I was wondering if anyone has had this scenario before? I have my own log in for one of my client's bank accounts and when I used it first, the page that came up listed both of his accounts, but also my personal account with the same bank! Thought this was a bit strange as I have a completely different log in for my personal account. (Also it's a personal and not a business account). I complained to the bank at the time and they said I could remove it from the start up screen and talked me through how to do it. Anyway, that was that.
I suggested a couple of weeks ago to another client that I also had my own log in for her bank accounts, which incidentally was the same bank (which shall remain nameless....for now!) so we duly filled in the forms and I was waiting for log in details to arrive in the post....as they do! When I logged in at the first client's today, lo and behold there were all the other client's bank accounts listed!!! I hadn't heard from the bank with any new log in details, or indeed at all.
I have removed these accounts from the list again, but thought it was a bit worrying. What would have happened if my first client had lost his log in details and had to use mine (which has happened before) and there would have been all my other client's accounts for him to see!!
Do you think this is worth a query/complaint to the bank in question?
With HSBC's log in for business banking, I believe* you can have multiple businesses/bank accounts associated with any given user - so that when you log in with your specific user name, you can see (say) your business accounts with them, this client's business accounts with them, that client's accounts, and so on - provided you've been set up with online access with the same user name in each case.
The advantage with doing this would be that you then have just a single log in and a single 2FA security device.
What it doesn't mean is that the clients have access to your accounts or any other client's accounts - they'd only have access to the ones their user name has been set up for.
However, that's all just in theory (with my most logical of hats on). I stress that I don't know this for certain, but just believe - even strongly suspect - it to be so. This is because I don't think it's explained anywhere obvious, such as on the bank's website, for example. Tsk.
I suspect that whichever the bank in question, it works in a similar way - so my guess is that you were almost certainly concerned over nothing.
However, I think the banks may be partially blamed for this, because - as I said above - with HSBC, at least, it's not made clear anywhere obvious. Other banks may be similarly hiding an important feature (and one that, as you've discovered, is alarming if it catches you unaware). I would have expected that explanation to be forthcoming when you contacted the bank, which is particularly odd (for values of odd that may include silly).
(Interesting that your personal account appeared though - I'd have thought business and personal log ins would be handled differently; they are on HSBC.)
* It didn't occur to me until after a client set me up with access to their HSBC account. Not being at my own desk at the time, and not looking at the HSBC log-in process, I didn't give it a moment's thought - but when they were setting me up and I suggested the same user name that I already used with HSBC, it told them the user already exists, so a slightly different name was used... now I have two user names, two passwords, two security devices - and each time I log in to either, I am given a menu of businesses to select, each with just one business! It's a ruddy nuisance this way because even though I take good care not to, it's still easy to get the security devices mixed up. I tried marking one, but the mark wore off. :/
__________________
Vince M Hudd - Soft Rock Software
(I only came here looking for fellow apiarists...)
The thing is I don't log in with a specific user name, just a string of numbers, which I would have thought would relate only to the bank accounts that I had applied for log ins for. Obviously they have my name as the person who applied though.
I'm not concerned about the fact that I personally can see all the accounts when I log in to view one client's accounts, I'm more concerned over the fact that if one client loses their log in and needs to use mine in the meantime, they would be able to see the other client's accounts. I suppose the obvious answer is not to let him use my log in!
It doesn't matter whether the log in is with a meaningful name and a password, or a string of numbers and another string of characters - one of those two in either case is used to identify the person logging in, the other as part of the authentication of that person. But in order for the password (or pin or whatever) to be checked against the database, it needs to know which record in the database to check - that's the user identifier, be that a name, a number, or whatever.
That's arguably oversimplifying things, but at a basic level that's what any log-in system is doing.
Once authentication has succeeded, the record can then in theory be used to establish that this user can access this set of accounts with these privileges, this set of accounts with those privileges, this set of accounts with... and so on - which is what I think may have been happening in the situations you described.
However, as I said above, this isn't a hard fact, just something I believe they might be doing, because they should certainly be capable of it - though if it is, my flabber is gasted as to why they didn't bother explaining that to you when you raised the issue with them.
__________________
Vince M Hudd - Soft Rock Software
(I only came here looking for fellow apiarists...)
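The identify, authenticate, then authorise sequence described in the post above, as an added example that is not part of the original thread and does not represent any bank's actual system. The class, user IDs, secrets and account names are all constructed for illustration.

```python
import hashlib
import hmac
import os

def _derive(secret: str, salt: bytes) -> bytes:
    # Slow salted hash so stored credentials are not reversible.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

class OnlineBanking:
    def __init__(self):
        self._credentials = {}   # user id -> (salt, derived secret)
        self._entitlements = {}  # user id -> {account: privilege}

    def enrol(self, user_id: str, secret: str) -> None:
        salt = os.urandom(16)
        self._credentials[user_id] = (salt, _derive(secret, salt))
        self._entitlements.setdefault(user_id, {})

    def grant(self, user_id: str, account: str, privilege: str) -> None:
        self._entitlements[user_id][account] = privilege

    def login(self, user_id: str, secret: str):
        """Return the accounts this login may see, or None if it fails."""
        record = self._credentials.get(user_id)    # identification
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(stored, _derive(secret, salt)):
            return None                            # authentication failed
        return dict(self._entitlements[user_id])   # authorisation

def demo_bank() -> OnlineBanking:
    # Constructed sample data: one bookkeeper ID linked to two clients.
    bank = OnlineBanking()
    bank.enrol("40017", "bookkeeper-secret")
    bank.enrol("51288", "client-a-secret")
    bank.grant("40017", "client-a-current", "view")
    bank.grant("40017", "client-b-current", "view")
    bank.grant("51288", "client-a-current", "full")
    return bank

if __name__ == "__main__":
    bank = demo_bank()
    print(bank.login("40017", "bookkeeper-secret"))  # both clients' accounts
    print(bank.login("51288", "client-a-secret"))    # client A's account only
```

The entitlement list belongs to the user ID, not to whoever is at the keyboard, so anyone who logs in with the bookkeeper's details sees every client linked to that ID.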
"I suppose the obvious answer is not to let him use my log in!"
Woah! I didn't spot that you'd mentioned something to that effect in your original post.
You're absolutely right. Not only is that the obvious answer, but doing otherwise - letting someone use your log in - should be a cardinal sin, punishable by being repeatedly hit with a cluebat until the fact that it's a silly thing to do sinks in.
__________________
Vince M Hudd - Soft Rock Software
(I only came here looking for fellow apiarists...)
Yes, ok, point taken, I won't let him use my log in. He's only had to do it once before and he doesn't now know my new details, but it still seems a bit strange to me that different clients' accounts appear when I log in using details that have been given to me to access only one client's accounts.
Hubby said that he had the same problem at his work. He was given a log in to access their account with Barclays and when he did he was confronted with the Partners' personal accounts as well.
When you say your hubby was given a log in... was he given his own log in, or did the partner in question give your hubby his log in details?
If the former, either Barclays need to be hit repeatedly with that cluebat, or (possibly) the business' online banking was set up incorrectly/linked with that partner's personal accounts.
The cluebat is a bat for hitting people with until they get a clue.
__________________
Vince M Hudd - Soft Rock Software
(I only came here looking for fellow apiarists...)