back to article Met police commissioner: Fraud victims should not be refunded by banks

A senior police commissioner has complained that it would be wrong to interpret his comments about preventing online fraud victims from claiming compensation as a proposal for online fraud victims being unable to claim compensation. Sir Bernard Hogan-Howe asserted that the problem was systemic, telling The Times: “The system …

  1. MrWibble

    "propriety"

    You keep using that word, I do not think it means what you think it means.

    1. Alister Silver badge
      Headmaster

      "disincentivised "

      What a horrible word that is.

      What's wrong with discouraged?

      1. Kristian Walsh

        Doesn't have the same meaning. "Encouragement" is a broader term, where "incentive" normally implies a financial encouragement.

        "Disincentive" is also an acceptable word for discouragement that's achieved financially.

        I don't particularly like the verbs formed from "incentive" or "disincentive", mainly because there are older, shorter back-formations of those nouns into verbs in the shape of "incent" and "disincent".

        1. John Brown (no body) Silver badge

          "shorter back-formations of those nouns into verbs in the shape of "incent" and "disincent".

          Yes, incentivise does sound rather like a Dubya Bushism along with burglerized instead of burgled.

          1. Goopy

            Using word-like phrases such as "back-formation" doesn't encourage me to give your cause.

        2. Oh Homer
          Headmaster

          Re: '"incentive" normally implies a financial encouragement'

          It's "normal" in the sort of meetings where people play buzzword bingo, and have to reinvent the language to frame everything in financial terms.

      2. Goopy

        Shirley, you aren't complaining to the editors or author, right?

    2. Anonymous Coward
      Anonymous Coward

      OMG, really, the world is broken and I need to get off

      Perhaps he doesn't consider online fraud to be a "propriety" crime. What is it then? Were they just asking for it?

    3. Oh Homer
      Childcatcher

      Dear "motivated",

      We miss you.

      Love,

      The Anti-Buzzword Bingo Society

    4. Goopy

      And you are talking to who?

  2. kmac499

    Good Idea Commish.....

    I look forward to the day when any officer likely to undergo a disciplinary process is denied the option of taking 'early' retirement. We don't want to encourage lax behaviour do we?

    Might as well payback all those PPI compensations as well. After all it was our own fault for not reading the small print in the 5 minutes when we were sold stuff.

    1. Richard Jones 1
      WTF?

      Re: Good Idea Commish.....

      Of course Mr Hog&Cow if I see one of your dodgy (increasingly useless) cops in trouble I should look the other way as they should not have put themselves in harm's way? I should certainly not risk becoming a witness?

      1. PNGuinn
        Headmaster

        Re: Good Idea Commish...Of course Mr Hog&Cow..

        Shouldn't that be Mr Hog&Wash?

    2. Anonymous Coward
      Anonymous Coward

      Re: Good Idea Commish.....

      I look forward to the day when the police actually treat it as a crime and pursue the criminals, rather than just telling you to run along to "Action Fraud" for tea and sympathy.

  3. Dr Paul Taylor

    Refunds hide fundamentally insecure system

    The reason why banks refund fraudulent payments is that it draws attention away from the fact that the system is fundamentally moronic in its design and cannot possibly be secure.

    In a secure system, customers would initiate payments (cash or BACS) instead of giving payees the authority to take money off them (16-digit numbers, Direct Debit or, craziest of all, "contactless").

    1. Anonymous Coward
      Anonymous Coward

      Re: Refunds hide fundamentally insecure system

      Don't know where you are but the market shift to contactless payments (from magnetic stripe) where I am has reduced card-based fraud by nearly two thirds.

      1. Known Hero

        Re: Refunds hide fundamentally insecure system

        in other news, Contactless fraud up by two thirds

        1. JimmyPage Silver badge
          Stop

          Re: Contactless fraud up by two thirds

          Cite ?

          my hunch is contactless fraud is very low-level, if it happens at all. Mainly because it's already protected against to a certain degree by the fact that almost all card readers are overlooked by CCTV.

          Bear in mind in the UK the maximum loss possible from contactless payments is £90.

          And if (as I do) you destroy the CV2 number on your card, the chances of online fraud are vanishingly small.

          1. yoganmahew

            Re: Contactless fraud up by two thirds

            @JimmyPage

            "And if (as I do) you destroy the CV2 number on your card, the chances of online fraud are vanishingly small."

            Do you really think online criminals are looking at your card?

            1. JimmyPage Silver badge
              FAIL

              Re: Do you really think online criminals are looking at your card?

              @yoganmahew

              What I meant (as I suspect you knew) was that destroying the CV2 number on my card(s) reduces he risk of someone who has physical access to the card making a note of it and then using it online.

              I *know* bank advice is to not hand your card to anyone. However there are a number of merchants who - for whatever reason - have engineered it so they "need" to put your card in the machine.

              Normally I don't worry about being misunderstood. But I think destroying the CV2 is such a neat trick - and certainly within the skillset of an El Regger - that it needs promoting.

              1. David Nash Silver badge

                Re: Do you really think online criminals are looking at your card?

                Amazon don't ask for the CV2. I am not sure whether there are others like that.

                I read somewhere (here?) that it's because the CV2 is not allowed to be stored, it can only be used immediately. And Amazon prefer to have your card details stored for later purchases, so they don't worry about the CV2.

                Not sure whether that affects fraudulent buying from Amazon.

                1. Pascal

                  Re: Do you really think online criminals are looking at your card?

                  > Not sure whether that affects fraudulent buying from Amazon.

                  Amazon have their own fraud detection systems that seem to be really efficient. Twice now they've reversed the transaction within minutes on e-books I bought from "strange locations" (once while travelling, once because I was still connected to a "screw you, Netflix" VPN).

                  1. julian.smith

                    Re: Do you really think online criminals are looking at your card?

                    Hi,

                    Never had a fraud via Amazon (mostly US but occasionally UK) and I've been a customer for more than 10 years.

                    I always use VPNs, from a large variety of exit locations

                    Amazon seems to have excellent fraud prevention

                2. Goopy

                  Re: Do you really think online criminals are looking at your card?

                  Amazon most certain requires the CV.

                  Music.

                  Prime.

                  AWS services recurring.

                  You don't know what you talk about.

              2. PNGuinn
                Happy

                Re: Do you really think online criminals are looking at your card?

                "I *know* bank advice is to not hand your card to anyone. However there are a number of merchants who - for whatever reason - have engineered it so they "need" to put your card in the machine."

                Oh no they don't. If they want to get paid by me that is. And not face a polite but increasingly loud conversation, overheard by a lengthening .....

            2. Gordon 10 Silver badge

              Re: Contactless fraud up by two thirds

              @yoganmahew

              Are these online criminals the AI's everyone's been warning us about?

              Or maybe - just maybe @JimmyPage realises that the chance of having your CCV number compromised is more like to happen via physical access to your card, rather than a leaky online database.

              1. Goopy

                Re: Contactless fraud up by two thirds

                Sort of. While cvv are Always needed for legitimate online transactions, they are not stored. What IS stored: a verification flag that only changes when the cc exp date is near or reached or the main Number changes. If you get a replacement card due to physical card damage, some banks will send you a replacement sight the same main number, same exp date, different ccv. The ccv changing does not invalidate a good-flagged card number, so there is no reason to change it on record, for recurring transactions.

            3. 2+2=5 Silver badge
              Joke

              Re: Contactless fraud up by two thirds

              > > "And if (as I do) you destroy the CV2 number on your card, the chances of online fraud are vanishingly small."

              > Do you really think online criminals are looking at your card?

              No, they're looking at the postit note on the monitor where he wrote down the CV2 as a reminder.

          2. Anonymous Coward
            Anonymous Coward

            Re: Contactless fraud up by two thirds

            "if it happens at all. Mainly because it's already protected against to a certain degree by the fact that almost all card readers are overlooked by CCTV."

            i'd love to see were you get this worthless idea of a fact from,

            as i'd think its to total opposite in the real world

            1. Goopy

              Re: Contactless fraud up by two thirds

              Replacing "overlooked" with "overseen", yes, then I see your point. Overlooked means ignored.

          3. Anonymous Coward
            Anonymous Coward

            Re: Contactless fraud up by two thirds

            "Cite ?"

            Sorry. AC for a reason.

            Take my word for it?

            1. MrZoolook

              Re: Contactless fraud up by two thirds

              In that case, I believe you.

              Unfortunately it's the other people who can't see the sarcasm that won't!

        2. Anonymous Coward
          Anonymous Coward

          Re: 2016 reported fraud via micro-thefts

          A charity and helpline in the UK called “Action for Elderly Abuse” http://elderabuse.org.uk/ has noticed a large increase of theft from the bank accounts of elderly european citizens, the presumed method of this loss is family members (or sometimes care staff) who have access to the elderly person’s wallet/purse have been making repeated micro-thefts (below the €20 threshold) by using the tap-and-pay method, without the agreement of the card owner.

          This has led to comments in the Daily Telegraph and elsewhere of practical methods to disable the RFID, (as allegedly requests to some UK banks for non-RFID credit/debit cards were met wth a negative response)

          The method from DT comments seemed to involve shining as many lumens as a 3.7V Li can blast out of a Cree LED holding a torch like http://www.amazon.co.uk/dp/B014H1UDA4/ against the RFID credit-card and use a marker to trace the antenna loop - then being careful not to drill any 0.5mm holes in the wrong place to invalidate it as a non-RFID credit card.

          1. PNGuinn
            Happy

            Disabling an RFID card.

            I had to insist with Natwest a year or so ago, but they did send me a new card. With retrospect I wish I'd microwaved it and returned it saying it was broken, and blaming the RFID antenna as a fire hazard.

            It'll be interesting to see what happens when the replacement card comes up for renewal.

            On the other hand when LLoyds sent my wife an shiny new fraud enabled card and she took it back they immediately sent her a replacement. The very helpful lady commented that a lot of their customers are rejecting them. Promised the account would be marked for non RFID replacements in future.

            Banks learning to serve their customers? Anyone know the best treatment for frostbite on a flying pig?

            1. Goopy

              Re: Disabling an RFID card.

              Of course, saying that, that the Chip in "Chip and PIN" is NOT an RFID chip, right. Credit and Debit Cards don't have RFID chips in them. Security cards do, that is about it for RFID cards my friend.

              1. SImon Hobson Silver badge

                Re: Disabling an RFID card.

                > Credit and Debit Cards don't have RFID chips in them.

                What planet have you been hiding on for the last few years ?

                In the UK at least, I think most (all ?) the banks have now taken to issuing RFID (aka contactless) cards - some of them several years ago. I know because I've had "discussions" with every bank I do business with regarding having a non-contactless card.

                Some have been quite OK - just told them I wanted non-contactless and they obliged.

                One was willing but it needed a bit of a workaround. The lass at the other end had to issue a new card (they've cancelled the old one as they'd detected fraud), then cancel that, and only then send a new non-contactless replacement !

                And one point blank refused - so I told them "in that case your card won't be in my wallet".

                And as to the outright lies they tell. The good old one is "you'd get your money back if it's fraud". Yeah right. I know someone who's been on the receiving end of that "guarantee". Like heck did he get his money back. He was unlucky enough to have his account emptied (well run up to it's overdraft) just after pay day. They sent a long list of transactions and he had to identify the ones that weren't his - but they wouldn't take his word for it, he had to "prove" that it wasn't him as the money was spent locally. Some he could prove from work timesheets - commercial driver so he could prove he was elsewhere. But for some he couldn't. The police were useless - well actively obstructive. He observed that significant amount had been spend on food and drink, so he asked the copper if he'd contacted the establishments to ask them to retain any CCTV that might show the criminal at work. The copper responded along the lines of "when I get round to it", but when my mate said he was going to go round and ask them, the copper threatened to arrest his for interfering with a police investigation !

                And given that security researchers have proved (not suggested, but actually proved) that bank (and in particular, card) security has holes - yet the banks still persist in their 100% secure lie ...

                Pop over to https://www.lightbluetouchpaper.org/ and you'll find some interesting and quite frankly frightening news.

      2. P. Lee Silver badge

        Re: Refunds hide fundamentally insecure system

        Card fraud is a possible cost.

        Dealing with cash is a definite, rather high, cost.

        Also, doesn't the merchant pay a small cut of each transaction? Cash doesn't provide that.

        Also, doesn't the government love the fact that all electronic transactions are traceable?

        We have financial interest and we have political interest. That will over-ride the fraud costs, which in the end, everyone pays through higher fees or higher transaction fees charged by the bank to the merchant and passed on to the customer in higher prices.

        1. Chris Evans

          Re: Refunds hide fundamentally insecure system

          Certainties in life: Death, Taxes and Theft inc. card fraud

          "Dealing with cash is a definite, rather high, cost."

          Probably less than fraud or can you cite otherwise?

          "Also, doesn't the merchant pay a small cut of each transaction? Cash doesn't provide that."

          Credit/debit card Merchant service companies charge me between 2.5 and 4% so not such a small cut!

          For cash, businesses do get charged a handling fee by the banks. My bank charges 0.5% to pay in bank notes, coins are a lot more. Not sure about withdrawals.

        2. John Brown (no body) Silver badge

          Re: Refunds hide fundamentally insecure system

          "Also, doesn't the merchant pay a small cut of each transaction? Cash doesn't provide that."

          Business banking isn't free. The banks get their cut of the transaction when the business deposits the takings and/or "buys" the bags of coins. But that cut probably isn't big enough for them, especially since so many shops offer "cash back" as a way of "getting rid" of cash to reduce the banking fees.

      3. Roland6 Silver badge

        Re: Refunds hide fundamentally insecure system

        he market shift to contactless payments (from magnetic stripe) where I am has reduced card-based fraud by nearly two thirds.

        Hardly surprising, one of the big things chip-and-pin and contactless did was require merchants to invest in new card readers, which were designed to be taken to the customer and hence the card didn't leave the sight of it's user/owner...

        1. Tom -1

          @Roland6 Re: Refunds hide fundamentally insecure system

          I think that was more an effect or C&P than of contctless. Certinly everywhere I've been has either brought the customer to the card reader or brought the reader to the customer since chip and pin was introduced.

      4. Anonymous Coward
        Anonymous Coward

        Re: Refunds hide fundamentally insecure system

        Magstripes suck. Moving to chips can only improve the situation. Contactless as it is still a bit young. Thing is, it's rather limited (a handful of payments without entering a PIN, up to a low ceiling - yes, there were initial bugs with those, they've been ironed out a while ago).

        So all in all, right now, it seems that even if fraud *could* work easily on contactless, it's unlikely it *would*, as it couldn't provide much ROI to the fraudster before being noticed.

        They seem to be turning now to direct attacks on online bank accounts, accessed via phishing, dataleaks, and others.

        The reason why banks are okay with paying? Because it's cheaper. Devising an unbreakable scheme would cost a lot, first in development and deployment, then in lost business. "Unbreakable" rarely goes together with "easy to use", and customers would just start using shiny beads and seashells rather than be subject to a DNA test before buying a beer.

      5. John Brown (no body) Silver badge

        Re: Refunds hide fundamentally insecure system

        "Don't know where you are but the market shift to contactless payments (from magnetic stripe) where I am has reduced card-based fraud by nearly two thirds."

        Most of the civilised world has only used mag stripe as a next to last resort fall back since chip'n'pin was introduced (which admittedly has it's own issues)

      6. Goopy

        Re: Refunds hide fundamentally insecure system

        That would make sense IF this article had Anything at all to do with Card Based Fraud. Which it does not. At all.

    2. BitDr

      Re: Refunds hide fundamentally insecure system

      When you use direct debit be it via a proximity RFID chip in the card or physically inserting the card and using chip & PIN, you are not handing the merchant the credentials needed to draw against your accounts. What you are doing is giving the bank permission to send an identified merchant a specified amount of dosh for a specific purchase at a specific place and time. Yes your purchases and buying habits are being analysed and tracked, which (aside from being more than a little scary) is also used to help detect fraud against the bank, and to a lesser degree, you.

      As pointed out by others, the bank refunds fraud victims when it is their system that has been compromised; "chip and PIN" was introduced to lessen the bank's liability and increase the onus on you. There are many people (especially millenials) who don't seem to understand this concept. They hand their bank card to a mate and give out their PIN without much thought to the fact that they are responsible. If the bank discovers that you compromised security the likely hood of getting compensated for a fraudulent transaction is reduced.

      1. Goopy

        Re: Refunds hide fundamentally insecure system

        Good point. Yet, Nothing to do with this article.

    3. Anonymous Coward
      Anonymous Coward

      Re: Refunds hide fundamentally insecure system

      Alas they don't

      Quote from BBC:

      In October, banking giant RBS revealed that 70% of its customers who fell victim to a scam did not get a single penny back.

      Which does not surprise me in the slightest.

    4. Anonymous Coward
      Anonymous Coward

      Re: Refunds hide fundamentally insecure system

      That is why I prefer to use paypal if it is avaliable.

      I send them money but don't give them my credit card details.

      1. Anonymous Coward
        Anonymous Coward

        Re: Refunds hide fundamentally insecure system

        > I send them money but don't give them my credit card details.

        But are you aware of the amount and nature of personal information (about you) that PayPal transmits to the merchant? I implemented a merchant solution some years ago and we were basically getting the entire contents of the user's profile: name, address, phone number, email, the lot. Our API would throw all that away as we had no need for it and didn't want any data protection headaches plus we took pride in respecting our customers' privacy. However, I am not sure every other business is the same, so I stopped using PayPal after that.

      2. Goopy

        Re: Refunds hide fundamentally insecure system

        IPay, Google Wallet, Samsung Pay, Venmo, etc all offer the same cushion

    5. Anonymous Coward
      Anonymous Coward

      Re: Refunds hide fundamentally insecure system

      > In a secure system, customers would initiate payments (cash or BACS) instead of giving payees the authority to take money off them (16-digit numbers, Direct Debit

      Not sure what you mean. With my usual bank, for direct debit, I need to authorise a specific receiving account and set a maximum limit. Only the account that I configure is then allowed to debit from mine, and only up to the specified amount per month. I have no need for direct debits so I have never actually tried it though.

      > or, craziest of all, "contactless").

      I do not understand how does contactless fail to meet your "initiated by the user" requirement. Could you please clarify?

    6. Tom -1

      Re: Refunds hide fundamentally insecure system

      Too true. Rather interestingly, in the case of getting money converted to foreign curency and trasferred to an account (where the cash to cash rip-off rates and commissions generally don't apply) there are changers of two sorts; those who operate the usual internet model of provide them with a card number etcetera, and those who require you to transfer funds to them using a transfer initiated by you (which is pretty easy and very quick using fast transfer). I use only companys which (a) have a good reputation and (b) receive the money by interbank transfer; that way I don't have to trust them to keep any of my keys/passwords/credit card numbers/etcetera safe.

  4. Caff

    prove it

    Can you imagine the cost of the process for banks and customers to prove you had used an up to date system to manage the payments? Probably cheaper to pay the compensation.

    1. Headley_Grange Silver badge

      Re: prove it

      They wouldn't have to if they take the approach they do with credit card PIN fraud, "our system is secure and, therefore yours must not be, so the fault must be yours."

      1. John G Imrie

        Re: prove it

        our system is secure and, therefore yours must not be, so the fault must be yours.

        You can prove that in a court of law can't you?

    2. Voland's right hand Silver badge

      Re: prove it

      They tried that - by bundling near-obligatory "fraud prevention" windows only software.

      HSBC tried that, a few others as well. Forgot what it was called, named after some dog breed.

      I tried to point them that they are offering an insecure redirect to an insecure download out of a hijackable non-https page to do that. Not just that, the whole set-up was asking to be abused for phishing or cross-site-scripting attacks. All of these rather simple thoughts could not be parsed by whoever is in charge of that part for them. I also tried to point to them that there is no way in hell you can run that crapware on a Mac or Linux, that did not parse either. Same result - it was like trying to teach a macaque quantum mechanics.

      All in all - I did not get very far and after a litany of failures from HSBC security dept I fired them. With great pleasure. Moved my business elsewhere which is marginally better.

      The truth is, nearly all management in charge of retail electronic commerce security in a most UK banks is as incompetent as you can find and then some.

      1. Doctor Syntax Silver badge

        HSBC

        @Voland's right hand

        I doubt they've improved since I also fired them about 10 years ago.

        At that time the process for settling an HSBC credit card via an HSBC bank account was clunky - I'm sure it was trying to hand over from one system to another and trying to make it look seamless. Whatever, one night it clunked a little too much and failed. I tried to give them a friendly heads up and their sole response subsequently confirmed in writing was that "we don't support Firefox and Linux"; no attempt to even listen to the information they were being given or recognise that I wasn't looking for support for my software. Neither Lloyds, Barclays or the Coop had any such restrictions. Together with the fact that they'd closed my preferred branch they got the push.

        About a year ago I took a look at their First Direct arm. Their internet banking page stated that "PCs and Macs connected to Local Area Networks are not supported". I pointed out that any broadband connection uses a LAN to connect to user's machines. They promised to look into that and get back to me. I'm still waiting and that nonsense is still on their site today.

        1. David Nash Silver badge

          Re: HSBC

          I've never had any problem with FD. I haven't noticed that comment about LANs on their site, it does seem a bit silly and presumably was put there by someone who doesn't understand what home WiFi is, or before home WiFi was widespread.

          1. Pookietoo

            Re: HSBC

            It doesn't have to be Wi-Fi - for a start anyone connecting through a device that has an address in one of the IPV4 private ranges (10.n.n.n 172.16-31.n.n 192.168.n.n) is clearly using a LAN. It would be interesting to know what First Direct thinks a LAN is. A journalist should ask them why they're excluding the majority of their users from support.

            1. frank ly

              Re: HSBC

              "... connecting through a device that has an address in one of the IPV4 private ranges (10.n.n.n 172.16-31.n.n 192.168.n.n) is clearly using a LAN."

              Whatever the complexity/simplicity of your home LAN wiring and Wi-Fi, when you connect to some site outside your home then you appear to be coming from an IP address assigned by your ISP. Have a look at www.whatsmyip.org to see a clear demonstration of this. (Also useful for checking that your VPN is working.)

              1. Pookietoo

                Re: HSBC

                I'm not talking about how a device looks to someone on the internet - most home users are behind NAT routers that make them appear to have a single public IP address. But we know that, they're on a LAN based on that router so they're technically "not supported" for internet banking purposes.

  5. Anonymous Coward
    FAIL

    I do hope the hacking crews make Sir Bernard "twaddle" Hogan-Howe their number one target and then let's see what tune he spouts. Perhaps then he may realise just how many security holes there are in e-commerce systems and that merchants and banks have a duty to ensure that their systems are up to date and have the latest security measures as well as making them scam/fraud proof as possible. If there were no financial incentive for institutions to make good losses you can bet your house that their security would be non existent and tough shit Mr/Ms A customer.

    A stupid comment by an idiot who hasn't a clue or has friends on the boards of Banks, the cynic in me thinks it's the latter.

    1. Paul Crawford Silver badge

      Indeed, can you imagine the first court case when a suitably clued-up litigant gets the judge's approval for a full and public audit of the banks systems. You know, including those banks still on XP and IE6 because they have internal stuff that demands it?

      And the same for Government offices who request you pay on-line to them, will they want to be held to the same standard of public auditing?

      You can be damn sure the banks have considered the cost of liability and the cost of mitigating it (and loss of business if folk just stop using on-line payments, etc) and have come to the conclusion the current arrangement is the least-worst option.

    2. Anonymous Coward
      Anonymous Coward

      Hmmmmm

      Unless said hacking crews are whiter than white, they will leave him alone. Sir Bernard and his ilk are the hacker's best friend.

      Hopefully he will soon be put down, before being let loose in front of the press again.

  6. gerdesj Silver badge
    Childcatcher

    Tar everyone with the same brush

    "Personally, on my system I’ve got a propriety security software and I got an update a few months ago and it sat there for months, I didn’t quite get round to it."

    So he's a knob end who can't be arsed to update his (Apple/MS?) software, and has an anecdote to prove his thesis.

    Me: I run Linux/BSD end to end at home with multiple VLANs and a firewall policy that is way stricter than most "enterprise" systems I look after. It's also monitored. Properly. I'm an IT consultant by trade. I patch my home systems as often as is wife acceptable, and I clothe myself in tin foil. I'm under no illusions that despite the fact that my home IT security is pretty much as good as is reasonably possible, mistakes can and will inevitably happen. Yes, I have done a risk assessment. Yes, I am a bit obsessed. Yes, I probably should get out more.

    So given *my* anecdote, do I get to be upset when I do something stupid and click on a link in an email and lose money? Where does my responsibility stop and his start? At what point does my bank take responsibility for stupidity? Should I really take up their offer of free AV software to provide complete protection online.

    I don't know and I want to know: Who is responsible for what in a world where nearly anyone in that world can virtually knock on my metaphorical front door with a massive cyber door-twatter?

    1. adnim Silver badge
      Thumb Up

      Re: Tar everyone with the same brush

      Yes, you should get out more.

      Seriously, similar here, reviewing system logs everyday is a pain that many can't be bothered with. I am paranoid too because there are many people out there way smarter than I am.

      I was hammered by a Chinese IP address a couple of days ago for an hour and a half using the Jsky scanner. Loud as fuck... script kiddie. They managed to get a directory listing for one folder. Thanks to that attack I fixed the leak.

      And did I say you should get out more :-)

      1. gerdesj Silver badge

        Re: Tar everyone with the same brush

        "And did I say you should get out more :-)"

        You might have mentioned it at one point. Still, it's the day job and I generally test stuff out at home before letting it loose at work. Wife Acceptance Factor >= corporate change control if you see what I mean.

        I was hammered by a Chinese IP address a couple of days ago for an hour and a half using the Jsky scanner.

        I had a similar experience which prompted me to fix up log rotation, log dropping and monitoring in general *sigh*

        1. adnim Silver badge
          Joke

          Re: Tar everyone with the same brush

          Yup, it's never ending. I am thinking of becoming a labourer of some sorts. My mind might be getting useful cues. But my gut is getting larger sitting on my ass all the time. Less stress too. Anyone want a hole digging, or some shelves stacking?

  7. Vimes

    Has he ever tried reporting fraud?

    https://nodpi.org/forum/index.php/topic,4446.0.html

    Perhaps if the police took a more proactive role rather than merely collecting evidence for the purposes of statistics then more could be done about this without the banks ever having to get involved?

    1. Anonymous Coward
      Anonymous Coward

      "Perhaps if the police took a more proactive role...."

      In beating newspaper sellers to death? Or pumping Brazilian electricians full of soft nosed bullets? Or taking backhanders? Or harassing their own whistle blowers? Or ignoring anarchist demonstrators to try and stop government budget cuts? Or shutting down half of central London just so the BBC can do doughnuts round the Cenotaph? Or leaking information to the Murdoch press? Or besmirching public figures on hearsay, and then not even having the grace to admit they're wrong?

      Let's face it, the only place for the Hogan Howe brand is on the side of one of those blue bags carried by dog walkers.

    2. Roo
      Windows

      "Has he ever tried reporting fraud?"

      Yes, it was a total waste of time for myself and the Police as they so kindly pointed out when explaining what action would be taken (ie: none).

    3. Black Road Dude

      ha ha ha yes!! just yes!!

      although not just yes there is more....

      I had the exact same experience trying to report a scam phone call from "Microsoft" who needed access to my computer apparently.

      (Which is interesting as I have two devices at home one a chromebook, and one a laptop running linux.)

      Anyway the action fraud website form didnt even ask for the telephone number they called from. It was a series of about 6 dropdown boxes on the type of fraud attempted.

      I pressed submit and was shown a thankyou.

      Wow. So as you said its simply a statistics gathering website.

      1. Roland6 Silver badge

        Re: Action Fraud website

        I like the fact that the old(?) website www.actionfraud.org.uk is still up and running.

        Looking at the Whois report: (http://www.nominet.uk/whois/?query=actionfraud.org.uk#whois-results )

        and an ownership report (http://who.pho.to/gemma_burke/ )

        It would seem the old actionfraud site itself is destined to become a scam site...

        For those interested the new website and the place where you can report fraud is now www.actionfraud.police.uk

        1. Vimes

          Re: Action Fraud website @Roland6

          From the new website:

          Action Fraud refers all fraud crime cases and information on fraud to the National Fraud Intelligence Bureau. This is run by the City of London Police - the lead force for fraud in the UK.

          City of London Police? This is better? Seriously?

          If you recall what happened with Phorm, that was something 'investigated' by CoL police as well. The quotes were added there quite deliberately too: it was a farce that ended up with the case being closed with no action being taken. This was after the officers concerned had been wined and dined by the company but before any formal interview ever took place.

          I think the phrase 'lead force for fraud in the UK' was a rather unwise choice in the circumstances ('nobody commits more fraud than us!').

          Besides which, how can we be certain that this is little better than the previous attempt to gather statistics - detailed or otherwise - and little more?

          1. Vimes

            Re: Action Fraud website @Roland6

            Another thought: is it really a good choice to make CoL police responsible for this when they're partly funded by the corporations that have their offices in the City of London?

            Surely their focus is going to be on protecting the commercial interests of those corporations and not so much the interests of the general public?

            Why should we expect them to care about fraud generally, especially if it highlights problems that their corporate friends can't easily fix, such as chip and PIN, or contactless payment for example?

            Incidentally perhaps this helps explain the attitude shown in the interview? If they're not doing their job then they shift the blame for the underlying problem onto the victim?

            http://www.standard.co.uk/business/funding-cuts-blamed-for-drop-in-city-of-london-police-forces-fraud-investigations-a3115126.html

      2. Pookietoo

        Re: didnt even ask for the telephone number they called from

        What would be the point of asking for a spoofed caller ID?

    4. Adam 52 Silver badge

      At the moment the official line is the the *bank* is the victim and should do the reporting. Which it is, as Mitchell and Webb so ably demonstrate.

      Sir Commish appears to have fallen for the banks' PR spin, as have many ministers (all presumably planning on a nice non-exec role when they retire).

    5. werdsmith Silver badge

      His comment:

      "I don’t suppose I’m much different to anyone else but I guarantee if someone said to me if your card is done or something happens online I’ll give you nothing back, you’d change your behaviour."

      Yes, I would stop using the card completely and immediately close the account.

      The reason that banks refund fraud losses is to prevent loss of confidence in the system, it's cheaper to pay for a few losses than to lose business and possibly cheaper than finding a stronger security process that doesn't inconvenience every customer.

  8. localzuk

    Not very good at his job then...

    My email account was compromised a while back during one of the many bulk hacks/releases of logins that've happened. OK, I spotted it within an hour and updated all the security credentials but if I hadn't? Would I be to blame for that? It wasn't my security that was lax. Email accounts are a big risk, as so many other services will reset their passwords by a simple email.

    If they'd used that to reset some of my other accounts, with real money involved in them, would that be my fault?

  9. PatientOne

    Well, according to the BBC article on this, RBS have reported that 70% of fraud victims do NOT get their money back.

    If this is true, it goes against what he's saying. Then you also have the delay in getting the refund inconveniencing the victim, the hassle of reporting it, and the fear and uncertainty they'd feel while going through the process.

    Basically, people don't patch because they don't think they'll be victims. Once they are, they'll patch like crazy. AKA people are generally lazy.

    1. Anonymous Coward
      Meh

      If a working patch is available in time to those who need it, and they are appraised of the need and the patches existance

      None of which is always close to being true.

      1. Doctor Syntax Silver badge

        "If a working patch is available in time to those who need it"

        They're probably too busy fighting off patches trying to downgrade them to W10.

    2. tfewster Silver badge
      Facepalm

      >Basically, people don't patch or install AV software because they don't think they'll be victims. Once they are, they'll still do nothing to prevent future losses.

      FTFY

  10. bigtimehustler

    How would this be enforced? Fraud happens, they ask if your software is up to date, you say it is, then update it.

  11. John Smith 19 Gold badge
    WTF?

    "90 percent of all online fraud..." statistic

    Made up statistic alert...

    But to be fair, it's an observations, not a recommendation.

  12. JamieL

    Its the tradeoff between convenience and risk

    I'm less bothered about the temporary disappearance of the few quid that went before the bank spotted an unexpected sequence of transactions (the fraudster testing my card first) than having to do without my card for up to a week and having to re-enter my account details to all the websites that stored them.

    ...wait a mo... perhaps it's all the websites storing my card details that were part of the problem...

  13. PaulAb

    Might I suggest...

    'Fraud victims should not be refunded by banks'

    And overpaid, useless public servants should shut thier stupid faces.

    He really is quality, another spurt of diahorrea.

    1. Anonymous Coward
      Anonymous Coward

      Re: Might I suggest...

      He really is quality

      Indeed. £300k a year and a chauffeured Range Rover to carry his lardy bottom around in. You have to pay for quality, you know.

      1. Anonymous Coward
        Anonymous Coward

        Re: Might I suggest...

        "You have to pay for quality, you know."

        Rubbish. I can talk the same quality of rubbish as he does, and I'd do it for a substantially lower price, thereby saving valuable public money.

        I may not have the right connections yet though.

        1. Anonymous Coward
          Anonymous Coward

          Re: Might I suggest...

          > and I'd do it for a substantially lower price,

          Therein lies your fatal mistake. You need to ask for *more*, not less, than the incumbent if you want to appear credible.

  14. Panicnow

    Fit for purpose

    The the banking system totally fails to offer a reliable and secure payment system is a scandal.

    To blame the users deserves retribution!

    E.g. Barclays has just changed its on-line system. so that it now prompts the user to re-input the account number from what you typed in, not from the original document. Thus you confirm an error, rather than discover it.

  15. Palpy

    Perhaps a plod who blames the victims --

    -- instead of the criminals should be made to walk around Islington after midnight wearing a pink tulle skirt and carrying a bag marked "Lots of Cash!!".

  16. Tikimon Silver badge
    Devil

    "You want to find a Dunkin Donuts, call a cop"

    From "Raising Arizona", brilliant film.

    https://s3.amazonaws.com/hark-audio/92d04f4d-86b3-4f29-90ac-533fd57abf4d.mp3

  17. Anonymous Coward
    Anonymous Coward

    To quote the unsurpassed Sir H. Appleby

    Very droll, Bernard.

  18. ZanzibarRastapopulous

    Policing...

    This is all fine and dandy, but it does mean that the police will also have to do some policing, or the compensation will come from the criminal injuries compensation authority.

    Of course to properly incentivise the police their pay should cover any losses from that.

  19. Bloakey1
    Devil

    Sorted Innit.

    I agree.

    90 percent of Rapes could be avoided if women were not allowed out.

    90 Percent of armed robberies could be stopped if we were all armed to the teeth.

    90 Percent of theft could be avoided if we went back to the old days or adopted the Argos way of doing things and kept everything behind the counter.

    90 percent or lawyers and journalists could be avoided if anal sex was made a hanging offence.

    The problem is that you are all "disincentivised " we should take a proactive step as stake holders and we should walk it back in these intellectually bankrupt times we live in.

    /Crappy use of English.

  20. MR J

    The problem with card theft is that we still have the Mag Stripe. Once that gets removed then a lot of fraud will stop.

    My local Halfords STILL to this day require Chip&Pin PLUS a swipe so they can get the magstrip data. I now take cash with me when/if I need to buy something from them.

    Online Transactions are also getting much more secure, not great, but much better.

    I think the biggest amount of theft comes from foreign banks letting the cards run though their ATM's and really empty the system.

    I would LOVE to see "Foreign" withdrawal/purchases blocked by default, and like to see the ability for you to add a limit on them or even perhaps specify only a group of countries that you will allow your card to be used at.

    Many years ago I made a online order via Dabs (When it was worth using) and my CC company though that a £1,200 order seemed a bit excessive.. So my bank locked ALL of my cards.. I pulled up to the Shell Station, filled my tank, and found 3 of my cards all not working, it took about an hour to sort things out. Sometimes they reach too far, other times they don't reach for enough.

    The ATM should start face scanning the people using the cards. Have 6 people used the same card this week - yea?, somethings wrong flag it. There is a lot they can do, but until losses exceed the cost of implementation then don't expect any changes.

  21. jonha

    I'll wager a bet...

    that more of my personal data floats around the interwebs through the security incompetence (or often sheer we-cant-be-botheredness) of banks, telecoms companies, online retailers... you name it, than through my own incompetence. I've had a few talks to security people in banks and the results have consistently been disappointing. I never had the feeling that security enjoys the priority it should have.

    So before BHH lambast the general public he should perhaps look into the way supposed "professionals" go about their IT security.

  22. WailingBanshee
    Coat

    Guys,

    When someone gets money off a bank that they are not entitled to, it is the bank that has been defrauded - not the person that was impersonated.

    The banks have successfully created an imaginary crime of identity theft - to shift responsibility back to their customers. You could argue that it isn't such a bad thing to do as the weakness in the bank's security is mainly their customers and the trillion and one idiot things they do. But fundamentally it is the bank that is the victim of the crime.

    As for this story, the police commish is wrong by trying to imply a Moral Hazard effect of the customer's being immediately reimbursed when the bank suffers a fraud whereas the reality is that the customer's are not being defrauded and the banks are trying to improve their securities by making their customers suffer when they do.

  23. DJO Silver badge

    Backwards thinking from plod, so what's new

    Make the banks punitively liable for any and all fraud.

    The banks currently rather lax security would get strengthened as fast as it could be done and it would be kept up to date unlike the current mess.

  24. Slx

    The whole concept of payment cards is flawed. We should have moved away from this decades ago at this stage.

    How does an industry expect not to have massive fraud when they've a broken system that largely relies on a 16-digit number and an exp date and ccv that is handed to retailers on the basis of trust. I know there are optional extra security measures but the card can still be potentially cleared out.

    The security on my gmail is far harder than my credit card! That's absolutely insane and a massive indictment of the whole financial sector.

    They're not addressing fraud because they've a bit insurance slush fund and they're wasting law enforcement time and inadvertently allowing terrorists, criminals and who knows else to get money out of weakly secured systems.

  25. Anonymous Coward
    Anonymous Coward

    I wonder which Bank's board he's going to sit on after that?

    The banks set up the security.

    The banks don't let you set the password length or complexity you'd like. (try a long password such as

    "i.read.the.register.every.day.and.i.like.it.")

    Therefore it's the banks issue.

    When they let people do what they want, then it's the people's issue.

    Perhaps it's also a crime seems to have slipped past him....

  26. David Nash Silver badge

    One can try to apportion blame and say things like "If you go out and leave your front door open it's your own fault if you get robbed," but at the end of the day the blame is with the fraudster/thief not the person being robbed. Without them the crime wouldn't happen. One can also say that the customer has a certain amount of responsibility to lock his door or not give his PIN out, or click dodgy links, etc. But even if one accepts this, the "disincentive", ie. punishment, is completely disproportionate to the "offence" of being somewhat lax with your security.

    "Been phished? Had your savings cleaned out? Ha, that'll teach you!" I don't think so.

    On the other hand, the banks can afford to take the hit. Hopefully they will then in turn try to do their bit to educate their customers, and with a bit of luck to improve the systems too.

  27. Mark 85 Silver badge

    The guy is a cockwomble. I've had my CC used for online fraud at least twice. They didn't get that number from me or my computer. So he want's us to be responsible for any merchant's (online or not) CC system? Think all the break-ins to places like Home Depot, Target, etc. The guy is daft.

  28. Adam 52 Silver badge

    More to this

    Worth remembering that this was published in The Times. The Murdoch press have got it in for Sir B. because of the investigation and prosecution of their journalists and Rebekah Brooks. News Corp. Is out for revenge. You only have to look at The Sun's front page from Tuesday.

    He's a career politician of course, so he and his minders should have been aware of the risk, but I bet he was set up.

    1. Anonymous Coward
      Anonymous Coward

      Re: More to this

      "[BHH] and his minders should have been aware of the risk, but I bet he was set up."

      Andy Hayman, former anti-terrorism expert at both ACPO Ltd (ACPO = Association of Chief Police Officers) and the Metropolitan Police, and also the man in charge of the first "phone hacking" inquiry and the man who made this pantomime submission [1] to Parliament's Home Affairs Committee, was/is a Murdoch employee subsequently. You'd have thought the two of them could have had a quiet word down the Lodge.

      [1] https://www.youtube.com/watch?v=F-Rv3u9Zrlo (a minute or so from Channel 4 News, the full show is around somewhere but I couldn't quickly find it)

  29. Tafferel

    I have an iPad2

    Perhaps Sir Bernie could buy me a new one, or force Apple to fix the upgrade issue. Or is that all my own fault?

    1. John Brown (no body) Silver badge

      Re: I have an iPad2

      And the 680 million Android phone owners who are unlikely to ever see an upgrade.

      (Not that I'd ever use my phone for online banking or even online purchase requiring card details to be entered, but many, many people do)

  30. gumbril

    Pretty disappointing that someone who is clearly incompetent on a subject should wax lyrical on said subject. It's bad enough he is incompetent, but worse when he does have self awareness .

    The system as is, is that if you shown to be negligent you don't get recompensed. This would be things like writing down you password or PIN, or sharing it. Of course the banks, with there usual bias to self interest manage to pin that on anything they can, or just by default apply it and wait for the complaint to whatever ombudsman looks at it, reading before it's report as 70% at RBS is not refunded?

    Apart from that wrinkle, that's a reasonably fair system, if you leave a wad of cash out, and someone nicks it, that's your lookout. But what where you do take reasonable precautions, it should not. Now a question is, what's reasonable to the average folk. Make everyone sign up for two factor authentication for email, stop them using windows, training in how not to get phished? Maybe a safe banking certificate awarded after some CBT training?

    But anyway doesn't matter, right now, because that 30% is the main motivation for the banks to systemically improve their security. The people who can, if they choose, employ analysts, designers and developers and the rest required to provide reasonably friendly, secure service. They are going on-line because it's cheaper for them, they make it secure, because its cheaper for them.

    But no, this idiot want to make the security of THEIR SERVICE irrelevant to THEIR BOTTOM LINE. How not to motivate a bank. 101. Would HSBC cough for free pin pass cards, or sign up to VISA secure question if they didn't think it would save them money?

    1. Anonymous Coward
      Anonymous Coward

      Maybe a safe banking certificate awarded after some CBT training?

      What does Cock and Ball Torture have to do with bank security?

  31. Anonymous IV

    Nobody seems to have mentioned Trust**r Rapp*rt

    I haven't seen quite so many howls of abuse about slow running, inexplicable problems, unmitigated horror, and so on, over the last couple of years.

    Is this because UK banks have stopped recommending/requiring it, or (gasp!) perhaps TR has fixed all its problems? (Compare Microsoft...)

  32. MonkeyCee Silver badge

    The Met

    Hmm, aren't these the same lot who are wasting ~20% of their IT budget each year, refusing to admit how much they've they've pissed away on failed projects and avoided any accountability?

    Maybe if for every pound wasted on such projects a pound got deducted from wages of those who signed off on those projects it might result in better accountability.

    As for bitching about fraud victims getting their money back (in 30% of cases...) my experiences of trying to report fraud, ID theft or suspicious withdrawals have been met with a flat refusal to take a crime report unless I can name a specific person.

    I could show clear dodgy transactions with identifying features that presumably could be followed up on, such as car insurance being paid for (we don't own a car), payment for an ISP connection 300 miles away, or pizza delivery half way across the globe. Oh, and an ATM withdrawl (failed 9 times, passed on 10th) in Thailand, when the "same" card had been used 90 minutes before in the Netherlands. Cops bent over backwards to avoid taking a report, but the bank refunded us within 24 hours.*

    So Sir Bernie, if you want the banks to stop refunding fraud victims, that's going to require you lot doing a huuuge amount more work, when you currently aren't able to process all the "normal" crime, how the fuck are you going to handle ID theft and low end (sub $2000) fraud? That work is currently "outsourced" to the banks because the cops simply do not have the resources for it.

    * they did send us a letter where we had to sign off that we had never performed those transactions,

  33. Sirius Lee

    He's right...

    ..if we are told that we'd be responsible for all loses we would change our behaviour: we'd stop using banks and credit cards.

    I'm sure Hogan-Howe is a nice chap but he lives in a world where we are perceived to be the problem and his words reflect that. Having people be better computers is not a solution to anything. History shows we are incapable of being more secure. Even those who are conscientious will fail some time.

    Clearly the banks don't want us to walk away. Perhaps the other side of the story was not covered by Hogan-Howe or not so newsworthy. The other side is that banks also have options. One is to make it impossible for our accounts to be hacked or used fraudulently. However this is, at the moment, prohibitively expensive. It's much cheaper to have the actuaries work out the cost of fraud and set the cost against profits like any other business expense such as marketing or accounting. So that's the status quo. It exists not because we are all evil (stupid maybe) but because its the least expensive option that is also reliable and managable.

  34. Tom -1
    Happy

    @MrWibble

    "propriety"

    You keep using that word, I do not think it means what you think it means.

    Well, he (the Met Commissioner) does come from South Yorkshire, so you can expect some non-tonic vowels to be suppressed and some "r"-s to disappear, but getting from "proprietary" to "propriety" without noticing that it's a different word with a completely different meaning does seem rather extreme; but it's rather likely in context that "proprietary" is what he meant.

    But I really like the footnote on it.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019