. They were willing to go all-out to prove their bank wrong. So I gave them the toolbox and they worked through it and… Santander caved!

Not only have Santander accepted that they were wrong in the case of this student, but they’ve also committed to retraining their staff. Oh, and they’ve paid compensation to the student who emailed me.

Even from my position on the sidelines, I couldn’t help but cheer at this news, and not just because I’ll hopefully have fewer queries to deal with.

× ×

Cardless Cashpoints

My mobile banking app, showing me a special six digit code.
The mobile app presents you with a special six-digit code that is used to withdraw the cash.

RBS Group this week rolled out a service to all of its customers, allowing them to withdraw cash from an ATM without using their bank card. The service is based upon the same technologies that’s used to provide emergency access to cash by people who’ve had their cards stolen, but integrates directly into the mobile banking apps of the group’s constituent banks. I decided to give it a go.

The first step is to use the mobile app to request a withdrawal. There’s an icon for this, but it’s a bit of a mystery that it’s there unless you already know what you’re looking for. You can’t make a request from online banking without using the mobile app, which seems to be an oversight (in case you can’t think of a reason that you’d want to do this, read on: there’s one at the end). I opted to withdraw £50.

Next, it’s off to find a cash machine. I struck out, without my wallet, to try to find the nearest Royal Bank of Scotland, NatWest, or Tesco cashpoint. The mobile app features a GPS tool to help you find these, although it didn’t seem to think that my local Tesco cashpoint existed, walking me on to a branch of NatWest.

Cash machine: "Do you wish to carry out a Get Cash or Emergency Cash transaction? [No] [Yes]"
The readout of the cash machine demonstrates that the roots of the “Get Cash” system lie in the older “Emergency Cash” feature: the two are functionally the same thing.
As instructed by the app, I pressed the Enter key on the keypad of the cash machine. This bypasses the usual “Insert card” prompt and asks, “Do you wish to carry out a Get Cash or Emergency Cash transaction?” I pressed Yes.

Entering a 6-digit code from a mobile phone into a cash machine.
The number displayed upon the screen is entered into the cash machine.

The ATM asked for the PIN I’d been given by the mobile app: a 6-digit code. Each code is only valid for a window of 3 hours and can only be used once.

A cashpoint asking for the PIN a second time, and then asking for the amount of money to withdraw.
The cash machine asks for the PIN a second time, and then asks for the sum of money to be withdrawn.

I’m not sure why, but the ATM asks that the PIN is confirmed by being entered a second time. This doesn’t make a lot of sense to me – if it was mistyped, it’d surely fail anyway (unless I happened to guess another valid code, within its window), and I’d simply be able to try again. And if I were an attacker, trying to guess numbers, then there’s no difficulty in typing the same number twice.

It’s possible that this is an attempt at human-tarpitting, but that wouldn’t be the best way to do it. If the aim is to stop a hacker from attempting many codes in quick succession, simply imposing a delay would be far more effective (this is commonplace with cash machines anyway: ever notice that you can’t put a card in right after the last transaction has finished?). Strange.

Finally, the ATM asks what value of cash was agreed to be withdrawn. I haven’t tried putting in an incorrect value, but I assume that it would refuse to dispense any cash if the wrong number was entered – this is presumably a final check that you really are who you claim to be.

Cash machine: "Please take your cash and your receipt."
It feels strange taking money and a receipt from a cashpoint without first having to retrieve my card. I spent a few minutes after the experience with a feeling that I’d forgotten something.

It worked. I got my money. The mobile app quickly updated to reflect the change to my balance and invalidated the code: the system was a success.

The banks claim that this will be useful for times that you’ve not got your card with you. Personally, I don’t think I ever take my phone outdoors without also taking my wallet with me, so the chance of that it pretty slim. If my card were stolen, I’d be phoning the bank to cancel the card anyway, so it wouldn’t save me a call, either, if I needed emergency cash. But there are a couple of situations in which I’d consider using this neat little feature:

  • If I was suspicious of a possible card-skimming device on a cash machine, but I needed to withdraw money and there wasn’t an un-tampered ATM in the vicinity. It’d be nice to know that you can avoid having your card scanned by some kid with a skimmer just by using your phone to do the authentication rather than a valuable piece of plastic.
  • To send money to somebody else. Using this tool is cheaper than a money order and faster than a bank transfer: it’s an instantaneous way to get small sums of cash directly into the hands of a distant friend. “Sure, I’ll lend you £50: just go to a cash machine and type in this code.” I’m not sure whether or not this is a legitimate use of the service, but I can almost guarantee that it’ll be the most-popular. It’ll probably be reassuring to parents of teenagers, for example, who know that they can help their offspring get a taxi home when they’ve got themselves stranded somewhere.

What do you think? If you’re with RBS, NatWest or Tesco, have you tried this new mobile banking feature? Do you think there’s mileage in it as an idea, or is it a solution in need of a problem?

× × × × ×

Article posted at UTC on .

2 comments

Bank Security

Having found by coincidence a (minor, perhaps exploitable as part of a more-complex attack) security problem with the website of a major high street bank, one would think it would be easier than it evidently is to get it reported and fixed. Several phone calls over a couple of days, and the threat of making a complaint about a representative if they didn’t escalate me to somebody who’d actually understand what I was explaining, I’ve finally managed to get the message through to somebody. How hard was that? Too hard.

If this still doesn’t work, what’s the next step? I’m thinking (1) change banks; (2) explain why to the bank; (3) explain why to the world. Seriously, I expect better from the people looking after my money.

And on that note: time for bed.

Edit: Meanwhile, we see that the PlayStation Network hack may have resulted in the theft of personal information from users’ accounts. While most of the media seems to be up in arms about the fact that this might have included credit card information, I’m most pissed-off about the fact that it might have included unencrypted passwords. Passwords should be stored using irreversible encryption: there’s no legitimate excuse not to do this, these days (the short version for the uninterested: there is a technique which can be used to store passwords encrypted in a pretty-much irreversible format, even if the hacker steals your entire computer: it’s very easy to do, protects against all kinds of collateral damage risks, and Sony evidently don’t do it). If any of Sony’s users use the same password for their email account, social network accounts, online banks, etc. (and many of them will, despite strong recommendations to the contrary), the hackers are probably already getting started with social hacking attempts against their friends, identity theft attacks, etc. Sony: you are a fail.

Article posted at UTC on .

3 comments

scan.co.uk

This is a reply to a post published elsewhere. Its content might be duplicated as a traditional comment at the original source.

Ruth wrote:

We are in the process of ordering a new computer. Most of the bits are coming from Scan. Now, their range is lovely, and their postage policy is reasonably sensible, but they have a dumb policy on debit cards.

If you pay with a debit card (instead of a credit card), you can only have the goods delivered to your registered home address. Now, that might seem ok, because where else are you going to want stuff delivered, right? Wrong. You might want thehardware delivered to your place of work because you’re never home during the day. It might be something your buying for a technologically inept relative and you might want it to go to their home, not yours.

Or, like me, you might be a lazy student who uses their mother’s address in far-off North Yorkshire as their home address so they don’t have to change it twice a year.

Things like this which penalise people who don’t use credit cards make me cross. If anyone knows otherwise, please say, but to me it seems that it’s all just a big conspiracy by the banks to make us all use a really, really inferior product.

Anyway. Out of a desire not to have the computer bits go to Yorkshire, we’ve given the money to Dan who’ll be placing the prder with his credit card and getting it sent to our new house in PJM.
—-
On the subject of the post, my mother called me last night to ask for my new address so she could re-direct some letters from the university. So the items in question will have travelled from the campus to PJM (that is, over the road) via North Yorkshire. How very, very silly.

Anyhoo folks, I’ve got to go to work. Oh yeah, and house-warming party tonight, number 72 PJM. Punch and cake provided; if you want anything else, bring it with you.

Forcing people to have deliveries sent to their registered address cuts down on card fraud, which is moderately freqent at mail order computer hardware stores on account of the high value, discreetness, and availability of the goods. It’s not possible to accurately perform such checks on credit cards, but it’s easy to with debit cards.

Many banks give special dispensation on their student accounts; allowing them to – for example – submit two addresses which they will automatically switch between throughout the year – or allow two registered addresses to function for card checks (while still delivering the statements to one). Ask your bank if they can do this, and, if they can’t, write a letter to inform them that there are banks that can. If you’re not willing to let your feet do the talking, there’s no way to let these large organisations listen to you.

There’s no reason not to own a credit card unless you feel you cannot trust yourself to do so – or the banks won’t give you one! For many such cards, there is no interest if you pay them off immediately each month (which can be automated thanks to wonderful schemes like Direct Debit): this increases the flexibility of your purchasing power (particularly when purchasing from overseas) without costing you a penny. On a side note, owning one that you only ever use in this fashion increases your credit rating (which is checked when buying a contract mobile phone, getting a mortgage, applying for credit on a car, or whatever). Just for examples’ sake; if you owned an unused credit card, you could have ordered these computer parts and – odds are – immediately transferred the money from the bank account to the card, thereby giving you the bits sooner.

All of that said, I think I’ve quite aptly (and almost entirely) undermined the sense in preventing expensive goods being delivered only to the registered cardholder’s address, because as we’ve just seen there’s always a way to circumvent such checks by routing the money other ways: this leaves a longer paper-trail (banks and credit companies are, by law, required to keep better records for longer than companies that happen to process card transactions), but is otherwise a sensible way to commit fraud without triggering the little alarm bells that debit cards have hanging from them. So yeah; perhaps Scan should be a little less draconian.

Now Chip-And-PIN in the UK: there’s a flawed, insecure, badly-implemented system.

 

Reply posted at UTC on .

1 comment

HSBC Account

HSBC have closed my bank account with them: a bank account I’d had with them since they were Midland Bank, back when I was still in high school. I hadn’t used it for, well – anything at all – for the last 9 months or so, and didn’t know it had been closed (they’d never told me) until I decided to check my balance last week and had my card stolen by a machine.

I went along to see them today, mostly out of curiosity as to what had happened. The cashier sent me to customer services, who seemed quite confused when they were unable to access my account details on the computer. They eventually found my details and had explained what had happened. The final balance, they informed me, was minus 6 pence.

Me: I’m not sure I can settle that six-pence debt all at once. Perhaps I can take a loan with you, and pay you back – I don’t know – eight monthly installments of a penny each, to clear it.

Her: That won’t be necessary.

Me: Umm, okay then… I could probably spare about sixpence… <checks wallet> Would you take a cheque?

Her: We’re happy to write-off the debt.

Me: I’m not sure I could live with myself knowing I’d cost you that sixpence. I mean; I’ve been with HSBC since before it was HSBC… almost ten years, now –

Her: <getting a little scared now>

Me: – and you’ve been great to me. There was that time you refused to give me a student account for no apparent reason, so I took my business to NatWest. And then there was that time I argued with your technical support staff about your facist web browser compatability policy for your online banking. And that time you keep posting me new Solo cards, one a month, for fun. And that time just five minutes ago that I queued for almost 12 minutes just to be told my account had been closed and the bank hadn’t even written to me to tell me. After all of that, how could I possibly steal sixpence from you?

Her: Is there anything else I can help you with, sir?

Dan 6 – 0 HSBC

Article posted at UTC on .

5 comments

Online Banking

NatWest phoned me today in response to my complaint the other day that their online banking service refused to support Opera, my web browser of choice, seemingly for no good reason. I threatened to take my account elsewhere. Regardless, they’ve promised to look into it and try to make the site Opera-compatible, and I’ve said I’ll give them ’til Christmas.

Let your feet do the talking, people. It’s the only way that big companies (and banks) pay any attention at all.

Article posted at UTC on .

No comments