Name and Shame: Halifax helps enable Identity Fraud
// August 14th, 2009 // News
I just got a cold call to my personal mobile from one of the UK Government’s new acquisitions, Halifax bank. I was expecting an unrelated business call, so when I saw an unknown number I answered a bit more formally than is my usual wont; the conversation went something like this:
Me: “Hello, Tom Godber speaking”
Them: “Er… (pause)… is that Tom Godber?”
Me: “Speaking, yes”
Them: “Right. It’s about your (financial product), but I have to ask you some security questions first. Can you tell me…”
Me: “Hold on, who are you?”
Them: “Oh, it’s Halifax. I need to ask you security questions to prevent fraud. So, …”
Me: “Prove it”
Me: “Give me something to prove you actually are Halifax. You could be anyone. Tell me the exact type of (financial product) I have with you, and then I’ll answer your questions.”
Them: “I can’t do that, for security reasons.”
Me: “OK, give me a number I can externally verify as belonging to the Halifax, which I will then call you back on.”
Them: “I don’t understand. If you just answer the questions I can tell you what this is about…”
Me: “No. I don’t know who you are and you refuse to prove your identity so I won’t tell you any of my secret information. What I need you to do is tell me which department you are in, and your name, and I’ll call you back via the number listed on the Halifax website for that department. Then I know I am speaking to the Halifax.”
Them: “Don’t worry sir, we sent you this information in the post as well and it requires no action. Have a nice day.”
I would like to ask Halifax how exactly this is different from the script an identity fraudster would use – a sufficiently compelling caller talking to a sufficiently incautious or distracted victim could easily compel the handover of enough information to compromise an account, and Halifax are training their customers to fall for it!
The eagle eyed will also note:
- The only personal information the caller gave me was my name, which I had already given them when I answered;
- I was forced to confirm that I had this financial product with a bank somewhere, unless I just hung up – but it could have been an urgent call, so it’s unlikely anyone would hang up without finding out more;
- Had I not asked which company the caller was from, they could almost certainly have tricked me into revealing which provider I had this product with; the guy didn’t even say he was from Halifax at first!
- Caller ID can be spoofed, so the number displayed on my mobile is no guarantee of anything (even if I knew what number Halifax’s call centres used).
One can only conclude that Halifax bank would like customers to give out all of their secret identity information to any person who calls up and asks about any financial product. This is absolutely appalling, and you can bet they’ll try and squirm out of any responsibility when victims of identity fraud have to spend months of their own time picking up the pieces.
Bootnote: there was indeed a letter sitting on my doorstep when I got home, from the Halifax. It detailed how much money Halifax had lost for me with this financial product over the last 6 months, and encouraged me to start putting more money in to gain further benefits. So this whole thing was really just a sales call, with all the benefits on their side and all the downsides on mine. Shocking.