Think that's bad?
The Co-Op bank's automatic phone-computer-thingy called me last week. The first things it wanted were my date of birth and credit card details. Clever, eh?
Paris because it combines gross stupidity with unwise public behaviour.
Credit checking giant Equifax left Reg reader Thomas flummoxed when it told him to send copies of the front and back of his debit card when he asked for a credit report. Equifax has said the request for debit card photocopies was down to human error, but defended its use of email in processing credit reports. Sending anything …
Yet more proof that nobody has any clue what they are doing anymore.
I would love to hear the excuses from them when all this information ends up on a laptop, on a train, with auto login enabled, and all data in plain text, as this seems to be the norm now.
I thought it had been decided that email constitutes a business letter, and as such must contain the registered company name and address... which Equifax's doesn't.
Also, the standard disclaimer at the end of their message seems to acknowledge that email sometimes goes astray... seems very contradictory to their request!
As much as I don't trust the postmen/women, some things are better done with snail mail.
I placed an order with J.R. Music World via Amazon.com (in the US) using a Visa with a non-US address. About a day after I placed the order, I got an e-mail from JR requesting that I reply with a front and back scan of my credit card. They didn't want to process the order because of the international billing address.
I would not be surprised if this happens frequently. Mail-order companies ask for faxed copies of credit cards if they're not certain about the identity of the customer. The Internet equivalent is a digital scan/photo by e-mail.
The irony of this---increasing the risk of identity theft with extra measures to verify identity---is not small.
I recently requested copies of my credit file from all three of the credit reference agencies, by the old-fashioned but much cheaper expedient of sending a request by post.
Equifax and Experian sent the reports within a week, but CallCredit wrote back demanding that I send proof that I actually lived at the address I gave. Bear in mind that I've lived here for over ten years, I'm on the electoral register, and I've had copies of my credit report from all three agencies sent to this address twice in the past two years.
CallCredit wanted me to send original credit card statements and/or utility bills to them. These are exactly the kind of documents an identity thief could use to open an account in my name, so I declined, and offered to send photocopies.
CallCredit persisted in their demands, so I faxed photocopies of the first two pages of the reports which Experian and Equifax had sent, along with a note observing that CallCredit's two rival companies clearly believed that I lived at the address.
A few days later, I received my credit report from CallCredit. They also sent the pages that I'd faxed to them. What a bunch of numpties.
Another daft example: egg (yes, *that* egg) was perfectly able to check my identity to the level necessary to support a card application, but then decided that I needed to supply further identification at the point I wanted them to give me the contents of the file relating to that application.
Part of the trouble seems to be that the Information Commissioner's standards for identity checking are more specific than those applicable for money-laundering - and part seems to be the general stupidity of the financial services companies (to whom, don't forget, those sub-prime Structured Investment Vehicles seemed like a good idea).
Getting your credit report by post is always a good idea since the £2 charge is regulated by law: get the report online for however much the agencies think they can get away with and you'll only see the same data.
That form doesn’t look at all like the sort of thing that one agent has come up with in response to one request; my guess is it’s a standard communication they use over and over again in response to these types of queries.
This would indicate a process failure and at least a failure in work instructions.
If whoever wrote the communication is sufficiently inexperienced to not know that what they are requesting is crap, then what are they doing writing it, much less communicating it to other staff?
If this is one agent who has decided to go it alone, then why? Why did he feel he needed to? What was so wrong with the work instructions and tools he was given that they necessitated writing your own documentation for basic requests?
I would imagine that for a credit reference agency the communications involved in “please confirm your identity” are bread and butter, used every day. For such an agency not to have an arsenal of relevant, pre-prepared literature on hand is ridiculous and smacks of amateur hour.
I’ve spent the last 10 years, amongst other things, working with a variety of helpdesks and helping them create and maintain processes and work instructions. In my experience, helpdesks sending out standard mails containing glaring errors like this is nearly always a big red flag.
Either they are lying about simple human error (and the implication that the human involved was low key), or the department involved has little oversight and is forced to come up with its own processes etc. at a low level, constantly winging it. Scary situation, since these are the self-appointed guardians of your credit reference.
On the other hand, it would help explain why so many people I have known have ended up with such glaringly obvious errors on their credit reference.
Secure email box?
Do the monkeys at Equifax not know that email hops through hundreds of computers before it arrives in their 'secure box', giving anyone who has the tools hundreds of opportunities to intercept the email and send it on without anyone being any wiser?
No wonder we live in this age of fraud and theft... ignorance... it's not an excuse!
The "Security Specialists" at British Gas/Dynosecure asked me to send all contact details and my PASSWORD in clear text over email to them, along with full address information in the mail about which house and phone number it concerned.
They also did not reply, confirm or by any means acknowledge an email sent to them on the subject.
That is called largest UK security specialists at their best. British Gas fronts for Group4/Securicor so this statement is fully factually justified.
Tagging this with Ms Hilton as she is probably more qualified regarding security than one of the largest home security providers in the UK.
I used to work for an IT retailer in Coventry that did this very thing. Certain orders weren't processed until we had a fax or email with both sides of a card visible. These were then kept in an easily accessible cabinet.
This is the most unprofessional piece of tripe I've ever seen from a supposedly reputable online company. Emailing copies of sensitive financial documents? If my bank or financial adviser asked me to do this, not only would I be instantly moving to another bank, I'd be doing exactly what Thomas has done and throw them to the media wolves.
Banks and credit card companies make a big meal out of never, ever using email to communicate sensitive financial data. As a developer of eCommerce websites, I know firsthand the extent of security processes and standards involved in handling credit card transactions online. By asking a customer to submit such information in this form and manner, Equifax has committed a serious breach of the procedures established by the credit card companies. If Thomas' debit card is either a Visa or Mastercard, the response of either company will be to immediately suspend Equifax's licence to conduct transactions through their systems.
In an age when we are pulling out all stops to educate John Q Public about security awareness, this level of incompetence cannot go unpunished. Such idiocy reflects badly upon everyone in the eCommerce industry and undermines public confidence in the security of online transaction processing. A full audit of all Equifax systems and procedures is called for; at the very least the IT management responsible for implementing such an insecure system should be heavily fined and sacked.
About as bright as a previous ISP of mine who (without being prompted) emailed me "reminders" of my email user account name and password when the time came to renew services. I was aghast and phoned them to complain. I was informed that it was standard procedure, as many customers forgot their details and therefore couldn't access their accounts when the time came to renew services. The customer services person was adamant that their emails were totally secure and suitable for sending user names and passwords, despite being unencrypted.
Only when I complained in writing did the company apologise and change their default "helpful" attitude across the board.
I'm constantly amazed by the attitudes of (IT) companies which should know better. Having said that, most of them probably advise HM Government!
Paris obviously, because even she isn't that insecure - or maybe she is...
My previous credit card supplier sent me a PIN letter as I hadn't used the card for a while. I hadn't asked for it and would not have known if it had failed to arrive. When I rang them up to query this they said it was a standard marketing practice to get me to use the card more. They also said that they would sometimes send out extra cards for the same reason, and again without being asked.....
Yes I did cancel my card, they asked me why????
In regards to PIN reminders, I can't be certain but I suspect one of my cards was hit due to this. This was around the time when chip&pin cards were being issued and Tesco I believe sent out the card and PIN at the same time like most card issuers.
Both would have been sent separately, but because they are sent at the same time, they arrive in the same post! Easy pickings.
And of course around that time the local postie had his bag nicked (unattended). I never got a new card or PIN from Tesco, though can't be certain they did issue them, but sure enough soon after I got hit with fraudulent Amazon transactions. I should add that I'd never used the Tesco card as I only got it for a 0% balance transfer.
As for Equifax. I signed up to their service a few years back, and I think it was them who only required me to supply details of the last two addresses I lived at! That was it.
However, to be fair, most companies can request your credit file anyway to check up on you.
We've got a new postman, and every day seems to bring another piece of misdelivered mail. One last week felt like a bank card. (It was in a "discreet" plain envelope that just shouted "bank".) And presumably there are human beings, aside from the postie and unintended recipients, who have access to snail mail and could pinch, say, 0.05% of that being delivered to Equifax. (And if they're really smart thieves, then, after reading it, they'll put it in a new envelope and add it to the next day's post. Who would know?) I'm probably wrong on the details, but I'm sure it's possible for rogue employees to read snail mail.
Is the risk greater than that of a plaintext email being snarfed by someone at an ISP? I can't quantify either. Certainly it's happened. But my emails rarely pass through a dozen SMTP relays (NOT HUNDREDS). And separating the genuine missives from the spam seems beyond human ingenuity. Finding this stuff at the packet level would be even more impressive, particularly if it's a JPEG of a credit card. Surely there are easier ways to get ill-gotten gains from the web?
That said, I won't be trusting my financial details to an unencrypted connection any time soon. But maybe that's down to my faith in tin-foil millinery. ;-)
I for one would be very suspicious of a company asking you to do this; it does concern me that such a reputable company would start asking this. Anyhow, I have tipped off a relevant organisation who may well be going to have words with Equifax very soon, as it's helpful to have contacts in this industry.
About a year after I used Equifax (with a unique email address) I started getting spam to that address: it was PayPal phishing scams!
They tried to tell me that this unique email address containing their company name was randomly guessed by the spammers and yet somehow I didn't get all the other randomly guessed email addresses at my domain.
"we operate a very secure system -
you tell me your credit card details
and I don't tell anybody else"
I got cold called by a "third party company" offering a service on behalf of a store card I own. Would I like to give them all my personal details so they could give me a trial of their ID theft protection service?
Neither they or the call desk for the store card seemed to understand why I thought the idea a little dodgy.
Hmmmm... maybe ask them to send you their bank account details so that you can verify who they are before sending them your information... and maybe they'd be interested in helping transfer $50,000,000 (FIFTY MILLION DOLLARS US) from a secure account in Nigeria that your great uncle Sigmund left upon his death, you'd cut them in for a small percentage of course.
Normally even asking someone where you can download their public GPG/PGP key results in a "youwha?" type response.
The difference with snail and electronic mail is where liability rests - you post someone sensitive documents and the postie (or anyone else) gets caught opening it and they're in trouble - you email someone sensitive documents in an unencrypted format and you'll probably just get told it was your fault for being a plonker.
Why on earth are we all so paranoid about email security? It's just as secure if not more so than the alternatives.
Have you never overheard one of your office colleagues talking to his or her bank and giving out their date of birth and mother's maiden name over the phone? Or passed the office fax machine and seen a forgotten confidential memo there? Or sent something through the post and had it lost? Or taken your utility bill and passport to your local building society branch for them to photocopy, only for them to put it on the wrong pile and lose it or have the office cleaner pick it up off the floor the next morning?
Email is a darned sight more secure than the alternatives, as it goes more or less straight to the intended recipient, and is generally logged in the process. Unless you're the police, or work for the recipient's IT department (in which case why should you be any more untrustworthy than if you work in the post room?), how exactly do you propose going about intercepting someone else's email??
There is no reason for *anyone* to send you sensitive information or request it without using encryption. It's very easy to use, free to get hold of, and plenty secure enough for this kind of thing.
You can also verify that the email you received was the one sent, that the person who sent it is who they say they are and they can verify that they are in fact talking to the correct person.
All it needs is a secure key exchange.
I've ordered a couple of times through them. The first time I was quite amused that they printed my complete debit card details on the packing slip. I decided to give them a second chance and added a note to my order asking them to please not do that again, but the package arrived complete with its incredibly sensitive packing slip.
Oh dear. Never again.
Email has no security. It might be reliable - but getting less so due to the quantity of spam.
As a former email system admin, I had the ability to look at any email while it was stored in our queue. I had no interest to do so, but sometimes a mail will stick in a queue if there is something wrong with the address for example. In that case, you might look to see if there's something obviously wrong. Addressed to Amason.com, for example. Or sometimes badly addressed emails can loop back.
To repeat, unencrypted email has no security. The chances of someone looking at it are low, but only due to the volume of email in general.
I have sent passwords by email, but not with reference to the account to which it relates. Normally I would send the account name by email and the password by phone.
I used to work for a large UK financial company who dealt with pensions. We decided to stop using postal transfer of data, but weren't about to use standard email. So that all of the little pension schemes, who couldn't justify getting a leased line or ISDN into our company, could transfer their data, we set up 'secure email': basically just browse to an SSL web page, identify yourself and post the document from there, with all the apps hosted in the DMZ of my company and minimal effort required on the part of the customer. Why can't someone like Equifax do this?
The local copper told me that they used Fax for secure stuff.
I explained then how I could easily get a copy of all faxes sent and received...
he was horrified at the simplicity of it.
Nothing very high tech. Just one step above phone tapping by opening the local phone cabinet in the street and fitting a 20m range RF bug (£20 or less) to your van ...
Most security is an illusion if someone is motivated. A lock only keeps out a casual burglar, and sometimes not even.
Forget about the security of email, how about the security of the scanned image? With not too much trouble, one could EASILY change the information sent. Just move around the last 4 digits of the number (instead of wxyz use yzwx which has the same checksum). Changing the name and address is just as easy. Just have a similar document that has the forged address, and cut/paste it onto the document to be sent. I don't trust anything that is sent as an image, as it is just too easy to alter.
When will people learn? Probably never!
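The "same checksum" remark in the comment above is correct for the Luhn check digit that card numbers carry, and it is worth seeing why: the check digit catches a mistyped digit and most adjacent transpositions, but it is not an integrity or authenticity control, so a scanned or photocopied number can be edited without the alteration showing. The following Python is an added example for this thread, not code from the original page or from any card scheme; the card number is a constructed value that passes Luhn and is not an issued card.

```python
# Added example: what the Luhn check digit does and does not protect.
# SAMPLE_CARD is constructed for illustration; it is Luhn-valid but not an issued card.
SAMPLE_CARD = "4539 1488 0343 6467"


def luhn_valid(number: str) -> bool:
    """Return True if the digits in `number` satisfy the Luhn (mod 10) check."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    # Walk from the right: the check digit is position 0 and is not doubled;
    # every second digit after it is doubled, with 10..18 reduced by 9.
    for position, digit in enumerate(reversed(digits)):
        if position % 2 == 1:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def swap_last_pairs(number: str) -> str:
    """Rewrite ...wxyz as ...yzwx, the alteration described in the comment.

    Both pairs keep their parity (w and y stay in doubled slots, x and z in
    undoubled slots), so the Luhn sum is unchanged and the edit is invisible."""
    digits = "".join(c for c in number if c.isdigit())
    w, x, y, z = digits[-4:]
    return digits[:-4] + y + z + w + x


def count_valid_completions(prefix12: str) -> int:
    """How many of the 10,000 possible last-four-digit endings make a Luhn-valid
    16-digit number for a fixed 12-digit prefix. Shows how weak the constraint is."""
    return sum(1 for n in range(10000) if luhn_valid(prefix12 + f"{n:04d}"))


if __name__ == "__main__":
    altered = swap_last_pairs(SAMPLE_CARD)
    print(SAMPLE_CARD, luhn_valid(SAMPLE_CARD))      # True
    print(altered, luhn_valid(altered))              # True: the pair swap is not detected
    typo = SAMPLE_CARD[:-1] + "8"
    print(typo, luhn_valid(typo))                    # False: a single changed digit is caught
    print(count_valid_completions("453914880343"))   # 1000
```

The last function makes the practical point: for any 12-digit prefix, one in ten endings is Luhn-valid, so validating a number taken from an image tells you nothing about whether the image was tampered with. The check digit exists to catch keying errors at the till, not forgery.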
As I pay for utilities by direct debit, with online billing, I don't have any utility bills to send ...
To sort out the confusion a little...
e-mails will rarely go through more than a couple of mail hosts. For example, when you're sending e-mail from your ISP to a friend/colleague who works for a corporation, the e-mail will frequently pass through something like this:
1) Your system (of course)
2) Your ISPs internal mail system
3) Your ISPs external mail system
4) The recipients external mail system
5) The recipients internal mail system
6) The recipients system
Of course, this is just a simplistic example. An unencrypted e-mail can be examined (and a copy made without your knowledge or consent) at any of these points.
Now onto the "hundreds"...
Because of the way the Internet works, transferring data between systems can take pretty much any route. Usually these routes are fairly obvious and take the shortest/fastest route (least cost), but in theory there's nothing really stopping some of the data packets going around the world while others just take the easy hop across the street. In any case, you cannot be sure of the exact route that all of the data packets your e-mail is made up of will take. If one of the routers that it passes through makes copies of the packets and re-assembles them, you'll never know. It's this enormous unknown that also makes unencrypted e-mails so insecure.
Mind you, you're more likely to "lose" your personal details by printing them out and leaving them on your desk (or by having spyware on your or the recipient's systems) than you are to have Internet routers snoop them from data packets.
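The hop list in the comment above can be checked against a real message rather than argued about: every mail server that handles a message prepends a Received: header, so reading the headers bottom-up gives the route the message claims to have taken, and the "with" keyword (RFC 3848) records whether each hop arrived over TLS (ESMTPS/ESMTPSA) or in the clear (SMTP/ESMTP). The Python below is an added example for this thread, not code from Equifax or any mail provider; the message, hostnames and addresses are constructed. Two caveats: Received headers are written by the servers themselves, so any hop can forge or omit them, and hop-to-hop TLS only hides the message from someone on the wire between two servers, not from the operators of those servers.

```python
import re
from email import message_from_string

# Constructed sample message (not a real capture); hosts and addresses are invented.
# Headers are in the order a mail client would show them: most recent hop first.
SAMPLE_MESSAGE = """\
Received: from mx-in.example-agency.test (mx-in.example-agency.test [192.0.2.10])
\tby mailbox.example-agency.test with ESMTP id abc123;
\tMon, 1 Jan 2007 10:00:05 +0000
Received: from smtp-out.isp.test (smtp-out.isp.test [198.51.100.7])
\tby mx-in.example-agency.test with ESMTP id def456;
\tMon, 1 Jan 2007 10:00:04 +0000
Received: from [203.0.113.5] (dsl-203-0-113-5.isp.test [203.0.113.5])
\tby smtp-out.isp.test with ESMTPSA id ghi789;
\tMon, 1 Jan 2007 10:00:01 +0000
From: reader@isp.test
To: secure.portal@example-agency.test
Subject: debit card scans

scan attached
"""

# "from <src> ... by <dst> ... with <protocol>"; the with-clause is optional in practice
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)(?:.*?\bwith\s+(\S+))?", re.IGNORECASE)


def received_hops(raw_message: str) -> list:
    """Return the hops a message claims to have taken, in sending order.

    Each hop is a dict with the handing-off host, the receiving host, the
    protocol keyword, and whether that keyword indicates TLS on the wire."""
    msg = message_from_string(raw_message)
    hops = []
    # Received headers are prepended by each server, so reverse for send order
    for value in reversed(msg.get_all("Received") or []):
        flat = " ".join(value.split())  # unfold continuation lines
        match = HOP_RE.search(flat)
        if not match:
            continue
        src, dst, proto = match.group(1), match.group(2), (match.group(3) or "").upper()
        hops.append({
            "from": src,
            "by": dst,
            "with": proto,
            "tls": proto.startswith("ESMTPS") or proto == "SMTPS",
        })
    return hops


def unencrypted_hops(hops: list) -> list:
    """Hops where the receiving server recorded a plaintext delivery."""
    return [h for h in hops if not h["tls"]]


if __name__ == "__main__":
    route = received_hops(SAMPLE_MESSAGE)
    for hop in route:
        print(f'{hop["from"]:40} -> {hop["by"]:30} {hop["with"] or "?":8} TLS={hop["tls"]}')
    print("plaintext on the wire at:", [h["by"] for h in unencrypted_hops(route)])
```

In the constructed message the user's own submission to the ISP was over TLS, but the two server-to-server hops were not, which is the common pattern of the period the thread describes: the last mile is protected and the relay path is not. A reader can run the same check on a message they have actually received by pasting its raw source in place of SAMPLE_MESSAGE.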
While certainly terrible, I can't help but think that the actions of some banks' fraud prevention departments beat it hands down.
Don't know if it's all banks, but certainly if you're an HSBC client and they detect what they think is a fraudulent transaction on your credit card you get a phone call. Wonderful, except that firstly they withhold their phone number so you can't use caller ID to confirm who's calling, and secondly before they'll go into any details they expect you to provide your security information to confirm who you are! I mean really, you phoned me, you know who I am but who the hell are you? Amusingly if you mention this to them it seems to go right over their heads! Someone I know refused to give out his info until they proved who they were, suggesting that they confirm the value of the last transaction he'd made. They refused so he declined to speak to them further.
"As a former email system admin, I had the ability to look at any email while it was stored in our queue."
Of course you could, no one is denying that. As an employee of the organisation concerned you can read emails. Big deal. If you worked in the post room and your job was opening all the mail you'd be able to read all the mail too. Why should one be any more secure than the other?
Clearly you have to trust the employees of the organisation to whom you're sending your personal information, however you send it. But people worrying about email seem to think it's wide open for all and sundry to read if they choose to, which simply isn't true in general.
I trust email. On the other hand, I *am* always very careful before I connect to my mail server using a convenient wifi hotspot called "Free Public Internet (passwords harvested here)".
Sadly, this kind of thing is all too common.
There are plenty of people in clerical jobs who understand computers simply in terms of what they can do, rather than fundamentally how they do it. It's the main reason, I would submit, that 'business people' clash with 'IT people', and vice-versa.
Assuming that the Equifax source quoted is of the business category, there is a rationale that makes perfect sense from their perspective. They would see it something like this:
1) User sends email
2) Internet delivers email to Secure.Portal@Equifax.co.uk (or whatever)
3) An Equifax team member who has access to the Secure Portal email box (and no-one else) processes the email.
Meanwhile, at a system level:
1) The user's PC could have any amount of spyware or keyloggers
2) Any of the dozens of email repeaters en route might be untrustworthy
3) Any network device in the delivery route may have a packet sniffer in place
4) The company's own email administration staff might be subverting traffic
Unfortunately, business users only ever tend to concern themselves with business risks. They'll recertify ACL lists of group email accounts, but never worry about how to ensure that the email itself is untainted.
I spend a significant amount of time at work explaining to end-users why they don't want what they think they want.
Utterly bloody clueless comes to mind. THESE are the people entrusted with keeping track of people's entire credit history?
Be afraid, be very afraid.
... thanks, John, for picking this up.
Some of the comments reminded me of another bit of entertainment I've recently had when an automated phone system called me, claimed to be my phone/broadband provider Virgin Media and demanded to know my password before proceeding. I called back and found, yes, that had actually been them. Sigh.
Much better is Citibank, although it could be argued that they are a wee bit too cautious: they don't accept messages (crafted on and sent from their online app to them) with "dangerous" characters such as single quotes and, in telling you so, drop the text and reliably clear the form.
What the wasters do is settle their servers down just outside the Equifax gateways. This is where the concentration of juicy clear text email is.
Just like spying on large corporations-- just sit outside their gates and watch the traffic. Even better if you can grab a choke point outside the gates carrying a large percentage of the traffic.
So, security by hoping to hide in an ocean of spam is misleading, unless the sender and receiver are random (which isn't the case when communicating with an entity like Equifax, which wants information which can be usefully employed for ID theft).
"What the wasters do is settle their servers down just outside the Equifax gateways"
And how exactly do you propose to do that, short of working for BT or LINX or something? More importantly, how do you propose to do it without being caught?
"The user's PC could have any amount of spyware or keyloggers"
So you're saying that sending a form in by registered post and then having someone key it in at the institution concerned, rather than sending it to them in an unencrypted email, is immune from this? (And why do you think large corporations and financial institutions are so paranoid about filtering web and email access, not giving users admin rights on their desktop PCs, etc. if not to minimise the risk of precisely this sort of malware being installed.)
Remember, everyone is criticising Equifax for asking for data to be emailed to them. If they'd asked for it to be posted no-one would have batted an eyelid but I've yet to see ANYTHING to suggest that email is any more likely in practice to be intercepted than a letter.
You obviously do not have enough of an idea about how emails get transmitted across the wire. It is very simple to run a packet capture (network sniffer) for just one minute and pull out all the email details from that data. The only way to give email a modicum of security is to ensure it is encrypted end to end.
Email is secure - PAH! Twat.
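To make the "one-minute packet capture" claim above concrete: a plaintext SMTP session carries the envelope and the whole message as readable text, so anyone who can see the TCP stream (on the user's LAN, at the ISP, or between two mail servers) gets everything without decoding anything. The Python below is an added example for this thread, not from the original page or from any real capture; both transcripts are constructed, with "C:" and "S:" marking client and server lines as a reassembled stream would show them. The second transcript shows what the same observer sees when the client upgrades with STARTTLS: only the greeting and the STARTTLS exchange.

```python
import re

# Constructed transcript of a plaintext SMTP delivery as a reassembled TCP stream
# would show it (not a real capture; hosts and addresses are invented).
PLAIN_SESSION = """\
S: 220 mx-in.example-agency.test ESMTP
C: EHLO smtp-out.isp.test
S: 250-mx-in.example-agency.test
S: 250 SIZE 10485760
C: MAIL FROM:<reader@isp.test>
S: 250 OK
C: RCPT TO:<secure.portal@example-agency.test>
S: 250 OK
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: From: reader@isp.test
C: To: secure.portal@example-agency.test
C: Subject: debit card scans
C:
C: Front and back of the card attached as requested.
C: ..continued on the attached scan (this line is dot-stuffed on the wire)
C: .
S: 250 OK queued as 1234
C: QUIT
S: 221 Bye
"""

# Same opening, but the client upgrades to TLS; everything after the 220 is ciphertext.
STARTTLS_SESSION = """\
S: 220 mx-in.example-agency.test ESMTP
C: EHLO smtp-out.isp.test
S: 250-mx-in.example-agency.test
S: 250 STARTTLS
C: STARTTLS
S: 220 Ready to start TLS
C: <TLS handshake and encrypted application data follow>
"""

ADDR_RE = re.compile(r"<([^>]*)>")


def extract_smtp_session(transcript: str) -> dict:
    """Return what a passive observer of the stream learns: envelope sender and
    recipients, the message text, and whether the session switched to TLS."""
    seen = {"mail_from": None, "rcpt_to": [], "message": None, "tls_started": False}
    body, in_data, starttls_sent = [], False, False
    for line in transcript.splitlines():
        side, _, payload = line.partition(":")
        payload = payload[1:] if payload.startswith(" ") else payload
        if side == "S":
            if starttls_sent and payload.startswith("220"):
                seen["tls_started"] = True
                break  # the rest of the stream is opaque without the session keys
            starttls_sent = False
            continue
        if side != "C":
            continue
        if in_data:
            if payload == ".":
                in_data = False
                seen["message"] = "\n".join(body)
            else:
                # Undo dot-stuffing (RFC 5321 section 4.5.2): ".." on the wire means "."
                body.append(payload[1:] if payload.startswith(".") else payload)
            continue
        upper = payload.upper()
        if upper.startswith("MAIL FROM:"):
            match = ADDR_RE.search(payload)
            seen["mail_from"] = match.group(1) if match else None
        elif upper.startswith("RCPT TO:"):
            match = ADDR_RE.search(payload)
            seen["rcpt_to"].append(match.group(1) if match else payload)
        elif upper == "DATA":
            in_data, body = True, []
        elif upper == "STARTTLS":
            starttls_sent = True
    return seen


if __name__ == "__main__":
    for name, session in (("plaintext", PLAIN_SESSION), ("starttls", STARTTLS_SESSION)):
        print(name, extract_smtp_session(session))
```

The contrast is the practical point of the thread's argument: STARTTLS hides the message from someone on the wire, but it is opportunistic, so an active attacker between the two servers can strip the "250 STARTTLS" advertisement and most relays of the period would fall back to plaintext, and it does nothing about the relay's queue or the recipient's mailbox, which is what end-to-end encryption of the attachment itself would cover.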
Actually, having written a number of email clients, I *do* know how email is transmitted. And yes, of course it's possible to eavesdrop on the SMTP traffic - *if* you have physical access to the network.
If I send an email from my home to my insurance company or whatever, how exactly do you propose to sniff those packets? Sure, you could park outside my house and tap my phoneline, or try to hack my (encrypted) WiFi connection. But frankly, why would you bother?
If you really want my debit card receipts that badly why not just search my trash (I shred most of them, but there's bound to be a few at the bottom of an old carrier bag that I've missed) or better yet, just get friendly with the kid on minimum wage who works on the checkout and sorts all the receipts at the end of the day. And once you've seen the receipts what will you do with them? And why should I care unduly?
The one time someone did try to use my card fraudulently my bank actually phoned me up and said there were some suspicious transactions, did I recognise them? No? Ok, no problem, we've refunded them already. End of story.
There are lots of things I worry about (loss of liberty and living in a police state, for example) but email security isn't one of them. I don't have anything particular to hide, but if any one of the hundreds of organisations that are allowed to snoop into my private life wanted to find out what I get up to they wouldn't have to intercept my unencrypted email to find a few paltry debit card receipts - they'd just ask my bank.
All this talk over the relative security of email vs snailmail misses the point entirely.
The point is that Equifax are requesting card details that they do not need in order to 'prove' identity. By supplying a photocopy of the card, you share exact details of your bank account, exact details of the name on the card, start date and expiry date, card number, security number, and even your signature with an organisation who are not going to use it to conduct a financial transaction and therefore have no need of that information. It's a perfect opportunity for forgery equalled only by having your card stolen.
Were I dealing with an organisation whose security awareness and controls were so lax, I'd not trust their email administrator, I'd not trust their post room, and I wouldn't trust anyone within that organisation even to dispose of the photocopy securely.
Equifax and other credit agencies are in a unique position of trust. On their records depends every consumer's ability to purchase goods and services.
The fact that they 'require' such details is an utter disgrace and the financial institutions who fund them should be kicking their backsides into the middle of next week.
They called me once and asked for my security details first, and the CSA was absolutely fine when I explained that a work colleague years ago had his card stolen and the thieves called shortly after pretending to be the bank and took all his security details.
Therefore we agreed that we would take it in turns; I would ask them for a letter and they would ask me, and so on. Perfectly acceptable compromise with a totally understanding CSA - plus, I always see a number come up when they call me.
These two sentences are from a covering letter in application pack for a job at a local POLICE FORCE:
"Enclosed you will find an application form which needs to be completed and returned to us by...[Date] We accept applications by post to the above address but for speed and _security_ we recommend _emailing_ them to the address given."
"Actually, having written a number of email clients, I *do* know how email is transmitted. And yes, of course it's possible to eavesdrop on the SMTP traffic - *if* you have physical access to the network."
I've written E-mail and IM clients myself. And I appreciate your point that it's difficult to cause trouble unless you're directly involved in the communication route.
But I still wouldn't trust unencrypted email as far as I could spit. This story is entirely analogous to someone requesting that I "photocopy my credit card, front and back, then attach the copies to the back of a postcard and send it to PO Box 123, UK".
The Royal Mail may be trustworthy. But do I trust that every pair of hands my envelope passes through is whiter than white? No, I'd be a fool.
Multiply this by a thousand and you have the current wild-wild-west state of the internet. Maybe my message will get through unmolested. Maybe it's even probable.
Would I trust that as fact? Good God, no....
YMMV, of course.