# Investec sending private details via Email



## z101 (17 Feb 2010)

Investec are sending your account number to you by Email !!

Your pass word by text !!

Your username, which is unchangeble, via email !!

The 2 most unsecure means of communications just to save on postage. This apparently is because the 3.6% 12 month is an online account. How is that for an explanation for doing what every bank tells you never to do.


----------



## ontour (17 Feb 2010)

Details are sent through two separate channels which is much better than sending them both in the post as the probability that two pieces of post are stolen has to be much higher than you phone being stolen and your email being compromised by the same person. You can password protect your texts and your email, you can not do that to a letter.


----------



## Lightning (17 Feb 2010)

Agreed that sending details by both text and email is more secure than postal mail. In the case of Investec, they require the completion of a postal form and then send details by text & email, it is a secure multi platform method. 

However, it is quite unusual, especially in the day of phishing, for any bank to be sending account details by email.


----------



## z101 (17 Feb 2010)

So it seems 2 minus's make a plus. I think this is very poor. A secure multi platform method is not what I would call it. 2 insecure methods dont make it secure just because they dont cross over. People who exploit such things will find means of crossing them over and this banks methods are an open invitation to try.
I have spoken to someone earlier who is extremely well versed in all things computers and they say dont touch this one with a bargepole as he could come up with a couple of ways to try exploit this off the top of his head. Wont be risking my money until they move away from emailing details.
No Thanks!


----------



## Plover (6 Mar 2010)

Investec have the most consumer-hostile terms and conditions I've yet seen in banking:



> 4.             Facsimile, Telephone And Email Instructions
> 
> 4.1               Please note that, in respect of Online Accountholders and Online Customers, instructions may only be given by email and through the Website, unless otherwise agreed by Investec.
> 
> ...



So, essentially, whatever they say happened to your account is gospel.  They don't have to provide any proof of this.  They accept trivially-forgeable and interceptable email as a method of communication, and don't bother to verify if it's the real accountholder.  If it goes wrong the customer pays for any mistakes they might make (and they'll take the money straight out of your account without asking).

I'm not familiar with Irish contracts, but is this sort of thing normal and is it the sort of thing the Regulator might have a view on?  Or are banks allowed to do what they like in Ireland?


----------



## TSThomas (6 Mar 2010)

Sending Account Login & Password details in 2 paper mails in readily identifiable envelopes isn't exactly the pinnacle of security either though...

Besides, surely it's easier to compromise ones letter box than ones inbox + phone... Let's not forget either that this would also require foreknowledge that someone has applied for an account with Investec too, which gives the criminals, what? A few days to figure out your email address & phone number?

Once received (& deleted from the devices) you're in the same position as most other online banking customers (Login, Password / PIN, Security question(?)) & liable to exactly the same compromises, so be sure youre on a modern web browser with a real-time phishing filter.


----------



## JoeB (7 Mar 2010)

Well, the Data Protection Commissioner seems to think that emails are very un-secure, and would prefer to see normal post used... several case studies on his website about this.


----------



## TSThomas (7 Mar 2010)

There's one there about 2 Credit Unions alright;

[broken link removed]

_I received complaints from two individuals concerning e-mails they  had received from two credit unions confirming details about online  access to their accounts. _
_My Office contacted both credit unions for their views on the  matter.  It transpired that both credit unions were using the same third  party vendor to supply their online account facilities._
_When a customer registered to use the online facility, they received a  confirmation e-mail that contained details about their account,  including username, account number and password.  A separate letter was  sent to their home giving them a PIN number which would allow them to  get online access to their credit union account._
_Section 2 (1) (d) of the Acts requires that adequate security  measures shall be taken against unauthorised access to, or unauthorised  alteration, disclosure or destruction of, the data, in particular where  the processing involves the transmission of data over a network.  My  Office entered into discussions with the third party vendor to address  this issue._
_The vendor’s initial concern was that when people registered, they  would not remember their account details when they went to log on to the  system at a future date and for this reason they were e-mailing the  account details to the customers. As a solution, my Office proposed that  when a customer was registering they should be encouraged to print off  or otherwise record the details.  This would eliminate the need to have  confidential information transmitted to them via an unsecured e-mail. _
_The third party vendor agreed to change its systems to reflect this  and to inform all of its clients that it was changing its systems for  security reasons._
_My Office was also concerned that one of the credit unions was using a  free web-based e-mail service as a method of communicating with its  customers.  My Office took the view that this mode of communication was  not adequately secure because the data controller could not adequately  control access to the contents of such an e-mail account.  The data  controller had no record of access to the e-mails, even within their own  organisation.  My Office instructed the credit union concerned to stop  using the free web-based e-mail account as a method of contacting  customers.  The credit union responded promptly and it changed its email  to a more secure system._
_This case highlights the need for all data controllers to be aware of  the need for appropriate security when processing personal data.  If  there is a weakness in security, the matter needs to be addressed and a  more secure method of providing the service must be established.   Although I understand that the purpose of credit unions is to provide  services to the community in a cost effective manner, this does not in  any way exempt them from ensuring that appropriate steps are taken to  protect customer data. _


----------



## z101 (12 Mar 2010)

TSThomas said:


> Sending Account Login & Password details in 2 paper mails in readily identifiable envelopes isn't exactly the pinnacle of security either though....


 
Maybe ,but at least you know if someone has tampered with your post. A 100 savy people may have read your emails and texts and you would never know about it. A smart criminal is far more likely to access your info by hacking than trying to get someone to intercept two/three letter in the post. The odds for fraud become far higher of it happening. Worse still the customer seems to be responsible if it happens. I spoke to investec and you cant even change the user name they email you. Other banks are not using this system for good reason. Investec seem to think it's fine as liability is effectively on the customer. I would like to see how long it would take to get your money if your 20k vanished.

You would want to be nuts to go for this product in my view.


----------



## mark123can (20 Mar 2010)

Ceatharlach said:


> Maybe ,but at least you know if someone has tampered with your post. A 100 savy people may have read your emails and texts and you would never know about it. A smart criminal is far more likely to access your info by hacking than trying to get someone to intercept two/three letter in the post. The odds for fraud become far higher of it happening. Worse still the customer seems to be responsible if it happens. I spoke to investec and you cant even change the user name they email you. Other banks are not using this system for good reason. Investec seem to think it's fine as liability is effectively on the customer. I would like to see how long it would take to get your money if your 20k vanished.
> 
> You would want to be nuts to go for this product in my view.



what you are saying is just wrong wrong wrong 
i would challenge your friend to crack investecs security procedures in regards to pin numbers and im willing to put cash on it he cant 

some aspects of investec are pretty amateur but the security is not


----------



## z101 (21 Mar 2010)

Thats why no other bank is using this system... why is it not good enough for them if it's safe. The reason is it's not safe. The are just trying to save on costs. A person in investec said as much when I asked them was this a cost effective means of security. 
You can bank there..  I value my money too much for the risk incurred just to save investec money on overheads.


----------



## TSThomas (21 Mar 2010)

Rabodirect require the use of the Digipass when performing transactions. Therefore Bank of Ireland, AIB, etc. (i.e. anyone who don't use this or similar) all have comprised security... correct?

I guess my point is, different institutions will handle security... differently, hardly conclusive proof if one institution does something that the others don't.


----------



## OPTIMUM (21 Mar 2010)

The only way to test this is to have your security compromised and complain to the bank and data protection commissioner. I had a case against an intitution sending my statements to a relation of mine at a different address and never got a proper apology or action by DPC. i agree with previous posters that post is not better than email.


----------



## UFC (22 Mar 2010)

Investec are being very naive by sending your details unencrypted by e-mail and text. (Note: My expertise is software encryption.)

No system will be perfect, but Investec should invest in a system similar to Rabo's digipass. Their current system is incompetent.


----------



## RMCF (22 Mar 2010)

I am a great believer in the 'Culture of Fear' and the entire population being scared witless by everything.

How many people have been defrauded by having their Investec logins stolen via email interception?


----------



## z101 (22 Mar 2010)

The guy I know who actually works in this area makes the point that some institutions are going to be targets of hackers/fraudsters moreso than others. He thinks Investec are asking for trouble by their approach to their security. You have no way of knowing where your email and text details are stored or who may have gained access to them. Just because they are separate mediums does not make it secure as the view seems to be that although neither are secure the fact that they are separate from each other makes them secure. This is naive as someone who wants to target this institution will put thought into bridging this gap. 
I believe in the culture of due diligence with my own money. I assume you have money deposited with them then?


----------



## UFC (22 Mar 2010)

RMCF said:


> I am a great believer in the 'Culture of Fear' and the entire population being scared witless by everything.
> 
> How many people have been defrauded by having their Investec logins stolen via email interception?


 
I agree with you about the "Culture of Fear", but bank fraud really is a problem - it just doesn't get reported.

I personally have been the victim of someone robbing my ATM card and pin number from my post box.

There really is no excuse for poor security these days. It's just a case of implementing the proper system.


----------



## RMCF (22 Mar 2010)

Yes I am a customer and am still not worried about my money being stolen to be honest.

I do know that fraud does happen around banking, but like all the terrible things you hear about, it happens to a very very small number of customers. No system is foolproof and every system can be hacked no matter how 'secure' it is. But the Culture of Fear would have us all believe we are just about to be killed by terrorists, have our bank account emptied, die of cholestrol, etc etc. These things will happen to a small number of people, the rest of us will be fine.

My money is in a 6 month term deposit. If someone got my login details what exactly could they do with it? I can't withdraw money with the details, so how could they?


----------



## TSThomas (23 Mar 2010)

UFC said:


> I agree with you about the "Culture of Fear", but bank fraud really is a problem - it just doesn't get reported.
> 
> I personally have been the victim of someone robbing my ATM card and pin number from my post box.
> 
> There really is no excuse for poor security these days. It's just a case of implementing the proper system.



But what is the "proper system"? Even Rabodirect sends both Account Details & Digipass by post... in which case your Account # & Digipass would have been taken just the same.


----------



## z101 (24 Mar 2010)

Just in case I was in any doubt about this company's competency. They have lost my original documents, which I requested to be returned. They returned photocopies they made and are claiming this is what I sent them. I suppose I could point out to them photocopies of doc's does not fulfil the 2004 legislation, so if they are the originals I sent then they shouldn't of opened the account by law. I guess one Garda's photocopied signature looks like the next original. Glad I am not trying to get my money back.

Good luck with this crowd. I'm done with them!


----------

