A UK government strategy for tackling internet fraud has been criticised by a senior banking security researcher. The UK's first National Fraud Strategy, launched on Thursday, aims to crack down on fraud that costs Britain £14bn a year, by "strengthening the counter-fraud community’s response to their activities and providing …
Sounds like a resilient strategy... 8-)
I love the idea of a Plastic Crime Unit. Is it staffed by plastic police officers, and do the City of London Police have an Elastic Crime Unit to go with it? I think we should be told.
Chip and PIN system is not good enough at deterring all types of fraud crimes
Banks have option to reduce all fraud crimes to virtually ZERO simply by making signature and PIN systems reliable as proposed on website www.xwave.co.uk
Proposed ID KEY system will enable individuals to obtain their ID stickers at any point of transaction plus provide Card Key Code to activate PIN transaction and hence deter use of stolen or skimmed cards.
Only this system will eliminate the need for us to protect our personal and card details to deter fraud.
I hope that banks will exploit proposed system before it is too late to stop a fraud boom.
The city of London police.....
...are an absolute disgrace, and they seem to operate pretty much independently of the main police force, making up whatever they feel like as they go along. I work in the city and I once saw them physically beat a bloke up with very little provocation, and anecdotally I've heard other people have seen them at this sort of stuff. Their court system is also a bit on the kangaroo side, as an example they once sent me a ticket for speeding over tower bridge - they don't put properly sized signs up to tell people it's a 20 limit and that there's an average speed camera because they have special dispensation not to, because hey, they're the City of London police so fuck you. For a laugh I went into the court, they made me fill in a load of means testing forms and put static noise on while they discussed how much they could get away with stinging me for - 260 quid in the end, as opposed to the usual 60 for such an offence. They're so so dodgy, they should be brought into the main police force who in my experience tend to be ok.
So the idea of that lot policing anything security related where people in financial services have vested interests scares the hell out of me, they're all completely bent.
Thank you Ross!
Thanks once again for flaming some reality into these people.
I'm not sure they don't "get" it - I'm starting to think they get it all too well.
Does Ross have ANYTHING useful to say?
El Reg, please tell me... why do you keep giving this negative - no solutions, anti-banker more coverage??? I'm not the only one who seems to think he's a muppet! http://www.infoseccynic.com/2009/03/19/ross-anderson-does-it-again/
How dare you.
That is a blatant slur on the banking and police systems of Uzbekistan.
Missing the point
The unfortunate point is that by coming up with puerile comments about Uzbekistan Borat, sorry, Ross has effectively buried the bad news in the actual figures released today.
That said, @ Javvad, I agree Ross normally comes up with attacks along the lines of 'utilising a straightforward process replicable in any major Government research lab, one can nick 50 quid from a cashpoint', but recently I'm not so sure that some of these attacks aren't more realistic.
And @ George - thanks for reminding me of xwave. I needed a laugh. Perhaps someone should send it to Ross to see if he can think of a way around!!
The _vast_ majority of card fraud happens in foreign countries, where they don't have chip and pin or across the internet. If they don't have chip and pin, what do you think the chances of their adopting this system are? Across the internet it wouldn't be possible.
C&P isn't about eliminating all fraud, it's about minimising it with fair cost. i.e. it's less expensive for the card issuers to make compensation payments and fund the coppers' plastic crime unit than they lose.
As for Ross Anderson, isn't that the guy who came up with the laughable 'hack' which transmitted a real card into a fake with a ribbon cable coming out of it? Somehow this was a proof of failure of C&P and would allow fraudulent transactions... The merchant wouldn't have noticed a ribbon cable...
There is a government policy called Information Assurance (Information Security and Service Quality), hatched in Cabinet Office's CSIA during those wonder years up to end 2004 when we were all going to move very soon to doing every possible interaction with the public sector on the internet (M Prodi wanted the eService model all across the EU). But IA never came out of the closet, and so is not implemented. It was revised in 2007, and what a muddle those docs are. It is now time to open up the cabinet, take it out, dust it off, make it better - and expand the Information Commissioner's remit so that he polices it.
Sorry, I don't always agree with Ross but you are wrong when you say
"As for Ross Anderson, isn't that the guy who came up with the laughable 'hack' which transmitted a real card into a fake with a ribbon cable coming out of it? Somehow this was a proof of failure of C&P and would allow fraudulent transactions... The merchant wouldn't have noticed a ribbon cable..."
The whole point was that the merchant could well be the one committing the fraud. I seem to recall that there was an issue in some petrol stations where people working there were defrauding the customers.
The reality is that the banks continue to blame their customers for fraudulent transactions. They make sweeping claims on the security of their payment systems and use these claims to place the blame on the customer when things go wrong.
The merchant committing fraud is never a problem because they will always be caught. All you need to do is to do a little data mining and work out where all the cards that have been fraudulently used have previously been used (the banks share this information). Ross was pretty specific (in that Watchdog programme) that merchants would be targeted. Again, he failed to suggest how someone would be able to run a fake merchant site and not be caught out when banks realised that fraud victims hadn't been charged for a meal out/a book they purchased etc. all at the same location.
The issues in petrol stations are due to crims coming in and pretending to be workers (or actually being workers) and installing pinhole cameras etc. and scanning magstripes. Not a chip and pin problem because the cards tended to be cloned and used in non chip and pin countries.
I'm not sure that I buy the banks using C&P to blame customers because of the two people that I know who have had cards fraudulently used, one had his cloned at a petrol station and the bank were fine about it, returning the money pretty quickly. The other had his wallet nicked, admitted to the bank that the pin was written down in it, they didn't give him any money back but he shouts about it all the time like it's the bank in the wrong. (Same bank in both cases).
Re: Sounds like a resilient strategy... 8-)
“I love the idea of a Plastic Crime Unit. Is it staffed by plastic police officers […?]”
If their hands open up, revealing an embedded gun, then yes.