Sep 302010
 

After discovering there had been fraudulent activity on one of my credit cards held with Barclaycard on the 16th September, and my subsequent contact with them that didn’t get anywhere on the 17th, I had a missed call on the morning of Sunday 19th September from a withheld number, which I assume was from Barclaycard’s fraud department, but they made no further attempts to contact me that day. I finally received a call from them on Monday 20th.

What the chap I spoke to said didn’t quite fit with what appears to have happened so far – based on those previous calls – but I wasn’t going to argue with him. My real goal at this point was to get everything sorted out -and in particular, a new card with a new number and restored access to my account online. However, I’m noting what claims and denials were made here in the interests of completeness – because I’ve already written about the issues in my two previous posts. Pertinent to the fraud itself, the first two things he told me were:

  • Firstly, that the faux-me rang on the 14th and only attempted to set up online access, but that he didn’t succeed in getting past their security. And, apparently, this triggered their alarms and they then put a block on my account and my card.
  • Secondly, that the faux-me also rang a number of times to check the balance on my account, with no mention of dates and whether or not these calls were successful.

Now, as I said, these statements don’t quite ring true for me.

Firstly, the claim that he failed to bypass security and set up online access to my account:

If the fraudster failed to do this then my own online access was not compromised in any way shape or form. So why was it blocked? (I did ask him this, and he said this was their normal procedure, and that I’d have to set it up again when my replacement card arrives – but I find the idea of blocking something that wasn’t compromised in the first place somewhat pointless. It only makes sense to me that my uncompromised access was blocked if new online access was set up – i.e. by the fraudster pretending to be me.)

Also, if they flagged up possible fraud due to this attempt at impersonating me on the 14th, why did they wait until fraudulent transactions were made on my account before attempting to contact me? This just beggars belief! I think it would have made much more sense to contact me immediately, at which point I would have confirmed it wasn’t me who had called them – especially given that he said my card was blocked at that point. What if I’d tried to use the card myself?

Then there’s the reaction of the operator I spoke to when they first contacted me about this card fraud. The woman quite clearly reacted with surprise when I said I hadn’t rang to set up online access. And similarly, the woman I spoke to when I rang them on Friday night, who also asked me to confirm whether or not I’d rang them to set up online access.

Surely, if they had identified possible fraud when this – allegedly failed – attempt was made on the 14th, at which point they are claiming to have blocked both access and the card, then it would have been flagged as such on the account, and the first woman wouldn’t have reacted with surprise, and I wouldn’t have been asked to confirm it yet again when I rang them.

Secondly, the fact that the fraudster made other calls pretending to be me:

Were they before or after this call on the 14th? And were they successful, or unsuccessful? If they were before and unsuccessful then, surely, that means Barclaycard had its first warning sign that bit earlier – so why did they not react then by contacting me? If it was after and unsuccessful then that would have either been later on the same day, or on the 15th, or on the 16th prior to Barclaycard calling me – so again, why did  they not attempt to contact me at each of these points? (In both cases, of course, the assumption is that the fraudster was trying again to bypass Barclaycard’s security even though he’d allegedly failed before. This, at least, strikes me as plausible given my own experiences with them – he may already be aware that it’s possible to bluff his way through it, even if he’s failed before – but only if we accept that previous attempts failed.)

So, in summary, despite the very distinct impression given by my earlier contacts with Barclaycard, they are now saying what appears to have happened didn’t happen – nobody bypassed their weak security.

The two points above weren’t the only outcomes of that call. The third item of note is that I said previously that I was concerned that there might be other transactions that I had not yet been made aware of, but guy told me those two fraudulent transactions were the only two that had been attempted, and there had been no other transactions at all since my last statement. So that’s alright, then.

The fourth thing, though, is that telephone security is being improved – there is now a telephone password on my account, from which I will be asked for two random characters in future. Why was it not like that before? And why the change now? It’s enough to make me think their telephone security was weak before and they’ve now realised it – perhaps fraudsters have managed to get around it, or something, just like this chap said hadn’t happened to my account. Who knows?

So,  to revise that summary slightly: Despite the very distinct impression given by my earlier contacts with Barclaycard, they are now saying what appears to have happened didn’t happen – nobody bypassed their previously weak security, but they’re strengthening it slightly anyway, just in case, even though it was obviously perfectly good before because nobody was able to bypass it. Or something.

Unfortunately, that’s not quite the end of the story. What happened next actually annoyed me somewhat.

I received my new card, with a little sticker on it giving me a freephone number to ring in order to get it activated. That’s nothing new, and it’s a sensible precaution – the cardholder receives a card, calls the number, answers the security questions and activates the card. Better that than a fraudster is able to intercept it in the post and make use of it.

Wait a minute? What was that third item? Oh yes, “answers the security questions”.  Well, with the improved security, where I give them two digits of my password, that’s okay. Previously, of course, the security questions would have lacked a password and would consisted of things that aren’t actually all that secure. However, that isn’t why I’m mentioning the card activation. This is:

When I rang the number, and an operator took the call, the organisation name he gave wasn’t Barclaycard, it was “CPP” – which I recognise as a company who I’ve known of for most of the 20 years I’ve been with Barclaycard. Card Protection Plan is – or once was – the expansion of those letters, and way back in the mists of time a cardholder could register his cards with them so that if his or her wallet was lost or stolen, and all cards with it, one call to CPP was all that was necessary to get them all cancelled and replaced. And they also provided a snazzy little key fob to attach to your keys with a serial number and freepost address on, so that if they were lost then whoever found them could pop them in the post to CPP, and CPP would ensure they got back to their rightful owner. Woo!

I subscribed to it for a couple of years, but I finally got fed up repeatedly trying – and failing – to get all my cards registered.

These days, it seems, CPP handle card activation on behalf of Barclaycard (and probably others, but this is the first time I’ve got through to them when activating a card).

This means that I had to give my answers to my security questions, including the two random letters from my password, to a third party company. Needless to say, I’m not entirely impressed with that arrangement – even if I do recognise the company.

And nor am I impressed with the real reason they are handling the card activation – which is to say, paraphrased because I’m typing this from memory, “Okay, Mr Hudd, that card is now activated. Barclaycard also asked us to talk to you about purchasing insurance against identity theft.”

Get me to call you, so that you can try to sell something to me. Nice.

Unsurprisingly, I declined.

VinceH