Banking Fraud - we need the will to stop it

Posted by Peter Cochrane on March 14, 2007

Peter Cochrane, Financial Times Digital Business, Wednesday 14 March 2007, page 2

No matter what business you are in, there is always a magic number that triggers attempts to stem losses through illegal activities. The percentage of turnover, profits, or the absolute number varies by industry and country. In the UK banking sector it seems that 30m is deemed serious.

With recent figures highlighting a drastic rise in online retail banking fraud, there has been a sudden rise in attention levels. In the first half of 2005, online fraud was 14.5m, and this rose to 22.5m in the first six months of 2006. Everyone is holding their breath during this first half of 2007, but my guess is the figure will probably have grown to about 40m.

Like everything else on or associated with the internet, online banking fraud has been growing rapidly, and if unchecked, will undoubtedly continue to do so. Why have these losses suddenly taken off? There are several mechanisms at work:

In the beginning, clients would dial into a server on a known fixed telephone line and use an identifiable PC located in the privacy of a home or office. This, coupled with a dedicated password and Pin, provided a pretty secure connection and identification system that was difficult to crack.

In addition, access times, use and habits also tended to be reasonably predictable. So, there were at least five variables in the security equation that a fraudster had to defeat simultaneously.

None of the above is now true. People increasingly access bank accounts on the hoof, gaining access over the internet by local area networks, Wi-Fi, or 2.5/3G mobile connections from multiple locations and multiple terminals. PCs, laptops, PDAs and other mobile devices equipped with browsers access bank accounts from anywhere, including the home, office, internet café, airport lounge, hotel bedroom and public kiosks.

This reduces security to only two variables - a password and Pin. At the same time, users are physically exposed, more easily observed, and use weakly secured internet connections.

The ease with which software attacks can be carried out has increased their frequency, while more direct methods, such as spying on hole-in-the-wall ATMs, have also proliferated.

Banks and the banking system are failing to do everything they could to help protect their customers. Wiring an unusually large amount of money across the planet from one bank to another involves at least three or four phone calls and several intermediate security checks.

But to set up a bogus transfer from a victim's credit card or bank account either as a one-off, on a sporadic, or regular basis, is simple and almost unguarded. It means customers have to be alert; they have to spot it, and they have to call the bank.

The victims of online fraud also have a role to play. They should install firewalls and have adequate virus protection - but they often do not. An inability to use technology safely and a poor appreciation of the risks involved make consumers doubly vulnerable.

There is an argument here for greater education, urging everyone to take responsibility for their online transactions. However, I fear this issue is still not at the forefront of the public's mind.

No one knows the size of banking fraud, and specifically, the online portion, but worldwide it runs into billions.

The spread of the PC, broadband and mobile networks, coupled with changing working and travelling habits, are developments that attract the attention of organised crime.

This market is accessible anywhere by anyone, so crime syndicates anywhere have equal access to the same potential pot of gold. Moreover, they have access to the same technologies as legitimate companies and banks, and they can afford to employ tech-savvy people as well as currency mules to help launder the profits.

Does all this spell the end of online banking?

I think not. The legitimate world of banking, business, and the honest citizen, can defeat the criminals. But they have to stop being complacent and reactive. They must become proactive, more diligent and more security-conscious.

For starters, a reliance on the basic two-parameter password and Pin access systems provided by most banks needs an upgrade. Clients need the added protection of at least four or five parameters unique to them. At the same time, the customer must not be slowed down or inconvenienced.

The high-tech solution might involve: USB or Bluetooth security dongles; unique software supplied by the banks; mobile phone calls initiated by a bank; biometrics such as typing, voice and facial features. On the low-tech side: the use of pictures uniquely identifiable by the customer; additional code words, dual website log-ons and so forth.
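The column's argument is that a fixed line, a known PC and predictable habits once gave the bank five variables to check, and that mobile access has collapsed this to password and PIN alone. The added example below (not code from the column or from any bank) shows how a login check can restore several of those variables as a risk score: the customer's password and PIN are still required, but the device, country, time of day and network type are compared against a per-customer baseline, and a moderately unusual attempt is routed to an out-of-band step-up such as the bank-initiated phone call the column mentions. All names, thresholds and the sample customer profile are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Constructed example: a per-customer baseline of "normal" access. In a real
# deployment this would be learned from history; here it is hard-coded.
@dataclass
class CustomerProfile:
    customer_id: str
    known_devices: set = field(default_factory=set)   # device fingerprints seen before
    usual_countries: set = field(default_factory=set) # countries the customer logs in from
    usual_hours: range = range(7, 23)                  # local hours of habitual access

# One login attempt as the bank's front end would see it (assumed fields).
@dataclass
class LoginAttempt:
    customer_id: str
    device_id: str
    country: str
    timestamp: datetime
    password_ok: bool
    pin_ok: bool
    network: str   # "home", "office", "mobile" or "public_wifi"

def risk_score(profile: CustomerProfile, attempt: LoginAttempt):
    """Return (score, reasons). Higher means more suspicious.

    Password and PIN remain mandatory; the other parameters add evidence
    rather than replacing them. Weights are illustrative assumptions.
    """
    if not (attempt.password_ok and attempt.pin_ok):
        return 100, ["credential mismatch"]
    score, reasons = 0, []
    if attempt.device_id not in profile.known_devices:
        score += 30
        reasons.append("unknown device")
    if attempt.country not in profile.usual_countries:
        score += 30
        reasons.append("unusual country")
    if attempt.timestamp.hour not in profile.usual_hours:
        score += 15
        reasons.append("unusual hour")
    if attempt.network == "public_wifi":
        score += 15
        reasons.append("public network")
    return score, reasons

def decide(profile: CustomerProfile, attempt: LoginAttempt) -> str:
    """Map the score to allow / step_up / deny.

    step_up means: complete the login only after an out-of-band confirmation
    (for example a call placed by the bank to the registered phone number).
    The thresholds are assumptions chosen for the example.
    """
    score, _reasons = risk_score(profile, attempt)
    if score >= 60:
        return "deny"
    if score >= 30:
        return "step_up"
    return "allow"

# Constructed sample customer and attempts for a stand-alone run.
SAMPLE_PROFILE = CustomerProfile(
    customer_id="cust-0001",
    known_devices={"laptop-home", "phone-personal"},
    usual_countries={"GB"},
)

def sample_attempt(device="laptop-home", country="GB", hour=10,
                   password_ok=True, pin_ok=True, network="home") -> LoginAttempt:
    return LoginAttempt("cust-0001", device, country,
                        datetime(2007, 3, 14, hour, 0), password_ok, pin_ok, network)

if __name__ == "__main__":
    for label, attempt in [
        ("routine login", sample_attempt()),
        ("new device", sample_attempt(device="kiosk-unknown")),
        ("new device abroad", sample_attempt(device="kiosk-unknown", country="XX")),
        ("wrong PIN", sample_attempt(pin_ok=False)),
    ]:
        score, reasons = risk_score(SAMPLE_PROFILE, attempt)
        print(f"{label}: score={score} decision={decide(SAMPLE_PROFILE, attempt)} reasons={reasons}")
```

The `reasons` list is what an analyst or the customer would see in an alert, and the step-up path is where the column's dongles, bank-initiated calls or picture challenges would plug in; the point of the score is that the customer's normal routine costs them nothing, while an attacker holding only the password and PIN still has to match the other parameters.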

But a lot of the advantage afforded by these changes could be lost if the basic customer behaviours and equipment security subvert them.

How difficult is it to advise customers about what form bank communications will take and inform them they will never be asked to divulge passwords and Pins online, or to load any software remotely?

Just as in the physical world, it is never enough simply to install an alarm system or an extra lock; there must also be a police force pursuing criminals. And many fraud attempts provide useful information for law enforcement agencies.

In the case of virus attacks, for example, it is relatively simple to construct an "immune system" for the internet. Software that recognises viruses works back into the net and destroys them all the way back to the source - just as white cells do for the human body.

If I park my car on a yellow line I get a ticket, may get towed away, and always get a fine. But I could go out and commit any amount of internet-based fraud and there is zero chance of getting caught. I think we have to make a few decisions on the relative degree and importance of crimes and deal with them accordingly.

The banks, companies, network providers, internet service providers, and equipment and software producers have resources enough to overwhelm and disable all the criminal organisations on the net, but they have got to want to do it. Sooner or later, the magic number will become so big that everyone will become motivated to cure this problem.

Of course there is another scenario, which would see retail banks continue to abdicate their responsibility for the security of consumers' hard-earned cash.

This may become manifest in legislation that could result in the online consumer picking up the tab for any online fraud suffered.

If that were to happen, I think it would most likely kill online banking and have other serious, and negative, repercussions for banking and commerce.

Peter Cochrane holds a number of prominent posts as a technologist, entrepreneur and writer, and is a co-founder of ConceptLabs.