Egg Money warning

[Rik]

The Telegraph reports that:

Bank customers who use popular online budgeting tools may be left high and dry if their accounts are emptied by fraudsters.

The tools, such as Egg Money, lovemoney.com and First Direct's Internet Plus service, require users to input their bank passwords to keep track of balances on all their accounts and make sure that they are not overdrawn.

These sites, known as aggregator services, have become increasingly popular with savers who are trying to make the most of their money in a low-interest rate environment by moving it around. Similar services are also being developed as 'apps' on customers' mobile phones.

However, several banks have now made it clear in their terms and conditions that customers would not be compensated if they are victims of fraud while using these sites.

A spokesman for Barclays said that customers would not be covered by the bank's online fraud guarantee, which ordinarily means that if the customer falls victim to online fraud on their account the loss will be covered.

"It's not for us to answer the question on whether these types of sites are safe, as we don't run any aggregator services," the spokesman said. "Some customers who may wish to use an account aggregation service need to be satisfied that they are receiving the same level of protection for their money as Barclays offers. Since Barclays has no control of these sites we are unable to provide our online fraud guarantee to customers who use these services."

NatWest has a similar clause in its terms and conditions. It states that "if you pass on your security details to an account aggregation service provider, you will be in breach of your terms and conditions and may be liable for any unauthorised transactions".

I can't say I'm surprised, I certainly wouldn't use one of these services.

[Simon]

Me neither.  I don't even access banking without a wired connection. 

[Rik]

Same here, or at least my own dongle.

[Simon]

I certainly wouldn't trust a phone to access secure sites.

[Bill]

Me neither.  I don't even access banking without a wired connection. 

I don't mind using a wireless connection... but for no longer than necessary, and mine is pretty well screwed down!

[Rik]

I think Simon was thinking more of phones and free wi fi, Bill.

[Bill]

I think Simon was thinking more of phones and free wi fi, Bill.

So no calling the bank on a DECT phone... I don't know what Simon has got, but that would be tricky here

[Rik]

 

What's a phone call?

[Simon]

I was thinking of phones, and free wifi, but I do usually do my banking on the main wired PC at home too. 

[Simon]

I've also often wondered how secure it is, tapping your credit card or bank account number into a phone, when you need to call them?

[kinmel]

We discussed this very problem 2 years ago

[Simon]

What did we decide?

[Rik]

Alan was sceptical, Seb was happy, the rest of us were more concerned with financial programs.

[Rik]

We discussed this very problem 2 years ago

Good memory, Alan. 

[Bill]

Good memory, Alan. 

I hate posters with a good memory 

[kinmel]

I hate posters with a good memory 

I never forget anything unimportant and never remember the important bits, Pat claims it's deliberate 

[Simon]

I'm just surprised the outcome wasn't who made the best sausages. 

[Rik]

It was pre-DR, Simon.

[Simon]

It wasn't pre-food discussions though, was it? 

[Rik]

Almost.

[pctech]

Most of these services use Microsoft's ActiveX technology so the credentials are stored on your PC so if its compromised and the encryption is broken, you've had it.

I did ask about the FD one when I joined hoping they'd say it was all done server side but alas no.

Best avoided.

[Rik]

I'm with you, Mitch.

[Technical Ben]

Sorry Rik. The news story is far to ambiguous to make a decision. What are they talking about or complaining about? Online banking? Terms and conditions? Fraud?
Lets get a few facts straight.
All banks will cover you for fraud as long as you keep your details safe and do the best to avoid fraud. This would include using security and virus scanner software if using online banking.
All banks will have secure online banking. Including their own mobile banking.
Terms and conditions will not cover you if you give out your password and login details.

However, if you enter your account details and numbers and passwords in another website, then no, the bank will not be happy.
Why not just enter the amounts your saving etc, no need for account numbers.

[Rik]

Aren't you agreeing with the story, Ben? Essentially, if you register your login details with a third party, you won't be covered in the event of fraud.

[pctech]

There is an American service called Mint (nothing to do with the RBS credit card) that aggregates these details but it is all done on heavily encrypted servers on a firewalled network which sounds like a better idea if you really want to use a service such as this.

Not sure if its available over here yet.

I would prob use the FD one if it was server side and had proper guarantees, there is no real reason why it cant be done, I just think the banks want to offer the service but want a get out of 'oh your AV or firewall wasn't up to date'

Bit like chip and PIN really, our banks are so tight that at least initially they wouldn't pay the extra for credit and debit cards that supported encryption on the data path between the chip and the reader so the PIN was sent in the clear.