Have Barclaycard fallen victim to social engineering? (Updated 19/9/10)

I received a partially automated telephone call from Barclaycard today – their systems had been alerted to possible fraudulent activity on one of my credit card accounts. When I initially answered the call and their robot explained this, my first thoughts were that it probably wasn’t fraudulent activity, and that I’d have to confirm a transaction I initiated a few days ago – I booked some holiday accommodation, and the last couple of times I’ve booked with the same company I’ve received a similar phone call and had to confirm that it was a genuine transaction.

However, I soon discovered that booking wasn’t what triggered the call, as the robot revealed two transactions and asked me to confirm if either of them wasn’t genuine. Neither of them, one for £3 and the other for £3,762, was a transaction I had made.

This isn’t the first time one of my cards has been hit by card fraud. The most recent case, a different card issued by a different bank, was only a couple of months ago, and I suspect that if I were to look back over my records it would probably be an average of one and a half strikes per year for the last few years. This might sound high, but I do have quite a few cards (although I strongly deny rumours that I have to have my wallets custom designed to cope – I just don’t carry them all at once!) and that’s bound to increase my chances of becoming a victim of card fraud.

The problem, as you might assume if you didn’t know any better, is not that I’m careless with my cards. No, in fact I’m about as careful as it’s possible to be, from making sure my computer is safe and secure, and clean from malware, through to never throwing anything away that contains sensitive information without first shredding it, and everything in between. The only way I could be more careful with my cards is to never use them – which would defeat the object of having them in the first place, and I’m not keen on the practicalities of that.

The real problem is that potential card fraudsters have other means of obtaining details, not just from the card holders themselves.

For example, companies that take credit card payments may be careless when disposing of paperwork. In theory, they should be holding paperwork for far longer than the life of any individual card, which means the dates and security code on the card in use should differ from their old paperwork – but that doesn’t guarantee that they do. And what if, due to a mistake when attempting to take a card payment, they dispose of paperwork believing it to hold incorrect details? One of my previous cases of attempted card fraud was caused by exactly that happening.

Another good example was where fraud hadn’t been attempted on one of my cards, but the card had to be cancelled and replaced anyway. In this case, according to what the bank’s security personnel told me, it had emerged that fraudsters had obtained details for all the cards in a batch – which presumably means a weak link in the bank’s own security somewhere.

Whether any of these methods – or any others I haven’t mentioned – were the fraudster’s source of my card details on this occasion isn’t something I know at this stage, and may never know (it’s only by pure luck that I was able to determine what happened in the first example above). Whatever means they used, that’s just the start of the crime, with the end being the bank contacting me today having been alerted to the possible fraud, and having it confirmed by me: Yes, it’s definitely fraud, those two transactions aren’t mine.

But there’s a bit between the start and end.

The Barclaycard telephone fraudbot quoted the amounts of the two transactions, and asked me to press a button on my keypad to say that I either did or didn’t recognise them. Upon pressing the one to say I didn’t, I was put through to an operator, who gave the impression initially that I was going to say I didn’t recognise the £3 transaction, but seemed surprised that I also said it about the one for £3,762. She then asked me to confirm when I last rang Barclaycard, and I said that it wasn’t recently – certainly not in the last few months, but probably much longer.

There was a pause, and she asked me to confirm that I hadn’t rung them today to approve the larger transaction. I repeated that I hadn’t rung them at all, not today, and not in recent memory (and I again confirmed the transaction wasn’t mine). She commented that their records showed a number of calls from me recently (not just today), and I confirmed again that I hadn’t rung them.

I was then asked if I’d set up online access to my Barclaycard account recently. I do have online access – but it wasn’t set up recently; I actually set it up many years ago. Her response to that was “In that case, we’ve got a problem” and she asked me to hold. A few minutes later she got back to me and confirmed that the two transactions were cancelled, and that my card was now blocked, and that someone else would contact me within the next 48 hours to follow this up.

After the call ended, I decided to try logging into my Barclaycard account in the usual way (which is for both my Barclaycards, not just the one affected), because it didn’t occur to me until afterwards that there may have been other transactions that they hadn’t picked up, and I thought it worth checking straight away. This shouldn’t have been a problem – when one of my Barclaycards was hit before, since it was the card that was compromised and not the online access to the account, my access details remained unchanged. When a card at my main bank was hit, since it was the card that was compromised and not the online access to the account, my access details remained unchanged. When my card with Egg was hit… etc. You get the picture.

However, I can’t get in with my access details, and thinking about what the woman from Barclaycard said, I suspect I know why.

I suspect some of those calls from “me” to Barclaycard were along the lines of “My log-in details have been compromised… I need to sort this out…” – and if so, Barclaycard must have stood for it, cancelling the existing log-in, and setting a new one up. They would, of course, have asked for various security details – but just how secure are the details they ask for? The answer to that is “not very” – and, indeed, some of the personal information that makes up those security details may have been available to the fraudster, depending on where and how he got my card details.

So, today I’ve been a victim of credit card fraud – and, given the calls to Barclaycard, an element of identity theft – but it looks as though Barclaycard may have, on my behalf, been a victim of a simple bit of social engineering.

Obviously, it’s a good thing that this was spotted and is now in the process of being dealt with, but given what appears may have happened, I can’t help but consider what might have happened if it hadn’t been spotted so soon.

Back in November, I commented about a call I’d received from Barclaycard, in which they asked me for my debit card details. The reason for that call was that I’d forgotten to pay them (and there’s a reason for that – outlined in the addendum below) and so, as a result, I set up a direct debit payment for both of my cards with them. That direct debit is set for the minimum payment – and the logic of that is that if I forget to make a payment myself for a higher amount (be that the whole balance, or somewhere between the minimum and the whole amount), or if I simply can’t be bothered, I don’t get any late payment charges; the worst is that the minimum payment will happen automatically, and I’ll get some interest charged on the balance the following month.

With access to my Barclaycard account online, that direct debit could be changed to the full amount. Get the timing right, and my card could be maxed out, paid in full, and then maxed out again – with that payment effectively cleaning out my bank account and taking me into and possibly even beyond my overdraft facility. That would have a knock-on effect, leaving me with no funds to pay bills, and so on, as well as excess bank charges and interest to pay. Under these hypothetical circumstances, the credit card company would be liable – but I doubt they’d repay anything other than the fraudulent transactions on the card without first fighting and arguing that they weren’t liable, which would prolong the agony, and in the meantime the damage would have been done.

In fact, although I know of two fraudulent transactions – for which the fraudster wouldn’t have needed to access my account online – I can’t help but wonder what else he has done. Why did he go to that length? Why did he get online access to my account? Has my direct debit been changed? Are there other transactions I’m unaware of? Can I therefore expect to see a large direct debit payment to Barclaycard to pay off fraudulent transactions that haven’t yet been spotted? Only time will tell (hopefully only 48 hours at most – when I get that follow-up call) – but it’s a worrying possibility.

On the bright side, the crook should be easy for the police to find. They just need to hunt for someone with wet trousers and who smells of urine – because when he was able to log into my account online, he would have wet himself with joy when he saw my credit limit.

Addendum: The reason for my late payment, mentioned on my previous post about Barclaycard.

Sometime last year, I started receiving text messages from Barclaycard, reminding me that my payment was due soon. After a few months, I came to rely on that text message as a seemingly reliable reminder: Instead of remembering that I need to pay by such and such a date, I simply waited for the text message to arrive, and I’d make a payment. Then, unexpectedly, the text message I received was actually slightly later, telling me that my payment was late. I cursed, and assumed I’d somehow missed the message reminding me to pay, and made a late payment. The following month, however, was a repeat of that month – and not entirely believing that I’d made the same mistake twice, I looked back through all my text messages. I definitely hadn’t received the reminder message.

The problem didn’t crop up for a while after that, simply because I hadn’t used that card for a while – until that fateful month when I paid late, and received the phone call from Barclaycard mentioned in my previous post about them. I’d forgotten what had gone wrong previously, and had expected that text message.

Why is this worth mentioning? Because of what I’ve since read on the Bent Society blog. If Barclaycard have been known to change the dates payments are due in order to catch out loyal customers who pay in full and on time, then does it not seem likely that the reminder text message suddenly stopping is another example of the same thing? Food for thought.

(Note: I believe customers can now sign up to receive these messages, but that’s a more recent option than when they were sending them to me anyway).

Update: 19/9/10

Barclaycard made an initial attempt at their follow-up call to me during the day on Friday, but I was unable to deal with them at the time, so I asked if I could be called back later. A time was agreed – 6:30pm. By 8pm I hadn’t received that call, so I rang them. Unfortunately, by calling them I was calling their call centre, which I believe is in India, rather than their fraud people who had called me on a withheld number, and who are probably in the UK.

The young lady I spoke to, having had this explained to her, said she would send a message to the fraud department, but she could only promise that I would be called back within 48 hours*. Sigh.

However, there were two positive outcomes of that call.

Firstly, I was able to confirm my recollection – as mentioned above – that when ringing Barclaycard, the security questions they ask leave something to be desired. That something being security.

Secondly, I was able to confirm that, yes, Barclaycard have indeed been the weak link here. This is because when I wrote the meat of this post on Thursday, I only speculated that Barclaycard had been socially engineered into setting up online access to my accounts for someone else. However, during this phone call, after being asked those faux-security questions, I was asked to confirm if I’d telephoned on the 14th to set up online access.

So there we have it. The fraudster telephoned them on the 14th, pretending to be me, in order to gain access to my accounts online – and the fact that I already have (or had!) that access didn’t trigger any alarm bells with them.

More alarming, though, is the fact that I was asked this when I rang them on Friday. The person I spoke to on Thursday, when they rang me, gave me the impression that she had realised there and then that the fraudster had previously telephoned them to set up online access, although she didn’t directly state that. Should that not have been flagged on their system at that point?

Does the fact that it quite clearly wasn’t flagged up mean the fraudster is still able to log in using his newly acquired credentials?

* I appear to have a missed call on my phone from a withheld number from earlier this morning. That, I presume, was my call back. They don’t seem to have tried since, though.
