The Register®

Biting the hand that feeds IT

Comments on: Clarkson's 'steal my ID' stunt backfires

Public Info 

Posted Monday 7th January 2008 14:37 GMT

Happy

Thoroughly deserved, but still, it's still nothing that's secret... and, of course, if he didn't sign the DD form he'll get the money back.

Mind you, why did his bank not send him the standard "A new DD has been set up, if this is wrong tell us now" letter that you're supposed to get?

Oh dear! 

Posted Monday 7th January 2008 14:42 GMT

Alert

It's refreshing to see that Mr Opinion himself has been stung by his latest stunt - but I respect him more for coming up with an admission he was actually wrong, and has now reversed his initial opinion.

So why can't MPs and PMs do that too??

Clarkson for Prime Minister!

He flew a plane once, and has one in his garden... 

Posted Monday 7th January 2008 14:42 GMT

Joke

I'd trust this man to design the network infrastructure for DreamLiner!

I'm guessing he may well have done...

Bank at fault 

Posted Monday 7th January 2008 14:44 GMT

It's been many years since I worked for a bank, but back then the bank was responsible for verifying the signature on a direct debit mandate was correct. A second check, that the DD looked believable, would probably not have flagged up this one, but under what rational system can the bank accept a DD without corroborated authorisation from the account holder?

And as for the DP act being blamed... rubbish. If it's between the bank and its customer, it's confidential between those two. If it's anyone else, it's fraud, and since when did the DP act protect criminals?

I suggest Clarkson should start poking his bank with a big stick until they explain how it happened.

Clarkson for PM 

Posted Monday 7th January 2008 14:45 GMT

Thumb Up

He may be a little hasty, but he would still get my vote.

Did anyone get those details? 

Posted Monday 7th January 2008 14:52 GMT

I have some respect for the man. He was wrong, admits it and, having learned from his mistake, is quite happy to change his opinion.

Strange mistake to make though. He seems a fairly clever chap, is it not obvious that anyone can use anyone else's bank details to buy stuff? I suppose it's less obvious than using a credit card. I wonder how long it will take for the first credit card application in his name to become active? Or do credit card companies insist on sending cards to the account address?

Also, I wonder if he broke the conditions of his bank account by publishing his details?

HA HA! 

Posted Monday 7th January 2008 14:53 GMT

Coat

/Nelson

Fuss about nothing Mk II 

Posted Monday 7th January 2008 14:55 GMT

Stop

All very amusing, but it is just a prank as direct debit payments are protected in 2 important ways:

1) Direct debits can only be set up for payments to beneficiaries that are approved ‘originators’ of direct debits. In order to be approved, these beneficiaries are subjected to careful vetting procedures – and, once approved, they are required to give indemnity guarantees through their banks.

2) The direct debit guarantee provides for the customer’s bank to refund disputed payments without question, pending further investigation.

So, it's a bit tricky to exploit the direct debit system to actually steal people's money.

Would have been much funnier if they had set up a DD to Friends Of The Earth.

Turns out Clarkson is wrong twice about the same thing - ought to stick to writing about cars and not stuff he doesn't know anything about.

Ha ha. 

Posted Monday 7th January 2008 14:55 GMT

Well it's his own fault for being so foolish but at least he's seen the error of his ways. To be honest, I've always thought the whole "identity theft" thing was scaremongering by the government and media. The child benefit CD balls up really made me concerned though (mainly because I know my details are on it :( )

Fantastic 

Posted Monday 7th January 2008 14:56 GMT

Couldn't have happened to a nicer bloke. Other than that it's just brilliant.

He's done us all a favour 

Posted Monday 7th January 2008 14:57 GMT

Linux

Maybe the "nothing to hide, nothing to fear" brigade might wake up to a few realities now.

UK Direct debits 

Posted Monday 7th January 2008 14:58 GMT

Very unwise of Mr Clarkson. In the UK, direct debits can be set up with minimal information over the phone or online and the bank then think it's your job to sort out any problems.

Still, couldn't happen to a nicer chap....

Banks... 

Posted Monday 7th January 2008 14:59 GMT

This is exactly why I don't trust banks. Knowing an account number, sort code and address should NOT be enough information to do anything other than pay money into an account. Clarkson may have been wrong, but he SHOULD have been right.

Wrong Charity! 

Posted Monday 7th January 2008 14:59 GMT

Happy

I like Clarkson, but whoever did this missed a golden opportunity to make him donate to Greenpeace. Or Friends of the Earth.

Respect 

Posted Monday 7th January 2008 15:01 GMT

Yet again, I have to respect Clarkson. Unlike _any_ politician, he was prepared to stand up, admit his mistake, and adjust his viewpoint accordingly. Show me a politician who can do that!

hahahahaha 

Posted Monday 7th January 2008 15:02 GMT

HAAAHAHAAHAHAHAHAHAHAHHAHAHAHahahahahah ahahahahhahahahahaAHAHAHHAHAHAHAhahh ahahahhahahahahahahahhaa a haahhahahahahahahahahahhahaaaaaa

I seem to remember people saying on the comments that the loss was nothing but twaddle, HAHAHAHAHHAHahahahah ahahhahahahahaahhahaaa hahahahahhahahaha but I think he learnt his lesson, this should stand as a shining example to us all as to just how dangerous data losses can be.

How does the saying go 

Posted Monday 7th January 2008 15:05 GMT

Paris Hilton

A fool and his money

there really is a god... 

Posted Monday 7th January 2008 15:07 GMT

thank you!

On the one hand... 

Posted Monday 7th January 2008 15:09 GMT

...Jezza pulled a stunt and it backfired. Tough luck matey-boy. And I would hope that, even though he might be quietly seething about it, he'll take it on the chin like a good 'un and at least recognise some of the humour in his own misfortune.

However, on the other hand (and in a perfect world), he should have been right. Even if I know your address and bank account details, I _shouldn't_ be able to draw money out of your account. On a normal direct debit form (i.e. a bit of paper), you would normally need a signature and that should be checked before any debit is allowed to be drawn. Having looked at the Diabetes UK website, it does appear to have an online DD donation page, so it raises the question of what checks should (or can) be carried out to prevent someone signing someone else up for direct debit payments.

After all, if I've ever received a cheque from you, I'll probably know your sort code and account number (for most UK banks anyway). Alternatively, if you have paid me electronically by BACS (for example), I can probably get the info somehow (might have to dig a bit and step over legal lines to get it, but hey, if I'm planning on emptying someone else's bank account for fun and profit, I'm not going to be too worried about that am I?) As for your address, there's a gazillion legal ways to find that out. And all of that is before we get to dumpster diving, mail interception and any of half a dozen illegal ways to find things out.

So, while the whole thing is worth a chuckle or two at Jezza's expense, it does seem to highlight an interesting issue in the handling of certain types of bank transaction in the online world (even if not in real life).

Data Protection Act? 

Posted Monday 7th January 2008 15:11 GMT

> The bank cannot find out who did this because of the Data Protection Act

Would anyone like to hypothesize what he might mean by that?

It looks as if an offence has been committed. If the bank has (e.g.) a log of the IP address from which an online-banking request came, they can surely pass it on to the police.

BWWAHAAHAAAAAA 

Posted Monday 7th January 2008 15:11 GMT

Paris Hilton

WHEEEEEE Well done Jeremy!

If I was stupid enough to read the Sun I would have emptied his account and given the money to some really annoying charity, like the PDSA, still, good show Anon. Fraudster.

At least J.C. can admit he's a complete tit, he's not a bad man, just dumb.

Cocktail sticks are pointless (is that a pun?), these people are blind through idiocy anyway.

Paris icon because even she isn't that dumb.

It's the bank at fault here, not Clarkson 

Posted Monday 7th January 2008 15:13 GMT

Except that Diabetes UK and the bank are at fault here and not Clarkson, as it should be impossible to set up a direct debit without (a) his signature, which matches a copy on file and (b) a letter of confirmation from the originator before the first withdrawal is made.

My bank account details are on every invoice I send out, to allow payment into my account, and--as Clarkson says--it shouldn't matter.

If I were Clarkson here I'd be taking Diabetes UK and the bank to task, if not court, for allowing this to happen.

Every now and then 

Posted Monday 7th January 2008 15:14 GMT

Happy

I think

"ah! there is a god after all..."

Brash, but in self-righteousness and in honesty equally 

Posted Monday 7th January 2008 15:16 GMT

Thumb Up

Whatever you wanna say about Jeremy, he has the balls to put his hands up and admit when he's wrong, he can say stupid things sometimes, mostly off the cuff and no doubt wrote what he did ad-libbing as he went, without checking it out before publishing, but that's just the man in action.

What characterises him the most is how, when things go wrong, he doesn't try to cover it up, or play stupid word games, he simply puts his hands up and admits it.

How many people would like that kind of brashness from our own politicians who caused the mess? But instead all we seem to have is face saving double speak, which gets them out of trouble, but not out of the shit they are in and that we are all in now. I don't even know if my details are included, but I would like to know, anyone know how I could find out?

I was having a conversation with a political science student I live with a couple of weeks ago about politicians and lying, I will share a little with you. Even though it is slightly off topic, we spoke about why politicians lie and why not just do a Clarkson, as I shall forever call it.

The reasoning from him was that politicians are practically forced to spin favourably everything they do/say because if they do not, the opposition will, but negatively. They don't necessarily spin because they like it, but if Labour did a Clarkson, the Conservatives would pull their legs off. So don't expect this level of honesty from anyone who wants to keep their career. Anyone stupid enough to do this would find themselves dumped by their bosses (the PM in this case) because they damaged the party. It is not enough to be honest, you have to support the party, if being honest damages that, you are not permitted to be honest and keep your position, so even though 99% of you would pat the guy on the back, he'd be out of the door in no time and therefore not be in a position to tell the truth about anything interesting in the near future. It is a crap situation to be in, but it is our own fault, because we practically reward political spin, just look at how people vote to figure that one out.

So, Clarkson may be gobby, but he's honest in a way that no politician could be. So don't go expecting any of them to put their hands up and admit to all these data protection breaches anytime soon.

chris

Respect is due 

Posted Monday 7th January 2008 15:17 GMT

Thumb Up

The man put his money where his mouth is, quite literally in this case. How many MPs would do the same?

He stands by and backs up what he believes in. Nice one. Even if it was rather a tosser thing to do.

Oh, and "can't trace the source due to data protection act".. what utter bollocks.

Data Protection? 

Posted Monday 7th January 2008 15:19 GMT

"The bank cannot find out who did this because of the Data Protection Act and they cannot stop it from happening again,"

Tell the bank they can fuck right off. How can the DPA possibly be used to conceal information about bank account use FROM THE AUTHORISED ACCOUNT HOLDER?

My first reaction here would be to freeze ALL transactions on the account (presumably this was an account with minimal funds in... just in case he was wrong) and demand an immediate explanation from the bank as to why the hell they allowed this to happen. If they're unwilling or unable to do that, a series of articles published in the papers about why he's leaving them should embarrass them enough that they'll do something about it.

I like Clarkson, the fact he's willing to admit mistakes straight away like this merely reinforces that. It certainly raises him above any politician.

@Respect 

Posted Monday 7th January 2008 15:20 GMT

Coat

"he was prepared to stand up, admit his mistake, and adjust his viewpoint accordingly"

Yeah, but he went from raving about the insignificance of the problem to raving about the significance of the problem.

Can we for once get a public figure who isn't raving?

Clarkson in doing something useful shocker! 

Posted Monday 7th January 2008 15:22 GMT

Alert

Could this be the first time he has done something useful? There will be people out there who believed him the first time round, people who were unaware of what could be done with what they thought of as innocuous data. These people will be feeling slightly differently now.

I also think he has hit upon a proper punishment for the management level culprits.

Respect? I don't think so.. 

Posted Monday 7th January 2008 15:25 GMT

Thumb Up

You have to respect him for being ridiculously stupid and then being forced to admit he was? lol what choice did he have? 'Yeah I lost £500 but I still stand by my statement that this story is being blown out of all proportion'

The guy is a moron and got what he deserved.

Pranny 

Posted Monday 7th January 2008 15:25 GMT

Pirate

Just to balance the argument.

I hate Clarkson. Even though he makes me laugh, he's a reactionary, arrogant, shouty tit.

Also, because he's a rich car-owning, male WASP with a small mansion in the home counties he *genuinely* believes that he gets it tough.

He doesn't realise that he's top of the pile...

@AC 

Posted Monday 7th January 2008 15:27 GMT

"Also, I wonder if he broke the conditions of his bank account by publishing his details?"

That would seem unlikely, given that they're on every cheque you hand out.

Be careful about feeling smug... 

Posted Monday 7th January 2008 15:29 GMT

For all those feeling smug about how he shouldn't have done what he did...

The only details he gave were those available from the telephone directory and one of his cheques.

Still feeling so safe?

Nice of him to admit to it... 

Posted Monday 7th January 2008 15:37 GMT

And nice of the person to do it to a charity and not themselves.

Delicious! 

Posted Monday 7th January 2008 15:37 GMT

I couldn't contain my glee when I read that. I read it to the entire office and we all had a good giggle about it. Clarkson shoots self in foot... an absolute classic. Serves the gobby motormouth right.

Of course, this is proof that confirms my lack of trust in Direct Debits. I don't have any; I don't trust them as far as I can throw them (and since they can't be thrown, they can't be trusted). And sadly organisations are more and more starting to charge you extra for not using a DD. How I feel about that is another thing altogether.

This is all the more reason to take the government (or indeed any information gatherer) to task over data loss.

Direct Debit 

Posted Monday 7th January 2008 15:40 GMT

Thumb Down

Direct Debit is dangerous.

My bank allowed a large amount of money to be taken from my account by the Student Loans Company a week after I'd given them (in person) a written request to cancel the agreement. When I complained, the bank said they hadn't had my request (I had handed it over in person to avoid incompetence, but I hadn't factored in malice) and that they wouldn't do anything about it - I should talk to the company.

I talked to the company, they refused to refund me (according to their rules, they shouldn't have taken the payment anyway), the bank then charged me lots of money for being overdrawn and kept me in the red for several months afterwards by continuing to charge me for being overdrawn.

Don't believe what it says in the rules - banks will do what they like and there's nothing you can do about it unless you can afford expensive legal representation.

What I like most about this... 

Posted Monday 7th January 2008 15:43 GMT

Paris Hilton

... is that it highlights why morons (politicians) and power hungry gits (politicians) shouldn't talk about matters of security from a position of ignorance - and then put legislation and laws in place based upon their ignorance.

As has been pointed out, at least Clarky had the good sense to see the error of his ways and has subsequently changed his position - alas, none of the scummy politicians in government would ever admit to being wrong about anything, ever!

@AC 

Posted Monday 7th January 2008 15:47 GMT

"That would seem unlikely, given that they're on every cheque you hand out."

And companies typically give out their bank details to their customers - have a look at the back of a utility bill for example, and then wonder why BT etc aren't scared of having their accounts cleared out by fraudsters.

Note to self: Avoid cheques + be ex-directory... 

Posted Monday 7th January 2008 15:54 GMT

That should at least minimise some of the risks... And add being off the public electoral register to that too.

> about feeling smug 

Posted Monday 7th January 2008 15:54 GMT

Exactly so... Every company you've ever bought something from mail order has all those details, and so do their rogue employees...

"Can we for once get a public figure who isn't raving?" 

Posted Monday 7th January 2008 15:57 GMT

Thumb Up

Oh so true +++

@ Data Protection 

Posted Monday 7th January 2008 15:59 GMT

Boffin

I think that the culprit may have been less direct than everyone is thinking. I reckon that it was one of these high street charity workers that have been deployed around the world recently.

The bank knows that the Charity is the recipient of the illegal funds, and has said so, that's the bank done its job. The charity that employs the worker has itself been defrauded, and is a victim also, despite it being the beneficiary of the crime. Hence the charity would not be obliged to hand over the details of the worker that accepted the application form, as this would breach the DPA rights of the original victim (worker).

The details on the application itself may or may not be in the handwriting of the original culprit, and would only contain Clarkson's details anyway.

SNAFU

Signature? No problem 

Posted Monday 7th January 2008 16:00 GMT

Thumb Up

It took me 5 minutes of googling to find Clarkson's signature on an autographed photo. It may not match what his bank has on file, but I bet it's close enough.

Fair enough, but... 

Posted Monday 7th January 2008 16:01 GMT

Happy

Did anyone else notice that the 'Data insecurity/ID theft is nonsense' piece was in the Sun, but the retraction was in the Sunday Times? Am I being a conspiracy theorist?

Also, good choice of charity, if I ever get on the show I will have to get a t-shirt saying "Thanks for the donation!".

What's going on.... 

Posted Monday 7th January 2008 16:02 GMT

What's wrong with the UK banking system? Here on the mainland you have to publish your bank details on every invoice.

Never had any trouble.

Suggest you try a new government.........

What about his BBC matey Jonathon WRoss? 

Posted Monday 7th January 2008 16:04 GMT

Happy

He reckons he's worth several journos salaries, I'm sure he can miss a few quid.

Pillock! 

Posted Monday 7th January 2008 16:10 GMT

Joke

A sort code and account number is not enough. Add the name and address and Robert's your mother's brother!

As others have said 

Posted Monday 7th January 2008 16:12 GMT

He should have been right and the bank screwed up.

With that said, the "fraudsters" weren't much cop either. He's got his date of birth on his website and his mother's maiden name's on Wikipedia. Frankly, just setting up a DD shows a marked lack of ambition....

Signature 

Posted Monday 7th January 2008 16:12 GMT

Coat

Whilst Andrew Warwick is quite right, how hard is it to get ahold of the signature of a famous person? How different will it be from his Autograph? If it's suitably similar you'd just need the preface of his latest book, or a public letter or anything carrying his autograph. Then you need a scanner and an inkjet printer..... When he set up the account it probably wasn't possible to do this, since the scanner/printer would be hard to come by - so would he see the danger in not making them different. As for the letter from the originator - you might need this. But how hard is it to forge and send from a different address?

The first rule of security is that you don't give access to anything that you don't NEED to give access to. Simply because you can't see how something can be used fraudulently, doesn't mean to say nobody else is clever enough to work it out. Paranoia is the best option, but complacency and bravado.

Data Protection Act? 

Posted Monday 7th January 2008 16:16 GMT

Someone fraudulently phoned T-Mobile and ordered expensive new phones on my account (shockingly easy to do with just name + phone number). T-Mobile say the DP Act prevents them from telling me what address the thief (supposed to be me) had had the phones delivered to.

Re: "Be careful about feeling smug..." 

Posted Monday 7th January 2008 16:21 GMT

Go

"For all those feeling smug about how he shouldn't have done what he did...

The only details he gave were those available from the telephone directory and one of his cheques.

Still feeling so safe?"

Don't forget your cheque also has a sample of your signature....!!

Re: Signature? No problem 

Posted Monday 7th January 2008 16:40 GMT

Well, it's easily photoshopped and enhanced to look authentic. Anyone with a bit of time could.

It is rather disconcerting. One reason why anything financial here gets shredded once it has exceeded its use (like statements once their statutory keep dates expire).

heh heh 

Posted Monday 7th January 2008 16:44 GMT

Go

I love it when fools make comments like that and it immediately blows right up in their face.

tit.

It was done online. 

Posted Monday 7th January 2008 16:47 GMT

You can see for yourself at diabetes.org.uk. Clarkson is still *largely* correct - there's no way to *permanently* deprive him of his money, as you can only set up DDs to carefully vetted organisations who promise to return the money immediately in case of a dispute.

It's still gob-smacking, though, that it is possible to do this to someone else's account.

Sadly most of the reporting that I can see is terribly inaccurate and will only continue to make people think that there's something terribly dangerous about revealing your account number.

Anonymous Goatherd 

Posted Monday 7th January 2008 16:55 GMT

Thumb Up

Large user Direct Debits are set up without requirement for a signature - under a system called AUDDIS the beneficiaries just send details of new DDs they have received to the banks electronically.

If anything goes wrong the beneficiary companies refund the banks and the banks meet the obligations of the Direct Debit indemnity guarantee - they refund the customer.

Still annoyingly easy to fall victim to though - the inconvenience factor.

I expect Clarkson's bank were fending off requests for the culprits to be caught by quoting DPA - meaning that they can't look into Diabetes UK's records - IP data etc. Police could I suppose - if they didn't have a million better things to be doing.

@Bank at fault (and others) 

Posted Monday 7th January 2008 16:55 GMT

Black Helicopters

While I agree a signature /should/ be required (or at least you should be told about the new DD), that's just not the case.

I recently moved house and set up a direct debit for my gas, electricity, phone, etc without a single signature and I've had nothing through the post saying that they've been set-up.

Luckily, I have internet banking and often check my account activity.

You have 10 days to cancel a DD payment once it has been requested (again, without you being told it was) - so if you wait for your monthly statement, it will already be too late to cancel.

With regards to Jezza - hats off to him. He played the consumer card and found that people just don't understand how important all this information is. Now he's been stung, hopefully others will start to take more interest in their own information (unlikely).

I'm a little shocked that there was something worth reading in The Sun.

Data protection 

Posted Monday 7th January 2008 17:01 GMT

> the charity would not be obliged to hand over the details of the worker that
> accepted the application form, as this would breach the DPA rights of the
> original victim (worker).

They may argue that they can't hand over that information to Clarkson. Not sure about that.

But they could most certainly hand it over to the police, and the police could require them to do so.

Just wait 

Posted Monday 7th January 2008 17:13 GMT

Flame

Until he finds out how many caravans he is having delivered.....

Seriously, he could have got away with it if only someone who could read hadn't bought a copy of the Sun that day.

I wonder how many rounds he would have paid for if he had published the information on the register.

Not All Accounts Are Created Equal 

Posted Monday 7th January 2008 17:21 GMT

Paris Hilton

Businesses can publish this information because they pay for their accounts and so get a more rigorous service from the bank.

You'd think that with all that money and flash car Clarkson would have upgraded from a basic "Hoy Poloy" current account??

Jeremy was not wrong 

Posted Monday 7th January 2008 17:24 GMT

The personal information *is* publicly available and it is impossible to use a UK bank account without publicising the account number and its sort code. It was not irresponsible of him to pull this stunt. It *ought* to have been a high-profile demonstration of the security of UK banking practices, for which the banks should be grateful.

Sadly, a crime was committed and Barclays are hiding their negligence behind the DPA. With luck, Jeremy has a sufficiently high profile and his stunt was well enough publicised that it is Barclays who will end up with pointy sticks in their eyes. I suspect if this happened to you or me then we'd have more trouble sorting it out.

DPA - bollox. 

Posted Monday 7th January 2008 17:33 GMT

Funny it might be but this is a criminal act. Should the bank wish to investigate further by involving the police then the DPA is irrelevant.

Clarkson is right, it should not be possible to remove money from his account without his permission. But from personal experience I could have told him that's simply not true. The bank may well refund a DD (eventually) but they'll still send the money to anyone with a DD setup whether they are supposed to collect that money or not and regardless of whether you have already told the bank that this is the case.

At least Clarkson checked his bank statements, I can think of numerous people I know that likely wouldn't have even noticed this had happened until the hole in the wall refused to give them money they thought they had.

Safety in numbers 

Posted Monday 7th January 2008 17:45 GMT

Unhappy

It seems to me that many systems operated by banks (direct debits, ATMs, cheques, credit cards, etc.) rely solely on the fact that most people aren't criminally minded. So many of their systems seem to be wide open to attack and abuse but they just accept such incidents as a business cost.

If somebody did some work at my house and I wrote a cheque for payment, that person would have all my bank details and a copy of my signature. Would this be enough to start a malicious attack, signing me up for all sorts of direct debits?

Not only Clarkson 

Posted Monday 7th January 2008 17:49 GMT

Ok, so any anonymous person can set up a DD for an online donation if they have someone's bank details, name and address. None of which are hard to come by.

Not everyone has £500 (or any amount for that matter) going spare in their bank account, so you end up going massively overdrawn with excessive bank charges, caused by this malicious person. Ok, you'll get these refunded at some point. That doesn't help at the time when this causes your mortgage, credit cards and utility bills to fail payment. All of those add charges if your payment is late, plus the extortionate charges for letters from the bank kindly informing you about each failed direct debit.

It is unforgivable that these transactions can happen, possibly causing massive financial crisis for an innocent victim.

Oh dear 

Posted Monday 7th January 2008 17:54 GMT

Alert

Same old story: ID Cards, suspension of habeas corpus, greater police powers, etc all fine and dandy until the day that it affects *you*.

Then all hell breaks loose.

Why not think about what will happen based on historical precedent and then comment, Jeremy?

You cannot trust them. And if you have to ask who they are, you shouldn't comment about the system they set up to keep you in the dark.

Spear phishing 

Posted Monday 7th January 2008 18:09 GMT

Pirate

I wonder how susceptible Mr Clarkson would now be to a spear phishing attack? Given that those account details have been compromised, it would be straightforward for a real attacker to send in a carefully created email purporting to be from the bank. Perhaps along the lines of "your account was recently the subject of fraudulent activity, please reset your details by following this link".

Personally, I think Clarkson did the right thing by standing up and shouting that it's all media hype. To a certain extent it is, but everyone who has been affected by this data leak (and others) should be keeping a close eye on any communications between themselves and their bank for a long time.

DPA, police etc. 

Posted Monday 7th January 2008 18:28 GMT

As it says, the bank can't give that information to Clarkson -- the only people they can give it to is the police. In order to do that, Clarkson needs to report it as a crime.

I surmise that Clarkson doesn't want to report it, seeing it instead as relatively harmless mischief, and/or his own fault.

He challenged, someone responded. Wouldn't look good if someone ended up in jail; would it?

A fool and his money 

Posted Monday 7th January 2008 18:55 GMT

Thumb Down

This is the kind of fool that thinks everything is a "scare" or "hype" until it happens to him. The same kind of consecrated idiot always discounts everyone else's problems and implies that anyone who complains is either a whiner, a fraud, or a malingerer.

When it happens to him, though, it's a major disaster! Call out the police! Call out the Army! Mobilise the planet! The Great I Am has been harmed!

Maybe the next time he could actually believe the people who have experienced previously, and not go screaming about how something is BS because he doesn't want it to be so?

I don't get it 

Posted Monday 7th January 2008 19:07 GMT

I lived in The Netherlands for donkey's years.

Over there, if you want to pay someone, they give you their bank details and you pay them quickly and easily without farting about with Victorian cheques.

I do not understand how someone else can set up a direct debit on your account.

Where's the icon for baffled & confused?

Could not have happened to a more deserving person 

Posted Monday 7th January 2008 19:16 GMT

And well done honest sun reader, for donating to a good cause on Mr. Clarkson's behalf.

Not so daft 

Posted Monday 7th January 2008 19:52 GMT

Paris Hilton

It isn't Clarkson who has it wrong. Every time you give someone a cheque, they have your bank account details. If they are local, or request your address, e.g. Curry's, then they have that as well. The bank are very much at fault for letting this happen. The data the prankster had access to is so minimal that the bank is dreadfully negligent in allowing the DD to be set up.

Isn't all that info pre-printed on every cheque? 

Posted Monday 7th January 2008 20:13 GMT

"...bank account number and sort code, along with ---- his address..."

Isn't it?

Those would be the same cheques that you would hand-out to clerks in shops.

Another reason to reform the banking system 

Posted Monday 7th January 2008 20:17 GMT

Anyone disagree?

I don't think he was stupid 

Posted Monday 7th January 2008 21:11 GMT

As others have said, he should have been right.

What he has done is to publicly show up a major flaw with the banking system.

Well done JC

A matter of opinion 

Posted Monday 7th January 2008 21:12 GMT

"He challenged, someone responded. Wouldn't look good if someone ended up in jail; would it?"

Personally I think it would look great. It would both prove his point and act as a deterrent to all those a-holes who think emptying people's bank accounts is a laugh "because they can".

Well, he's *HONEST*

Posted Monday 7th January 2008 21:59 GMT

Flame

I know that that is a difficult concept for anyone in the media spotlight (especially politicians) but he says what he genuinely thinks, and he's not the only one who thought the data loss was much ado about nothing.

As for the bank authorising the DD, using the DPA to avoid giving details is pure BS. HE is the authorised account holder, so anything purporting to have his authority should be visible to him or the bank is assisting a crime. Well, they are, actually, because the mandated account holder did not give his permission.

I wonder what account he has that he is not in control over his own funds. A DD needs authorisation AFAIK so I'd really like to know why Barclays can't control that in absence of his authorised signature. Or has someone found a Clarkson signature? In that case it's not just unauthorised, it's forgery as well and the bank is expected to assist the police with their enquiries.

That Clarkson was playing the fool is no argument for the bank to go soft on process, because that means they're signalling to the finders of those 2 CDs that the time is right to do some serious deducting from 25 million accounts. Spread it randomly over all banks and it'll take weeks before anyone spots it.

I may be wrong on authorisation, so anyone have a clearer idea?

Clarkson made the oldest mistake in the book 

Posted Monday 7th January 2008 22:12 GMT

Alert

That is, he trusted his bank.

I can't speak to the law in the UK, but in the USA, *anyone* can set up a DD to a bank account without a single piece of paper changing hands. My wife is a retired banker, and tells me she had to correct such "errors" several times weekly. The professional fraudsters set up recurring DDs for only a few dollars, and most people never notice. If you set up, say, a thousand DDs at $5/month, you're making a very respectable income with little to no risk; the banks won't call in the legal authorities for such small amounts, because it would make the news.

At least 

Posted Monday 7th January 2008 22:12 GMT

Paris Hilton

At least Jeremy has shown the basic flaws in the Banking system since everything was centralised and the banks cut and zeroed nearly all security corners and nixed the paper handling trail in order for them to generate the regular increases in profits demanded by both the Ponzi LSE and the ever demanding Pension investment funds wanting higher returns for them to face 2012 when outgoings will exceed incomings!

Yeah the bank is truly at fault and now he can sue them as well for their complete and utter stupidity of lack of security too !

What would Paris say about that !

"Idiocracy" here we come !

Probably true about the data protection act 

Posted Monday 7th January 2008 22:28 GMT

Alert

it seems to stop anybody telling anybody anything useful even if it does seem like a cop out. I don't even think checking your own credit report would help - can be done for free online at Experian and possibly also Equifax at the moment - because the money came out of an existing account. I wasn't aware of the original article so I thought this was typical Clarkson - brilliant.

Hoist By His Own Bank's Petard... 

Posted Monday 7th January 2008 23:11 GMT

Thumb Up

I've no time for the guy, but the whole episode is show-time for The Bank.

Reluctantly tip my hat to JC on this occasion -- ugh -- hope he's learned something from it.

Well, well, well 

Posted Monday 7th January 2008 23:37 GMT

My estimation of Clarkson has gone up.

At least he has the honesty to admit his mistake publicly and change his viewpoints.

Was he wrong? Yes. SHOULD he have been wrong? NO!

If any bank I used did the same to me based on /that/ level of "personal" information (and really, how "personal" are details that are published in your phone book and on the cheques you write?) I would close my accounts and start talking to the local reporters about what a pack of cretins the bank was.

If I ever go to England, I'd never open any account with Barclays.

As Anon Coward ("Not only Clarkson" 7th January 2008 17:49 GMT) said, the potential for devastation is horrific.

My previous bank (before I ditched them for being a pack of thieving, money-grubbing shits) would happily charge $30 for every dishonoured transaction (putting the account further in OD than actually /honouring/ some of the transactions would have) and then charge an additional "Unarranged Overdraft" fee AND charge interest on the OD at punitive rates. On top of that, the rent, car, power, phone etc have not been paid that week and they start getting shitty. Afterwards, the bank account is in OD to the tune of 6x $30 dishonour fees plus $12.50 Unarranged OD fee plus punitive interest (so >$200) when your next pay cycle rolls around (what, you expect the bank to get it sorted and get your money returned within one pay cycle?) and you're down over $200 in your household expenses budget.

And that's assuming the thieving mongrels actually reverse all the fees and interest they've taken from your account as well as getting your money back. My old bank, you'd have a higher likelihood of Bill Gates dropping by your place and tossing you a wad of high denomination banknotes. You expect honesty and fair dealing from an organisation that will dishonour a $10 autopayment that would put you $5 OD then charge a $30 fee that puts you $25 OD so they can charge more interest on the amount you're overdrawn?

Some families live so "close to the wind" that starting the pay week more than $200 short would totally clean out their food budget and still leave them short for paying the bills (meaning more dishonoured payments and more fees) - could take months to get back on their feet.

Any bank that allows money to be removed from an account based on such a paucity of information - regardless of whether "it can be returned later" or not - does not deserve to be trading. Seriously.

Barclays, and any other bank that would allow the money to be removed without proper verification, has no respect for its customers and therefore does not deserve any.

As to DDs - I refuse to have them. Even my power supplier, who claims to only accept payment by DD (which they can control) gets paid by Automatic Payment (which /I/ control) - having been stung in the past when the bank dishonoured a Direct Debit (and charged me $30) and the creditor retried debiting my account twice during the subsequent couple of days (incurring additional $30 dishonour fees each time). The only attempted withdrawals from my account that I have not *personally* performed or authorised should be the bank fees themselves (if I am remiss enough to use another bank's ATM or perform too many EFT-POS transactions in a month).

Carefully vetted....... my arse...... 

Posted Monday 7th January 2008 23:58 GMT

Stop

About five years ago I had 5 DD's set up on my account for mobile phones all from the same internet based company.

No sig is required - it's called an ldas or ldis or something similar DD. Only found out 4 months later after £1k was taken from my account in a month (I learned to always check my statements from then on).

Got all the cash back from the bank on the day I realised, but guess what..... the cops didn't want to know.......

I went into Nottingham's main police station to report the crime and their answer was "oh it's probably just a clerical error". They gave me a crime reference number after much moaning from myself - and they didn't even want to give me that.

I wonder what would happen if I reported a DD fraud now?

Entertainment... 

Posted Tuesday 8th January 2008 00:20 GMT

Clarkson is primarily an entertainer. Do you really think Top Gear etc is completely factual? I doubt it. These guys don't let fact get in the way of fun and controversy and entertainment value.

Therefore the whole report should be taken with a handful of salt. The whole DPA thing could be part of the scam to give an excuse for not proceeding.

What a tool. 

Posted Tuesday 8th January 2008 00:25 GMT

No further comment required.

Misuse of the DPA 

Posted Tuesday 8th January 2008 00:26 GMT

Financial institutions and the like have been misusing the DPA for years now to bury stuff they'd rather not talk about. I've no idea whether or not what they're doing is in accordance with the letter of the law, but this surely isn't what the DPA was intended for.

As for the normal level of banking security, if I showed such lax standards as a sysadmin I'd be out on my ear. I suppose there is a difference, though, since my users' accounts will contain all manner of important tat like their porn bookmarks whereas a bank only handles the trivial stuff like their salaries.

They could have done it anyway. 

Posted Tuesday 8th January 2008 00:39 GMT

Stop

The fact he published his bank numbers is beside the point. He was challenging the bank system to prove that there are security measures that stop the leaked data from being useful. Unfortunately UK banks are about 50 years behind acceptable levels of security, and he was proven wrong.

It's the bank's fault NOT his. Numbers that anyone can read from a cheque obviously cannot be verification, this story just highlights the need for banking reform.

(and again shows how stupid the government were for losing the disks in the first place)

Direct Debits are the Devil's work 

Posted Tuesday 8th January 2008 01:05 GMT

Jobs Horns

Never, and I mean never, set up a DD. They are dangerous. Trying to vary or stop a DD can be a nightmare.

:: Always check every line in your Bank/CC statements, every line.

:: Keep all banking receipts until you have done your checks.

:: Shred obsolete banking and CC papers.

Bottom line: Banks and the banking process cannot be trusted.

Insanity. 

Posted Tuesday 8th January 2008 01:23 GMT

Pirate

If it's that easy to set up a DD it's a wonder that no crims have set up a bank DDOS scheme. Pay up or thousands of your account holders will be shafted. Oh hang on.... All these fees on my last bank statement, we already are.

get a lawyer 

Posted Tuesday 8th January 2008 02:25 GMT

Flame

"My bank allowed a large amount of money to be taken from my account .. a week after I'd given them (in person) a written request to cancel... the bank said they hadn't had my request ... and that they wouldn't do anything about it ... the company, they refused to refund me ... the bank then charged me lots of money for being overdrawn and kept me in the red for several months afterwards by continuing to charge me for being overdrawn."

Etc etc etc. Sounds like this advice is too late for you, but here it is: GET A LAWYER. Don't get given the runaround - threaten to drag the bastards into court. It's the only thing they understand.

RE: He flew a plane once, and has one in his garden... 

Posted Tuesday 8th January 2008 03:28 GMT

He doesn't have the plane in his garden anymore and hasn't for a long while, the council made him put it away, something to do with planning I think... He does however, have donkeys in his garden.

Not just Direct Debits. 

Posted Tuesday 8th January 2008 04:02 GMT

I was at the local nick a few months ago (by choice I might add) and the guy ahead of me was reporting a phony standing order on his account. £3000 a month, ran for 3 months before he spotted it. No DD guarantee there and the paperwork requirements are similar.

I also had a mate who had money stolen from his account through telephone banking. His bank required 2 random digits from a 4 digit pin code - yes, he chose a date, and was horrified when I guessed one was 0, 1 or 2 and three was a 0. Oi! Banks! Five digit pins stop people choosing dates.

Nice work Clarkson, always have time for people who can admit when they're wrong.

The next Clarkson revelation. 

Posted Tuesday 8th January 2008 07:52 GMT

You get your fingers burnt if you put them in a fire!?

The man is funny and gobby and opinionated and .. and ..... all those other things. Perhaps, now, having seen how it works for one of their own the elite of our land will start to take notice of the "little people's" concerns. Is Mr. Clarkson a member of the NO2ID campaign?

Bank account numbers are not secret. 

Posted Tuesday 8th January 2008 08:07 GMT

IT Angle

Everybody you ever sent a check to, sent a bill which you paid, transferred money to, and anyone who transferred money to you automatically know your bank account number, plus your name and address.

Anyone who worked with these companies people can easily get your bank account number, and, you don't have to be a black hat hacker you just need to get a job in the mail room!

The bank was clearly at fault here and should take full responsibility.

As with most of this "Identity Theft" hype, it really has nothing to do with the person impersonated. It's fraud committed against the bank by someone using a false identity and the bank should either take appropriate precautions against this or go the way of Northern Sock.

I hope the diabetes people get to keep the 500 smackers.

New DD's 

Posted Tuesday 8th January 2008 08:11 GMT

Well, I don't get a notification in writing from my bank when a new DD is set up, as the very first poster suggested he should, so perhaps that depends on who you bank with?

As for signature verification, considering Jezza is quite well known I'm sure it'd be quite possible to find out what his signature looks like, as after all he signs enough stuff. Someone with a half decent talent could easily replicate his signature, as after all they wouldn't have to write it quickly. Of course, it is also entirely possible that the bank didn't check properly.

Kudos for the perpetrator for setting up the DD to go to a charity.

Oh and bank bosses ought to be able to be held criminally liable if their bank does not meet acceptable security levels - for example to allow DD's to be set up without proper verification. Sorry but they've been screwing us over for years so it's time they got theirs.

Telephone Banking/Internet Banking

Posted Tuesday 8th January 2008 08:44 GMT

When I looked at the terms and conditions for these, and especially the "its up to you to prove it was fraud, not that we'll give you access to our logs or anything else you need to do so" parts, I came to the conclusion that using either is about as dumb as what Mr Clarkson did...

Data Protection 

Posted Tuesday 8th January 2008 09:11 GMT

I worked in finance for 8 years, Jeremy Clarkson's bank may not be given the details of the person who signed him up for the dd, however as this was a fraudulent transaction, and the person’s details can be used by the police if he wished to prosecute.

Signatures don't mean anything 

Posted Tuesday 8th January 2008 09:12 GMT

Alert

I was amused by a couple of the comments assuming that banks actually bother to check signatures. They don't. Not on direct debit forms, cheques or any other documentation.

The only time signatures are looked at is after the event if an account holder questions a cheque, DD or anything else. I have had cheques accepted on an account where the signature (very legible made up name) did not match any of the authorised signatories.

So paranoia about keeping financial details private is justified.

when did the DP act protect criminals? 

Posted Tuesday 8th January 2008 09:14 GMT

IT Angle

Somebody wrote:

"And as for the DP act being blamed...rubbish. If it's between the bank and its customer, it's confidential between those two. If it's anyone else, it's fraud, and since when did the DP act protect criminals?"

Well my wife knows a DI through her work and apparently the DP Act frequently protects/helps criminals...

Analogue v Digital? 

Posted Tuesday 8th January 2008 09:25 GMT

Pirate

I have always thought that as a general rule, any retained data, by any agency, especially government, should be analogue. If some daft or dishonest clerk loses, or gives away a document that he is entrusted with, the potential for damage is far more limited than if the same document had been stored digitally.

I remember an organisation called the "Economic League" years ago, who understood this distinction. Their business was to collect and share information (for a fee) about senior executives amongst prospective employers. For good or ill, under the original data protection act, they were exempt from declaring this information, because they kept their records on a rolodex, not a computer.

So, if one agrees with such a thing as the NHS in its current form (I do not), we should resist the digitalisation of our medical information.

Likewise we should resist the introduction of digitalised ID cards, passports and voting systems.

On the other hand, if the banks were playing an honest game, and they wanted to continue to deal with money electronically, for their and their customers benefit, they should also continue to offer guarantees against fraud, (after all we pay for it anyway). The introduction of chip and pin, if anyone remembers, was accompanied by a modification of the rules in the banks’ favour, they would no longer honour their guarantee to the retailer or the customer if there was no digital signature, we all know that this is not secure, but it is genuinely convenient for us and profitable for the banks and retailers.

I do not know whether this was the case with Jeremy Clarkson, (no digital OR analogue signature) but by highlighting this, he has done us all a favour, albeit unwittingly, hasn’t he?

The problem is that government by nature, is always dogmatic, just because there might be an advantage for citizen and government in storing some information digitally, it does not mean that it is ok to store ALL information in this way. Essentially, we should resist “modern” “joined-up” electronic government at every turn, until we know what the ramifications are for digitalised storage of a particular form of personal information.

A huge security hole, the banks know it and don't care 

Posted Tuesday 8th January 2008 09:38 GMT

Hurray. Someone has now realized a flaw in the banking Direct Debit system I found.

Several years ago I found that someone had set up a Direct Debit on my account for a TV licence. After long conversations with TV licensing and my bank I found out that there is nothing to stop anyone setting up a direct debit on my account. All anyone has to do is fill in a direct debit with someone my account details. The company managing your direct debit can only accept at face value that the direct debit they get has the account details filled in correctly and pass it to your bank. The Bank does no checking that the direct debit is correct because they have delegated all responsibility to the Company dealing with the Direct Debit and they just automatically process the direct debit mandate WITHOUT ANY CHECKS.

No signature checks, no account checks, not even checking that the person originating the direct debit owns the account. NOTHING.

So basically the Company raising the Direct Debit cannot check any details are correct, and the Bank does no checking because they have passed on responsibility.

So the only person in the whole chain who checks that the direct debit has been applied to the correct account is you. This is a huge hole that the Banks have buried their head into. The only reason I did not take it further was because of the Direct Debit guarantee that I would get my money back. (and even then in this instance I had to be passed up the chain to a senior manager at the bank and had to quote some of the Banks own direct debit leaflets before they would honor the guarantee and credit my account straight away.) I tried to raise it as a potential fraud, but the Bank was just not interested. As they said, the Company raising the Direct Debit indemnifies them, so what was the problem. They could just not get it into their heads that someone had taken money from my account without my permission AND COULD DO IT AGAIN. They just kept repeating ’but you got your money back’

I can also understand the comment about the Data Protection Act. I tried to find out who had raised the Direct Debit and was quoted the Data Protection Act.

Data Protection Act 

Posted Tuesday 8th January 2008 09:43 GMT

>> The bank cannot find out who did this because of the Data Protection Act

> Would anyone like to hypothesize what he might mean by that?

The phrase "because of the Data Protection Act" is call centre speak for "I can't be arsed".

Cherry on top... 

Posted Tuesday 8th January 2008 09:44 GMT

Joke

...will be when he tries to cancel the DD and gets told he can't because he wasn't the one who set it up in the first place.

Banks should be contacting the customers 

Posted Tuesday 8th January 2008 09:56 GMT

Alert

Why can't the banks and the credit card companies send SMS and/or email notification of every significant action that takes place on your account as it happens?

BEEP An electronic direct debit mandate has been placed on your account xxxxxx91 from the originator Nigerian Prince Ogoaeruyter. Please call the bank now if this is incorrect.

BEEP Your MasterCard xxxxxxxxxxxxxxxx3079 has been used to purchase a Bugatti Veyron. Call us to dispute this transaction.

Since signature checking seems to be increasingly lax these days a bit of diligence from the banks wouldn't go amiss...

IT WAS A SET UP 

Posted Tuesday 8th January 2008 10:43 GMT

Alert

At least that's my opinion after sleeping on it. It all just seems a little too nice, clean and clinical for my liking...

He publishes his bank details in the paper, and of all the potential dodgy dealings, there is one single solitary payment to a harmless charity...? With all the cash he has, you'd have thought something more inspired would have been done, and certainly by more people. Bear in mind, this is someone who buys supercars, so there should be the potential to make a handsome amount.

The bank claims the DPA is preventing them "assisting with enquiries". Surely, the only way this could be true would be if the transaction was NOT fraudulent and WAS actually the account holder making the transaction, in which case it would apply...

I'd be interested to know if he has reported it to police... which doesn't seem to have been mentioned. If it hasn't, then I think it must be a stunt.

Prepared to Pay? 

Posted Tuesday 8th January 2008 11:03 GMT

Coat

ok, it's true the banks don't check signatures on Direct Debits - for many DD's they only have an electronic instruction come through.

let's say they could check these, what do you think it would cost and who do you think they would pass this charge onto? Are you prepared to pay as part of account charge or slightly worse interest rates?

They don't need any 'personal' information - they just need your account details 

Posted Tuesday 8th January 2008 11:23 GMT

To all those who think they are safe, because someone who might set up a direct debit on their account does not have their personal details (address, mother's maiden name, DOB, or even your name).

THINK AGAIN. You do not need any of these details to open a direct debit. You only need an account number (a sort code helps as well). You can put in any name, any address and make other piece of information you like.

Why? Simple. The company who sets up your direct debit have no way of knowing you own the account you are setting the direct debit against and check it against your name, address etc. The banks will not tell them (Data Protection working for you - again). The Company raise a request to the bank and the bank ONLY checks that the account number is valid before raising a Direct Debit against that account. The Bank does not check that the name, address or anything lines up with the account – let alone any other basic security checks.

The Bank’s excuse is that they security vetted the Company raising the direct debit really really carefully, and so when they get a valid direct debit, they HAVE to honour it. (‘valid’ means only that the account number is correct). They do not seem to understand that the Company raising the direct debit has no way of knowing that the account details they are given is actually owned by the person raising the Direct Debit.

So the Company raising the direct debit has no way of security checking any direct debit request and the Bank performs no security checks on your behalf.

So all you need is someone’s account details and you can set up a direct debit against their account.

The question is not ‘how could the bank have allowed Clarkson’s account be debited’ but rather ‘How could the banks have allowed such a huge security hole to have existed for so many years’. It is a simple answer. They don’t care because they are indemnified by the Company raising the Direct Debit.
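The gap this comment describes, as an added example that is not part of the original post: a constructed Python model of a bank that activates a mandate on a valid account number alone, beside one that also matches the payer name and holds the mandate until the account holder confirms (the kind of notification another commenter asks for). Every class, function and account value here is hypothetical and does not represent any real bank's or scheme's processing.

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    sort_code: str
    number: str
    holder_name: str
    active_mandates: list = field(default_factory=list)
    pending_mandates: list = field(default_factory=list)
    outbox: list = field(default_factory=list)  # messages to the holder's registered contact


@dataclass(frozen=True)
class MandateRequest:
    originator: str   # company that wants to collect
    sort_code: str
    number: str
    payer_name: str   # whatever was written on the form


def _norm(name: str) -> str:
    """Case- and punctuation-insensitive form of a name, for comparison."""
    return " ".join(name.lower().replace(".", " ").split())


class Bank:
    """Hypothetical paying bank; models only mandate lodgement."""

    def __init__(self, accounts):
        self._accounts = {(a.sort_code, a.number): a for a in accounts}

    def lodge_as_described(self, req: MandateRequest) -> str:
        """The only check the comment reports: does the account exist?"""
        acct = self._accounts.get((req.sort_code, req.number))
        if acct is None:
            return "rejected: no such account"
        acct.active_mandates.append(req.originator)
        return "active"

    def lodge_hardened(self, req: MandateRequest) -> str:
        """Name match plus out-of-band confirmation before anything can collect."""
        acct = self._accounts.get((req.sort_code, req.number))
        if acct is None:
            return "rejected: no such account"
        # A name check stops random account numbers, but a name is rarely
        # secret, so it cannot be the only control.
        if _norm(req.payer_name) != _norm(acct.holder_name):
            return "rejected: payer name does not match account holder"
        # Hold the mandate and tell the holder through a channel the bank
        # already has on file, not one supplied on the form.
        acct.pending_mandates.append(req.originator)
        acct.outbox.append(
            f"New Direct Debit requested by {req.originator}. "
            "Confirm or reject it before it can collect."
        )
        return "pending holder confirmation"

    def holder_decision(self, sort_code, number, originator, approve: bool) -> str:
        """Apply the account holder's answer to a pending mandate."""
        acct = self._accounts[(sort_code, number)]
        if originator not in acct.pending_mandates:
            return "rejected: nothing pending for that originator"
        acct.pending_mandates.remove(originator)
        if approve:
            acct.active_mandates.append(originator)
            return "active"
        return "cancelled by holder"


def demo():
    """Run both policies over constructed sample data and return the outcomes."""
    acct = Account("00-00-00", "00012345", "A. N. Example")  # constructed values
    bank = Bank([acct])
    wrong_name = MandateRequest("Example Charity", "00-00-00", "00012345", "Someone Else")
    right_name = MandateRequest("Example Charity", "00-00-00", "00012345", "a n example")
    return {
        "described, wrong name": bank.lodge_as_described(wrong_name),
        "hardened, wrong name": bank.lodge_hardened(wrong_name),
        "hardened, right name": bank.lodge_hardened(right_name),
        "holder rejects": bank.holder_decision("00-00-00", "00012345", "Example Charity", False),
    }


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```
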

I am completely shocked,

Posted Tuesday 8th January 2008 11:26 GMT

Coat

A sun reader could operate any form of electronic device in order to set up any form of fraud, I bet that's the angle Clarkson was aiming for.....

> Don't check signatures on DD 

Posted Tuesday 8th January 2008 11:40 GMT

The banks don't check signatures on anything...

A good twenty years ago, when I worked in the bike trade, we had a lad come in and say "My Dad wants to buy me a new bike, but he's too busy to come to the shop. Is it OK if I bring in a cheque?". So we said sure, but you'll have to wait for the cheque to clear and all that. So we get the cheque put through on a special clearance, being careful and all that, all is OK, and the lad gets his bike.

Three months later angry father comes into the shop waving cleared cheque... It turns out that the family had split up, and son had grabbed two or three cheques out of Dad's cheque book as Dad was walking out the door. The signature Son had filled in on cheque bore not the slightest resemblance to Dad's signature in any shape or form, and it was the equivalent of 3k or so in current money...

Are signatures actually checked anyway? 

Posted Tuesday 8th January 2008 11:42 GMT

Alert

About 10 years ago I got utterly bored with my signature (too long to write each time) and so decided to completely change it overnight. The very next day I began using my new ultra-condensed and totally different looking signature and my bank did not ask any questions over any new cheques or direct debits at all?

Of course, things might be different now but, in my experience, that generally means they are now a lot worse.

@Peter (and anyone else scammed by DD setup) 

Posted Tuesday 8th January 2008 11:53 GMT

Just a thought, but you _may_ be able to get past the Data Protection brick wall by calling the bank "to check the contact details used for the transaction" as you believe they may have been taken down wrongly, since you can't recall receiving any written confirmation.

At that moment you're not saying it's someone else, just asking to check their record of what you assume is your own data.

Maybe.

Maybe you could charge 30% interest for unauthorised credit as well.

title 

Posted Tuesday 8th January 2008 12:02 GMT

Coat

RE: Public Info

"Mind you, why did his bank not send him the standard "A new DD has been set up, if this is wrong tell us now" letter that you're supposed to get?"

Maybe it was sent the same way those 2 cds were sent ;)

RE: Just wait

"I wonder how many rounds he would have paid for if he had published the information on the register."

None as the BOFH and PFY would have emptied on rounds before anyone else had a chance to do so :)

Well Done Clarkson 

Posted Tuesday 8th January 2008 12:11 GMT

Thumb Up

All he's done is PROVE, in the most public way possible, that the banks are not only incompetent, but COMPLICIT in data theft. There's no way someone should be able to steal your money just because they know your account number.

Clarkson may have been motivated by his usual careless buffoonery, but he's done us all a favour. As with Jamie Oliver's school dinners, it's nice to see an irritating celeb using their fame for something other than grabbing more and more cash.

RE: Are signatures actually checked anyway? 

Posted Tuesday 8th January 2008 13:17 GMT

Go

---------

About 10 years ago I got utterly bored with my signature (too long to write each time) and so decided to completely change it overnight. The very next day I began using my new ultra-condensed and totally different looking signature and my bank did not ask any questions over any new cheques or direct debits at all?

Of course, things might be different now but, in my experience, that generally means they are now a lot worse.

---------

If a cheque we receive doesn't have a signature, it gets bounced every time, but if it has a scrawl, no matter how different to the account signature, it goes through every time as long as there are funds. I think that answers your question.

Good move 

Posted Tuesday 8th January 2008 13:20 GMT

Thumb Up

Clarkson is normally good for news. I like him but this was a fantastic move on whoever did it's part.

I'm glad to see he learnt his lesson, rather than just thinking it was an outrage. What I really want to know is how much he got back, considering it's a charity it would be quite interesting.

@ "Fuss about nothing Mk II" 

Posted Tuesday 8th January 2008 14:21 GMT

Pirate

You make it sound as if our banking system was actually secure!?

I have worked for the IT-security sector of the finance industry, and can tell you that just about nothing is secure in the financial industry! they don't care!!!

It would have been about 10-20min works for me to transfer 100s of millions of pounds into off-shore accounts without the possibility of law enforcement getting their hands on the funds immediately!

by the time it would have been noticed, it would have been way too late, I would have been gone and on the way to the next plastic surgeon as well as getting a new identity.

the only thing that could possibly been seen as some sort of security is "security by obscurity" and I think we all know what to think of that!!

Correction of some of the incorrect assumptions in this thread... 

Posted Tuesday 8th January 2008 14:22 GMT

Boffin

RE: Public Info - "Mind you, why did his bank not send him the standard "A new DD has been set up, if this is wrong tell us now" letter that you're supposed to get?"

No... the letter never comes from the bank, it comes from the payee... that's because one of the Direct Debit conditions is that you are so informed of the amount(s) to be debited from the account, and of the relevant dates, in advance.

And for a number of years, there has been a national agreement that in these cases, the report is always to the bank in the first instance, NOT the police: if the bank then wishes either to report the offence(s) and/or relevant intelligence for further action, then THEY contact the police. In practice, for most cases, it doesn't happen - it's just not financially worthwhile for the bank to take it further. After all, they just take it out of the huge profits that they have been making from US! ;-)

How do you check a signature? 

Posted Tuesday 8th January 2008 14:31 GMT

Johnny bankteller gets a cheque from a customer, do they then have a digital network that shows all the signatures on record just like that (kind of like the fingerprint system on CSI)? How long would that take to manually check all sigs? Even by computer would take ages with the thousands of cheques/DDs going through the system each day.

For a while I started changing the signature on all my cheques I sent out. Not one got challenged. They all got paid in.

As for finding out the details of who submitted the DD, wouldn't that be 'J Clarkson'?

@ jason 

Posted Tuesday 8th January 2008 14:57 GMT

wouldn't that be 'J Clarkson'?

Nope. Could be anyone. No-one checks that the name on the direct debit is the same as the name on the account. You could fill in a direct debit with Clarkson's account number and put Imagit Clarkson in the name. It would probably have got through (probably will not now as - I would hope - Clarkson has closed the account or the bank has put a stop on any further activity on it).

Title 

Posted Tuesday 8th January 2008 15:54 GMT

Never liked DD anyway. Seems an act of madness to allow folk to dip into your savings as and when they like, based on promises of telling you in advance. Especially when you end up having to spot and sort any problems yourself. It's bad enough a bank (!) has to be trusted with your savings in the first place. I blame you lot for accepting it as a legit service when it first came out, ensuring that the rest of us now find it difficult to avoid.

Signatures... 

Posted Tuesday 8th January 2008 22:34 GMT

Alert

What's been said is true. For a while, just for laughs, I went through a phase of signing my name as "T. Burglar". Nary a peep....

Re Correction of some of the incorrect assumptions in this thread... 

Posted Wednesday 9th January 2008 00:32 GMT

"No... the letter never comes from the bank, it comes from the payee... that's because one of the Direct Debit conditions is that you are so informed of the amount(s) to be debited from the account, and of the relevant dates, in advance."

So all you need do is write some random fake address (or even a random real address, it doesn't matter) to go with the fake name (since neither the company nor the bank check that the name supplied matches the name on the actual bank account) and the "stolen" account number (if reading a cheque and learning the account number can be classed as "stealing" anything).

The letter from the company advising that 1000 quid's going to be debited from your account each month on the 21st as of this February is going to be sent to the bogus address. If it is a real address, the likelihood is that the householder will glance at the name, say "no one in this house" and drop it in the bin. Even if they do scrawl "Not known at this address, return to sender" on it and drop it back in the mail on their way to work, the person who checks the mail back at the company is most likely to shrug and bin it as it's not his/her job to locate the right address for the payer.

So the person whose account has been targeted will have no warning of said direct debit until they go to buy their groceries and find their account is already in the red and is going to get worse once the bank starts reversing the autopayments and smacking dishonour fees in place.

From peter: "The Bank’s excuse is that they security vetted the Company raising the direct debit really really carefully, and so when they get a valid direct debit, they HAVE to honour it. (‘valid’ means only that the account number is correct)."

Yeah, because the company is deemed to be safe and would not *commit* fraud - yet the company is not equipped to detect if they themselves are being defrauded (as the bank cites DPA as a reason to prevent the [trusted and non-fraudulent] company from confirming that the account details provided are kosher.)

In short, the banks know that the data is unverified and therefore cannot be trusted, despite knowing that the company itself would not deliberately supply fraudulent information - and yet they still proceed as though the data were totally trustworthy.

Wankers. And then if enough fraud is committed throughout the year and they've had to restore a lot of money into accounts that should not have been removed in the first place (would not have been, had they used proper security checks) - to the point that their stakeholders are at risk of having their enjoyment of banana daiquiris, underage prostitutes and 5-Star Bahamian resorts curtailed due to falling profits - they can use the slump in profits to justify increasing fees and interest on loans (while decreasing interest on savings accounts).

Re: It was a setup:

Pete Burgess, what exactly did you smoke BEFORE you slept on it? Were there strange eldritch creatures roaming around the room at the time you came to your conclusion?

Suuuuuuuuuure, a loud opinionated public figure just decides to loudly change his opinion and so fakes being targeted. Riiiiiiiiiiiiiiiiiiiight.

And he's popping by my place later to drop off one of his super cars for my wife...

run 100m on sprained ankle? ... need a crutch, and it's gonna be slow 

Posted Wednesday 9th January 2008 07:11 GMT

There are enough things in life that are cause for worry, and it is generally accepted that worry will shorten your life more than most things (other than being run over by bus, or drinking 4 litres of vodka, or getting a new hairdo by covering one's hair with gel and doing the double digit in the nearest light socket...). You shouldn't have to worry about your bank accounts being siphoned off by duff DDs and your bank couldn't care less....

Jeremy Clarkson appears to be one of the few public commentators in the UK who wield a pin with remarkable authority, regularly popping allegedly safe balloons to show the underbelly of life in the UK... (note: 500quid is a small price to pay for '000s quid worth of PR). The 80's boomtime showed how brash the banking fraternity was... this DD fiasco JC has shown us highlights the latent arrogance of the banking fraternity... nothing new to some/most, but allowing DDs to be processed without appropriate security diligence could be considered in the same way as someone pickpocketing you.

Without a banking-led overhaul of this setup, maybe the only way to nail this down is to commit your bank to only authorise DDs when you front up to your local branch and verify a received DD: do the math - an hour lining up at your branch versus empty/overdrawn account and the fallout from that...

Direct Debit Rules 

Posted Wednesday 9th January 2008 14:03 GMT

Most DD's are now set up electronically without any signature from the customer.

As I understand the direct debit rules, a collecting organisation wishing to electronically set up direct debit mandates without a signature has to sign an unlimited indemnity clause.

So in the general case, you would dispute a fraudulent direct debit with your bank and the collecting organisation has seven days in which to produce evidence or refund the monies. Therefore any fraud is against the collecting organisation who has agreed to take the risk by signing the indemnity.

That said, Clarkson openly disclosed his details so this would probably not apply to him.

Also, my experience is that banks only check signatures on cheques for very large sums as was the case when my father tried to pay his mortgage off via a cheque from his current account and they compared his signature against his original specimen supplied about twenty-five years previously. Obviously, your signature would never change over time!

Clarkie for PM? Come off it! 

Posted Wednesday 9th January 2008 18:35 GMT

It's all very well applauding JC for admitting that he was blatantly and publicly wrong but PM material? Come off it!

Jezzer is a gobby and opinionated TV personality with no responsibility other than to keep as many paunchy petrol-heads glued to their TVs as possible.

Any politico who admits to a mistake is instantly and unceremoniously drummed out of office to eke out a meagre seven-figure living as an after dinner speaker.

Me jealous? Never!

If anything, from this article you should learn one thing 

Posted Wednesday 9th January 2008 21:10 GMT

Thumb Down

Barclays Barclays Barclays Barclays Barclays Barclays

@Pete Bass 

Posted Wednesday 9th January 2008 21:28 GMT

"Jezzer is a gobby and opinionated TV personality with no responsibility... "

Sounds perfect PM material to me, no bugger would be able to tell the difference between him and any prior/current PMs anywhere in the Commonwealth.

If a senile geriatric actor and an illiterate in-bred cowboy can become Presidents of the USA, despite any semblance of intellect (or ability to string together a coherent sentence) surely someone who is at least articulate enough to fuck off people with his opinions on a regular basis can be PM of England.

It's not like the job requires any real qualifications.

@ Adrian Waterworth 

Posted Thursday 10th January 2008 09:20 GMT

Black Helicopters

Roughly thirty seconds of searching found me an eBay auction for some signed Clarkson tat, complete with appropriately large (copyable) pictures.

I agree with Pete... 

Posted Thursday 10th January 2008 15:47 GMT

Classic Top Gear style shenanigans - it's entertaining but we know what we're seeing was staged and didn't really happen as described.

As Pete says, one transaction, and to charity at that, in time for the deadline for the "i was wrong" story does seem a little too neat and tidy.

As for his original rant, it certainly should be true...if you post someone a cheque for a mail order item they'd have your account details, signature and your address.

Or if you pay by CC they have the details too, and your CC number.

Clearly if this is enough for identity theft, the banking system is fatally flawed. This idea about keeping your details secret is bollocks - you cannot do it - you have to give these "secret" details away all the time...and so do the people that have them.

@Banks should be contacting their customers 

Posted Friday 18th January 2008 07:03 GMT

Here in India, they do that. At least my bank does. I get text messages and email alerts for every transaction like CC, debit cards etc. It is a feature you opt for though.
