MBNA - Massive security breach

That's unbelievable. The card issuer should never be able to tell you your PIN, no matter how sure they are of your identity. The systems should only hold it in a hashed state - you can request a reset and the system will then print it on to fancy paper, in most outfits, onto specific printers only in secure areas. There simply isn't a way to display your PIN in most set-ups.
 
Egg will display your pin on screen over the internet given sufficient 'security' data ...

So what is sufficient security detail? MBNA obviously thinks that it is the date of birth and the 3 digit code on the card. Great.

But seriously, the issue they tried to explain to me was the sheer number of people who went on holiday and forgot their pin numbers. This apparently addresses that. That is a sad reflection on some of their card holders. They also said it was a commercial decision and they would pay any fraudulent usage.

Asked if they would compensate me for defrauding of my Barclays current account as a result of their actions (for their commercial benefit) they said NO.
 
No, absolutely no other info other than Date of Birth and the 3 digit number on the reverse. This could have been rung to any phone - not one registered to the owner.

How would anyone other than yourself know the 3-digit number on the reverse?

EDIT > Oh, and the person who had stolen the card of course :o

- W
 
How would anyone other than yourself know the 3-digit number on the reverse?

EDIT > Oh, and the person who had stolen the card of course :o

- W

Hi! I saw your pre edit reply! I would be surprised if the average pick pocket in Rome was not totally aware of this little money earner from MBNA. We got done over in Rome 3 years ago. Because SWMBO and I both have 2 cards on each account - MBNA, COOP, BARCLAYs debit, we had to cancel the whole lot not just the ones in my wallet. This left us in a difficult situation but at least it meant that she could not go shopping.

Hence now we only carry one of each in mine and hers, so at least one will work, and on the boat, the spare ones go into the safe - a standard £40 chub job along with passports etc. (just don't install it near the fluxgate autopilot compass!)
 
How many of you use the same username and password for your online access? Facebook, Linkedin, YBW forums and in some cases online banking or share dealing sites?

Now consider that someone sets up a perfectly legitimate website and you register for it. By using your registered password it is entirely feasible that those details could be tried against a whole swathe of online sites.

Scary isn't it!
 
How many of you use the same username and password for your online access? Facebook, Linkedin, YBW forums and in some cases online banking or share dealing sites?

Now consider that someone sets up a perfectly legitimate website and you register for it. By using your registered password it is entirely feasible that those details could be tried against a whole swathe of online sites.

Scary isn't it!

This is another version of the Prejudice debate in the Lounge. What we need to do is take care but don't get paranoid.
 
So what is sufficient security detail?
IIRC it is Full name, password, DOB, postcode, mother's maiden name - so quite a bit although all but 1 piece of information is not exactly secret!
Just requiring DOB is ludicrous - that information is "required" by some websites before you can make a purchase - at which point they have all they need to obtain your Pin number.
 
How many of you use the same username and password for your online access? Facebook, Linkedin, YBW forums and in some cases online banking or share dealing sites?

Now consider that someone sets up a perfectly legitimate website and you register for it. By using your registered password it is entirely feasible that those details could be tried against a whole swathe of online sites.

Scary isn't it!

That's why I like Barclays Bank's security with the card reader which generates the 8 digit number. HOWEVER that requires my Pin number, so MBNA would have exposed that.

If my house was burgled (say I was out for a walk), my laptop was on, and my wallet was on my desk, and my Barclays widget was there (or they had one), they could clean out my current account - up to my overdraft limit. Thanks MBNA! Better remember to "lock" my laptop whenever I leave it.

Luckily my deposit accounts have a different access method, not as good but significantly different.

I take your point about common logins. All, with a few exceptions, are email addresses. For any that have money involved, I have a different password, but otherwise they are all the same. Sites like Amazon, which hold your card details, are frankly a big worry, especially over an unsecured wifi connection, and I keep deleting them off after every transaction.
 
"We got done over in Rome 3 years ago"


Haven't we all - 5 years ago in our case! Fortunately insurance helped.
The Roman fuzz were amazed when I suggested they have stool pigeons on that particular bus route.

I cancelled my MBNA card, so they send me new ones and one for my daughter that have never ever been requested - I just cut them up on receipt.
 
Chris - Perhaps you should seriously consider having different Pins for different cards/people.
You've been given suggestions on how to make them up and remember them.
At the very least you should now have a different pin for MBNA ...
 
Chris - Perhaps you should seriously consider having different Pins for different cards/people.
You've been given suggestions on how to make them up and remember them.
At the very least you should now have a different pin for MBNA ...

Already done that but have closed the MBNA accounts. That level of risk is unacceptable even if just on misuse of MBNA, especially when abroad and unable to argue with them. Lots of cases where they have refused payment when a pin has been used.
 
Now consider that someone sets up a perfectly legitimate website and you register for it. By using your registered password it is entirely feasible that those details could be tried against a whole swathe of online sites.

I know someone who did exactly that when he was at school. He created a site a little bit like a primitive Facebook (before Facebook existed) for his fellow pupils. As well as the hashed password column for proper logins as one would expect, he also had a column in the clear purely for his own interest in what people used as passwords. I believe in a couple of cases he logged into Hotmail accounts with them. It's very very easy to do if passwords are shared between accounts.

Sites like Amazon, which hold your card details are frankly a big worry especially over an unsecured wifi connection

The communication between your browser and the site should be protected by SSL if it's carrying card details. Some small business sites might have loopholes, but I would trust Amazon to get this stuff right. So people sniffing the wifi network should be a non-issue.

I keep deleting them off after every transaction.

Doesn't that just mean you have to continually retransmit them, increasing your exposure to sniffing?

Pete
 
Pete,

Quote:
Originally Posted by Chris_Robb
I keep deleting them off after every transaction.
Doesn't that just mean you have to continually retransmit them, increasing your exposure to sniffing?

I take your point on that, especially if one is on an open network. Trouble is that Amazon's security is just a straightforward password typed in. I understood that that was not very clever. Once through that they would have access to my credit cards to buy anything, they don't restrict you to your address either.
 