Comments on: Online security

By: Alex Bellinger

Alex Bellinger — Mon, 14 Jan 2008 15:30:10 +0000

Since the money went to charity, I doubt Clarkson would have asked for it back.
You’re right though, Ian, neither Clarkson or The Sun is likely to take their foot of the hysteria pedal

By: Ian

Ian — Mon, 14 Jan 2008 14:40:34 +0000

3-6 months is how long the process is likely to take. You would have had to have had a relationship with your sponsoring bank of some sort for longer than that or have a undoubted reputation. And yes - it is very easy to set up DD payments on the phone - that is what makes them a great way to bring efficiency to the payments system. And that efficiency is why it is important to try and paint a whole and entire picture of the DD system in this instance.

Has Clarkson got his money back? Unless he chooses to tell us I cannot imagine that any other element of the media will. You see, telling us that piece of information would act in such a way as to reduce hysteria which plainly is not in the interests of anybody concerned.

By: Alex Bellinger

Alex Bellinger — Mon, 14 Jan 2008 08:30:07 +0000

Here’s a scenario which happened to me when setting up a new insurance policy:

Call Centre: Would you like to pay your premiums by DD?
Me: Yes.
Call Centre: OK, I can either send you something to sign through the post or explain the details over the phone and get your agreement now.
Me: Fine, let’s do it over the phone.
Call Centre: We’ll send you the DD agreement.
Needless to say I’ve never seen the DD agreement slip. The above does show that it might be possible to ask a DD originator to set up details over the phone, with a few bank and address details.

By: Benjamin

Benjamin — Mon, 14 Jan 2008 07:44:11 +0000

Hi Ian. 3-6 months is a very small time frame in some of the fraud cases I have seen, but you are right, we shouldn’t be terrified, but we should certainly be more cautious than Clarkson was. Like many of us, he thought that you couldn’t do anything harmful with bank details. Has there been any clarification about him getting his money back? He was giving the impression that he hadn’t, although that bit is only part of the story of course.

By: Ian

Ian — Sun, 13 Jan 2008 23:35:20 +0000

Sorry Benjamin but it isn’t “a little more serious that that”. You don’t get to be a direct debit originator that easily. If you think you do then tell your bank that you would like to start originating DD’s and come back in 3-6 months and tell us how far through the process you have got. Even if the originator has vanished in a puff of smoke the originators bank carries the liability anyway so Clarkson still gets his money back. Being foolish with bank details is foolish but being terrified aboyt them is also foolish.

By: Benjamin

Benjamin — Sun, 13 Jan 2008 22:32:29 +0000

@Ian - it is a little more serious than that. Direct debit forms are relatively simple, with not many security safeguards (take a look at one and see how easy it is to obtain the information on there). In this instance, the transfer was to a charity, but what if the transfer had been to an account that had the money withdrawn and was closed. The incident raises some serious questions. I note that, for once, the Internet didn’t get the blame! Anyway, it is disturbing for both individuals and businesses.

By: Ian

Ian — Thu, 10 Jan 2008 09:05:13 +0000

The story as reported by the papers is very poorly written or Clarkson has been very poorly advised.

Becoming a direct debit originator like this charity is not a trivial process. You have to be sponsored by your own bankers who are effectively guaranteeing your ability to repay, on demand, any direct debit that is refuted by the payer. So Clarkson just tells his bank that it wasn’t him, his bank refund him - immediately - and get the money back from the originator. Hopefully the originator then informs the police of the details of te fraud and the prankster is pursued by the full weight and force of the law.

The process of setting up direct debits has lots of safeguards and it looks like lots of them were not followed. But regardless of those failures, this money has not been stolen, it’s just been moved somewhere that it wasn’t expected for a short period of time and can be moved back instantly.

Sadly, I expect that this wasn’t the way the story was reported because it is less easy to scare people with “Nothing really happened here” and scaring people is what the news media exists for.

[disclaimer : I use to work for a software firm that handled about 20-30% of all direct debit transactions that take place in the UK and spent what feels like half my life dealing with the direct debit system in a lot more detail than I would have liked]

By: Alex Bellinger

Alex Bellinger — Wed, 09 Jan 2008 16:58:29 +0000

The DD thing is disturbing. Presumably though it required a forged signature. Strictly speaking a criminal offence, in which case you’re protected.

Problem is for Clarkson, however, that most bank Ts&Cs, as far as I’m aware, offer you protection from fraud ‘unless you’ve been negligent with your bank details’. Perhaps in this case Barclays considers publishing details in The Sun as less than careful! Having said that I don’t suppose he’s asked for the money back.

Anyway, the negligence thing is a side issue. If HMRC has been negligent with your bank details and a fraud happens … yes, the consumer or small business is protected and any transaction should be reversed.

[disclaimer 1: I used to work in corp comms for various banks. disclaimer 2: challenge me if my memory of the above proves wrong or facts have changed!

By: Phil Connolly

Phil Connolly — Wed, 09 Jan 2008 15:42:31 +0000

That was a funny story. It’s a bit scary that someone can open up a direct debit on your behalf that easily though.