Skip to main content

POST Faster fraud

Some good news arrives from our friend at Financial Fraud Action (FFA), the body tasked with reducing financial fraud in the UK.

Remote banking fraud losses totalled £137.1 million, a 19 per cent decrease from £168.6 million in 2015.

From Financial fraud data for 2016 published : Financial Fraud Action UK

Great news. Except… 

"But the report failed to include any reference to one form of crime that is on the rise and blighting victims’ lives: bank transfer fraud."

'I was robbed of £19k, and Barclays just stood by'

Oh dear. Having made it easier to transfer money between bank accounts, criminals have t

"After it was realised this was a scam, your bank contacted the Italian post office where the funds had gone but the money could not be retrieved."

'I was scammed for £1,300 and Amazon told me to buy again'

xxx

 

xxx

"It was only on closer inspection that they saw underneath the displayed name that the email address was not his own."

'I was robbed of £19k, and Barclays just stood by'

I must sound awfully harsh but I do not see what the bank has done wrong here. They were instructed to transfer money and that instruction was properly authenticated. It is not there fault that they were asked to transfer money to a fraudsters account.

The real problem here is using e-mail to instruct bank transfers. That’s negligence, since we all know that e-mail has no security. I would suggest that for accountancy firms and all others, all messages containing financial information be sent by Signal or for that matter WhatsApp (which has our Home Secretary’s enthusiastic endorsement as a platform for secure communications).

There was (yet another) discussion about these frauds on the BBC’s MoneyBox recently and I made a passing comment about how easy it would be to find out who the fraudsters are an arrest them. My point was that instant payments go to a bank account and since we have famously strict and well-observed Know-Your-Customer (KYC) laws maintained at great expense by the British bank industry, so it should be easy to send the police the details of who to arrest.

"TSB said… In this instance the scammer used valid ID"

'I was robbed of £19k, and Barclays just stood by'

Well if it was a valid ID then bob’s your uncle. Should be easy to round up the perps. But not so...

"In some cases the original account is opened by a student or temporary British resident who is later – perhaps when they are leaving the country – persuaded to ‘sell’ the account to a fraudster for cash."

'I was robbed of £19k, and Barclays just stood by'

Interesting. And it’s not, a first glance, obvious what to do about this other than to make it a criminal offence to let someone else log in to your bank account.

Comments

Popular posts from this blog

There is no excuse for not taking cards

So we went to the pub. For lunch. Seven of us. Say £20 per head. £100+ quid. Say £50 quid gross for the pub. Colleague goes to order food and drinks and pay at the bar. Apologetic barmaid comes over to explain that their “card machine” is down, so she can only accept cash. Under normal circumstances I would have simply walked out, feeling it wholly inappropriate to reward such a poorly managed establishment and, as a functioning actor in a capitalist economy, done my duty to depress their lunchtime takings. Here’s what we wanted to say: This is absurd. This is 2016 not 1916. Your card machine is down? Well, so what! Are you seriously telling me that mein host has no mobile phone number capable of registering for PingIt or PayM? That none of the staff or the pub itself have a PayPal account that I can send the money to? That neither the owners nor managers not contingency planners thought to tuck an iZettle behind the bar to use when the clunky and expensive GPRS terminal fails for o...

Financial Cryptography: Corda Day - a new force

Forum friend Ian Grigg, who I always take very seriously indeed on any such topic, wrote about Corda on his blog and concluded with a powerful statement. Bitcoin told the users it wanted an unstoppable currency - sure, works for a small group but not for the mass market. Ethereum told their users they need an unstoppable machine - which worked how spectacularly with the DAO? Not. What. We. Wanted. Corda is the only game in town because it's the only one that asked the users. It's that simple. From Financial Cryptography: Corda Day - a new force xxx It seems to me, however, what Ian is pointing to as the greatest strength of their approach is also the greatest weakness. A staple feature of unimaginative management consultants presentations about innovation is some variation on the statement by Henry Ford that if you had asked users what they wanted, they would have asked for faster horses coupled with some variation on the statement by Steve jobs that it was pointless ask...

We could fix mobile security, you know. We don't, but we could

Earlier in the week I blogged about mobile banking security , and I said that in design terms it is best to assume that the internet is in the hands of your enemies. In case you think I was exaggerating… The thieves also provided “free” wireless connections in public places to secretly mine users’ personal information. From Gone in minutes: Chinese cybertheft gangs mine smartphones for bank card data | South China Morning Post Personally, I always use an SSL VPN when connected by wifi (even at home!) but I doubt that most people would ever go to this trouble or take the time to configure a VPN and such like. Anyway, the point is that the internet isn’t secure. And actually SMS isn’t much better, which is why it shouldn’t really be used for securing anything as important as home banking. The report also described how gangs stole mobile security codes – which banks automatically send to card holders’ registered mobile phones to verify online transactions – by using either a Trojan...