A House of Commons Treasury Select Committee report has criticised banks for failing their customers in the fight against online fraud. Members of the influential committee criticised banks as being "unprepared" to deal with internet fraud as part of a wider study into retail banking, whose main conclusions called for greater …
Does not compute
Interesting - this report says cost of cyber-crime to banks (i.e. real dosh lost) is less than £50million.
So how come we regularly see reports like:
which reckons that 'the UK economy is losing £27bn a year' due to cyber-crime, of which "£1.3bn goes thanks to direct online theft."
Someone needs to buy a calculator.
online fraud falling says online banks
Board members of The Association: American Express Services Europe Ltd, Barclays Bank Plc, Capital One Bank (Europe) Plc, Clydesdale Bank Plc, Co-operative Bank Plc, Egg Banking Plc, Elavon Financial Services Ltd, HSBC Bank Plc, Lloyds TSB Bank Plc, MBNA Europe Bank Ltd, Nationwide Building Society, The Royal Bank of Scotland Group Plc, Santander UK plc, Tesco Personal Finance Plc
Do these "fraud losses" only include money lost by the banks?
Because in a lot of cases the bank tells the customer that they authorised it and it's their problem. Of course you can only estimate how much money is lost by the customers to fraud because presumably some of them really are lying or mistaken, but even a rough estimate would be useful.
Don't forget the small merchants!
They lose money to fraudulent use of cards too! The whole system needs revamping to protect "EVERYONE"!!! Not just the banks!
You have to know what the stats are measuring. The £47m figure is just for online banking fraud, so phishing and malware etc. against bank accounts. Actually most money lost online is credit & debit card fraud, which is measured separately and is a much bigger (although also declining) figure of around £400m.
The Select Committee Report's conclusions are actually pretty bizarre when read in context.
I say hit them harder
Due to spending the best part of 2 years being asked by Abbey, when signing in, to stop using Firefox and instead use IE6 which they said was much more secure.
Remember that the banking industry does not implement a system to reduce fraud; they introduce systems that push the liability onto the customer, Chip & PIN and PCI DSS being the most famous of these.
No they don't
They aren't allowed to put liability on to customers; it's in both the banking code and law.
What gets me is why the banks don't just issue two factor authentication devices?
Relatively (given the volume) cheap, and (OK, given RSA's current problems, not perfect) reasonably secure; this would heavily improve online banking security.
They get one free when first wanting to use OL banking and after that get a new 2FAD every three years, or free if they can show the current one is dead (taking it into their bank).
If all the UK banks co-operate then even purely virtual banks can offer the exchange method.
Bots DEFEAT 2-Factor
@The Nameless Mist: "What gets me is why the banks don't just issue two factor authentication devices?"
Even 1-time 2-factor auth does not stop the main online banking threat -- bots. Sure, the bot does not have access to the external factor normally, but as soon as you type it in, it does, and then it can cut you off and do what it wants faster than you ever could.
2-factor just does not provide the security everybody assumes it does.
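The relay the comment above describes, as an added example that is not part of the commenter's post: a toy bank accepts a session one-time code, and a bot hooked into the customer's browser spends the freshly typed code on its own transfer before the customer's request goes out. Going beyond the comment, the second half shows the transaction-bound code that card readers produce, which the same relay does not defeat because the code only validates the destination and amount the customer keyed into the device (it still fails if the customer can be talked into keying the attacker's details). Account names, amounts, the session label and the HMAC code format are all constructed for illustration.

```python
"""Toy model of a bot spending a one-time code before its owner does.
Added example, not from the page; accounts, amounts and the code
formats are constructed for illustration."""
import hashlib
import hmac
import secrets


class OtpBank:
    """Online bank that gates each transfer with a session one-time code.
    The code says nothing about *which* transfer it authorises."""

    def __init__(self):
        self.balances = {"alice": 1000, "payee": 0, "mule": 0}
        self.pending = {}   # session -> unused code
        self.log = []

    def issue_code(self, session):
        code = f"{secrets.randbelow(10**6):06d}"   # what the token displays
        self.pending[session] = code
        return code

    def transfer(self, session, code, src, dst, amount):
        if self.pending.get(session) != code:
            self.log.append(("rejected", dst, amount))
            return False
        del self.pending[session]          # one-time: consumed on first use
        self.balances[src] -= amount
        self.balances[dst] += amount
        self.log.append(("accepted", dst, amount))
        return True


def token_sign(secret, session, dst, amount):
    """Token-side code for the transaction-bound variant: the customer keys
    destination and amount into the device, so the code only matches that
    transfer. Constructed format; real CAP/EMV codes are built differently."""
    msg = f"{session}:{dst}:{amount}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:8]


class BoundBank(OtpBank):
    """Variant where the code is bound to (destination, amount)."""

    def __init__(self, secret):
        super().__init__()
        self.secret = secret
        self.used = set()

    def transfer(self, session, code, src, dst, amount):
        expected = token_sign(self.secret, session, dst, amount)
        if code in self.used or not hmac.compare_digest(code, expected):
            self.log.append(("rejected", dst, amount))
            return False
        self.used.add(code)                # a valid code cannot be replayed
        self.balances[src] -= amount
        self.balances[dst] += amount
        self.log.append(("accepted", dst, amount))
        return True


def customer_pays(bank, code, bot_present):
    """The customer submits 50 to 'payee'. With a bot in the browser, the
    hooked form handler fires the bot's own transfer with the freshly typed
    code before forwarding the customer's request."""
    session = "alice-1"
    if bot_present:
        bank.transfer(session, code, "alice", "mule", 900)
    return bank.transfer(session, code, "alice", "payee", 50)


def run_otp(bot_present):
    """Plain one-time code: returns (customer's transfer accepted?, balances)."""
    bank = OtpBank()
    code = bank.issue_code("alice-1")                 # read off the token
    ok = customer_pays(bank, code, bot_present)
    return ok, dict(bank.balances)


def run_bound(bot_present):
    """Transaction-bound code: same bot, same customer action."""
    secret = b"per-card-token-secret"                 # known to bank and token only
    bank = BoundBank(secret)
    code = token_sign(secret, "alice-1", "payee", 50)  # keyed into the token
    ok = customer_pays(bank, code, bot_present)
    return ok, dict(bank.balances)


if __name__ == "__main__":
    print("plain OTP, bot present:", run_otp(True))
    print("bound code, bot present:", run_bound(True))
```

With the plain code the bot's 900 to "mule" is accepted and the customer's own 50 is refused as a reuse; with the bound code the bot's attempt fails the HMAC check and the customer's transfer goes through. The binding only helps if the destination is entered on a device the bot cannot influence, which is exactly what a separate card reader gives and a browser-rendered "confirm" page does not.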
There's a point, and a non-point to it.
Banks are big on this "due diligence" thing. That's understandable, but at the same time a vivid illustration of both how poorly they understand technology and how ineffective the resulting use of "IT security" services is. The latter itself is the art and science of filling holes in swiss cheese with easy cheez and declare the result "better". Yeah, well, no. It's not very scientific nor is it very systematic, so overall use is low and ROI is necessarily low.
So why are banks doing it? Because they don't know better and because there's little else on the market. Shame on them, but moreso shame on us the IT crowd. We're not doing our homework. Can't really blame the banks for that. We can't say we didn't know as it's been pointed out repeatedly, like by the late Edsger W. Dijkstra when he was still alive and he's been dead for a while. Should've paid attention before he died, we should have.
The other thing that banks are big on is to back their guarantees with money. That's how CCs work: The _only_ security feature that means anything at all in the entire system is that the customer gets money back guaranteed, at the cost of the merchant. No skin off the card company's nose. I think that's rather skewed. But banks understand money and they can calculate the tradeoff to the nearest cent, so they can build a business on it. Too bad that's all they can, as they're leaving a lot of efficiency on the table.
I don't think banks will really mind two-factor auth. They wouldn't mind three factor auth. It's just another calculation for them. For everyone else, however, it gets more and more troublesome. So this is actually quite the short-sighted thing to propose. And it doesn't do much to prevent other holes in banking websites. I think there are better ways to improve security than mandating more money go to the likes of RSA. Have they figured out whether their two-factor dongles did or did not get compromised yet, by the by?
So I'm not very inclined to think that these MPs managed to think through their criticism very well, actually. Personally I'm much more inclined to approach the whole thing a different way. You can't really blame banks for the software running on the client's computer, or even on the shoddy OS it runs that might be infected to boot. Of course, the demarc being inside the browser makes this an... interesting exercise. So instead we might try and come up with a demarc like imap or smtp offer. You know, an open protocol, allowing anyone to write banking apps, putting the responsibility with the writer. There are numerous avenues to do this and you don't have to restrict yourself to just one. And yes, I'd be interested to work on that. The bottom line, however, is that just bleating "all y'all hafta do better now y'hear?!?" to a bunch you already know don't really know better as their money couldn't buy it, isn't going to help much. So someone else will have to supply the clue. Who you gonna call?
"...That's understandable, but at the same time a vivid illustration of both how poorly they understand technology and how ineffective the resulting use of "IT security" services is..."
That says more about your knowledge of banking IT than it does about banks' actual skills.
Banks are some of the largest users of IT in the world, with some of the brightest technical people in the world. In a bank you are often dealing with some of the most up to date technology available, while at the same time interfacing it to systems that were designed in the 60s; this is not easy.
"Banks are some of the largest users of IT in the world"
While at the same time doing some of the most impressively stupid things with them. So I argue that while they might get the best security their money can buy --they do have a lot of money-- that is not necessarily the best security available, which might indeed be because of fundamental problems in older systems and no room to fix that until... ghod knows when. Take for example the super fun happy pushing of "pay by rfid". Why would anyone in his right mind do that? Because it's easy? It's so easy it's easily abused. Same with credit cards, though through different failure and abuse modes. Beyond that, I also would, have, and will argue that most of the IT security industry's output is of rather poor quality and value for money. That handily explains how the banks can have so much of it yet still end up with poor IT security.
Also note that Bruce Schneier argues that security isn't something you can buy, but you have to go out and get. That meshes well with noting that banks mostly have a lot of money but not so much good IT security. They're trying to buy it, but their brass doesn't really understand it. And then having really bright minds in the IT trenches doesn't really help.
And then there's the problem that even IT has poor IT security, simply because the models used by the IT security industry are not conducive to fundamental improvements in the industry as a whole. It's always patching and plugging holes instead of wholesale preventing holes from existing in the first place. This is a long-standing problem that we've known about for years. That's why I mentioned Dijkstra, who famously remarked something or other to the same tune. Would you argue that if even IT manages to do no better than making lots of money with an "IT security industry" that doesn't manage to achieve fundamental improvements, banks magically could have their money buy better?
Why blame the banks?
Okay, there are many reasons to, but when it's the customer's idiocy that causes fraud in the first place I don't see what else they can do. We aren't talking about account details being left on a train (this time) but about genuine fraud, as in someone is duped into giving up their money by a criminal. I don't see how Barclays et al can stop Edna and Mavis in Worthing from paying £10,000 to the nice Mr Mugumbo who needs help to release a large amount of money from his deceased uncle's bank account.
What does this have to do with online banking? Or secure transactions for that matter?
What has that example got to do with "banking fraud"?
I don't know how they've defined it, but I would imagine it's a bit narrower than "anything involving some kind of payment".