Barclaycards 'hit by fraudsters'
A bill for £10,000 on a credit card would be a concern for most people - but imagine if that spending was not by the cardholder, but by fraudsters in a single day.
Two pensioners have told BBC Radio 4's Money Box that they each had around £10,000 worth of fraudulent transactions put on their Barclaycards.
In both cases the criminals managed to dupe the card issuer's telephone banking system and procedures to spot suspicious transactions.
Barclaycard insists it has an excellent track record in fighting fraud. It says the transactions have now been removed from the two customers' accounts.
Bob, from Exeter, was shocked when he discovered a fraudster had racked up £9,200 on his credit card in a single day.
The criminal had made 16 successful individual transactions of between £500 and £750, all at Apple stores in Bristol.
The purchases were believed to be for iPhones and other electronic goods.
Bob says he cannot believe the transactions were allowed to go through.
"They actually bought 16 items of £500-plus on the one day and nobody picked this up. I am absolutely amazed," he says.
Bob became even more concerned as he became aware of how his card and Pin number had been obtained two weeks earlier to make those 16 purchases in Bristol.
As they investigated the fraud, Barclaycard revealed to him that the criminals had phoned up pretending to be him.
The fraudsters had said he wanted to notify the bank of a change of address and phone details.
They answered the security questions correctly and so managed to get the address and contact numbers on the account changed.
Four days later they phoned pretending to be Bob again, answered the security questions, and asked for a new Pin number. Barclaycard sent it out.
Eight days later, they phoned for a third time, again passed security, said Bob had lost his card and requested a new one.
Barclaycard agreed and, within three days of the call, the fraudulent spending spree began.
Bob only noticed something was amiss when he logged on to his account, and discovered the details of his card on his computer were different from the ones on his card.
"I noticed that the last four digits on my online account were different," he says.
"So I called Barclaycard and they said to me my card had been reported lost and stolen so I had been sent two new cards."
But Bob says the call centre worker did not mention anything about a recent change of contact details or a request for a new Pin number, so he thought everything was fine.
"Had they said they had sent it to a different address, is that correct? And they had also sent new Pin numbers, I think the whole thing could have been stopped there and then," says Bob.
David from Stockport had almost exactly the same experience.
Again fraudsters pretending to be him phoned Barclaycard to change his contact details.
Shortly after, they called to report the card lost or stolen.
And again a huge number of transactions, this time exceeding £10,000 and completely out of keeping with David's normal spending pattern, were not picked up.
In David's case they were in Ireland, a country he had not visited for years, and again largely spent at computer, mobile phone and electrical retailers.
David says he has a lot of questions for Barclaycard to answer.
"How did he get through security and why didn't such obviously suspect transactions not trigger some suspicion before they allowed the racking up of £10,000 on my card?" he says.
Barclaycard admits there was an error by the agent handling the second call purporting to come from Bob, in not realising when the request for a new Pin number came in, that just four days earlier Bob had apparently changed his contact details.
Barclaycard says it has paid him £150 in recognition of the error.
It says neither Bob or David were charged for these purchases and both now have passwords to make their telephone banking more secure.
"Barclaycard takes all fraud extremely seriously. We monitor transactions for fraudulent behaviour and have an excellent track record in preventing fraud," the company said in a statement.
"With 11.4 million UK customers, fraud is an issue we are constantly fighting with a tiny fraction of our customers affected and, when they are, we take all necessary steps to resolve the situation and ensure that the customer is never left out of pocket."
Bob and David still do not know how the fraudsters managed to fool the bank's telephone security system three times and why the glut of expensive transactions was not declined.
Bob asked for the tapes of the telephone calls or at least a transcript. So far Barclaycard has refused to release either. It has told Bob which questions the fraudsters managed to answer correctly.
How these details were obtained by the criminals is still a mystery. Barclaycard says it is unable to confirm if it had passed details of the fraud to the police or changed its security procedures as a result of the fraud.
Money Box showed Bob and David's credit card statements to Paul Rodgers, the chairman of the industry body Vendorcom, which works with retailers and card providers to prevent fraud.
He believes the pattern of spending should have triggered alerts.
"The statements are pretty worrying. Normally if you have made two very similar transactions within a very short time frame the card issuer would be straight onto you," he says.
"If those sorts of figures are not being picked up, then there is clearly a problem at some stage in the chain."
This happened to me, in the last week. Again someone managed to change the address details of my account over the phone, using details such as my date of birth. It's evidently too easy. The fraudster in my case only managed 1 fraudelent transaction before Barclaycard detected it, so in my case they did detect the crime and get in touch with me.
The have put a secret password on my account, now, I guess this should always have been the case.
A year ago my Barlays debit card was used to purchase goods abroad. Two goes of £800 approx. The bank picked up the second, but it was done over the Christmas break which meant that new cards etc could not be sorted out quickly. As a result I had no access to my Barlays account for some days. Fortunately we also have an HSBC account. I must say that Barclays did get onto the fraud after the first attempt and sorted it as quickly as they could. No doubt they would have been able to stop the fraud but for the holiday period. It seems the card was cloned at a petrol station. Obviously with the price of petrol now one is unlikely to fill a tank and pay with cash!!
David, West Sussex
I too had my address changed, new cards, and new PIN's issued. Not Barclaycard but RBS. The same happened. Someone phoned and moved us to Scotland. This was about 4 years ago so the methods have not changed. We believe that it all started with a Van hire where we had a corroberative scan performed on our credit card.
The really serious issue is that the person was able to find out security information that was UNIQUE to us. We always thought that the call centre had been sloppy but we were not in a position to find out. We are not aware of any succesful prosecution in this case despite there being pictures of the perpetrator. In a previous incident with HSBC we had our security stolen from the HSBC security centre. along with 90+ other people from the SAME BANK BRANCH. The police were succesful in that case.
Martyn, Lee on the Solent
In July over £2353 of online fraudulent charges were made on my Barclaycard Visa. In addition to the major charges there were also payments to Google checkout.I was called by Barclaycard on the morning of 27th July to notify me. So far so good but I couldn't understand how the fraudster had both obtained my card details and breached the verify by visa system.
On the 3rd of August I went online to make a purchase on my master card, when it came to complete the transaction I was directed to the verified by visa/mastercard system. I tried to enter the three requested characters from my password but it wouldn't accepted them, I re-checked and re-entered them 3 times. At this point instead of my transaction being rejected I was invited to create a new password. The only security information beyond my card details requested was my date of birth, one of the most public pieces of private information available.
Job done, my purchase completed and an instant email confining my order. However there was no email from Barclaycard to notify me that my verify password had changed. I called Barclaycard again and they confirmed that my verified by visa/mastercard password had been changed on 13th July the date of the first fraudulent purchases, I received no Email on that date waning me of the change.
I have several Barclaycards, and in the past I had one occurrence where someone had got my details somehow and attempted buying through Apple online. Thankfully that was detected by the system and was blocked.
More recently I've had the opposite problem. When buying online, even after passing the security details the payment is still rejected until I call up and get it unblocked. Oddly, sometimes rather than calling up to unblock it, switching to a different Barclaycard often works too. It is a fine line between blocking fraudulent transactions and not blocking ones you do place yourself. There needs to be a better way to do this than the compromised chip and pin system.
I own a small mail order company and because I personally vet all transactions the fraudulent transactions are fairly easy to spot. However when I report these to the bank, unless they have already been reported as stolen, the bank couldn't care less. In all my years of processing credit card payments I have never known the banks willing to take my reports any further, even when handed with proof of fraud taking place.
The reason for the banks apathy is that ultimately it is the retailer that pays if they process a fraudulent payment. It does make me cross that in the press the banks state that fraud is a priority. It might be if they had to pay and not the already suffering retailers.
I have had contact over the phone with Barclays Bank in the last week. On each occassion I told them that I did not know my telephone banking number and was asked other so called security questions. Predictably these were my mother's maiden name and my date of birth; the pieces of information virtually every check uses. In one occassion I was asked a slight variant - my age next birthday. Even my hesitation did not raise concern with the Barclay's staff to prompt deeper questioning.
The whole area of telephone banking security is flaky, reflecting that statistically with millions of customers the effort of rigorous process is in most cases commercially unattractive. In other words to keep the wheels turning Barclays would rather take the occassion hit; £10,000 a day per customer being below their level of concern.
G N D, London
Working at an online retailer I see fraudulent transactions on a daily basis. Transactions where the cardholders address has been changed with the bank is less common but a concern as they have no risk to the retailer. Suspect sales are normally easy to spot by human eye but a computer would have difficulty.
I did recently find transactions on multiple customer cards for one address, all were fully authenticated. When I managed to get the fraudster to call me he could not give a reasonable excuse why 15 people all lived at the same address and all ordered days apart within the last month.
There is also a problem with reporting frauds like this. I have only known one person to be arrested for fraud due to a sale from our company but that was only because police were investigating a separate fraud. I could give police dozens of addresses but they do not have the manpower to investigate. They also would not take action on my information.
I believe a lot of banks do not have strong enough procedures for change of address. There is enough information on people, through public records and the Internet, to answer the basic information questions banks require. Date of birth, current address and full name can all be easily obtained and are sufficient to change an address with some banks.
I had my identity stolen a few years ago. Someone opened a mail redirection service from a house I'd moved from a year earlier and applied for a number of bank accounts and credit cards. Fraud detection was picked up at 5/6 of the companies with the exception of Barclaycard who opened a new account and sent out a new credit card. What was more amazing was I still had a Barclaycard with a £10k limit on my new address and they just created a new account on my old address. I had to inform them and they asked me to write to them to let them know!! Unreal.
BBC Radio 4's Money Box is broadcast on Saturdays at 1200 BST, and repeated on Sundays at 2100 BST.