Hacked off – the evolution of digital security systems

7 July 2016

As our dependence on digital security systems increases, customers’ ability to rely on their banks to protect them from fraud becomes even more imperative. Sophie Peacock speaks to Katy Worobec, director of Financial Fraud Action UK, about how banks and law enforcement are working to keep continually evolving methods of financial crime easily combatable. But are banks managing to beat the criminals at their own game, or merely fighting fire with fire?

In April this year, Chris Sims' iPhone abruptly stopped functioning with no indication as to why. In just over an hour from that moment, fraudsters had hijacked Sims' phone and used his online banking app to apply for a £8,000 loan in his name, and taken £1,200 out of his account.

Sims had fallen prey to a new and vicious method of financial exploitation known as 'SIM swap fraud'; a scam where criminals cancel the SIM card linked to a victim's number, and activate a new one on a phone in their control. All contact made to the original owner's number is redirected to the criminal's phone, allowing them to access codes or authorisations required for online bank transfers. The fraudster only needs a few of their victim's personal details to do this, which can often be easily retrieved via social media.

With the multitude of ways customers can access and transfer their finances, 'robbing a bank' no longer means what it used to. These days, a criminal wanting to get away with considerable sums of money needs only a smartphone and an internet connection to clean out a savings account. As criminals continue to grow wise to potential security loopholes, the financial sector is advancing in leaps and bounds to stay up to date with the latest technology and try to beat fraudsters to the punch.

According to the Financial Fraud Action (FFA) UK's official 2015 statistics, there has been a steady rise in fraud losses on UK-issued bank cards since 2011. The FFA encourages online retailers to use verification services such as American Express 'SafeKey', 'Verified by Visa' and MasterCard's 'SecureCode'- but how long is it before banks fall behind in the security arms race and these measures also become insufficient? Increasingly focused on easy access payments such as mobile banking and contactless payments, the customer experience is instantaneous and, seemingly, entirely in the user's control. However, this freedom of access ultimately presents new security vulnerabilities for cybercriminals to exploit.

"It is vital that everyone is vigilant and safeguards their personal and financial information," says Katie Worobec, director of FFA UK. "Everyone should be extremely wary of any calls, texts or emails out of the blue asking for their details." With overall managerial responsibility for the company's fraud reduction strategy, Worobec has a wealth of experience in what to expect from new and increasingly sophisticated financial scams.

When choosing a bank, customers are inclined to look at features that cater closely to their own needs such as interest rates and loan plans, but the promise of security against fraud is perhaps taken for granted; banks must offer financial protection that is as relevant and future-proof as possible in order to stand out to prospective customers. Keeping banking technology as advanced as possible without pushing existing methods unnecessarily into obsolescence is a delicate balance to strike; the website for cybercrime awareness, ActionFraud, is never short of updates on new financial scams taking place.

These days, a criminal wanting to get away with considerable sums of money needs only a smartphone and an internet connection to clean out a savings account.

"Banks continue to educate their customers about the potential dangers they face but fraudsters can appear to be very convincing," says Worobec. "It is important everyone knows the types of scams to look out for and how they can protect themselves, as people are not always who they say they are.

Self rescue

An element of financial protection also falls to the customers themselves, of course; using sensible and substantial security methods, particularly with online and mobile banking, is something that banks work hard to promote. Using weak, easy to guess or already-in-use passwords is a major threat to personal security. Combatting the inevitability of cybercrime is vital, but so is implementing enough measures to ensure it doesn't have a lasting impact. The FFA's online guidelines suggest "Never log in to your bank website through a link in an email, even if the email appears to have come from your bank. Type the web address into your browser yourself."

According to the FFA, remote banking fraud has recently become even more prevalent; fraudsters posing as bank staff scam customers into sending them money via online banking. A newspaper article in March 2016 reported that "Victims of [remote banking] fraud have told the Guardian that the police have not been interested in investigating such cases even though the losses have been as much as £25,000."

But according to Worobec, banks work extremely hard to protect their customers and use highly sophisticated security systems that stopped £7 in £10 of attempted fraud from occurring last year.

"Anyone who is a victim of fraud will receive a refund," she says. "Last summer, a review of fraud refunds published by the FCA found customers who suffer fraud are being treated fairly by their card issuers. The FCA also found that firms err on the side of customers when they are reviewing a claim and recognised the industry works hard to proactively identify incidents of fraud."

Case in point

Obviously, customer fraud cases are not always cut and dried. A BBC Watchdog investigation into UK bank fraud presents a worrying dilemma in the case of Ray Saddington, a man targeted by criminals who used his details to buy tax discs for cars that weren't his. Despite being able to prove he didn't own the vehicles, the bank didn't believe him due to the fact that he had used the retailer before. Unfortunately for Saddington, motorists in need of tax discs can only use the one supplier: the DVLA.

Providing a bridge between the legal and financial sectors, the recently launched Joint Fraud Taskforce plans to "strengthen the collective response on fraud". The taskforce aims to form a united dedication to sharing information between the two industries.

"We are working with government and law enforcement in the new Joint Fraud Taskforce to use our collective powers, systems and resources to crack down on financial fraud," explains Worobec. "Individually, all banks have sophisticated security systems in place to protect their customers' accounts, and are constantly working to improve them. Many banks even offer free security software."

However, recent unsettling conversations between GCHQ, The Bank of England and the UK Government have proposed that bank customers be made to fund the fallout of any fraudulent activity on their accounts. As it stands, banks routinely foot the bill for mounting fraud losses, no matter who is deemed to be at fault. But when banks are continually working hard to stay as bulletproof as possible, determining who can be held accountable for fraud becomes a game of nervous finger-pointing.

Collectively, the banking industry shares intelligence and information on all types of fraud, and liaises with law enforcement, the telecommunications industry and other key stakeholders. Doing so helps to improve understanding about emerging threats, and to identify and prosecute the perpetrators. "To tackle fraud, the industry continually invests in new, innovative security tools," says Worobec. "This includes more sophisticated ways of authenticating customers, such as using biometrics and customer behaviour analysis."

Put your finger on it

Earlier this year, HSBC launched fingerprint authentication services to all mobile banking customers with an iPhone that uses a fingerprint reader. HSBC is also using 'nuance communications', a type of voice recognition software.

To tackle fraud, the industry continually invests in new, innovative security tools. This includes more sophisticated ways of authenticating customers, such as using biometrics and customer behaviour analysis.

With both of these means of access, customers will potentially no longer need to memorise and repeat long passwords or answers security questions. After all, memories are fallible, but biological uniqueness, such as the way a name is said or a signature is written, is a constant - though not infallible. Eliminating typed passwords is expected to improve security for customers as they often use the same password across different online accounts.

A more time-consuming solution - but possibly a more accessible option until biometrics reaches the mainstream - can be found in two-step validation. More and more banks are offering this as a feature that can be activated by users who wish to verify their account use online and through a unique generated smartphone code. The idea is that criminals are less likely to have possession of a customer's mobile phone as well as access to their online banking.

But while Sims was fortunate enough to recover all of his lost funds, it seems financial fraud prevention is a constant game of catch up with increasingly astute cybercriminals.