Tesco Credit Card Security

An open letter to Tesco and the Financial Regulator.

CC: Financial Regulator, Dublin 2
CC: Tesco Ireland, Gresham House, Dun Laoghaire, Dublin
CC: Tesco Customer Service, PO Box 73, Baird Avenue, Dundee DD1 9NF
CC: Tesco Card Center, PO Box 5747, Southend-on-Sea, SS 11 9AJ

RE: Tesco Credit Card Security Procedures

Sir/Madam,

I would like to file a formal complaint about Tesco Personal Finance security procedures for contacting customers by telephone. I have been contacted twice by their staff in recent weeks, and I was shocked by their call procedures in both cases.

The first time I was contacted, via a private number, the staff member wouldn’t introduce themselves or say who they represented “for security reasons”. They then proceeded to ask me for personal information to authenticate myself to them. When I explained that there was absolutely no way I was going to authenticate myself to someone who is unwilling to authenticate themselves, they cited the Data Protection Act as justification. I hung up.

At this point I guessed it was Tesco Personal Finance that was contacting me, but there’s no way I could have been sure of this until it was confirmed by the second caller a week later, who at least had the courtesy to introduce themselves and the company. However, they also asked me to authenticate myself, which I again refused to do. When I complained about the procedures they didn’t attempt to resolve the situation in any way; they simply cited chapter and verse back at me.

I understand why Tesco was trying to contact me; I received a letter about an overdue amount on my account and sent a cheque to bring it into order on the 31st of March. I accept that was my error and apologise to Tesco for the inconvenience, although in my defence I would add that I changed banks recently and simply had no way to pay the outstanding amount, as my previous account was closed automatically by my old bank before the new account was fully open.

I would also add that if Tesco had invested in just one Irish staff member to handle payments locally, or had invested in an online account management tool for Tesco credit cards, I would have been aware of the issue earlier and they would have received the payment already. I understand the service is outsourced, but can Tesco not afford 50 or 100k for these simple features?

That’s neither here nor there though; my issue is with the security procedures. While I understand the need for these procedures, their implementation in this case is incompetent at best and dangerous at worst. Consumers are told every single day via various sources not to respond to hoax emails or phone calls, and not to give authentication details to just anyone, yet here is Tesco ringing me out of the blue, on a private number, asking for my date of birth and mother’s maiden name.

Please change these procedures to protect Tesco customers, and the customers of other financial institutions whose senses may be dulled by these nonsensical security procedures. A security professional could and should be contacted to discuss the best way to go about it, but even someone like me with the most basic interest in security can suggest something better:

  1. The call shouldn’t come from a private number. The number doesn’t even have to work inbound, a simple recorded message can be used to authenticate.
  2. The staff member should introduce themselves by name.
  3. If allowed by data protection law, the company should be introduced. If this is an issue, tell them that their personal credit card provider is calling, but due to data protection law further details cannot be disclosed. I would be very surprised if the Data Protection Commissioner wouldn’t allow this, but they can and of course should be contacted to confirm this. Rest assured it won’t cost anything.
  4. It should be explained to the customer that the provider is trying to get in touch to discuss the details of the account, but for security reasons they need to initiate contact by calling the freephone number on the back of their card.
  5. Apologise for the inconvenience.

You can even automate this part of the procedure because no actual conversation will take place; not a bad idea in my opinion given the inability of Tesco’s staff to work off-script. Again though, I’m not a security expert, and one should be consulted. I’d strongly suggest Bruce Schneier of Counterpane Systems as one of the most respected experts in the industry.
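To make the difference between the two procedures concrete, here is a small Python model added for this page; it is not Tesco’s procedure, code or script, and the names, secrets and phone numbers in it are invented. It simulates an unsolicited call under the current practice (the customer answers authentication questions to whoever rings) and under the proposed one (the customer says nothing sensitive on the inbound leg and rings the number printed on the card), each against the genuine bank and against an impostor. Caller ID is deliberately left out of the decision, because the caller chooses what number to present, and the “directory” models the one thing the impostor cannot do: answer the number on the back of the card.

```python
"""
Added toy model (not Tesco's procedure or code) of the two outbound-contact
procedures discussed above. All names, secrets and phone numbers are invented.
"""
from dataclasses import dataclass, field
from typing import Dict

CARD_BACK_NUMBER = "1800-000-0000"   # hypothetical freephone printed on the card
BANK_OUTBOUND = "+44-1234-567890"    # hypothetical public outbound number of the bank
ATTACKER_LINE = "+44-9876-543210"    # hypothetical line an impostor asks to be called on


@dataclass
class Party:
    """Anyone who can ring or answer; `learned` is what they extracted."""
    name: str
    learned: Dict[str, str] = field(default_factory=dict)


@dataclass
class Customer:
    name: str
    secrets: Dict[str, str]   # e.g. date of birth, mother's maiden name
    policy: str               # "trust_inbound_caller" or "callback_number_on_card"


@dataclass
class Script:
    """What an inbound caller says on the line."""
    asks_for_secrets: bool       # "to authenticate you, what is your date of birth?"
    asks_for_callback: bool      # "please ring us back to discuss your account"
    callback_number: str = ""    # the number the caller suggests ringing back on


def inbound_call(directory, customer, caller, script):
    """
    Simulate one unsolicited call and return what the customer did.

    Caller ID is not an input: the caller chooses what to present, so it cannot
    decide who is on the line. `directory` maps a dialled number to the party
    that really answers it; only the bank answers CARD_BACK_NUMBER, because the
    customer obtained that number out of band (from the card itself).
    """
    if customer.policy == "trust_inbound_caller":
        # The behaviour the current procedure trains: comply with whoever rings.
        if script.asks_for_secrets:
            caller.learned.update(customer.secrets)
            return "disclosed on inbound call"
        if script.asks_for_callback:
            directory[script.callback_number].learned.update(customer.secrets)
            return "called back the number the caller gave"
        return "nothing to do"

    # "callback_number_on_card": nothing sensitive is ever said on the inbound leg.
    if script.asks_for_secrets:
        return "refused"
    if script.asks_for_callback:
        directory[CARD_BACK_NUMBER].learned.update(customer.secrets)
        return "called the number on the card"
    return "nothing to do"


def run_scenarios():
    """Run each policy against the genuine bank and against an impostor."""
    results = {}
    for policy in ("trust_inbound_caller", "callback_number_on_card"):
        bank, attacker = Party("bank"), Party("attacker")
        directory = {CARD_BACK_NUMBER: bank, ATTACKER_LINE: attacker}
        customer = Customer("A. Customer", {"dob": "01/01/1970", "mmn": "Smith"}, policy)

        if policy == "trust_inbound_caller":
            # Both the bank and the impostor use the script the letter describes.
            bank_script = Script(asks_for_secrets=True, asks_for_callback=False)
            attacker_script = bank_script
        else:
            bank_script = Script(asks_for_secrets=False, asks_for_callback=True,
                                 callback_number=CARD_BACK_NUMBER)
            # The impostor copies the proposed script but pushes their own number.
            attacker_script = Script(asks_for_secrets=False, asks_for_callback=True,
                                     callback_number=ATTACKER_LINE)

        inbound_call(directory, customer, bank, bank_script)
        inbound_call(directory, customer, attacker, attacker_script)
        results[policy] = {
            "bank_got_secrets": bank.learned == customer.secrets,
            "attacker_got_secrets": attacker.learned == customer.secrets,
        }
    return results


if __name__ == "__main__":
    for policy, outcome in run_scenarios().items():
        print(f"{policy}: {outcome}")
```

Under the first policy the bank and the impostor end up with exactly the same information, because the customer has no way to tell them apart. Under the second, the bank still gets what it needs (over a call the customer placed to a number it alone answers) while the impostor gets nothing, even when it suggests its own number to ring back on; the number suggested by the caller is ignored, and only the one on the card is used.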

But of course you should do your own research into this and not take my word for it, since I could be anybody; in much the same way that I don’t take the word of someone that rings me out of the blue. Seeing a pattern here? Please, do something about this idiocy. It’s dangerous.

This is an open letter, the full content will be published on my website at the following address:

http://verbo.se/tesco-credit-card-security/

All recipients are welcome to respond there or by email to [REMOVED] instead of in writing. If you would prefer that your response remain private, please make this clear in same. I reserve the right to post a summary of responses on my website.

Yours sincerely,
Adam Beecher

15 thoughts on “Tesco Credit Card Security”

  1. I experienced this a couple of weeks ago. It wasn’t a private number that called me, it was a UK landline (which I’ve no longer got a note of; however, I tried to call it back at the time and it returned a re-order tone).

    My credit card company’s First Active. Note that First Active, Ulster Bank, Natwest, Tesco (maybe more) are all under the RBS umbrella. So the same company calls you.

    I was livid that the caller knew my name, but wouldn’t tell me hers or where she was calling from. She demanded to know personal details about me, yet refused to tell me what company she’s calling from and in relation to what.

    I found it was First Active / RBS by Googling the number. Turned out I was a couple of days late paying my credit card bill. Wow.

    I’ve since paid the credit card off in full and closed the account. I’ll use another credit card provider in future. I’ve also closed a savings account I had with First Active and a current account with Ulster Bank.

    RBS will never have any of my custom again.

  2. Yeah, the CID today wasn’t hidden, it was +441702279960.

    Interesting that it’s RBS, thanks for that. I thought it was run by HBOS via Bank of Scotland, which was one reason I was lax to move to my new personal bank, Halifax, as it’s another HBOS member. The only other thing holding me back is the convenience of being able to use the card as my Clubcard, and of course the points earned on spending on the card. It’s a sort of double-whammy of clubcard points.

    I’ll see what they have to say for themselves, but their response would want to be very good to keep me as a customer. I haven’t been brilliant at clearing the card recently because some of my own customers are pushing the envelope on my payment terms, but I keep the limit very low so I could clear it tomorrow if I chose. Or I could just run it at the zero rate most providers offer for transfers.

    So it’s no real loss for me to leave, in fact it could be a plus. I await their response with bated breath. Of course it’ll take a few days, because I had to post the complaint, because bankers are crap at email too…

    adam

  3. I got a text message from a UK number at 5am about a year ago to tell me to call a UK number that my credit card had been cloned. I went back to sleep, and phoned the number on the back of my credit card the next morning to find it genuinely had been cloned and they were going to reimburse me for the various charges.

    But, it got me thinking, just how hard would it be to text people at random in another country asking for their details, card numbers, mother’s maiden name, etc? Not too hard at all it would seem.

  4. Also, interestingly, I have an MBNA platinum card as well as my own Mastercard, purely because the platinum card has a cheque book and a credit limit of 10k so I can write myself a 10k cheque at any stage should I ever need it. I use it to pay my rent, and when I give the cheque to my landlord, I immediately EFT the funds to MBNA. There’s usually a day of overspill between my LL lodging the cheque, and the funds reaching MBNA – and would you believe they charge interest for the day? Dick Turpin wouldn’t even have chanced that one.

  5. My instinct is to say that it’s not a suitable mechanism for communication from a bank, but on thinking it through it’s probably not all that bad if organised properly, since caller id is relatively hard to spoof. Of course I’ve no doubt it wasn’t organised at all in your case.

    I think the only way forward really is that all forms of communication from banks need to be agreed in advance; i.e. the bank should notify you of the possibility of communication via a particular mechanism, and inform you of the source so you can add it to your address book and/or whitelist.

    I’ve little sympathy for you on the MBNA front I’m afraid, they’re the Ryanair of credit card issuers and I wouldn’t expect any better from them.

  6. Just for context: I once got a call from a Dublin number where a guy with a strong Nigerian accent claimed to be calling from “Your bank” and was looking for personal details. I asked him what bank and he responded “The main branch here in Dublin”. I wonder how many people he caught….

  7. I had a call like that a couple of years ago, from a UK number, but it was a tad unprofessional, because I could hear the goings-on of an Internet cafe in the background, and then an ambulance went past outside the door, which has to have been open. Honestly, I’m not making it up.

  8. Just off the phone with a customer care person, calling because they preferred not to have their name published on t’Interwebs. Which is fair enough I guess, although they could have put that in the letter/email/comment. I’ve asked them to follow up with something in writing, and I’ve assured them that I won’t publish their name.

    The gist of the conversation is that some procedures, in particular not giving the name of the company, weren’t being followed correctly, and that the two employees in question will be talked to about this. They will also consult – presumably internally – about the general issues.

    Something, but a bit non-committal and quite defensive. I’ll post more details when I’ve received the latter and thought about it.

    adam

  9. Should have added: they called from a private number. They were aware of it, but if it was me, I’d’ve found a way to call from a public number.

  10. And this morning I received a letter from them about the account dated the 31st of March. That’s a full 2 weeks to deliver, and no, the bank holiday isn’t a valid excuse. Again, if they had a presence in Ireland…

  11. I received the letter yesterday, the 23rd, dated the 15th. It was not satisfactory. At all. I’ll be posting it and my response in a follow-up post later.
