Yesterday the Financial Conduct Authority (the UK bank regulator) issued a report on Fair treatment for consumers who suffer unauthorised transactions. This is an issue in which we have an interest, as fraud victims regularly come to us after being turned away by their bank and by the financial ombudsman service. Yet the FCA have found that everything is hunky dory, and conclude “we do not believe that further thematic work is required at this stage”.
One of the things the FCA asked their consultants is whether there’s any evidence that claims are rejected on the sole basis that a PIN was used. The consultants didn’t want to rely on existing work but instead surveyed a nationally representative sample of 948 people and found that 16% had a transaction dispute in the last year. These were 37% MOTO, 22% cancelled future-dated payment, 15% ATM cash, 13% shop, 13% lump sum from bank account. Of customers who complained, 43% were offered their money back spontaneously; a further 41% asked; in the end a total of 68% got refunds after varying periods of time. In total 7% (15 victims) had their claim declined, most because the bank said the transaction was “authorised” or followed a “contract with merchant”, and 2 for chip and PIN (one of them an ATM transaction; the other admitted sharing their PIN). 12 of these 15 considered the result unfair. These figures are entirely consistent with what we learn from the British Crime Survey and elsewhere: two million UK victims a year, and while most get their money back, many don’t; and a hard core of perhaps a few tens of thousands who end up feeling that their bank has screwed them.
The case studies profiled in the consultants’ paper were of glowing happy people who got their money back; the 12 sad losers were not profiled, and the consultants concluded that “Customers might be being denied refunds on the sole basis that Chip and PIN were used … we found little evidence of this” (p 49) and went on to remark helpfully that some customers admitted sharing their PINs and felt OK lying about this. The FCA happily paraphrases this as “We also did not find any evidence of firms holding customers liable for unauthorised transactions solely on the basis that the PIN was used to make the transaction” (main report, p 13, 3.25).
According to recent news reports, the former head of the FCA, Martin Wheatley, was sacked by George Osborne for being too harsh on the banks.
And the surprise is ?
My banks refunded fraudulent transactions, but in the case of an unwanted internal transfer (which had persisted despite me trying to cancel it) causing a cascade of failed transactions and unauthorised overdraft fees at £30 each for failed transfers within the same bank (with the original flaw caused by a design flaw in their online banking system, which made some future-dated transactions totally invisible); though I tried to frame my complaint as assistance in getting their systems right, Nationwide refused to acknowledge the problem: they just kept sending me politely worded form letters telling me they had received my letter, before closing my enquiry without resolution (after about seven complaints, no exaggeration, their local bank manager eventually, reluctantly, refunded half of my money under threat of me closing my account! I closed my account anyway of course, after such a terrible experience; and I’ve never looked back.)
My personal experience indicates that some banks are much better than others at preventing fraudulent transactions from going through in the first place: I’ve been banking with Halifax for decades, and done ten thousand transactions, but never suffered fraud there; whereas on the other hand, I banked for a few years with Nationwide, completed a few dozen transactions, yet had a fraudulent direct debit fee applied for “O2” when I had my telephone service with someone else!
Why are we still using trivial-to-copy-and-distribute-en-masse “CVV2” codes?
Why does Santander show the same GIF image to me each time I log on, allegedly to assure me that I’m not being subjected to a man-in-the-middle attack via a phishing site? The bank’s security gurus thus demonstrate that they have no idea what a man-in-the-middle attack is!
Why does Santander demand a username, a password and a separate “registration number” (password) — thus demonstrating that they fail to understand the equivalence between two separate password boxes, and one long password box?
Why do HSBC, Nationwide and others insist on me installing “Trusteer Rapport” (worthless trash that slows my computer down radically especially during system shut-down, and which cannot in any case reliably do the job it’s ostensibly intended for: preventing persistent advanced rootkits with keyloggers from snaffling my security credentials), unless they simply wish to transfer liability to me by suggesting that I failed to follow (unreasonable) advice, rather than to actually control real-world risks?
Unfortunately, half of our banks simply aren’t interested in real security unless it’s their money, and their bonuses, on the line. Of the half that care about security, half of the remainder seem to think that significant amounts of fraud are tolerable as “the cost of doing business”. All this, despite good and economical solutions being within reach!
— Which cynically answers my more general question: Why aren’t we using systems that support full mutual authentication of transaction details, such as PassWindow, ZTIC, or some cheap ZTIC-analogue based on a mobile application running on locked-down mobile operating systems that only run signed code? Why are mobile phone companies and banks developing payment systems which merely implement standard contactless payment protocols in a mobile format; instead of taking advantage of the new platform (which includes a SCREEN and USER INTERFACE), and implementing mutual authentication?
If the banks don’t want to pay for an LCD-based PassWindow or develop a mobile-app-based clone of ZTIC; then still: why do so few of them implement the recommendations from your book, “Security Engineering”, in which you rightly suggest that mobile-SMS-transaction-authentication-numbers give the most “bang for your buck” out of the traditional solutions? Surely, the fraud is costing them more than a few pennies per transaction more than it would with this simple fix in place for any new transaction recipient, or for any high-value transaction?
It seems to me like the banks don’t know what’s good for them. Ten thousand customers offended per year means ten thousand customers looking for a new bank (a competitor), who will probably never return to the offending party…
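What the comment above calls mutual authentication of transaction details (a ZTIC-style device, or an SMS TAN that quotes the recipient and amount) comes down to binding the confirmation code to the payment rather than to the session. The sketch below is an added example, not code from the original post or from ZTIC, PassWindow or any bank; it assumes a per-customer key shared with the bank at enrolment, an in-memory toy bank, and invented names (“alice”, “Gas Board”). It shows the transaction-bound code rejecting an order whose recipient was altered between the customer and the bank, while a session-only one-time code cannot tell the difference.

```python
"""Toy model of transaction-bound authentication ("what you see is what you sign").

Assumptions (not from the original post): the customer's trusted device and the
bank share a per-customer key provisioned at enrolment, and the device computes
the code over the details the customer actually saw and approved.
"""
import hashlib
import hmac
import secrets

DIGITS = 6  # length of the decimal code shown to / typed by the customer


def transaction_tan(key: bytes, recipient: str, amount_pence: int, nonce: str) -> str:
    """HMAC over recipient, amount and a per-order nonce, truncated to DIGITS digits."""
    msg = f"{recipient}|{amount_pence}|{nonce}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**DIGITS:0{DIGITS}d}"


def session_otp(key: bytes, nonce: str) -> str:
    """A plain one-time code bound only to the session, not to what is being paid."""
    return transaction_tan(key, "", 0, nonce)


class Bank:
    """Bank side: holds customer keys and the orders it received over the web channel."""

    def __init__(self) -> None:
        self.keys: dict[str, bytes] = {}
        self.pending: dict[str, tuple[str, str, int]] = {}

    def enrol(self, customer: str) -> bytes:
        key = secrets.token_bytes(32)  # shared with the customer's device out of band
        self.keys[customer] = key
        return key

    def receive_order(self, customer: str, recipient: str, amount_pence: int) -> str:
        """Store the order exactly as it arrived (the web channel may have altered it)."""
        nonce = secrets.token_hex(8)
        self.pending[nonce] = (customer, recipient, amount_pence)
        return nonce

    def challenge_text(self, nonce: str) -> str:
        """What the bank would put in the SMS or on the device display for the customer to check."""
        _, recipient, amount = self.pending[nonce]
        return f"Pay GBP {amount / 100:.2f} to {recipient}? Confirm with the code from your device."

    def confirm_with_tan(self, nonce: str, code: str) -> bool:
        """Accept only if the code matches the details the bank actually holds."""
        customer, recipient, amount = self.pending.pop(nonce)  # pop: a nonce is usable once
        expected = transaction_tan(self.keys[customer], recipient, amount, nonce)
        return hmac.compare_digest(expected, code)

    def confirm_with_otp(self, nonce: str, code: str) -> bool:
        """Session-only check: says nothing about recipient or amount."""
        customer, _, _ = self.pending.pop(nonce)
        return hmac.compare_digest(session_otp(self.keys[customer], nonce), code)


def run_transfer(bind_to_transaction: bool, tampered: bool) -> bool:
    """Run one payment. `tampered` models the recipient being rewritten in transit
    between the customer's browser and the bank; the customer still sees and approves
    the original details on the trusted device."""
    bank = Bank()
    key = bank.enrol("alice")
    intended = ("Gas Board", 12_500)                       # what alice meant to pay
    submitted = ("Somebody Else", 12_500) if tampered else intended
    nonce = bank.receive_order("alice", *submitted)
    if bind_to_transaction:
        code = transaction_tan(key, *intended, nonce)      # device signs what alice saw
        return bank.confirm_with_tan(nonce, code)
    code = session_otp(key, nonce)                         # code carries no payment details
    return bank.confirm_with_otp(nonce, code)


if __name__ == "__main__":
    for bound in (True, False):
        for tampered in (False, True):
            print(f"bound={bound} tampered={tampered}: accepted={run_transfer(bound, tampered)}")
```

The nonce is popped on first use, so a code cannot be replayed against a second order; and because the bank's expected code is computed over the details it actually received, any disagreement between what the customer approved and what the bank was told is rejected without the bank needing to know which side was altered.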
I wonder if you have looked into the security of the contactless cards which seem to be rolling out en-masse now (ie. my bank mailed me one without asking)? Personally, I do not like the idea of contactless paying but are there some genuine concerns with them?