Investec sending private details via Email

z101

Guest
Investec are sending your account number to you by Email !!

Your password by text !!

Your username, which is unchangeable, via email !!

The 2 most insecure means of communication just to save on postage. This apparently is because the 3.6% 12 month is an online account. How is that for an explanation for doing what every bank tells you never to do?
 
Details are sent through two separate channels which is much better than sending them both in the post as the probability that two pieces of post are stolen has to be much higher than your phone being stolen and your email being compromised by the same person. You can password protect your texts and your email, you cannot do that to a letter.
 
Agreed that sending details by both text and email is more secure than postal mail. In the case of Investec, they require the completion of a postal form and then send details by text & email, it is a secure multi platform method.

However, it is quite unusual, especially in the day of phishing, for any bank to be sending account details by email.
 
So it seems 2 minuses make a plus. I think this is very poor. A secure multi platform method is not what I would call it. 2 insecure methods don't make it secure just because they don't cross over. People who exploit such things will find means of crossing them over and this bank's methods are an open invitation to try.
I have spoken to someone earlier who is extremely well versed in all things computers and they say don't touch this one with a bargepole as he could come up with a couple of ways to try to exploit this off the top of his head. Won't be risking my money until they move away from emailing details.
No Thanks!
 
Investec have the most consumer-hostile terms and conditions I've yet seen in banking:

4. Facsimile, Telephone And Email Instructions

4.1 Please note that, in respect of Online Accountholders and Online Customers, instructions may only be given by email and through the Website, unless otherwise agreed by Investec.

4.2 The Accountholder or Customer, as appropriate, authorises Investec to act on facsimile, telephone and email instructions. The instructions communicated may include instructions to pay money or otherwise to debit or credit any Account with any amount, close or otherwise amend an Account, or relate to the disposition of any money, or purport to bind the Accountholder or Customer to any agreement with Investec or with a third party or commit the Accountholder or Customer to any other type of transaction or arrangement whatsoever. Any instructions communicated and transactions completed will be unconditionally binding on the Accountholder or Customer, as appropriate.

4.3 The Accountholder or Customer, as appropriate, will be bound by the terms of any facsimile, telephone and email instruction.

4.4 Investec is authorised and entitled but not obliged to rely upon and act in accordance with any communication which may be from time to time or purport to be, given by telephone, facsimile or email by an Accountholder or Customer, as appropriate, without enquiry on Investec's part as to the authority or identity of the person making or purporting to make such communication.

4.5 The Accountholder will at all times accept the Transactions of Investec on any of its Accounts as conclusive evidence of any instructions.

4.6 Investec can refuse to act upon any notice, demand or instruction sent by facsimile, telephone or email transmission at any time without giving notice to the Accountholder or Customer, as appropriate, if in Investec's opinion the instruction, demand or notice is sent by an unauthorised person or if it is being used for fraudulent purposes.

4.7 Investec will use all reasonable endeavours to ensure that it is capable of receiving and acting upon facsimile, telephone and email instructions so in consideration of Investec agreeing to receive facsimile, telephone and email instructions, the Accountholder or the Customer, as appropriate, undertakes to keep Investec indemnified against all losses, costs, damages, claims, proceedings, actions, demands and expenses which Investec may sustain or incur through acting or failing to act upon any facsimile, telephone and/or email instructions whether that instruction was received by Investec or not. The Accountholder further agrees that Investec may debit the Account with any amounts, which Investec has paid or incurred in acting upon any facsimile, telephone or email instructions.

So, essentially, whatever they say happened to your account is gospel. They don't have to provide any proof of this. They accept trivially-forgeable and interceptable email as a method of communication, and don't bother to verify if it's the real accountholder. If it goes wrong the customer pays for any mistakes they might make (and they'll take the money straight out of your account without asking).

I'm not familiar with Irish contracts, but is this sort of thing normal and is it the sort of thing the Regulator might have a view on? Or are banks allowed to do what they like in Ireland?
 
Sending Account Login & Password details in 2 paper mails in readily identifiable envelopes isn't exactly the pinnacle of security either though...

Besides, surely it's easier to compromise one's letter box than one's inbox + phone... Let's not forget either that this would also require foreknowledge that someone has applied for an account with Investec too, which gives the criminals, what? A few days to figure out your email address & phone number?

Once received (& deleted from the devices) you're in the same position as most other online banking customers (Login, Password / PIN, Security question(?)) & liable to exactly the same compromises, so be sure you're on a modern web browser with a real-time phishing filter.
 
Well, the Data Protection Commissioner seems to think that emails are very un-secure, and would prefer to see normal post used... several case studies on his website about this.
 
There's one there about 2 Credit Unions alright;

I received complaints from two individuals concerning e-mails they had received from two credit unions confirming details about online access to their accounts.
My Office contacted both credit unions for their views on the matter. It transpired that both credit unions were using the same third party vendor to supply their online account facilities.
When a customer registered to use the online facility, they received a confirmation e-mail that contained details about their account, including username, account number and password. A separate letter was sent to their home giving them a PIN number which would allow them to get online access to their credit union account.
Section 2 (1) (d) of the Acts requires that adequate security measures shall be taken against unauthorised access to, or unauthorised alteration, disclosure or destruction of, the data, in particular where the processing involves the transmission of data over a network. My Office entered into discussions with the third party vendor to address this issue.
The vendor’s initial concern was that when people registered, they would not remember their account details when they went to log on to the system at a future date and for this reason they were e-mailing the account details to the customers. As a solution, my Office proposed that when a customer was registering they should be encouraged to print off or otherwise record the details. This would eliminate the need to have confidential information transmitted to them via an unsecured e-mail.
The third party vendor agreed to change its systems to reflect this and to inform all of its clients that it was changing its systems for security reasons.
My Office was also concerned that one of the credit unions was using a free web-based e-mail service as a method of communicating with its customers. My Office took the view that this mode of communication was not adequately secure because the data controller could not adequately control access to the contents of such an e-mail account. The data controller had no record of access to the e-mails, even within their own organisation. My Office instructed the credit union concerned to stop using the free web-based e-mail account as a method of contacting customers. The credit union responded promptly and it changed its email to a more secure system.
This case highlights the need for all data controllers to be aware of the need for appropriate security when processing personal data. If there is a weakness in security, the matter needs to be addressed and a more secure method of providing the service must be established. Although I understand that the purpose of credit unions is to provide services to the community in a cost effective manner, this does not in any way exempt them from ensuring that appropriate steps are taken to protect customer data.
 
Sending Account Login & Password details in 2 paper mails in readily identifiable envelopes isn't exactly the pinnacle of security either though....

Maybe, but at least you know if someone has tampered with your post. A 100 savvy people may have read your emails and texts and you would never know about it. A smart criminal is far more likely to access your info by hacking than trying to get someone to intercept two/three letters in the post. The odds for fraud become far higher of it happening. Worse still the customer seems to be responsible if it happens. I spoke to Investec and you can't even change the user name they email you. Other banks are not using this system for good reason. Investec seem to think it's fine as liability is effectively on the customer. I would like to see how long it would take to get your money if your 20k vanished.

You would want to be nuts to go for this product in my view.
 
Maybe, but at least you know if someone has tampered with your post. A 100 savvy people may have read your emails and texts and you would never know about it. A smart criminal is far more likely to access your info by hacking than trying to get someone to intercept two/three letters in the post. The odds for fraud become far higher of it happening. Worse still the customer seems to be responsible if it happens. I spoke to Investec and you can't even change the user name they email you. Other banks are not using this system for good reason. Investec seem to think it's fine as liability is effectively on the customer. I would like to see how long it would take to get your money if your 20k vanished.

You would want to be nuts to go for this product in my view.

What you are saying is just wrong wrong wrong.
I would challenge your friend to crack Investec's security procedures in regards to PIN numbers and I'm willing to put cash on it he can't.

Some aspects of Investec are pretty amateur but the security is not.
 
That's why no other bank is using this system... why is it not good enough for them if it's safe? The reason is it's not safe. They are just trying to save on costs. A person in Investec said as much when I asked them was this a cost effective means of security.
You can bank there... I value my money too much for the risk incurred just to save Investec money on overheads.
 
Rabodirect require the use of the Digipass when performing transactions. Therefore Bank of Ireland, AIB, etc. (i.e. anyone who doesn't use this or similar) all have compromised security... correct?

I guess my point is, different institutions will handle security... differently, hardly conclusive proof if one institution does something that the others don't.
 
The only way to test this is to have your security compromised and complain to the bank and data protection commissioner. I had a case against an institution sending my statements to a relation of mine at a different address and never got a proper apology or action by DPC. I agree with previous posters that post is not better than email.
 
Investec are being very naive by sending your details unencrypted by e-mail and text. (Note: My expertise is software encryption.)

No system will be perfect, but Investec should invest in a system similar to Rabo's digipass. Their current system is incompetent.
 
I am a great believer in the 'Culture of Fear' and the entire population being scared witless by everything.

How many people have been defrauded by having their Investec logins stolen via email interception?
 
The guy I know who actually works in this area makes the point that some institutions are going to be targets of hackers/fraudsters more so than others. He thinks Investec are asking for trouble by their approach to their security. You have no way of knowing where your email and text details are stored or who may have gained access to them. Just because they are separate mediums does not make it secure as the view seems to be that although neither are secure the fact that they are separate from each other makes them secure. This is naive as someone who wants to target this institution will put thought into bridging this gap.
I believe in the culture of due diligence with my own money. I assume you have money deposited with them then?
 
I am a great believer in the 'Culture of Fear' and the entire population being scared witless by everything.

How many people have been defrauded by having their Investec logins stolen via email interception?

I agree with you about the "Culture of Fear", but bank fraud really is a problem - it just doesn't get reported.

I personally have been the victim of someone robbing my ATM card and pin number from my post box.

There really is no excuse for poor security these days. It's just a case of implementing the proper system.
 
Yes I am a customer and am still not worried about my money being stolen to be honest.

I do know that fraud does happen around banking, but like all the terrible things you hear about, it happens to a very very small number of customers. No system is foolproof and every system can be hacked no matter how 'secure' it is. But the Culture of Fear would have us all believe we are just about to be killed by terrorists, have our bank account emptied, die of cholesterol, etc etc. These things will happen to a small number of people, the rest of us will be fine.

My money is in a 6 month term deposit. If someone got my login details what exactly could they do with it? I can't withdraw money with the details, so how could they?
 
I agree with you about the "Culture of Fear", but bank fraud really is a problem - it just doesn't get reported.

I personally have been the victim of someone robbing my ATM card and pin number from my post box.

There really is no excuse for poor security these days. It's just a case of implementing the proper system.

But what is the "proper system"? Even Rabodirect sends both Account Details & Digipass by post... in which case your Account # & Digipass would have been taken just the same.
 
Just in case I was in any doubt about this company's competency. They have lost my original documents, which I requested to be returned. They returned photocopies they made and are claiming this is what I sent them. I suppose I could point out to them photocopies of docs do not fulfil the 2004 legislation, so if they are the originals I sent then they shouldn't have opened the account by law. I guess one Garda's photocopied signature looks like the next original. Glad I am not trying to get my money back.

Good luck with this crowd. I'm done with them!
 