Zero Trust Purchasing

Avoiding untrustworthy vendors is sound advice, but it is not always straightforward to evaluate them ahead of making an online purchase for the first time. This article introduces virtual credit cards, the reasons for needing them, and how they work as a viable countermeasure to reduce or avoid fraud.

A virtual credit or debit card works in the following way:

  • New bank account – you first need to open a bank account that supports this feature to use virtual cards. This part of the process is the same as other bank accounts. Your existing account may already include such a feature.
  • Create a virtual card – using your bank’s online portal, create a virtual card. The virtual card will include the 16 digit card number, the expiry date and the Card Verification Value (CVV) number found on the back of physical cards. The difference is that your bank will create the virtual card instantly.
  • Make purchases – use the virtual card details to make online and telephone purchases without disclosing your physical card details
  • Delete your virtual card – deleting your virtual card will immediately block all further transactions. You can keep your card details for multiple transactions or delete your card once a single transaction is complete.

Reasons for implementing these countermeasures include:

  • Online accounts that don’t allow card removal – as customers, you should have the option and the right to delete your card details, but in practice, many vendors have not implemented this and refuse to cooperate if you ask for the removal of your details
  • Avoid subscription scams – some vendors have hidden terms and conditions that state that you are joining a club by making a purchase. Consequently, the vendor takes money from your bank account and adds it to your online vendor account, ready for future purchases. This type of purchase deviates from how people buy goods and services and, combined with the fact that very few people read terms and conditions on websites because they are too long and convoluted, this can catch people out. This kind of behaviour will show up when reading online reviews.
  • Stealth auto-renewal – vendors often keep hold of card details and set payments to renew automatically without informing their customers, either during the initial purchase or ahead of renewals
  • Reduced need to cancel physical bank cards – the option to create and delete virtual credit cards means that if anything untoward takes place involving your bank account, it will not be necessary to request a replacement card. Removal of virtual cards will eliminate the risk.
  • Free trials – many services offer free trials and require the use of a credit or debit card so they can take payment from your account at the end of the free period unless you choose to cancel the service. You must ensure that you are not legally obliged to make payments if you fail to cancel a service explicitly. Use of virtual cards for trial registration followed by immediate deletion will offer protection against vendors that:
    • Make it difficult to cancel services
    • Mislead you into believing you have cancelled a service
    • Don’t respond to customer support requests for cancellation
    • Refuse to let you remove your card details

Banks are unlikely to investigate issues if you have given your card details to a vendor and will likely tell you to speak to the vendor to resolve the problem. The outcome will depend on the overall credibility and trustworthiness of the vendor.

Other countermeasures include:

  • Looking for reviews online – vendors often have reviews and testimonials on their websites, third-party websites, and discussions on social media. Sadly, fake reviews are commonplace, so you can’t always trust what you read.
  • Looking for online complaints – if a vendor misbehaves, refuses to cooperate with their customers in resolving problems, customers lose money, or gets upset for any other reason, complaints will find their way to review websites and social media
  • Only having the money you need for the transaction in the account – works if your bank account doesn’t have any credit facilities attached to it, so you can never have a negative balance. The vendor can never take more than expected during the first transaction. Even with free trials, it is possible to have items added to your shopping basket by default or pre-selected checkboxes, including a surprise purchase.

Remember that when you give your credit or debit card details to a vendor, you have no control over how they store or use them. The countermeasures here assume Zero Trust – you don’t trust the vendor from the outset.

Post-Brexit VAT Due Diligence

As a result of Brexit and the expiry of the transition period, the European Commission Taxation and Customs VAT Information Exchange System (VIES) system (http://ec.europa.eu/taxation_customs/vies/) is no longer available to GB registered businesses.

The new system for UK-registered businesses is here – https://www.tax.service.gov.uk/check-vat-number/enter-vat-details

Although many businesses still ask for a copy of the VAT registration certificate as part of their supplier due diligence process, it is essential to remember that the certificate only shows that a VAT registration existed at a single point in time. Please consider the following alternatives:

  • Verify the VAT registration online as part of your invoice processing
  • Verify the VAT registration at periodic intervals throughout the relationship with the supplier
  • Use the online process while onboarding your supplier

The new HMRC service allows UK VAT-registered businesses to prove they have performed checks. However, this is not guaranteed to absolve companies of financial liability for any VAT paid and subsequently claimed, strengthening the need for increased vigilance. Businesses knowingly or recklessly participating in fraudulent VAT transactions can become jointly liable for the unpaid VAT.

You can report suspected VAT fraud here – https://www.gov.uk/report-vat-fraud

Mixed enthusiasm for cost avoidance

Avoiding the need to spend money in the future isn’t always something to write home about. This software licence audit illustrates how we saved £250,000 in future expenditure, but resulted in an overall lack of enthusiasm.  

  • A software package costs £200 per licence. An audit shows that there are 2000 installations—a total cost of £400,000 in software licences
  • An audit of purchasing records show the purchase of only 500 licences
  • The business has already spent £100,000 on licences and to be fully compliant an additional £300,000 of expenditure is required
  • An audit of software usage shows that only 750 need to use this software package
  • After removing software no longer needed, the business needs an additional 250 licences – reducing the additional licence cost from £300,000 to £50,000
  • Removal of 1250 software installations has reduced future expenditure by £250,000

As auditors, we can be enthusiastic about:

  • Saving the company £250,000
  • Reducing the commercial risks associated with unlicensed software

However, other’s enthusiasm wanes because:

  • An immediate expense of £50,000 is required
  • The £250,000 was never actually spent so is not returning into a budget
  • Nobody knew about the £250,000 risk exposure so easily forgotten
  • No further action is required on the £250,000 saving, whereas the £50,000 expenditure will no doubt require approval and be visible at c-suite and director level
  • When considering the cost benefits associated with the audit, the identified need to spend £50,000 is something memorable, not the £250,000 saving

First Time Bank Transfers

Don’t make bank transfers for purchases if:

  • You don’t know the seller
  • You are making a first-time purchase
  • You have potential trust issues with the vendor

That said, there are cases when you want to pay for goods and services using banks transfers, and this article outlines a countermeasure to reduce loss from accidents or fraud.

Here are the steps:

  • Request bank details – during the purchase, the vendor will provide the bank details, including the Account Name, Sort Code and Account Number. No change here.
  • Set up as a payee – Add the recipient as a payee in the usual way
  • Send a random micropayment – make a tiny payment as a test to ensure you have the correct bank details set up as a payee.
  • Ask the recipient to confirm the amount received – notification of the exact amount received is confirmation that you have set up the payee correctly. The amount is essential, not just “yes, got it”.
  • Pay the outstanding balance

This process:

  • Avoids accidentally sending a large sum of money to the wrong account
  • It prevents a vendor from denying receipt of a large payment

Banks have improved security by confirming the payee to provide greater assurance that you are sending payments to the intended recipient. This extra layer of protection helps avoid misdirecting funds to the wrong account and reduces fraud as you need to know the recipient’s name to make a payment to them. Without the name or the correct name, it will not be possible to confirm the payee, and the transaction will show up as a red flag before payment. You should be suspicious if a vendor volunteers an explanation in advance as to why the confirmation of payee will not sure a match against bank records.

NHS Test & Trace: Genuine or Fake?

The ‘NHS Test and Trace’ system is up and running in England. I didn’t expect to receive a fake telephone call informing me that I needed to self-isolate for 14 days. Luckily, the countermeasures to protect oneself against such calls are straight forward.

During the daily press briefing over the weekend, Dr Jenny Harries, deputy chief medical officer for England, said “it will be very obvious” when asked how people would know if the call was genuine. However, I don’t believe this will be true for all fake telephone calls of this nature. The level of fear surrounding the coronavirus is off the scale, and people respond differently to fear. Fraudulent coronavirus telephone calls will exploit the anxiety people are experiencing.

  • The caller didn’t introduce themself by name, but rather brushed over the introduction quickly into wanting me to confirm my date of birth for identification purposes
  • The caller wanted to know who I had spent time with recently – the caller refused to tell me who I had been in contact with on the grounds of patient confidentiality
  • The caller wanted to know where I had been while outside my home – the caller refused to tell me where or when I had contact with a Covid-19 carrier
  • The caller evaded question from me, by asking more questions; which all required me to provide personal details. It felt like an attempt to drown out my thinking on the matter so that I would respond from panic and fear rather than rational thought.
  • The call came through to my phone as an unknown number – official information states that the incoming call should be from 0300 013 5000. It is worth noting that caller-IDs are easy to spoof, so the correct number could still be a fake call.
  • The tone of voice had more in common with professional sales staff working the streets to sign people up for monthly charity contribution or those that want you to change your Gas, Electricity or Broadband provider. Nothing said gave me the impression that the call was genuine, or that the caller had any health services experience.

These factors collectively supported my quickly formulated opinion that the call was fake. Although initially, thoughts raced through my mind about who I had been in contact with over the last week. Then onto who else I could have passed the virus on to — then compounded by the death rate over 38,000 people in the UK and 350,000+ globally. Then within a few seconds, my thoughts changed from potential consequences to one of scepticism about the call itself. Instead of thinking about family and friends, I found myself wearing my information security hat again, and everything about the telephone call felt wrong.

Very quickly, it became apparent that it was a tactic to get me to provide the information, which they could confirm as the reason for me needing to self-isolate. The caller wanted information from me but failed to demonstrate any credibility that they were genuinely acting on behalf of our National Health Service. I ended the call. The caller has not yet called again. I can speculate as to the direction of the telephone call had I answered questions without thinking, but will reserve that for a follow-up article.

The problem is that too many organisations call their customers, and expect people to identify themselves, so people are used to the idea of answer security questions whenever an organisation calls them. There is no way to know for sure if these types of calls are 100% genuine, and the only real defence is to politely inform the caller that you will call the NHS Track and Trace helpline to discuss the matter in detail. Using the official contact telephone number is something that I always recommend when financial institutions contact their customers. The same applies in this case. The contact telephone number, along with additional information is available at:

Conclusion

Contact tracers should ask people to call the official contact telephone number to discuss the matter; this will allow proper dialogue to take place. As this is unlikely to happen, the security measure is as follows:

  1. Accept the call. The caller will identify themself as calling from the NHS Test & Trace team
  2. Thank the caller for making contact
  3. Inform the caller that you will contact the NHS Test & Trace team directly on the official contact telephone number
  4. End the call and obtain the correct telephone number from an authoritative source.
  5. Contact the NHS Test & Trace team directly

If we are going to self-isolate for 14 days, the least we should expect is to know and understand the conditions in which we potentially became infected with Covid-19.

This article is one that I wish I never needed to write. However, it was inevitable that with something so life-changing as coronavirus, widespread fear and anxiety would be open to exploitation for malicious purposes

Updated – 2nd June 2020

Thirty hours have elapsed since I received this call, and I have not received any further contact on this matter. If this were genuine, someone would have attempted to contact me again by now given the importance of the test and trace programme.