UK Banks Dump Credentials in Bin Bags

Posted by CowboyNeal on Sat Oct 28, 2006 11:55 AM
from the airing-the-trash dept.
Plutonite writes "BBC news is reporting that several UK banks face 'unlimited fines' for careless handling of sensitive client information. This apparently came after investigators found account details while rummaging through the trash outside the banks involved. In this age of online banking and related security problems, and in light of this scandal, where can we expect to find the greatest threat of ID theft?"
  • by Anonymous Coward
    I am the real Anonymous Coward. Any other posts by Anonymous Coward in this topic have been made by an ID thief!!
  • by Majik Sheff (930627) on Saturday October 28 2006, @12:00PM (#16623224) Journal
    Frank: Gentlemen, I propose we send a message to tobacco companies by fining the El Dorado Cigarette Company infinity billion dollars!
    Congressman: That's the spirit, Frank! But I think a real number might be more effective.
    • I don't blame the banks for doing this. Paper shredders jam, especially when you try to put angry customers through them.
    • Me: That's the spirit, Congressman! But I think a rational number rounded to two decimal places might be more effective.
      • Re: (Score:1, Funny)

        by Anonymous Coward
        I think a complex number may be more vexing.
  • by Anonymous Coward
    I don't use banks, I hide all my cash underneath my cat's litter box in my parents basement.
    Nobody steals my identity!
    I wish they would... I'm sooooo lonely down here...
    • Sorry, but the conspiracy goes much deeper than that. Your (USD) cash is a fEDERAL rESERVE nOTE; which is what? A private bank. USD only has worth because the fED says so. It's a private bank designed to rob you of your real income.

      So you will have to convert that stash under the litter box to gold if you want to be free from the talons of corrupt banking institutions.

      Believe it.
  • by truthsearch (249536) on Saturday October 28 2006, @12:14PM (#16623360) Homepage Journal
    Many financial institutions' IT departments in the US have no policies for paper shredding. I was always mindful to shred account information, but many of my coworkers were not. No rules were published and I've never heard it brought up as an issue by management.

    You might be wondering why IT staff would have account information on paper. There are a variety of reasons. Periodic statements still go to most customers by paper, and the IT departments are responsible for their automation. A large percentage of people on the business side still like to see reports on paper and often the IT department is responsible for generating them. We are very far from having paperless companies. And in my experience paper disposal policies are largely missing or ignored.
  • by eneville (745111) on Saturday October 28 2006, @12:18PM (#16623382) Homepage
    Time to store all my money under the mattress now.

    It's not really easy to get money out of the banks though. They open after I start work, close before I finish, and they're difficult during the lunch hour. Hell, the only people they're accessible to are bank robbers.
    • You forgot to add that in recent years, they make you enter your own bank transfers into their systems, then happily charge you for the convenience.

      I love banks.
  • It's OK, I saw a whole load of fun data (like copies of client passports, proofs of name and address) being sent from the US to the UK for processing using that well-known data protection technique of a FedEx envelope for the CDRs. The Information Security people hit the roof when they heard and insisted on proper encryption. The point is that neither the business nor the IT people concerned had the foggiest idea that there was a duty of care involved.
    • I've seen almost as bad stuff.

      One of the largest payment processors in the US routinely sends chargeback info as normal mail in large envelopes prominently stamped with their company name (very obvious it's a credit card processor) and some slogan about their payment processing business.

      Inside the envelope you will not only find the basis for the chargeback and the customer name, but you will also find fun things like copies of their statements with the charged back payments highlighted, etc (instead o

    • Re: (Score:1, Interesting)

      by Anonymous Coward
      Your post hits the nail on the head when it says "The information security people hit the roof...". I am currently working at a UK financial institution dealing with live data provided by various third parties. Their governance rules are clear and the infosec team available and helpful, but despite this, when I took over the role, customer data was being sent unencrypted on CDR from site to site. The point is that the teams involved had never been told what their responsibilities were. It may seem obvious t
      • I started off as a nice clean IT person but I've spent far too long on regulatory issues. The "duty of care" may be challengeable in a US bank but the parent is EU based. In any case, there is always reputational risk should there be a compromise.
  • As long as we have stupid people who fail to understand that the information stored on the computer is much more valuable than the computer itself, we'll continue to have people throw away stuff like this, store information on unpatched machines, etc.etc.etc.

    Therefore, don't deal with a company that employs, or outsources to companies who employ stupid people.

    Of course....this is much easier said than done......

  • /usr/bin? (Score:3, Funny)

    by dotslashdot (694478) on Saturday October 28 2006, @12:25PM (#16623428)
    They should not have dumped the files in /usr/bin, but in /dev/null.
  • Maybe they got the idea from the airline industry, who in turn might have gotten it from the USA Dept of homerland security.
  • My father's story... (Score:5, Interesting)

    by IcebergSlim (450399) on Saturday October 28 2006, @12:49PM (#16623616)
    5 or 6 years ago my father came down with cancer, and his wife (now ex) took over the regular task of managing the finances of the household, etc. (This was in Wisconsin.) She also took it upon herself to fraudulently clean out his "Federally Protected" IRA, all of his *non-joint* accounts, filed false tax returns, and then ran up tens of thousands of dollars in debt in his name (hiding the statements and records to keep the game going as long as possible). She even bought a $20,000 diamond ring and a Mercedes for herself -- all while my Father was going through radiation treatment and surgery, etc. Finally, the house of cards came tumbling down, the police were notified, and she admitted everything.

    The result, 5 years later: We found out that the bank had known this fraud was taking place on his accounts (we have one of their internal documents explicitly stating this), yet they covered this up during the discovery process and only gave it to us years later. She's never been arrested nor paid any restitution for what she did, the "Federally Protected" IRA was never reinstated, and a judge in Wisconsin had my father put in jail for refusing to give her his car, which the judge had mistakenly awarded to both of them during the divorce trial. My father sued the bank and has recovered nothing to date.

    Your money is not safe, and no one cares.
    • Meanwhile, here in the UK, I've had transactions on my credit card blocked temporarily as the activity was out of the ordinary. I had to 'phone the provider and confirm that it was indeed legitimate. I also had my card skimmed when I used it at an ATM in France, and was notified of the fact by my bank when they discovered that the machine had been tampered with.

      You've been screwed, and need to seek (better!) legal advice. However, while it's generally true that large corporations don't particularly care abo
  • 1. I know this sounds a little extreme, but maybe the banks are borderline criminal organizations. Thirty-five dollars for a bounced check? Thirty-nine percent interest for a credit card? Some banks are just thieves.

    2. I treat my personal data like it's already on billboards. Obviously the banks don't care about our privacy, so I try to use services where my personal information isn't needed. Using prepaid credit cards instead of a credit line at the bank, or money orders instead of a checking acou

    • Interesting someone should mention that, there's a site that explains why bank charges in the UK are most likely illegal penalty charges and classed as unfair contract terms

      http://www.bankcharges.info/ [bankcharges.info]

      I'm sure UK readers will really enjoy reading the site and sending off those letters to their banks.
    • I'm not aware of prepaid "credit" cards being available in the UK yet. I wish they were, because it would allow me to shop online.
      • Re: (Score:3, Informative)

        You do know you can get debit cards on the VISA network, right?

        I don't know about prepaid, but that's what my bank gave me, and I've never had a situation where it's been rejected online for being a debit card rather than a credit card.

        • Debit cards have an unfortunately bad reputation for NOT returning stolen money. As you already 'paid' the bank, they tend to think anything that happens to it is now fine.

          I once had a total MORON tell me that "No, you don't need to know who we sent this $50 from your account, because we have a signed agreement from you that lets us take money from your account and send it one specific person."

          The fool seemed to think that if I gave authorization for one transfer, it meant I authorized everyone to ta

  • *dons tinfoil hat* (Score:3, Interesting)

    by Stephen Williams (23750) on Saturday October 28 2006, @12:50PM (#16623630) Journal
    Conspiracy theory: the government told them to do it in order to increase identity theft, thus hoping that the public will become more accepting of the national identity register, and more willing to carry biometric ID cards.

    -Stephen
    • Conspiracy theory: the government told them to do it in order to increase identity theft, thus hoping that the public will become more accepting of the national identity register, and more willing to carry biometric ID cards.

      Which would imply the government shows
      1) Joined up thinking
      2) Competence

      That's some whacko theory you've got there
      • Now now, the UK Government is competent at some things.

        Those things being failure, recklessness and brazen stupidity.
  • People that don't care about or don't know how to secure their personal data, institutions run by people with shoddy security practices or that just don't give a damn and all levels of government run by people that seem to refuse to use readily available, inexpensive and reliable security techniques and technology.
  • Oh, they mean trash bags. Those crazy Brits. They should've used Hefty! Hefty! Hefty! instead of wimpy wimpy wimpy.
  • by v1 (525388) on Saturday October 28 2006, @03:29PM (#16624678) Homepage Journal
    A former manager of mine used to be the IT director at a bank. There, when they upgraded computers, they went out to the dump and had a "hard drive party". They removed the hard drives from the computers before tossing them in, disassembled them, beat the platters thoroughly with hammers, then frisbee'd them into the hole and watched them be covered up by the dozer.

    I was under the impression that banks always were anal about destruction of customer records.

    The US Navy has an interesting method also. They have these three-level shredders. The first level does strips. The second level does squares. The third level can best be described as "paper dust"; it's the consistency of fine sawdust. Then they flush that out below decks directly into the water. Good luck getting that back.
  • Sounds like an excellent argument for the Paperless Office. Yeah, that's not a perfect solution, but it could sure put an end to dumpster diving.
  • When I worked at the processing center of a bank, there was one big rule: cash slips (internal documents with no personal info on them that only represent money put into or taken out of vaults) can go in trash, everything else in shred box..... Stupid banks.....
    • Re:Laws (Score:5, Informative)

      by James_Duncan8181 (588316) on Saturday October 28 2006, @12:13PM (#16623350) Homepage
      Actually the Data Protection Act is UK law, and makes these fines possible. We have all the protections that USians on /. frequently wish for. From the relevant Act:

      2.1 Regarding the release of personal data to third parties without specific consent (or publication with the same effect), the assumption is that this is not permitted, except where specific exemptions apply. These exemptions now include:

      - where required by law or statutory instrument;

      - where required to prevent or detect crime;

      - where required to assess or collect tax or duty;

      - release to a third party who is sub-contracted to process the data in a way that meets DPA rules.

      2.2 With regard to subject access rights, the data subject is presumed to be entitled to access all personal data held about her/himself that falls under the scope of the new Act, with the following main exemptions (i.e. cases where the controller of the data may decline to release certain data, but must justify doing so):

      - where disclosure unavoidably identifies a third party;

      - where the data was supplied in confidence e.g. references and similar judgements (but please note that examiners' marks and/or comments cannot be assumed to be exempt from disclosure.)

      What else could you want? The Act allows for both civil and criminal penalties, so the banks may well be in for quite the can of whoopass.
      • What I would love is for people to be able to bring private prosecutions under the Act. Currently the only person who can prosecute is the Information Commissioner, IIRC, and they seem reluctant to do so. If the average Joe could instigate actions then the banks would have no way of controlling this, save from cleaning their act up and not actually screwing up. Since I bank with two of the offenders, I will be making my displeasure with them felt Monday lunchtime, and I won't be taking their offer to discus
        • I suspect you're being a little harsh on Richard Thomas and his team. If you look at the position statements on the ICO's web site, they're generally very reasonable, and the office does take action against organisations that don't respect data protection and freedom of information rules. However, he has stated that to do the job properly, he would need 3x the team he's been given, and unlike most government empire-builders, I'm actually prepared to give him credit for being realistic there.

            • I don't doubt that they are understaffed and overworked, but the simple fact is that there are plenty of cases for abuse of personal information where they simply don't care. They essentially said recently that they will just go after the big guys/cases and the little ones will be left by the wayside due to the staffing problems.

              What would you do in their position? Not going after cases affecting a few people because you only have the resources to pursue cases affecting many people is probably the least o

      • So I take it that the garbage company is not certified under DPA rules? If they were, then release to them would be OK, right?
        • In principle, the law is simple: you can only use personal information about people if they are a) dead or b) give you permission to do so. You then have a duty of care to make sure the data is not stolen, etc; and you have to say to the Data Protection Registrar that you are holding personal data.

          Actually the law is not that simple really, because of the definition of "personal data", and a whole load of exceptions. Plus there's some other stuff about direct marketing and stuff.

          Wikipedia:
          http://en.wikipedia [wikipedia.org]
      • >>> ... so the banks may well be in for quite the can of whoopass.

        Or not. Just look at what the water regulators have done to the water companies that allow their pipes to leak so much that they have to impose hosepipe bans and standpipes in some places ... fined them a tiny percentage of their profits.

        A reasonable sum to hurt a bank and make them be careful is going to be about 10% of their profits : 25 million or so for Barclays highstreet banking I gather (http://news.independent.co.uk/business/
      • Actually the Data Protection Act is UK law, and makes these fines possible. We have all the protections that USians on /. frequently wish for. From the relevant Act:

        I don't need to be able to quote law to notice that the only businesses in my neighborhood that don't have outdoor trash collection are the banks. Anyone with common sense would avoid a bank that had dumpsters. This isn't a new thing, I'm almost 50, and I've never seen a bank that set its trash outside. Of course, the secure trash truck, I'm

    • The first line of the summary says that they "face 'unlimited fines'" - doesn't that imply to you that there are laws dealing with this in the UK?
    • by truthsearch (249536) on Saturday October 28 2006, @12:19PM (#16623396) Homepage Journal
      Most corporate Windows machines are behind firewalls. They're not perfect, but they're pretty good. Windows servers are almost always set up behind even more strict firewalls. Ideally servers exposed to the internet are on a different network segment than the internal servers containing even more data.

      The greatest threat to ID theft has always been humans. The vast majority of security breaches are from social engineering.
    • Re: (Score:3, Insightful)

      Oh these Microsoft bastards!
      If they never existed people would never throw away printed plain-text passwords, never stick access codes on post-it notes to their monitor, and everyone would be immune to social engineering.
      • Okay, why does this get an Interesting-Rating?

        As if it was Microsoft's fault that managers came up with the idea that passwords were the culprit in our security problems. Sure, some users have quite weak passwords. That's sub-optimal. But when you make them use like 8 digit passwords with letters, special characters and at least one capital letter they will immediately start writing them down. Especially when they have to change it every month.

        Happened in my company. Why? Because there's data from the itali
        • But when you make them use like 8 digit passwords with letters, special characters and at least one capital letter they will immediately start writing them down.

          Requiring special characters, capital letters and such just makes the keyspace smaller and makes it easier to do a brute-force attack on a password. The only somewhat sensible requirement in there is a minimum length.
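The two comments above argue about composition rules versus length. The numbers can be checked. The following is an added example, not from any commenter on this page: it counts the keyspace of an 8-character password over the 95 printable ASCII characters, under a policy that demands at least one lower-case letter, upper-case letter, digit and special character (counted by inclusion-exclusion over the classes a string omits), and under plain lower-case-only policies at lengths 8 and 12. The split of the 95 characters into classes of 26/26/10/33 is an assumption of the example, as is the choice of policies compared.

```python
from itertools import combinations
from math import log2

# Assumed split of the 95 printable ASCII characters into the four classes
# that composition policies usually name (example assumption, not from the page).
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "special": 33}


def keyspace_with_required_classes(length, required, class_sizes=CLASSES):
    """Number of strings of `length` over the union of `class_sizes` that
    contain at least one character from every class in `required`.

    Inclusion-exclusion: start from all strings, subtract those missing any
    one required class, add back those missing any two, and so on. With
    `required` empty this is simply alphabet ** length.
    """
    alphabet = sum(class_sizes.values())
    required = list(required)
    total = 0
    for k in range(len(required) + 1):
        for omitted in combinations(required, k):
            remaining = alphabet - sum(class_sizes[c] for c in omitted)
            total += (-1) ** k * remaining ** length
    return total


def keyspace_single_class(length, size=26):
    """Strings drawn from one class only, e.g. all-lower-case passwords."""
    return size ** length


def bits(count):
    """Keyspace expressed as bits of brute-force work."""
    return log2(count) if count > 0 else float("-inf")


def compare_policies(length=8):
    """Return {policy name: (count, bits)} for the policies debated above."""
    policies = {
        f"any printable ASCII, length {length}":
            keyspace_with_required_classes(length, []),
        f"all four classes required, length {length}":
            keyspace_with_required_classes(length, CLASSES),
        f"lowercase only, length {length}":
            keyspace_single_class(length),
        f"lowercase only, length {length + 4}":
            keyspace_single_class(length + 4),
    }
    return {name: (n, round(bits(n), 1)) for name, n in policies.items()}


if __name__ == "__main__":
    for name, (count, b) in compare_policies().items():
        print(f"{name:45s} {count:>22,d}  {b:5.1f} bits")
```

Run as a script it prints the four counts with their bit equivalents. The composition rule does shrink the 8-character space relative to the unconstrained one, since the constrained strings are a subset of it, but only by a small fraction; adding four lower-case characters (26^12 versus 26^8) adds far more work for an attacker than the composition rule removes, which is the sense in which a minimum length is the requirement that actually buys entropy.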