Shredding? Passwords? How far does your bank go to protect your identity?
As banks warn us to be ever more vigilant about fraud, could they be doing more to prove their own identities to us if they need to make contact by phone?
It is normal practice to ask customers to give some details to verify their identity.
But some customers in Scotland have recently been targeted and lost money to telephone fraudsters who tricked them into revealing their bank details.
Have you been contacted by your bank over the phone - what was your experience?
Do you think the banks should do more to prove they are who they say they are when contacting you?
Or maybe you think enough is being done already and more security checks will not make a difference.
Perhaps you have been the victim of fraud following a telephone call.
Why not share your thoughts?
We asked for your comments, a selection of which are below. The debate is now closed.
MOST RECENT COMMENTS:
In my view it seems to me that any business, be it banking-related or otherwise, is only doing what they have to do when it comes to checking security; they do "enough" to ensure that in a court of law they don't have to bankroll any losses - but when it's the other way round and the customer is liable they make no effort at all. Perhaps I'm just cynical of banks given events in the last 18 months?
Joel Bennison, Crawley, Sussex
What annoys me about banks is the fact that most do not have a freephone number. I wanted to register with my bank to join their new Securecode system. I tried to do it online but failed at the first fence, because my card expired the same month as I was trying to register and the system would not accept that. I ended up having to call their helpline, and as usual went into a queue. Ten minutes later I put the phone down. The secure code is their idea and not mine. So banks, let's have a freephone please.
Why are banks making "unsolicited" calls anyway? To flog more products we don't want and have never asked for. I hung up after finally relenting and answering one of the seven plus calls a day I received from my bank and they have now stopped. These are not service/emergency calls but sales calls; don't pretend anything other than these calls are motivated by trying to wheedle more money out of us.
I have to say that I listened to your article on this topic in complete and utter disbelief. On 15 February 2009, I shall have been with my bank for thirty years and, in all that time, they have telephoned me only once. You must all be living on a different planet.
P. A. Moore, Seaford
I had to smile when listening to this report as we are trying to get our bank to ring us with no success! They did make us an unsolicited call a year ago. At least, we assume it was them. I was suspicious and ended the call. Now we actually need to talk with their financial advisor about our non-performing investment, they ignore repeated requests to please, get in touch. That's suspicious too!
My bank called me and asked for my password. When I queried it with them they said it was normal practice as they had to identify the customer. If I give that information out to a bogus caller they say they won't reimburse me for fraud as it would be my fault. How are we supposed to tell the difference?
The only calls from my bank have been sales-related, to try and tempt me to part with my money - and on the odd occasion this has happened I've asked them to write instead because I never discuss financial matters over the phone unless it's me who placed the call.
An automatic call identified as my credit card provider, asked for year of my birth. I was unhappy so put the phone down intending to ring the number on my credit card statement. On lifting the receiver the call was continuing and I could not clear the call. I had to put the receiver by the side of the phone to let the automatic call finish its run. Very spooked. I rang the credit card provider but was told that the wait was for 15 minutes. No further calls. Nothing suspicious on my statement which I called out from the internet and nothing on the routine mail one. I assume it was a trial scam, but it was very troubling, especially as I was in the house on my own.
Websites have multiple, verifiable ways of identifying themselves as genuine: SSL, certificates; the proper URL, etc. How is it that in over 100 years, the phone industry has never addressed this?
I was contacted by my bank following a cash withdrawal I made in Ottawa, Canada during a recent visit. When asked to prove my identity I responded that I was reluctant to do so as I could not verify that it was, indeed, an official call from my bank. This confused the caller as he did not expect me to react this way. I eventually agreed to their request after the caller said he had spoken to my wife within the previous 15 minutes (I didn't prompt him to say this) and I asked him for her full name and he provided this - my wife and I do not share an account. The point is that I think that the banks need to address this important issue as they are always telling us not to divulge personal information - so they need to introduce a better system for them to be able to identify themselves...
Alan Pooley, Billericay
I do not give out information to call centre operatives who refuse to provide their surnames or any information to identify them. This has resulted in my bank cutting off telephone and internet access, as I am a security failure. Again another company caused great upset by disallowing myself to do online shopping as it did not fit my profile. My bank will make every incorrect argument on an expensive telephone call to withhold the service they claim to provide. Not only do they state I do not know the age of my son. I am glad I received a negligee in my Christmas box - I took the telephone call from call centre regarding the details of my husband's purchase. I wonder if I owed the bank money would they provide a customer service. They are a smug organisation.
Mrs Elizabeth Saville, Llandudno
I had a Co-operative Bank business account. I asked the bank to hold a password on the account details which I then asked them to provide parts of (e.g. 2nd, 5th and 10th) when calling me.
Listening to the discussion about this issue, I have decided never again to answer those security questions when the bank contacts me. So far they've been genuine, but I realise I've been foolish in trusting that that's so. Yes, I want the bank to do more to identify themselves to me when ringing me - a password is a good idea, or, let's see, a series of questions that go on and on! No, it's a serious issue and it has made me more aware of security issues. P.S. I have had the experience of my credit card being used fraudulently, but that's a different matter.
Pauline Hammerton, Manchester
If my bank called me I would be very surprised. If anyone called me and asked for my PIN number they would not get it. This is somewhat similar to the internet scams, asking for your bank details. I never give this information out.
Mike, Friday Bridge
I was recently contacted by my bank who wanted me to identify myself which I would not do until they could produce evidence of who they were. This they did to my satisfaction, however they then proceeded to provide information about my son's account and the details of his overdraft. They had assumed that it was him because we have the same surname and similar bank account arrangements. This problem of identification also applies to other companies who provide services.
Ross Walker, Nr Salisbury
When my bank does phone me, it has always been to try to sell me more services. I refuse to talk to them because they can't identify themselves, and then worry about what they wanted to talk about, only to discover that they were trying to flog me some insurance.
Recently I was called by my bank and after the initial abrupt request to confirm my date of birth or something I instead asked the woman on the phone to identify herself. "Tell me the number of my savings account," I said, and she said she couldn't do that. So I said that meant that she obviously did not work for the bank after all, and hung up. Later I got a call from someone more enlightened who gave me a number I could ring, but my overall impression was that they had thought plenty about their security but not at all about mine.
Steve Taylor, London
I regularly receive calls from one of my banks. They always begin by asking security questions which I refuse to answer. With increasing concerns about personal security I do not feel it appropriate that banks continue to contact customers and ask for any personal information.
Mrs S Rayfield, Worthing, West Sussex
It's always annoying to receive a call where I have to "identify" myself. However, I do understand the need for caution with my data - it's not good enough for the bank or similar to assume that the person who answers the phone is the right person. So, to protect myself... I ask them a few questions to check they do have my details... Nothing that would breach data protection rules but gives me comfort. For example... In my date of birth. What do you get if you multiply the month of my birth with the day of my birth? (Often have to wait a moment whilst they grab a calculator!) In my mother's maiden name... Which letter of the alphabet appears twice? Not totally secure I know but it is helpful.
I had some real concerns a couple of years ago. Having gone through a number of calls from the bank asking me for proof of who I was when they called - I always refused to give any "identity" details as they "could not tell me what they were calling about" nor had any proof of who they were. I eventually contacted them to raise my concerns about their approach and particularly in the light that customers were being advised to be very vigilant about their personal details. I was treated like an idiot for making contact about this and told that because of customer protection they always had to establish who they were talking to. Only works one way obviously!
Anna Leaver, Cheshire
I used to work for Lloyds TSB and the reason the banks check customers' ID is the fear of handing out confidential data to the wrong customer, but I'm sure you knew that. On the breakfast news this morning [10 January 2009] your correspondent incorrectly said that no bank has an agreed password system. This is untrue. Lloyds TSB has had this password facility in existence for its business customers for many years now and facilities exist for personal customers as well if required. I won't take it away from you that this is a major source of concern for customers and having worked in the industry I would not give out my information to an unconfirmed caller. I would suggest that the customer offers to go to a pre-agreed branch to discuss the matter. Phoning back on an 0845 number will cost the customer money and is no guarantee of security if you haven't verified its authenticity independently.
Neil Webb, Norwich
I have been contacted by two banks, my credit card provider and my mobile phone network provider over the last couple of years, each time wanting me to give out information about my credit or debit cards or my bank account transactions. Twice I was overseas at the time and received the calls on my mobile, which was very distressing. One bank and the credit card provider understood when I refused to give info up front and I interrogated them instead - I asked for a name, location of the call centre and then for a number on which to call them back that I could verify against paperwork I had (or a website when overseas). I also asked them to tell me about my transactions, after all they had called me!! The mobile phone company were intransigent and threatened to cut off my phone within days if I didn't send them an immediate payment by debit card after my direct debit had failed for no fault of my own. They wanted it sent to a vague mobile phone number that I could not verify anywhere. I refused and they suspended my phone until I returned home and could make the payment another way. In their defence, I think they have now changed their methods, but I haven't missed any payments since then to know for sure. My advice to my elderly mother is never give bank information out to anyone who calls her. Always call back on a trusted number and go through regular security questions first. It's a shame, because I would welcome a call from the bank telling me information for example that I have just gone overdrawn, rather than receiving a letter two days later telling me they've imposed a penalty on my account - if they'd phoned I could maybe have dealt with it that day... I guess that wouldn't make them as much money...??
Jill Norfolk, Bracknell
I have a credit card run by a Bank. I received a phone call before Christmas. The caller identified themselves as my bank and asked me to confirm who I was. They began with confirming the post code. As my telephone number and postcode are in the public domain I refused to have any conversation and the caller hung up. Subsequently I telephoned the bank's help line to discover that the call was genuine and the bank was checking on an internet purchase that was only 30 minutes old. A genuine purchase as it happens. Except for the very poor beginning to the whole activity I thought that the bank's security was first class.
Ian Rawet, Shefford, Bedford
Banks are likely to call on very few occasions. In general, they will call if:- 1. A transaction has been made that doesn't match a customer's general spending habit. 2. A transaction has been made where an account or card has not been used for some time or at all in the case of replacement or new cards. 3. A transaction has been made outside the country of residence. In my experience, the bank will normally call while the transaction is being processed - either while I am withdrawing at an ATM or making a payment in a shop. The only information they need is confirmation of your whereabouts so that they can match the point of sale to where the customer is located. They rarely call at any other time. But, when they do, for example to promote an offer, they do need to confirm who they are talking to. However, they ask specific details that cannot be linked to your account. For example, the first two numbers in your postcode, or the third and fifth letter of your maiden name, or even a couple of digits from your birth date, but they will never ask for complete information and should never ask more than one identifying question of this sort. I think any consumer would understand that these snippets of information are fair to give and it hardly helps fraudsters. However, I would be concerned if I were called regularly, or asked for any more details than this. For reassurance, it's good practice to call the bank back following a call if you have any cause for concern.
I was rung by my credit card company after omitting to pay my minimum balance. I was asked for my date of birth and a couple of letters from my password. I was then told if I paid my balance now I could avoid an additional charge and was asked for bank details. When I asked for some kind of confirmation that I was talking to the bank I was told "I can assure you that I am." I was then asked for my address in case my statement had been sent elsewhere and when I asked what address they thought it was I was told they are not allowed to give out that information. At that point I hung up. I have since written to my credit card company to complain and received a fairly dismissive reply suggesting that nothing was out of the ordinary. I have since referred to the Ombudsman and re-written to the card company's head office and am awaiting resolution.
David Woodford, Plymouth
My bank act no better than loan sharks. Telephoning from 8am in the morning until 9pm at night, even on Sundays. When they call they ask you to verify who you are by asking for your date of birth. You feel obliged to give this information. This is for the purpose of telling you that you are a few pounds overdrawn. It's a form of harassment.
K Doswell, West Bromwich
I have been contacted a few times by my bank and they were very surprised when I refused to give them any information and when I told them, for all I know they could be anyone calling. I got the impression that they thought I was just being silly. I told them that if it was important to put it in the post to me and not to call again. A few days after the last call I received information on them trying to sell me something but have not had a call since.
Peter Aston, Weston-super-mare
I was contacted by my bank by phone to check if a request to set up a standing order was genuine. I was not happy to discuss this over the phone and was offered the options of either calling them back or them writing to me. I opted for the option of receiving a letter from the bank. I was then able to take the letter to a local branch and discovered that it was an attempted fraud on my account and the bank passed this onto their fraud department and set me up with a new bank account. The only thing the bank didn't do that I requested was to let me know the outcome of the fraud investigation as I would like to know how my details were obtained by the fraudster.
D Cowley, Manchester
When the bank or credit card people have phoned with a query and asked for ID verification, passing a piece of personal information with the caller is a good way to confirm IDs on both sides. I do like the way unusual transactions are flagged then checked with the account holder. Now - if only they wouldn't play around with variable interest rates and new issues of savings accounts all the time, I could get to like them!
Terry Hart, Swindon
Easy: Ask the bank to call you back in half an hour. Get out your latest statement. When they call back ask them to give you your account/card number. If they get that right choose a transaction, give them the date and value and ask them to tell you who the payee was. If they can't tell you then the second word is 'off'. You should take control and do not be intimidated.
This problem is not limited to banks. I raised this very issue with the data protection office of my mobile phone company after receiving similar "cold calls" from their staff offering me unidentified "services" but requiring me to identify myself first. I have to date had no response, which I think reflects how seriously they don't take this issue!
Niall Davies, Edinburgh
I had my handbag stolen from work but had not noticed it was missing. In the afternoon I had a phone call from someone saying they were the police and that they had apprehended a thief outside my workplace who had in their possession my handbag. The policeman asked me to identify what was in my bag and then started to ask about my cheque book, account numbers, he was very plausible, and eventually asked what my PIN number was. At which point I refused to give the information and was told to "f... off". Obviously this was not the police! But I could so easily have been taken in and given him the info, so beware - don't even give details to anyone even if they say they are the police. At this point I realised my handbag had been stolen and alerted the bank.
Lindsey Axford, Oxford
I am with First Direct and never worry when they call. A variety of security check passwords and memorable dates are pre registered and so when they call they could ask for a given letter within a password or for a code word. They do not ask for full passwords or even address. I believe many other banks should follow this example.
I received a call, made from a mobile phone, from someone claiming to be Miss X, who said she was working for my bank, and who wanted to discuss my personal financial affairs with me. Before giving her any information, I took the precaution of ringing the number given on the bank's notepaper, and asked them to verify that she was their employee. They said they couldn't do that because it would contravene the Data Protection Act!
Since November I've been called by my bank approximately 10 times a day, 7 days a week, beginning at 8am and going on until gone 9pm on some occasions. All to tell me I've wandered over my credit limit a couple of times, which I already knew. I spoke to them on a few occasions and they asked me to confirm my personal details, which I refused to do and told them to contact me in writing. The letters never arrived and the calls continued so I ended up ignoring them completely. If you try to call the number back it tells you that it was a call from the bank and you don't need to take any action. But the calls continue... I have now gone as far as changing my number. I intend to complain about their harassing behaviour and know I am not the only one to have experienced this problem. It is shocking that a large established bank should resort to such tactics and surely something should be done?
Jason Haden, Manchester
My wife received a telephone call from the bank asking to speak to me (I was out at the time). They would not discuss the matter with my wife so she informed them to write to me which they said they would.
Mr H Johnson, Wigan
I was contacted one evening at 6:30 by someone who said they were from my bank, Abbey, asking for details to confirm who I was. I refused to answer their questions concerning my account details and put the phone down. Two days later I tried to use my debit card and it was declined twice. I phoned the bank and after several attempts was put through to the fraud department who after checking my account found that over £400 had been taken from my account. They said they would reimburse me the monies taken and would cancel my debit card and issue me with a new one. I was pleased with the final outcome but concerned about a phone call asking for my banking details.
Jim, Newport City
I think when a bank wants to contact a customer, the onus should be on the Bank/financial institution to identify itself properly first, before demanding our date of birth etc, to prove who we are. Do not rely on a phone number they give you to call them back - ask them where you can look up their phone number independently, to ensure you are actually calling a genuine bank!
Jeremy Blackman, Wimborne Minster
If my bank/card company etc. calls me and launches straight into "identifying" questions without properly identifying themselves I say, "Before I tell you that, how do I know who you are?" Any genuine company will be quite ready to satisfy me over that before proceeding. Usually they give me a number to call and I know what to ask them to satisfy myself (yes, I know you could fake that too). We can exchange partial snippets of things known to both of us. They fully understand my caution and are set up to identify themselves properly. Natwest has a lot of anti-fraud provisions, as do the card companies and I have been very impressed with them.
On your piece on Breakfast this morning it was stated that no bank uses a password system when contacting a customer on the telephone. This is incorrect. I bank with the Co-op bank and we have an agreed password which they will use if they need to speak to me on the telephone. I asked for this to be set up a few years ago when they rang me and asked me to identify myself. I pointed out that the bank themselves has asked customers never to give out such information, and it was the bank that needed to prove their identity to me. I later received another telephone call from the bank agreeing to set up a password on my account that they would use when ringing me in the future. I can see no reason why this cannot be used by all banks.
Our bank has rung us several times recently. I understand they need to verify who they are talking to. We refuse to give any details, and ring them back. They should provide a free number to do so, or use the post. We had a call this morning, we refused to give details and they are putting a letter in the post. This practice would stop if we all refused to give details.
Using internet banking, the banks seem to be their own worst enemy when it comes to fraud from phishing. Most not only don't prove who they are when trying to log in but often seem to change their internet address during the process to something unknown. With one bank, logging in a new window is opened with a hidden address bar so I know even less which site I'm really on without doing a check on their security certificate. They don't bother proving who they are to me which seems all too common. I've had banks with an invalid or out of date security certificate, others with help sections taking me off site to insecure third parties, then back again.
The comments we publish are not necessarily the views of the BBC but will reflect the balance of views we have received. Readers should form their own views on whether messages published represent undeclared interests, or views prompted by a common source.