A bit of an update on this: I took my computers off the internet and scanned them for nasties on Tuesday; I didn't find a thing. I checked my statements and - to be fair to Santander - they'd rectified the transactions immediately. All was working out as far as I was concerned. I just have to wait for my new card to arrive.
Until I tried to log in this evening to see if an invoice had been paid... and I couldn't log in. I rang Santander up and was told my account had been locked due to too many failed attempts; I've never failed before and even got my girlfriend to check the details I was entering tonight. I asked the lady on the phone when the failed login attempts were; and she said yesterday. Uh oh..
I was told I'd have new security details sent out as soon as possible, and they should arrive within 6 working days. Until then I can't use online banking and I still don't have a debit card; so I can't even check my balance and view recent transactions from an ATM. I asked if I could do banking in person, and was informed that "No - as a business account holder you don't have a branch, so can't maintain your account in branch.".
I asked about telephone banking: "No, to authenticate with Telephone Banking you need the details that we're sending you by post.". I asked about closing the account: that takes 3 working days.
In short I told her I'd most likely have to leave Santander, as in the words of their security team - I needed increased visibility on my account at the moment to ensure there were no other dubious transactions. Here she is, telling me that someone has tried to log in to my account but that I'll have no visibility for up to another 8 days. I have no way of paying anyone, I have no way of ensuring invoices are paid, and I can't even service the account in branch. Ultimately, I'm locked out at the one time I need to keep an eye on it.
An absolute joke, and I am very sorry to read of the situation you have unfortunately found yourself in.
I totally understand that from Santander's point of view, they have to take measures in circumstances to prevent this getting any worse with whoever is trying to defraud you. However, as it's a business account you have with them, I am very surprised that there isn't a way in their protocol for you to go into a branch, in a room which deals with these things, with proof of who you are, for you to at least see what's going on with your own money and situation.
Unfortunately, as has been said, fraud online is growing every day no matter how much people and companies do, there are always new things people are coming out with of compromising any personal data that they can get their hands onto.
It's a lesson to us all that we must take extra caution with things in future. The world is becoming more and more technology based, and with that becomes more opportunities for these people. I am just sorry it's happened to you in this way that's ultimately going to make you even more security cautious.
Good luck and I hope it gets properly sorted out soon.
Cheers, Sage!
Unfortunately, I can understand Santander's point of view too - I spent half of the phone call telling the poor woman last night that it was unacceptable and my account was moving next week, and the other half telling her I understand that it's not her fault and rules are rules. (She even let out a bit of a chuckle when I wished her a good evening after telling her how messed about I felt!) Ordinarily, had my card been blocked OR my online access blocked I would've been on their side and congratulating them. Even I must concede that, like @Robbo on the wing, their response to the card problem itself was brilliant.
I think my biggest gripe is - as you say - there's no way of me sitting down with a human and getting to the bottom of this. I understand from looking around previously that NatWest give business account holders access to a dedicated adviser at a specified branch local to them. Similarly, Metro bank would've printed me off a new card in branch the same day. On the flip side, for Santander to have been quick enough to ring me whilst the chap was still trying to use my card on the same store is very impressive.
As someone who's spent two of the last three years earning a living dealing with medical records and financial data (from the tech side as well, as a developer), and going through regular monotonous infosec talks - I always thought I was a tad paranoid if anything! But it just goes to show, that these people are inventive and creative - and ultimately you can't really blame yourself at the end of the day. Heyho, hopefully I'll work out what happened at some point!
Wake up call for us all, @LuckyReds. Hope it gets sorted without further stress.
I certainly remember that NatWest allocate a human to all business accounts. Well 3 years ago they did. And I find that even with my personal account with HSBC, I can drop into the Eltham branch (when I'm there), get answers, and resolve things. If you had even had that possibility, you'd have had the slight reassurance that the bank person could have checked your account him or herself while you sat there. I think that's the biggest surprise about Santander's behaviour in this case, and maybe once you are sorted it is worth taking it up with them, and perhaps Which and Martyn Lewis.
Honestly. Just change all your passwords and don't use the same password twice for anything. Use password phrases instead of one word and make them at least 10 characters. You could spend ages racking your brains and never get to the answer. Just be mindful of what data you give and where. Don't use your mother's real maiden name, never put first cars, pets or attach to any school groups on Facebook. If you can help it don't use Facebook at all. Find your porno name or any other things like that, never use. Don't open any emails you aren't expecting, especially those with attachments or links. Never connect to free wifi. Never put passwords on any site using http. Use online statements only. Be careful with free newsletters or subscriptions on low budget sites, use that password and email combo there and if it's compromised it can be used wherever else you have used it. If you are computer savvy at all then look up Kali Linux on YouTube and see what you are up against.
The list goes on. There are sites to check to see if your email address is potentially compromised.
Did you know Mark Zuckerberg was hacked and his password was dadada!
Brilliant advice all over, especially the tip regarding Kali.
I remember working for a company that had pen-testers come in to break our software and generally try and ruin our day. One afternoon we were in a meeting room together and I made a joke about whether they were doing any work or simply chatting, with a smirk one of the chaps asked me to sit next to him. He had a list of all the developers' credentials for various bits of test software, and most worryingly, credentials for a support girl who was accessing live data from a hospital (so, via HTTPS). It was a simple man-in-the-middle attack over our wifi network, which unbeknown to me at the time, HTTPS didn't offer a great deal of security against really.
Awesome tip about HaveIBeenPwned too, I have email alerts for my normal email account but hadn't thought of running my work related one through there! Out of interest I ran an email address from back in about 2005.. makes for sad reading!
Cheers, Prague!
As far as I know NatWest still do, in the end I was leaning towards NatWest but I can't really remember what tipped me over to Santander. From what I gather Metro Bank have a similar ethos - although their personal accounts are also brilliant for getting issues resolved face-to-face with no fuss. (Just a shame the cards don't last long, very flimsy)
I've kept a timeline of all the contact I've had since the initial phone-call, along with dates and times. I may well follow it up afterwards, I think it's worth pointing out that if I do leave Santander it's not a reflection of the individual employees who have been excellent - but rather the pretty frustrating protocol.
Re HaveIBeenPwned, I too got one pwning for my current address, it was because of the big LinkedIn hack. If I understand correctly that ought not to be a problem any more now that I've changed my LinkedIn password. No, I don't use the same password across multiple sites, despite what Uber implied to me. And I am pretty sure I didn't have the same password on LinkedIn and Uber.