New Card, Security Alert

Posted by @ 1:27 pm on Wednesday 23rd May, 2012.
Categories: Rambling on...

Right on schedule last week my debit card fell apart. The chip fell out of it. The same thing happened two years back and two years before that, IIRC. It's a design flaw, it's bound to happen eventually when a rigid chip is embedded in a flexible card. I've discussed the matter with my account managers a few times and all that they ever recommend is that I try to avoid bending the card. That's difficult when it resides in a wallet which stays as much as possible in the back pocket of my trews - it's inevitable that it'll be flexed twixt butt and seat when I sit down anywhere. The irony is that I have a Flex Account...

 

Anyway, I'd phoned for a replacement card last week and it arrived this morning. I did all the right things - I signed the reverse side of the new card, I destroyed the old card, I broke the old chip, I updated all of my online accounts. It was only when I came to tear up the three-section folded accompanying letter that I noticed something odd... something worrying...

 

  • The upper section which had been between the card and the envelope bore a "carbon-copy" of the front of my card - the embossed characters had pressed the paper against the blue-printed inside of the envelope and the result was a clear-as-day blue-on-white "brass-rubbing" image of my card details.
  • The middle section had been pressed directly against the card-front and so the card's embossed details were indented into the paper. Again, apart from being reversed, the details were clearly legible.
  • The best bit was the lower section where the back of the card had been - the indents of the three-digit security code (and the last four digits of the long card number) are light indents filled with black pigment, and that pigment clearly wasn't dry when the letter and card were married together - there on the paper was a reversed yet clear black-on-white contact-print of my security code.

 

In short, all of the details needed to go shopping on the phone were there for anybody to read. Indeed, along with my name and address as printed on the letter, and a quick online search to find my D.O.B., there are sufficient details there to get through the phone-banking security checks and do some serious account-hacking.

Now I know that we're advised to take care when disposing of sensitive documents but when compiled properly these accompanying letters should bear no account details apart from the recipient's name and address, and the address of the issuing bank or building society, so the letters should be perfectly safe. Based on that assumption, some folk might just scrunch up their letters and dispose of them. And if they haven't noticed that the traces of their card details are there for others to see, and if that letter goes whole into the paper-recycling bin, and if some cheap-labour eco-migrant paper-sorter finds it down at the recycling centre, then it's phone-shopping party-time for somebody and financial hell for the card-holder.

I've told the phone-banking peeps about it and I've been into branch to show them the letter, they've never seen such a situation before and they're quite concerned about the security implications. They say that they'll "take measures..." I should point out that this isn't the fault of the bank or building society, it's a problem at the agency that they contract to make and package the debit cards.

So please be advised: next time you get a new card, be careful about how you dispose of the leftovers. We give eco-migrants far too much already without giving them free and easy access to our personal savings.

One Response to “New Card, Security Alert”

  1. Scott says:

    That's a tad alarming. It'd be more alarming from a personal point of view if there was ever any actual money in my account, but nonetheless...

    😯
