Online and mobile banking are on the rise, but rates of cybercrime are soaring in the UK and beyond. Patrick Kingsland asks Professor Alan Woodward, cybercrime expert at the University of Surrey, and Stuart Skinner, director of fraud at Nationwide, about the scale of the problem and the new generation of technologies looking to outfox the fraudsters.
It was the UK’s biggest ever cyberscam. Using a network of international conmen posing as members of different banks’ fraud departments, Feezan ‘Fizzy’ Hameed, 25, from Glasgow, raked in over £113 million over a period of two and a half years, between January 2013 and October 2015.
Metropolitan Police Deputy Chief Inspector Andrew Gould, who led the investigation, told the Telegraph: “It was a Monday-to-Friday, nine-to-five operation and, when they were busy and active, they were just smashing victims all day, every day, running their criminal business like a proper business.”
He added: “This was the largest covert proactive operation the Met has ever undertaken against cyber-enabled crime.
“It demonstrates our commitment and ability to dismantle organised criminal networks in order to keep businesses safe from this type of crime.”
A so-called ‘super case’, Hameed’s crime was just one of 220 major incidents recorded in KPMG’s recently released ‘Fraud Barometer’. The statistics, widely published in the national media, showed a dramatic rise in cyber-enabled crime in 2016, up 55% on the previous year. The total value of fraud jumped past the £1-billion mark for the first time since 2011.
In the past, burglary and vehicle theft were the main sources of high-volume crime in the UK and beyond. Now, says Professor Alan Woodward, cybercrime expert at the University of Surrey, “certainly in western Europe, we’ve reached a point where cybercrime is predominant. It’s going up by 30% a year.”
Unsurprisingly, he adds, banks are the biggest target. “This is where the money is kept and with cybercriminals, more often than not, their motivation is to make money.”
As growing numbers of bank customers are targeted, many will be tempted to blame the banks. According to Stuart Skinner, director of fraud at Nationwide, the argument has some merit – just not in the way one might assume.
For Skinner, as banks improve their ability to withstand attacks on their own technical infrastructure, the unintended consequence is that fraudsters have shifted back to targeting the weakest link in the chain: the customer.
“The banking industry understands the threats and risks associated with online and mobile very well, and has invested heavily over the past six or seven years,” Skinner says. “The fraudsters have come up against quite sophisticated detection systems and software. What that’s done, though, is drive the threat somewhere else, and that somewhere else is simply the customer. They are now being socially engineered on a scale we haven’t seen for many years.”
Two-step authentication – where customers enter a PIN into a calculator-like device that provides a dynamic passcode – is a good example of this displacement in action, Skinner says.
“It’s been incredibly successful from a security point of view, but what the fraudster worked out around 18–24 months ago was that they can still coerce the dynamic passcode out of the customer,” he says. “So what we’ve seen is them going on a fairly relentless campaign against our customer base.”
Vish out of water
There are a number of ways fraudsters are targeting customers. The most prevalent is what the industry calls vishing. Here, a scammer phones a customer purporting to be from their bank, building society or law enforcement, and convinces them to hand over card-reader codes.
With the rise of social-media platforms, fraudsters have found even more avenues through which to ‘vish’. “We now see many variations; people get messages through Twitter, Facebook and SMS, often in conjunction with each other,” Skinner says. “For example, a customer may get an SMS followed up with a call ten minutes later, just to add another layer of authenticity to the scam.”
While social media creates more challenges for customers, according to Woodward, at its heart, online vishing fraud is simply a variation of a decades-old scam.
“It’s the same tricks they used to use in the physical world; they’re just using them online because it is easier and the chance of getting caught is far less,” he explains. “Take something like putting a key logger in a keyboard, video and mouse (KVM) switch. You connect to somebody’s machine under the auspices of conducting some kind of maintenance work, and then you just sit in a van outside and watch the branch worker type in usernames and passwords. When they are not there, you go in and transfer the money. It’s hardly a sophisticated attack.”
While Tesco has been particularly tight-lipped following a high-profile attack in 2016 that robbed 9,000 customers of £2.5 million, Woodward argues that – as with the Hameed case – a simple confidence trick could be the explanation. “Most of these attacks, when they come to light, turn out not to be very complicated,” he says. “With Tesco, it’ll probably just be some breakdown of process and people.”
The simplicity of the scams being deployed doesn’t make it any easier for banks to deal with them, however. Fixing flaws in their own security apparatus is one thing; changing patterns of human behaviour is another entirely.
“Scammers rely on a number of human traits,” Woodward explains. “One of them is taking people at face value, and that includes somebody turning up and saying they are an engineer coming to help you. Scammers are very good at psychology. It’s about putting people in the loop and then using that combination of the way technology works with the way humans think.”
One concrete way in which banks can respond, however, is by educating the public. “In reality, the banks and building societies can’t solve this problem on their own,” says Skinner. “We’ve done a huge amount ourselves, but the customers need to be part of this; it needs to be a partnership.”
Teaching customers a few “golden rules” would be a start, Skinner adds. “Your bank will never ask you for personal data over the phone, for secret passwords or your codes,” he says. “And the reality is that if you are asked for these things, it probably won’t feel quite right.”
Another step is introducing new technology. One of the most promising examples, described as ‘the biggest shake-up in the field since the introduction of chip and pin in 2004’, is bank cards whose CVV codes change over time.
“It comes down to the fact that just about every card transaction we do these days is cardholder-not-present,” Woodward explains. “That means our card and CVV numbers are being held by so many people that you only need one of those to be hacked and you have a problem. Having a system of rotating CVV numbers so that when somebody does steal it, it doesn’t matter, is a great idea.”
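The rotating-CVV idea above, as an added illustration (not code from the article or any card issuer): the card and the issuer share a secret, the three digits are derived from it per time window, so a CVV copied from a merchant's records goes stale. The hourly window, the HMAC derivation and the one-window tolerance are this example's assumptions.

```python
"""Added illustration (not code from the article or any card issuer): a simplified
model of a card whose CVV changes on a schedule, and why a stolen copy goes stale."""
import hashlib
import hmac

CVV_WINDOW_SECONDS = 3600  # assumption: the displayed CVV rotates once an hour


def dynamic_cvv(card_secret: bytes, at: float, window: int = CVV_WINDOW_SECONDS) -> str:
    """Derive the three-digit CVV valid during the time window containing `at`.

    Only the card's display module and the issuer hold `card_secret`; merchants
    store just the three digits, so a breach yields nothing that derives future codes.
    """
    counter = int(at // window)
    mac = hmac.new(card_secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F  # HOTP-style dynamic truncation, cut down to 3 digits
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 1000:03d}"


def issuer_verify(card_secret: bytes, presented: str, now: float,
                  window: int = CVV_WINDOW_SECONDS, skew_windows: int = 1) -> bool:
    """Issuer-side check: accept the current window plus `skew_windows` earlier ones,
    so a payment submitted moments after a rotation still clears."""
    for back in range(skew_windows + 1):
        expected = dynamic_cvv(card_secret, now - back * window, window)
        if hmac.compare_digest(expected, presented):
            return True
    return False


def stolen_cvv_still_works(card_secret: bytes, stolen_at: float, replay_at: float) -> bool:
    """Would a CVV copied from a merchant's records at `stolen_at` still authorise at `replay_at`?"""
    return issuer_verify(card_secret, dynamic_cvv(card_secret, stolen_at), replay_at)


if __name__ == "__main__":
    secret = b"constructed-demo-card-secret"  # constructed; a real one would be random
    t0 = 1_500_000_000.0                      # constructed timestamp
    print(stolen_cvv_still_works(secret, t0, t0 + 600))       # same hour: still valid
    print(stolen_cvv_still_works(secret, t0, t0 + 3 * 3600))  # three hours on: rejected
```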
Another promising breakthrough is the introduction of ‘confirmation of payee’ systems designed to tackle both fraud and ‘fat-finger’-type cases, where customers send money to the wrong account.
Instead of asking customers to confirm that they want to transfer money to a particular account number and sort code, banks will in future send instant messages containing the actual account holder's name: ‘Are you sure you want to send £20 to Mrs Jane Doe’, for example.
“That’s another great idea because it’s human-centric,” says Woodward. “If you give people long strings of numbers, it’s too difficult. I think people might start to do more payments online with that [new] system in place.”
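The confirmation-of-payee check described above, as an added illustration (not the article's or any bank's code): the sort code and account number are resolved to the registered name, and the customer is shown that name, or warned when the name they typed does not fit it. The lookup table, the name the customer enters, and the match/close/no-match categories and threshold are this example's own assumptions.

```python
"""Added illustration (not the article's or any bank's code): a minimal
'confirmation of payee' check that turns a sort code and account number into a
name prompt, and flags mismatches, before the customer's money leaves."""
import re
from difflib import SequenceMatcher

# Constructed stand-in for the lookup a receiving bank would answer
ACCOUNT_NAMES = {
    ("40-47-84", "12345678"): "Mrs Jane Doe",
    ("40-47-84", "87654321"): "Acme Roofing Ltd",
}
TITLES = {"mr", "mrs", "ms", "miss", "dr"}
CLOSE_MATCH = 0.8  # assumption: similarity above this is treated as a likely typo


def normalise(name: str) -> str:
    """Lower-case, drop punctuation and titles, so 'Mrs J. Doe' and 'jane doe' compare fairly."""
    words = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(w for w in words if w not in TITLES)


def confirm_payee(sort_code: str, account_no: str, name_entered: str, amount: str):
    """Return (outcome, message). Outcomes are this example's own categories:
    'match', 'close' (probable typo), 'no_match', or 'unknown' (account not found)."""
    registered = ACCOUNT_NAMES.get((sort_code, account_no))
    if registered is None:
        return "unknown", (f"We can't check the name on this account. "
                           f"Are you sure you want to send {amount}?")
    score = SequenceMatcher(None, normalise(name_entered), normalise(registered)).ratio()
    if score == 1.0:
        return "match", f"Are you sure you want to send {amount} to {registered}?"
    if score >= CLOSE_MATCH:
        return "close", (f"The name on this account is {registered}, not '{name_entered}'. "
                         f"Check the details before sending {amount}.")
    return "no_match", (f"The name you entered does not match this account. "
                        f"Do not send {amount} until you have confirmed the payee by another route.")


if __name__ == "__main__":
    print(confirm_payee("40-47-84", "12345678", "Jane Doe", "£20"))
    print(confirm_payee("40-47-84", "12345678", "Jane Do", "£20"))     # one letter out
    print(confirm_payee("40-47-84", "87654321", "John Smith", "£500"))  # wrong account
```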
Perhaps most significantly, banks are also responding to scammers with innovative biometric systems such as facial recognition and fingerprint technology.
“People are recognising that you can’t put the onus totally on the human for not being defrauded,” says Woodward. “What you need is to have technology that makes sure it really is the right person behind a transaction. With biometrics, there is one application, for example, through which banks can tell the way an individual person holds and taps the phone. The idea is for a kind of ongoing authentication. Suppose somebody put you under duress and got you to log in. The computer would recognise it was you typing, but when the fraudster takes the phone, it could tell that there was a change.”
As new technology and challenger banks emerge to change the fraud landscape, there is a danger, however. “Making life easier and more convenient is important,” Woodward says. “But it can often be the enemy of security, and I think that is where we have to be very careful.
“Some of the older banks might be using dated equipment, but they will at least have a lot of history and experience in setting them up and attaching them to the web,” he adds. “Perversely, it’s often with the newer technologies that we tend to find the faults simply because the flaws have already been ironed out.”
For Skinner, however, the significance and promise of biometric technology lies precisely in its ability to marry customer experience with first-class security. “When used properly, biometrics can be really secure and also take the friction out of the authentication,” he says. “That’s utopia, and that’s what we are all aiming for.”