Banks' practices

It seems that Australians are not protected from potential scams from change.org either.

What is that QR code doing there to entice happy snappers? What is in it?

From Wikipedia,

But why use a US-based website for a petition to the Australian government when there’s an Australian government website for such petitions? Any petition, regardless of where and how it’s created, would have to go through the relevant process (diagrams from the website included below) for acceptance of e-petitions and paper petitions. E-petitions can be created, signatures gathered, and petition submitted via that site.

which also collects and shares user data.

1 Like

It contains https://chng.it/FNj8HNkSk9

which then redirects to https://www.change.org/p/australian-banks-should-do-more-protecting-customers-reimbursing-scams-and-fraud-victims?utm_source=share_petition&utm_medium=qr_code&utm_campaign=petition_details&recruited_by_id=a112dcb0-e0e3-11ee-9a88-957d2820643e (which you will note contains a bunch of tracking - ignore the fact that the Discourse forum software has butchered the formatting of the URL that is too long).

2 Likes

I’ve gone off change.org because after you sign up, it wants you to donate money and sign up for various other petitions. If you post a petition, and pay for it, I wonder if there’s the option of it limiting its interaction with people who sign up to just that petition and nothing more?

I appreciate that banks may not take scams as seriously as they should, and there have been the issues over how they charge and market to people. Definitely issues. But, there has been a situation where, strange to say, banks have been “the good guys”.
This is apparent if you read the inquiries into the casinos. Banks were trying to flag dodgy accounts with the casinos, and the casinos were trying to “fob them off” rather than engage with the possibility that the banks’ concerns were legitimate. The banks were going with the spirit, not just the letter of the law.
Mind you, it is possible the banks had an “emotional corporate memory” of the connection between gambling and fraud, prompting them to take the issue more seriously than they otherwise would.
Still, it is intriguing, in a “man bites dog” sorta way … banks “the good guys”. Who woulda thought?

1 Like

Coming to a bank near you.

Confirmation of Payee - Australian Payments Plus.

We’ve already received advice, assuming more will follow.


To hope by full legal account name it includes the registered ABN and where applicable ACN of the business the receiving bank has accepted as correct when opening the account. To be implemented as an extension to the NPP.

4 Likes

Well that sucks! So it means … privacy fail without consent?

(In other words, for example, if you sell something privately and the purchaser pays you via BSB and account number, you are potentially automatically exposing all those unspecified account details to someone that you don’t know from a bar of soap, have negligible details for yourself, and may never deal with again.)

PayID is a better answer because it allows you to manage the privacy fail.

Anybody’s guess since account names for non-person entities are complicated.

It is possible that the distinction being made here is trading name v. company name. In many cases the trading name will make sense and the company name will not but the company name more directly relates to a corporate identity and a legal entity. (As ASIC has taken over managing trading names, the situation is a lot more sane than it used to be.)

I doubt that the full legal account name includes either ABN or ACN.

I see no evidence that the ABN or ACN will be shown but that doesn’t mean that it won’t be and I would be surprised if the bank did not collect that as part of account opening. Could get complex I suppose for business accounts opened before 1 July 2000.

For what it’s worth, given an ABN, it is possible to derive exactly one of

  • the corresponding ACN
  • the fact that the ABN does not correspond to an ACN.

ABNs are in the registered business name (sole trader, partnerships, indigenous corporations, cooperatives, company, trusts or joint ventures).

Bank accounts are most commonly in the trading names. Trading names are commonly not the same as business names.

For some larger businesses, the trading and business names might include the same or similar words. Example being Commsec (viz. Commonwealth Securities Limited) and Commonwealth Bank of Australia.

Many businesses also have more than one trading name.

For our own business, the registered business name is different to the trading name. There is no similarity and one can’t look at one and deduce it has some relationship with the other. Example being business name of J and J Blogs (partnership name) or Jane Doe (sole trader) with a trading name of Acme Retail. Absolutely no correlation. This applies for most businesses in Australia.

Further to this, Acme Retail might also be the bank account name, with the trading name being Acme Discount Wholesale and Retail Supplies. Simplification possibly due to character limits in banking computer systems.

Trying to link business ABNs to trading names which might be used for bank accounts will cause mass confusion. Trying to link trading names to simplified bank account name will cause mismatches, and confusion as well.

We try and reduce confusion by stating our business name is XYZ with an ABN of 123, and we trade under the name of ABC. While not perfect, it is the only practical solution.

As I have indicated elsewhere, EFTs incoming or outgoing are not a common payment method with our business. It is limited to business to business transactions, not customer to business transactions. The latter is done by card payments. It is worth noting most business to business is card transactions or BPay.

Anyone we don’t know asking for EFTs as the only payment method automatically raises a red flag. This is because we don’t know of many businesses which only accept EFTs. Most have two or more options.

I can see EFTs would be used for investments, but, we find that many Australian ones also accept BPay or accept direct debit (through filled in forms and bank approval).

Not to judge whether one is better off or worse, to note:
Whether an exception or the norm we have regular dealings with a number of local businesses where neither BPay nor CC payments are provided for.

Services are invoiced and a BSB plus Acct number provided. Perhaps they are too small or choose not to pay for the alternative. They include a plumber, land rehabilitation service, electrician and communications service provider. The alternative is to pay cash. For those who provide goods vs services CC or cash seems to be the norm, although trade will mostly pay on account.

For everyday needs from a loaf of bread or coffee to …. Card payments are the norm, cash happily also accepted.

For those concerned about one’s account ownership being provided to a party about to make a deposit/payment to your account. Can we assume they already know the personal details of the account holder? Name, home address and dob plus DL number.

We may be talking at cross purposes but I am basically talking about how ASIC uses the terms.

Let’s suppose we are talking about a company (not sole trader, partnership, coop, trust, …). And for simplicity let’s suppose that the company has an ABN.

There is a thing “business name”. A business name is not a legal entity. You register the business name and associate it with a company. You do that if you want the name to be exclusively for your use and probably because you don’t advertise the actual company name and instead advertise the business name. The business name may well be optional.

The company identifiers are: company name or ACN or ABN. Any one of those by itself will identify the company. So the “company name” is a thing. The company is a legal entity and it has a formal, registered legal name. A company is defined in law in the Corporations Act.

The company holds the business name.

I don’t think ASIC uses the term trading name but I was using it as a synonym for business name.

I think you are using the term business name as a superset of company name (because not all businesses are companies) but that is confusing, taking ASIC as the arbiter.

Example straight off ASIC’s web site:

Business name: ALPHA HOTEL EASTERN CREEK
Holder:
EASTERN CREEK HOLDINGS PTY LIMITED
115 963 463
96 115 963 463

In worse cases I have seen companies where the company name, taking the above as an example, would be: 115 963 463 PTY LTD

So the thought experiment here is … you have booked accom with the above and you are paying in advance via internet banking, direct deposit to their BSB+account number that you have obtained ‘somehow’ … and you want assurance that the BSB+account number are correct.

I think that is common practice i.e.

{company name} (ACN {acn} and/or ABN {abn}) trading as {business name/trading name}

with “trading as” sometimes shortened to “t/as” or “t/a”.


So my only question, as far as this change and paying businesses, is clarity over what exactly will be displayed, which in turn relates to the name on the bank account - and to be honest I don’t know what, averaged over all Australian businesses, is common practice for the bank account name.

Perhaps what the cited bank means is: This new functionality will often be useless so we are undertaking a data collection exercise before going live so that we can display both the business name and the company name.

There should be no need to ask the business customer for this information as the information can be obtained from the ASIC web site (and perhaps, given that this is being mandated by the government, directly from ASIC). How well it gets kept up to date remains to be seen and depends on the implementation …

Typically, as far as the business itself goes, there aren’t privacy considerations. The business does not want to keep itself a secret, and wants to advertise itself.

1 Like
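An added example (not part of any post above, and not code from ASIC, the ABR or any bank): the published ABN and ACN check-digit rules applied to the register entry quoted in the thread, showing how the nine-digit ACN sits inside the eleven-digit ABN. Treating a tail that passes the ACN check as the company's ACN is an assumption of this sketch, and only a register lookup confirms it; the function names are illustrative.

```python
# Added example: ABN / ACN check-digit arithmetic, usable as an invoice sanity check.
import re

ABN_WEIGHTS = (10, 1, 3, 5, 7, 9, 11, 13, 15, 17, 19)
ACN_WEIGHTS = (8, 7, 6, 5, 4, 3, 2, 1)


def _digits(text, length):
    """Strip whitespace; return a list of ints, or None unless exactly `length` digits."""
    compact = re.sub(r"\s+", "", text)
    if not re.fullmatch(r"\d{%d}" % length, compact):
        return None
    return [int(c) for c in compact]


def abn_is_valid(abn):
    d = _digits(abn, 11)
    if d is None:
        return False
    d[0] -= 1  # ABN rule: subtract 1 from the leading digit before weighting
    return sum(w * x for w, x in zip(ABN_WEIGHTS, d)) % 89 == 0


def acn_is_valid(acn):
    d = _digits(acn, 9)
    if d is None:
        return False
    total = sum(w * x for w, x in zip(ACN_WEIGHTS, d[:8]))
    return (10 - total % 10) % 10 == d[8]  # ninth digit is the check digit


def acn_from_abn(abn):
    """Return the ACN-shaped tail of a valid ABN, or None if the tail is not ACN-shaped.

    Assumption: a tail passing the ACN check is only a candidate ACN.
    Raises ValueError when the ABN itself fails its checksum."""
    if not abn_is_valid(abn):
        raise ValueError("not a valid ABN")
    tail = re.sub(r"\s+", "", abn)[2:]
    return tail if acn_is_valid(tail) else None


def invoice_ids_consistent(abn, acn):
    """True only if both numbers pass their checks and the ABN embeds this exact ACN."""
    try:
        return acn_is_valid(acn) and acn_from_abn(abn) == re.sub(r"\s+", "", acn)
    except ValueError:
        return False


if __name__ == "__main__":
    # Values from the register entry quoted in the thread.
    print(acn_from_abn("96 115 963 463"))
    print(invoice_ids_consistent("96 115 963 463", "115 963 463"))
    # Constructed ABN: passes the ABN checksum, tail is not ACN-shaped.
    print(acn_from_abn("80 000 000 001"))
```

A pass here only shows the two numbers on an invoice are internally consistent; it says nothing about who controls the BSB and account number printed beside them.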

ASIC described trading names:

Before 28 May 2012, the Australian Business Register (ABR) collected names used by entities to carry out their business activities. The ABR display these names as trading names, but trading name records have not been updated since the national business names register commenced on 28 May 2012.

Trading names do not meet the requirements of a registered business name.

A trading name is still colloquially known as the name which a customer sees when dealing with the business. This can be different to the registered business name or business name.

No, subsidiaries are different to trading names. A business can have a subsidiary which has a registered business name which also has a trading name and business name.

Using the example I provided in the earlier post, the registered business name could be Acme Discount Wholesale and Retail Supplies Pty Ltd, while the trading name (name which it uses publicly with customers) is Acme Retail or Acme Supplies…or even ACME if ACME is a well known brand.

An example is this one, which has a registered business name, business name and trading name. All three are different. A bank account may be in the registered business name, which is very different to the business name and the registered business name. What does the bank use, it currently uses the registered business name?

In the ASIC example in the previous paragraph, if I was given the registered business name to make an EFT to, I would immediately think it was a scam even though it wasn’t the case. Likewise if the trading name was used. A question should be asked if a bank should then list every possible name used by a business for comparison purposes…and if this was done it would substantially weaken the value of any checks and I suspect that it may be exploited by scammers.

The advice we were given by our bank is that payment details should reflect the business bank account details. This means that in our case, the bank account details are different to the trading name and the business name. Hence the notation which is included on every tax invoice we issue.

Incidentally, for our own use and ease of managing multiple accounts, we have however renamed our business account to our trading name in the online account, something that we do for our own purposes. This isn’t seen in EFTs or used by the bank in any way, nor will it be used for comparison purposes (if it were, another easy way scammers can defeat the system).

Another anomaly is that our PoS equipment uses the trading name of our business. This is printed on credit card receipts and appears as the name for a transaction in a bank statement. We had the choice to choose this name through the setting up of the PoS with our provider. We chose to use our trading name (and business logo) for such purposes to reduce confusion. This was also suggested by the PoS provider.

The current system is a bit of a dog’s breakfast and unlikely to be changed. I have never asked why it is the case, but think it stems from registered business names used for legal/tax reasons, business names used for a name a customer may recognise or a trading name that the business chooses to present itself to its customers. Each of these three can be very different and the banking system only uses one, that being the registered business name. Likewise for personal EFTs, the account in the name of the individuals (legal names) holding the account.

Agree that there are no privacy concerns for a business. Business details are public information and can easily be found online. Some businesses even ‘advertise’ their banking details online.

Many individuals’ personal information is also public information. Phone numbers and addresses are two examples. Phone numbers can be ‘silenced’ so that they don’t appear in public number searches, but, addresses can’t be hidden. These are available publicly through a number of sources. Generally though, if one is doing an EFT to a personal account, the account name will be the same as the individual’s name (maybe either as an individual or joint). One will most likely know who they are dealing with as far as their names go (exceptions may be foreigners which have native language and different English names they go by).

One of my repeated grumbles is the businesses which do not follow that advice. One of the nearby towns News Agents reports payments on the card statement as to a Trustee Company name. One needs a paper/printed receipt to see that detail from the point of sale. Otherwise for tap and go it becomes somewhat a guessing game unless one checks statements daily or frequently against recollections of purchases.

Governments or the banking industry could regulate or apply a code of practice to eliminate the disconnect.

2 Likes

While I agree, I suspect that not all providers have the same capability. To change may be expensive if all PoS equipment needs replacing or existing hardware needs recoding if capacity exists.

Indeed. That is the type of question that I am asking but at the same time we don’t want to overwhelm the user with information.

Legislating stupid is difficult.

Note though that the advice from Suncorp uses the nightmare words “including” and “may” - so you actually don’t know what details will be disclosed, or to whom exactly.

This appears to be being implemented in the least privacy-friendly way possible. Perhaps no surprises there though.

1 Like

What it took for the NAB to refund $1338 fraudulently taken from a pensioner customer’s account.

Mr Williams initially turned down an offer of a full refund providing he accept the bank’s non-disclosure agreement of the claim/settlement. At one point in time the NAB was after him for the bank’s legal costs which would have bankrupted him. This was despite the bank choosing to not contest the original application to the courts for compensation. It only occurred following on from the uncontested hearing and a default finding by the court in his favour.

For consumers concerned about how the fraud was enabled - the ABC article only describes what occurred. What else was required technically or failures in security verification of the transactions has not been revealed in any detail.

1 Like

The scammers had got hold of Mr Williams’ credit card number and had been able to add the card to their own Google Pay apps, then use Google Pay to make purchases with the card.

That they could do this at all means they must have exploited one or more security flaws in Google Pay and/or the issuing bank’s Google Pay card authorisation procedures.

In 2024, serious doubts were expressed by security experts about the security of three major digital wallet apps – Apple Pay, Google Pay, and PayPal – and their interactions with the banks over authorising card additions and payments. [PayPal no longer offers a digital wallet app, BTW.]

Study: The safety of ApplePay and GooglePay called into question | 16 Sep 2024 | www.consumeraffairs.com

The incidents in question happened in 2022, so could’ve been exploiting those vulnerabilities.

The security of those digital wallets has been tightened since then, so – maybe – whatever the scammers used in 2022 would no longer work. 🤞

2 Likes

I noted the increasing use of digital wallets by other visitors to Japan on our recent holiday. The use of digital wallets to also hold other content such as QR codes or other boarding cards for train (including passes) and other travel needs? Is this another potential concern for fraudulent use? Not just a bank issue?

Obviously, the overall risk depends on the app’s security as well as on that of the handshaking procedure the app has with the card issuer, whether that’s a financial institution (credit card), transport authority (travel passes), or whatever.

And, of course, the security of the device the apps are running on matters. Most digital wallets refuse to run unless the phone passes what they consider essential security tests – eg, locked bootloader and not ‘rooted’. However, passing that test doesn’t make the phone safe, by any means. Most scams use flaws that are exploitable regardless of bootloader / root status.

1 Like