Lessons learned
NatWest to ensure they send out mails correctly.
Reader to ensure that they set up minimum payment as default direct debit, that way you never miss a payment (unless you have no bank funds).
NatWest customers should watch out for lost credit card statements as an IT cockup has been blamed for one Register reader getting smacked with a late payment fee. A reader told The Reg how he was fined by NatWest for missing the regular payment on his credit card. The reader, who wishes to remain anonymous, receives his …
Re :- "Reader to ensure that they set up minimum payment as default direct debit, that way you never miss a payment (unless you have no bank funds)."
A standing order would be the better option in the potential "no bank funds" situation as NatWest charge you for a failed direct debit. Just saying like.
"Setup a recurring reminder to pay every month" - it's YOUR responsibility to make the payment, regardless of whether/if you get a statement.
This is why I refused to have electronic statements and insisted on a paper one each month when this first started. For some reason I trust the postal system to deliver something more than the electronic one. It can be hard to pay off a bill if you don't know how much it is, even if you know that it should be due.
Now my habits have changed and I have electronic statements, but then I also log in and check my accounts a lot more so it's obvious when the statement date has passed and the amount payable is clear.
Following must have been set up by a big boy who ran away if they don't use SPF
v=spf1 ip4:155.136.0.0/16 ip4:209.202.164.3 ip4:209.202.164.124 ip4:209.202.164.125 ip4:209.202.164.127 ip4:209.202.164.128 ip4:64.28.91.221 ip4:62.105.122.12 ip4:83.100.142.14 ip4:194.150.182.18 ip4:194.150.182.25 -all
To be fair they may provide the DNS record but not actually use SPF on their own servers. This is how I roll after getting repeatedly bounced by one particular ISP.
That said, there are other questions. Like; do Natwest really send outbound mail from more than 65,000 IPs? Doesn't this make it so broad as to be essentially meaningless?
> That said, there are other questions. Like; do Natwest really send outbound mail from more than 65,000 IPs? Doesn't this make it so broad as to be essentially meaningless?
Or someone didn't actually understand how SPF works... Or their network is disorganised enough that it really does have outbound mail servers spread all over the subnet.
> ip4:155.136.0.0/16
According to whois, that's RBS' entire block of IP addresses. It's also only IP addresses that are matched and not DNS records.
The upshot is that any of those ~65,000 IPs can spoof the netwest.com domain.
It could be inferred that this was set up to circumvent other people's SPF implementations...
1) you know you spent money on your Credit/Charge card.
2) You know when your bill is due (approx)
3) you probably have on-line access to the account so that you can see the balance
so there really is no excuse for not paying your bill. Take some responsibility for your own actions.
This will probably get down-voted to hell but the above is really only common sense.
NatWest also offer reminders and alerts by SMS, so even if you haven't had the email or postal statement it acts as a trigger to check your account. Resilience is a great thing when leveraged properly.
NatWest appear to have made a mistake, but as has been said people really need to take some responsibility for themselves (and in fairness to the victim in this case he appears to have accepted his part in the mistake and "The real annoyance was NatWest's refusal to deal with the problem.")
The bloke said:
“The fee itself was a comparatively minor annoyance, but irritating nonetheless as I normally pay off my credit card shortly after receiving the reminder from the online banking system. The real annoyance was NatWest's refusal to deal with the problem.”
So how exactly is he failing to take responsibility? He's holding his hand up to having cocked up by not paying the bill on time, he simply flagged up the problem and used his personal expertise to suggest a resolution for the benefit of similarly scatterbrained other customers. This is commonly known as "being helpful"
If I was this bloke however one thing I would check would be that they'd not flagged it as a late payment on my credit history - this sort of blemish can look bad on mortgage applications, and he'd have a reasonable justification on this occasion for asking them to remove it.
In most of business one receives an invoice and then one pays the bill - it's generally the responsibility of the person wanting the money to send out the invoice.
It would save us a lot of time and effort and bookkeepers if we didn't bother to send out invoices but simply assumed all our customers would remember to send us the money - especially if we were then allowed to charge them for late payment.
And why WOULDN'T they assume that you will send them the money?
If you're old enough to use a credit card you should be old enough to know that if you use it to pay for something you owe the money. Also not unreasonable to assume you're not so thick that you missed the fact that you have a deadline to pay it by every month. I despise banks as much as anyone but why this assumption that you shouldn't be required to think for yourself and take care of your own affairs? (not YOU in the literal sense of course)
And if I could automatically charge a late payment fee to my customers like the banks do. Well I can actually but would they do business with me again?
Or I could take their internet domain I host offline. Tried that once with a substantial long overdue bill and got told I'd acted illegally under some kind of "restraint of trade" legislation.
>> Or I could take their internet domain I host offline. Tried that once with a substantial long overdue bill and got told I'd acted illegally under some kind of "restraint of trade" legislation.
That's the sort of thing tightwads do when you stand up to them - try and frighten you with "the law". You haven't broken any law as long as you've given them reasonable notice and they've not paid for the service. Fairly simple, you provide a service, you send them a bill, they pay the bill. If they don't pay the bill then they are in breach of contract and you are entitled to not provide them with further services until they do.
IIRC What you can't do, and this is contractual rather than the law, is hold their domain name to ransom (if it's UK, dunno about others). Ie if they can find some other sucker to host it then they can transfer it and you can't refuse over the overdue bill.
The "big boys" don't pussy foot around - don't pay the bill and "poof" your domain and the contents of your website are gone. Yes, the domain isn't just suspended, the services will be deconfigured and the web site will be physically deleted from the servers quite quickly.
I've been saying at work that we really need to apply the law on statutory interest on late payments. But the PHB won't even though the ones not paying are, as you'll probably recognise, customers we wouldn't be upset about if they took the hump and took their non-payments elsewhere. Don't see why we should provide free loads to all and sundry.
Anon for obvious reasons.
PS - I'm with the others. You spend the money, you know it's due, and you should have a rough idea when it's due. Though it's easy to overlook such things.
It's a good idea, I learned the benefits of watching my money through (bad) experience.
It's the work of a few minutes to knock together a spreadsheet plotting regular in/out transactions for your account(s), add some estimates for the less regular expenses like food/transport and you can quickly see when/if you're going to end up in the red.
Another useful tip is to make sure you have a no-annual-fee credit card, that doesn't charge interest if you pay off the bills on time. Put as much of your spending as possible on it, and pay just before the due date - online banking makes this easy. Quite a lot of things you might not expect can be paid by credit card actually can be - things like council tax or small (<£1) transactions in larger shops, for example. The basic idea is keep as much balance earning interest in your current account (if it doesn't, change banks) as possible rather than getting spent on debit card or cash transactions.
Also occasionally helpful is buying something on the credit card and returning it, getting the refund on a debit card - I've done this, but only if I was going to be returning something anyway.
> Good advice: my only improvement on that is to get a cashback credit card if you can. You can easily make 3 figures a year just from funnelling payment for things you buy anyway through the card(s).
Oh dear, another one who thinks this money grows on trees.
What really happens is that the CC company screws the merchant via transaction fees, who then increases the price of goods you were buying in the first place to cover it. Nothing banks do is ever designed to actually give you money which they haven't managed to screw out of someone else first.
Personally I'd rather the world banned these "freebies" and actually forced banks to compete on their ability to deliver a banking service, and nothing else, in particular for credit cards where the actual cost is invisible to the punter (and therefore these not-so-freebies actually look "free", unless you understand how the model actually works).
I know how the credit card cashback fee system works, and yes ideally the payment processors wouldn't have us by the short and curlies and charge as much. But until the system changes I'm going to take every opportunity I can to claw back as much as possible from the banks. Better the money ends up back in our pockets than they just keep it!
> I know how the credit card cashback fee system works, and yes ideally the payment processors wouldn't have us by the short and curlies and charge as much
Payment processors charge approximately 1p per transaction. You're confusing their fee structure with that of acquiring banks.
> What really happens is that the CC company screws the merchant via transaction fees, who then increases the price of goods you were buying in the first place to cover it. Nothing banks do is ever designed to actually give you money which they haven't managed to screw out of someone else first.
Oh dear, another one who thinks that there are no costs to a merchant when handling cash.
Why do you think supermarkets give you cashback for free? It's because the costs they incur storing, auditing and transporting cash outweigh the fees they are charged by their acquiring bank.
As a result, it's in their interests to offload as much cash as they can onto their shoppers before the day ends.
"1) you know you spent money on your Credit/Charge card.
2) You know when your bill is due (approx)
3) you probably have on-line access to the account so that you can see the balance"
...AND if you set up a direct debit with your credit card provider, then if you fail to or decide not to make a manual payment yourself then they will automatically collect the minimum monthly payment.
If he was getting his bill by post and the post was lost he would still be liable to pay a late payment fee, email is not a guaranteed method of delivery and the person should take responsibility for paying their debt on time no matter. A feeble excuse for an obviously feeble person.
Their ISP has most to blame as SPF is just a way to score an email as possible spam, and should not be used by default to block / delete emails, as someone who runs a hosting company myself we never block emails, we only provide spam scores to allow our customers to filter and block emails if they wish based on those scores.
But presumably you do use SPF in this score, so if it fell way below the default for being identified as spam (as in the case of most email providers, there is a default threshold) because the SPF does not match (now, if the SPF record was not there that's one thing, but not matching is a very serious indication something is wrong) then you should block it. I would agree it is a milder problem there being no SPF, but if the domain is set up to have SPF and the mail doesn't come from those IPs then it's pretty shoddy to let it through as that's the owner of the domain telling you this isn't a valid email.
Using SPF to block is a no no in my book as, as has been shown, it often gets broken (especially with complex systems using many sending MTAs) and if you do block then the responsibility lies with you for blocking not with the sender for messing up their SPF. SPF should be used to give an indicator of spammy-ness or hammy-ness not an excuse to block emails outright by an ISP and it is then the responsibility of the person receiving to decide if to block or filter or whatever and as such also their responsibility if they block legitimate emails. It's like saying I sent you a letter, you don't like the look of the envelope and so you binned it without opening it first to read the contents, but it is still my fault.
The whole point of SPF is that the *sender* is declaring what are legit sources for email for the domain they're sending as. Anything else should then be treated as suspicious. I'd say if a party uses SPF then the onus is on them to keep it accurate, not for the recipients to make further speculation in case it might be inaccurate in the first place!
And given the high propensity for malware to try to impersonate banks, I'd say binning it was a perfectly sensible action.
I publish an SPF for my domain, but don't use SPF to block incoming mail. My only use for SPF is to fend off backscatter. It lets other domains recognise that the sending address is forged and so can discard undeliverable spam rather than bouncing it. This has benefits for both the target domain and myself and no downsides.
I run Spamassassin, which does a good enough job of spotting spam with the aid of some custom rules that SPF blocking is unnecessary.
In SPF there are two flags, ~all or -all. The first says, this is soft fail and the latter says BLOCK all mail except from those listed here. Since the SPF record is published by Natwest, it was highly reasonable of us to adhere to their SPF records, especially since so much fraud is done these days pretending to be from banks. In fact, to ignore the records would probably be the worst thing to do because of fraud as this would mean phishing emails would get through even though Natwest are publishing a record.
Jonathan Gilpin
Director
Fluent Ltd
> In SPF there are two flags ~all or -all
There's also ?all, meaning "everything else should be treated as if we hadn't said anything at all". There's also "+all", which is there for orthogonality, but entirely harmful in practice[1].
> it was highly reasonable of us to adhere to their SPF records
Yes. If the domain owner says "this is forged", it's correct to believe it to be forged...
Vic.
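Added illustration, not part of the thread and not NatWest's or any commenter's code: a Python sketch that evaluates the SPF record quoted earlier for a given sending IP, handling only the `ip4` and `all` terms. It shows how much of the address space the `/16` authorises and how the verdict for an unlisted sender changes with the `-all`, `~all`, `?all` and `+all` endings discussed above; the sender addresses in the demo are constructed.

```python
import ipaddress

# The record quoted in the thread (ip4 mechanisms plus a final "all").
RECORD = ("v=spf1 ip4:155.136.0.0/16 ip4:209.202.164.3 ip4:209.202.164.124 "
          "ip4:209.202.164.125 ip4:209.202.164.127 ip4:209.202.164.128 "
          "ip4:64.28.91.221 ip4:62.105.122.12 ip4:83.100.142.14 "
          "ip4:194.150.182.18 ip4:194.150.182.25 -all")

# RFC 7208 qualifiers: the result returned when a mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse(record):
    """Return [(qualifier, network-or-None)] for ip4 and all terms only."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # a mechanism with no prefix means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name.lower() == "all":
            parsed.append((qualifier, None))
        elif name.lower() == "ip4":
            parsed.append((qualifier, ipaddress.ip_network(value, strict=False)))
        else:
            raise ValueError(f"mechanism not handled in this sketch: {name}")
    return parsed

def check(record, sender_ip):
    """Evaluate left to right; the first matching mechanism decides."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, network in parse(record):
        if network is None or ip in network:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term

def authorised_count(record):
    """Number of IPv4 addresses that a '+' ip4 term lets through."""
    nets = [n for q, n in parse(record) if n is not None and q == "+"]
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))

if __name__ == "__main__":
    # Constructed senders: one inside the /16, one documentation address.
    for ip in ("155.136.200.77", "192.0.2.10"):
        print(ip, check(RECORD, ip))
    print("authorised IPv4 addresses:", authorised_count(RECORD))
```
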
> Their ISP has most to blame
Not so.
> as SPF is just a way to score an email as possible spam
No it isn't.
SPF has no intentions of being anything to do with spam. SPF is a way for domain owners to make statements about how their mail servers will behave.
If a domain owner says "those servers *there* send mail for me; anything else is a forgery", it is appropriate for any receiving MTA to believe that domain owner, and deal with such stated forgeries as if they were - well, forgeries.
> as someone who runs a hosting company myself
Please tell us which one. I always like to know how much any prospective supplier knows about their field of endeavour.
Vic.
"If he was getting his bill by post and the post was lost he would still be liable to pay a late payment fee, email is not a guaranteed method of delivery and the person should take responsibility for paying their debt on time no matter. A feeble excuse for an obviously feeble person."
Erm no, not really. In business you generally find that if you want payment it is up to you to send an invoice and to make sure that the billed entity gets that invoice. It seems that if you are large enough you can offer a shite service, charge late fees and generally bully your customers because you are in a jolly club of arseholes who all act the same. It is their fault because their actions caused the problem. I'd be asking for an exemption in this case.
> If he was getting his bill by post and the post was lost
But this is the equivalent of them sending out a bill disguised as a leaflet for free dog walking with an official statement on the envelope saying "not from Natwest - we promise" - you might be reasonably expected to throw it in the bin unopened.