I discovered today that I have had my third credit card in a year cloned. To paraphrase Oscar Wilde: to have one credit card cloned may be deemed a misfortune; to have two cloned begins to look like carelessness; and to have three cloned brings on paranoia.
The irony is that I have spent a significant amount of time this year working to see established a national police e-crime unit. This was recommended by the House of Lords Select Committee inquiry (of which I was a member) on “Personal Internet Security” in August 2007 and the Home Office finally announced its share of the funding a few weeks ago. Work is now proceeding rapidly.
My personal experience highlights the scale of the problem and the need for proper collation of the data on what is happening and how the frauds are occurring.
The Select Committee report highlighted a concern that people are encouraged to report such problems through the banks, who will then file reports with the police as they feel appropriate. Many banks have seemed reluctant to involve the police – perhaps because they do not want statistics published demonstrating how weak some of their security arrangements appear to be – and the police are not keen to see the number of offences reported to them rise as it will make their “sanctioned detection” figures appear worse.
In the two earlier cases of cloning I was subject to, I pointed out to my bank that the last valid transaction that took place was in both instances with the same retailer (a restaurant I used to visit regularly until this happened). There was no indication from them that they found this information significant and that they would be contacting the police to have potentially dodgy waiters or card-readers investigated. I certainly never heard any more. When I asked today why no-one had ever come back to me, I was told that they couldn’t do that in case I went round to the retailer concerned “to sort them out” – even though I pointed out that I knew where it was already.
Today’s incident was different. I received an email from my bank (fortunately I didn’t delete it on sight on the basis that it was a phishing scam) saying that my account address had been changed and to ring the bank if this was not the case. It eventually transpired that the bank had acted on the basis of a phone-call from someone who not only had my card details, but could answer the security questions about my date of birth and mother’s maiden name (neither are particularly secret pieces of information for anyone). Properly, they had then contacted me again for confirmation. I was told that this form of identity theft was increasingly common and could lead to full-scale impersonation and the obtaining of further credit in my name. The address quoted in the address change would probably turn out to exist but unbeknown to the occupiers an arrangement would have been set up for mail to be collected from a sorting office. All of this seemed to provide adequate scope for police investigation, but when asked whether they would be referring it on they said they couldn’t say and were keen to advise me that there was little point in advising the police myself.
In the Select Committee hearings we were told that bank card details (with the security question answers) were available for sale in the darker corners of the internet for about £1 each. My experience has been personally illuminating but is clearly not unique.
Key lessons: first, more investment in the policing of these matters continues to be essential; second, leaving it to the banks to act is not enough; and third, not only is personal vigilance essential but we should all ask our banks to use as security questions something a little more robust than date of birth and mother’s maiden name.