Thursday, 29 September 2016

Bloody Banks @BarclaysUK

Earlier this week Barclays blocked my debit card. You wonder what horribly suspicious activity prompted this? Well, I had the audacity to try and top up my Monzo card! I have been frequently topping up my Monzo card since I got it in April, indeed, that is almost all I have done with my Barclays card since then (except Costco, who don't yet take Monzo). And yes, I had done so a few times since the name change. How the hell was that suspicious?

Then they texted me saying they would text from some short code number and ask me to reply. Well, sorry, but I can't text short codes. Eventually, much later in the day I got a call and had to go through DTMF hell to convince them the transaction was fine. Pain in the arse.

Today however I noticed I was mysteriously £13k overdrawn! I had checked earlier today and was fine, so something was up and I had caught it within hours. The phone app and on-line banking did not say why.


I went in to the branch and asked, and they could see that some Danish Auction house had authorised over £13k as a "recurring transaction".

We used to do cards for broadband some years ago, so I have some clue on the retail side of this, and as I recall, a recurring transaction only needs the card number, not the expiry to CVV code. This is so that regular card transactions don't fail on renewal of the card itself.

This is clearly suspicious. For a start, why would an auction house need to charge on a "recurring transaction" basis at all, and also why would anyone charge so much on a "recurring transaction" basis anywhere. Had I used the card number, expiry, CVV, and verified by visa for an on-line purchase, then fine - I would not want it blocked - but this was not me!

It was not an on-line transaction, it was a "recurring transaction" (so just card number), to a foreign company that has never ever charged my card before, and for a large amount.

What twisted logic do the banks use that does not make that suspicious?

Then more issues - I am told that they cannot do anything until it appears on my statement. Well, I have told a Barclays representative that the transaction was not me - really that is all I should have to do. It is not me that has been defrauded here, it is the bank. I am just a bystander here and I have done my bit. However, they are insisting that I spend yet more of my time contacting them again once it appears on the statement.

Moreover, when it was the Monzo card I was able to answer their questions that day, and so presumably could have reported the transaction as fraudulent. So why can I not do so for this one?

As a retailer I would want to know right away, so why not allow me to report this now so they can be told?

I am not 100% sure what was asked by the person on the phone (that the bank tellers was talking to) but I suspect they wanted me to put money in the account to cover this. She had clearly got a good impression of my annoyance and explained that I would not be prepared to do that. Bloody cheek.

Then she cancelled my card. This seems pointless if all that was used is my card number. My new card is as likely to be abused in this way to defraud the bank as much as this one. I have not lost the card, which is what she reported it as (so she made a fraudulent statement to her own bank!). Indeed, if someone wanted to have a go at me, they could just work out my next card number but as a recurring transaction they may not even have to do that for it to go through in just the same way.

So cancelling my card just causes me more inconvenience.

P.S. The Danish auction house are actually engaging with me more than my own bank!

P.P.S. In an effort to be constructive, after a lot of disagreement with Barclays on twitter today. What I think should happen is simple. I should (a) be able to see what is authorised but not yet on statement on app and web site; (b) I should be able to select and say "not me", perhaps with some dire warnings of being really sure and perhaps depending on levels of checks (e.g. chip&pin used?); (c) that should be the end of it as far a sI am concerned. I appreciate that Barclays may have to follow established rules on how to handle the issue, and dispute via Visa/Mastercard, and so on. But basically, that should all be hidden from me - not impacting my balance and not even shown on my statement. Only if merchant comes back with evidence it was really me should the bank ever need to contact me on the matter again. This could be done - the bank could do this all internally with no change to their processes when dealing with merchants or card processors. If people claim transactions are not them when they turn out to be, maybe the system then holds their balance at authorised until resolved in future as a black mark, but generally, the above system would be ideal. I could even live with there being an admin fee if I mistakenly claimed a transaction was not me.

Update: 1st October

The auction house cannot work it out - it was in DKK so not sure exact amount, and nothing with a card ending with the digits on my card. Odd. They did thank me for letting them know.

Has shown on my statement finally, and so I am on to Barclays now.

I am still on call with Barclays, and it has disappeared off my statement now - good job I took a screen shot. I did not know they were allowed to make statement items vanish like that - I would have expected a credit to appear to cancel it. That surely has to be bad banking practice to do that. Oh, and it has re-appeared!

Interesting, it was my old card used, not this one! A card that is invalid.

So they have admitted that it was a mistake but still want me to faff with a "claim". I have explained on my recorded call that I will do so for my consultancy fee as I am helping them out where they have been defrauded.

But let's be clear here - a frequent top up to Monzo is flagged as suspicious, but a "recurring transaction"; from somewhere I have never purchased before; for a large amount; from a foreign merchant; using an invalid old card number; is just authorised with no problem. To be clear here, this was not just a transaction that was submitted without authorisation - it was authorised by the bank. Somehow that is not suspicious.

Update: 5th October

They have credited the charge at last. Paperwork just arrived - talks of experiencing fraud being worrying, and discusses "my claim".

They want me to declare "I confirm that at no time has the above numbered card been out of my possession". Well, no - it was out of my possession before I got it, and after I shredded it. Grrr.

Wow, Barclays actually retweeted my criticism of them!


  1. Banks infuriate me regularly, blocking my debit card because I buy tech.. which I do regularly. And quite often blocking it on Friday and leaving me to find out when I can't do the shopping on Saturday. It doesn't suprise me at all they also completely miss genuine fraudulent charges.

    Mondo I've seen mentioned before, but it seems to be just a prepay card with a £100 minimum balance, which isn't for me (I've been looking for a bank sufficiently tech savvy that *if* they think something is fishy I just get a notification on my phone, click 'yes I'm OK with that' and the problem goes away. This mess of chasing call centres in mumbai is really wearing).

    1. Main reason for Mondo for me is the app - I get notified of any authorisation with details instantly on my phone, and so the chance of fraud is almost zero - I can be on to Mondo about it in seconds. Eventually they should have more banking features, and they have an API (which I have tried), so it will allow much more.

    2. Monzo do currently offer just a pre-paid Mastercard solution which you do need to initially top-up with £100 (you do not need to maintain a minimum balance and future top ups can, IIRC, be between £5 and £30k). Any transactions made show up on your iOS (and, as of today, officially Android) within seconds and you can freeze your card if you've mislaid it. Their support (when a card has been misused) has been excellent for my wife and a new card arrived within 2 days [live chat in application - ideal for my hard of hearing wife - and UK support]

      The click "yes, I'm ok with a transaction" idea has been mooted on the Monzo forums before, but Monzo have stated that under the card issuer agreements they've got to respond to all transaction requests within ~200ms - so a manual query isn't possible.

      However, they have just got their provisional banking licence and are hoping to start trailing a full banking solution early next year so hopefully it'll be the bank we need for the 21st century. [I am a small investor in Monzo, but this is all personal comments]

  2. Barclays have the worst phone customer service I've experienced over the course of years. Also one of the most complacent over fraud. (Of which I investigate and report a lot of).

    NatWest and HSBC have been great when reporting fraud. HSBC are the absolute best, on my first call to them I was given the direct number to the UK based department that deals with FasterPayment fraud.

    1. One's experience can vary here. I use my HSBC credit card only for long-term recurring transactions now, because almost any non-recurring transaction causes a spurious fraud hold. I mean, a few years back these guys blocked my card when my conveyancers they tried to take their fee -- because UK lawyers pulling money out of your bank account at the same time as a bunch of estate-agent-related transactions is deeply suspicious and must be fraud! But, similarly to this case, a few years before that they failed to notice a recurring transaction from a German gambling house which I noticed because the fraudsters had to give them my address too (as the billing address) and the gambling house sent a bunch of promotional welcome bumf to me via international post!

  3. Barclays cards now have randomly selected numbers, rather than just changing the last few digits, so predictability should not be an issue.

    1. Really, even do, a recurring transaction make work on the previous card number, and anyway, if it was only on card number, it can be picked at random and changed.

    2. Sure, it's a ridiculous situation.

      My rather terse comment is a result of typing it three times, first losing it by clicking the rather too prominent 'Sign Out' button, and then due to multiple google accounts & OneLogin & Google+ redirects.

  4. Barclays cannot get it into their heads that they should consider whether a transaction is regular as a factor in the fraud risk algorithm. Late one night last week I (genuinely) paid $75 to a domain registrar I'd never used before in mid-west USA. In the morning Microsoft presented the monthly Office 365 subscription that's being going out for about the same amount on about the same day of the month for over two years.

    No prizes for guessing which one Barclays blocked as suspicious.

    1. I had something similar with Halifax.

      Bought an iphone and a PayG SIM. Guess which one was blocked.

      Either they're both suspicious (so they should have blocked the iphone purchase, which I might have thought was reasonable as it was a big chunk of money) or buying a phone and SIM is not suspicious at all. The bank wanted it both ways.

    2. This, a thousand times this!!

      Amex regularly block recurring transactions on my card as being suspicious, even though they have been processed on the same day each month for the same amount, regularly for years.

  5. I have Monzo and I keep it frozen until I'm about to use it.

    Barclays need to sort out their anti fraud protection, I recently had some scum report my mobile stolen to Three and then they started calling Barclays telephone banking trying to guess transactions on my account to pass their security questions. Eventually after a lot of calls they got in. They then moved money from ISA/Savings/overdrafts etc and requested loans. They then activated Apple Pay over the phone and went spending.

    They then spent over £42'000 in 22 transactions in two London Apple stores and neither Barclays or the stores found anything suspicious. I should add every attempt to buy a new iPhone with my debit card has always been blocked.

    When I finally found out it took hours on the phone to get someone that could help and then they too said the transcations had to be paid before the could be disputed. They did very promptly give me a temporary credit of the missing money but it then took 3 months for them to investigate and make that permanent.

    Luckily only one direct debit was affected and that typically was to the council.

    One thing that really annoys me is when I order a parcel and the vendor puts my mobile number on the shipping label, its one more piece of information these scam can learn about you and I'm pretty sure the shipping companies don't need it on the label.

    1. Many companies have begun asking for it due to issues and complaints following failed or incorrect deliveries. Most often it's just optional though. Mostly it's for more difficult addresses out in the sticks, Ireland, Scotland etc

  6. Since you hit a nerve I'll offload...

    I banked with Lloyds TSB and around 2010 had an experience I wouldn't like to repeat.

    I initially noticed that my cards were being declined so contacted telephone banking and was told that I was failing the security questions so was not able to discuss the issue or place any stops/notices on the account.

    So into a branch with my passport and bank statements. After an hour of pointless arguing which escalated to refusing to speak very quietly or leave the premises I was eventually informed that in a *single phone call* somebody has successfully requested to update my mobile number (so no notifications), change my address, reissue my cards AND their pins and update the security questions on my account. They were unable to say whether this was against their internal policies and whether they considered the operator at fault. So I had the information corrected and the cards cancelled meaning that it would take another full week for new cards and pins to arrive.

    Regularly checked online banking afterwards and around midnight the following day noticed that my address was showing as the same fraudulent one previously set. Rang online banking... and failed the security checks. Eventually convinced them that I was who I said I was (after they read the notes on my account) and was informed that the very same thing had happened again - different operator. Into the branch to get the data corrected and we agreed to "disable telephone banking" since I rarely used it.

    Expecting things to be resolved it was disappointing that two days later the exact same thing happened again (third time in less than a week). It turns out that "disable telephone banking" merely meant to remove your memorable numbers from the security setting so they authenticate you by what you know instead. So even less secure since at least getting the memorable numbers wrong and falling through to what you know is grounds for suspicion - or so you would think.

    Lloyds were unable to decline to serve a person by telephone and agreed that they were unable to protect my account from the same thing happening so we parted company.

  7. Revk,
    Have u looked at Amex charge cards ?
    I have only great cutomer experience with them, and their only drawback is they are not accepted universally ( however acceptance is growing )

    Their app on ios is doing instant notifications on charges, u can see pendings, and its a charge card, so you settle when you get the statement

    1. I've always had great customer service from Amex - including pending transactions, which they notify me of immediately. (I once had a duplicated transaction: WHSmith POS crashed at just the wrong time, leaving a transaction "pending" instead of backing it out at the time. Apparently, those transactions really can't just be killed in that state: it got backed out automatically the next night, and if it hadn't, then it could have been reversed.)

      Barclaycard (probably a different team to Barclays debit?) did catch a dodgy transaction (I'd been wondering why that waitress asked my postcode after buying lunch the previous day...) and reverse it promptly - as well as wrongly flagging a legitimate transaction ("duplicate" - two same-value purchases from one website) and quickly approving it when contacted.

      Presumably, the backdoor here is that even an expired card number would still work for "recurring" transactions - so perhaps the auction house were paid by someone using an old card number of yours, rather than the current one? (Now you have the date, exact DKK amount and the fact it's a Barclays Visa Debit - probably 4304, 4539 or 4568/9? - they should be able to find it - plus, of course, when the transaction dispute lands, they'll get told the transaction ID.)

      The worst, though? Bank of Scotland - I asked in branch for a statement of interest for that year, and was told it had to be posted to me. So a week later, a thick wad of tractor feed arrived, bearing lots and lots of account details - none of them mine. (This was a while ago; I think I took it to the branch, who quietly disposed of it with an embarrassed "oops".)

  8. A few years ago my bank blocked my card for buying a sandwich in the supermarket. The same supermarket I'd bought a sandwich with the same card in almost every day for two years....

    They said it was flagged as suspicious but weren't able to tell me why because of "security".

    It wasn't the reason I changed banks but it was the last straw that made me actually do it.

  9. Sigh, where do I start...

    Your scenario sounds very similar to mine a few years back. In this case it was HSBC.

    I'd had frequent issues with my card being blocked and the usual anti-fraud game with the bank for places I use all the time - for example Amazon.

    Yet one day, someone attempted a transaction with my details in a "white goods" store in Norway. I've never visited that country. I'd never heard of the store. I'd never purchased any white goods come to think of it either. The transaction was for £10,000. My card limit at the time was £5,000. The transaction was authorised.

    A day later, the same store, a further £2,400. Authorised.

    Did I get the usual anti-fraud call? No. Nothing. I contacted the bank when I noticed.

    It took ages to get it sorted, and the bank seemed entirely satisfied that they'd authorised things well over my credit limit, in a foreign country etc

    A few months later, I was in a Pizza Hut in London - very much a last chance saloon for food. No problem. A week after that same place, bang card stopped.

    Despite 2-3 weeks of me working in London and regularly using the card in London.

    After this I went into my local branch once I was home and after the bank holiday that left me cardless for 3 days, kicked up a considerable fuss that left people leaving the branch. A few phone calls later I got a directors *mobile* number, my card had some sort of magic "never block, authorise and ask questions later" thing that seems to exist, and I've never ever ever had my card stopped since in 10+ years.

  10. Great timing.. First Direct just blocked my card.. because my recurring google play music subscription went out.

    Words fail..