SLA
Boy, back when I was an Incident Manager, I'd have killed for a six month + SLA on such a major incident!
The Royal Bank of Scotland and NatWest have issued customers with replacement cards as a result of last year’s Ticketmaster breach that hit around 40,000 Brits. The banks said on social media they were swapping out the plastic used by punters on Ticketmaster's website as part of efforts to ensure “significant levels of …
Vendors that 'lose' their customers' details should have to foot the bill for card replacements and any incurred losses in my mind.
Currently there isn't even a real slap on the hand for absolute carelessness handling card details.
They just don't care since there are no real consequences.
Vendors that 'lose' their customers' details should have to foot the bill for card replacements and any incurred losses in my mind.
What persuades you that Ticketmaster haven't had to pony up? I suspect the "early responders" didn't worry about who was paying, but prioritised their customers and their own security. Bottom dwellers like RBS and NatWest, well, I'd expect they only acted after they'd managed to ensure that Ticketmaster were paying, and that is why the delay.
Outside of the third world, RBS always has been amongst the most disreputable banks in the world. Fred the Shred should have been put in concrete wellies and thrown into the Firth of Clyde, in front of a partying audience.
Indeed, they may well be getting a less favourable transaction fee now. Unfortunately we’ll end up paying it in “booking fees”.
(In my case it was my Amex card number that got stolen, but it only came to light after the subsequent BA incident. I haven’t flown with BA in years but it seems someone started testing the numbers they had to see which were still working... it’s good to get alerts on card transactions!)
A couple of months after I’d phoned and asked if it needed changing due to Ticketmaster and British Airways. “Not at all” they said.
Then they did it without warning, meaning repeat payments screwed up. Typical. Except PayPal somehow managed to get the new card number without me needing to tell them...
The first I heard of it was when I received one of those net promoter score surveys from their security team without having called them in the first place.
Cue twenty minutes on the phone between three departments before I found out this reason.
What made it worse was that my card ran out at the end of this month anyway.
Last year I was unfortunate enough to be caught up in the NewEgg shopping cart malware issue... Apart from a couple of notifications I received from them, along the lines of "Hey! Guess What? We've been hacked! Fancy that...", I've seen or heard nothing from them.
However, I did immediately call my bank (Bank of Scotland) and demand a replacement card for the one used on the NewEgg site. At first they did their best to talk me out of replacing my existing plastic, suggesting that I could just keep an eye on transactions and call them if I saw anything suspicious. At that point I suggested that if they didn't want to send me a new card, pronto, I would happily cancel my card account there and then. Funny old thing, they changed their mind...
During that process (it was, for me, the first time I've been involved in a potential loss of my card details), I made careful notes of all the places I had to contact (those I remembered on the day and those that were identified during the subsequent sweep-up) to change my details. I now have that list, which I can re-use when needed.
The reason my bank tried to talk me out of getting a new card was because it costs them to do so. If you are involved in anything like this, DEMAND an immediate replacement of your card. No bank can reasonably refuse - and you should not be doing business with one that tried to refuse you. The reason is simple - the more of us that demand that banks do this, the greater the expense to the banks from having to. It's only when the cost of having to continually re-issue cards reaches a point of irritation that banks will actually bother to do anything about it.
For example, for those with smartphones [such as those with smartphone banking apps] there is no technological reason that your bank could not include, with your mobile banking app, a piece of software that generated a one-time pad that could be used with all card purchases, among retailers who supported that use... This would mean that instead of using a fixed 3-digit CV2, the number could be 4, 6, or 8 digits and would change with every transaction... This one change is not in itself a cure-all (your phone can still be stolen or lost) but it makes it incrementally harder for criminals. For non-smartphone users, banks could issue hardware tokens...
The cold hard truth is that card fraud hasn't yet reached the level where it's hurting the banks. Until it does, we won't get a more secure solution. If, by demanding our rights, we can accelerate that process, we stand to benefit through (significantly) reduced risk of being defrauded or inconvenienced if we're unfortunate and have our card details compromised.
Hit them where it hurts - and they will do something about it.