This week brought an announcement from a banking association that “identity fraud” is soaring to new levels, with 89,000 cases reported in the first six months of 2017 and 56% of all fraud reported by its members now classed as “identity fraud”.
So what is “identity fraud”? The announcement helpfully clarifies the concept:
“The vast majority of identity fraud happens when a fraudster pretends to be an innocent individual to buy a product or take out a loan in their name. Often victims do not even realise that they have been targeted until a bill arrives for something they did not buy or they experience problems with their credit rating. To carry out this kind of fraud successfully, fraudsters need access to their victim’s personal information such as name, date of birth, address, their bank and who they hold accounts with. Fraudsters get hold of this in a variety of ways, from stealing mail through to hacking; obtaining data on the ‘dark web’; exploiting personal information on social media, or through ‘social engineering’ where innocent parties are persuaded to give up personal information to someone pretending to be from their bank, the police or a trusted retailer.”
Now back when I worked in banking, if someone went to Barclays, pretended to be me, borrowed £10,000 and legged it, that was “impersonation”, and it was the bank’s money that had been stolen, not my identity. How did things change?
The members of this association are banks and credit card issuers. In their narrative, those impersonated are treated as targets, when the targets are actually those banks on whom the impersonation is practised. This is a precursor to refusing bank customers a “remedy” for “their loss” because “they failed to protect themselves.”
Now “dishonestly making a false representation” is an offence under s2 Fraud Act 2006. Yet what is the police response?
The Head of the City of London Police’s Economic Crime Directorate does not see the banks’ narrative as dishonest. Instead he goes along with it: “It has become normal for people to publish personal details about themselves on social media and on other online platforms which makes it easier than ever for a fraudster to steal someone’s identity.” He continues: “Be careful who you give your information to, always consider whether it is necessary to part with those details.” This is reinforced with a link to a police website with supposedly scary statistics: 55% of people use open public wifi and 40% of people don’t have antivirus software (like many security researchers, I’m guilty on both counts). This police website has a quote from the Head’s own boss, a Commander who is the National Police Coordinator for Economic Crime.
How are we to rate their conduct? Given that the costs of the City force’s Dedicated Card and Payment Crime Unit are borne by the banks, perhaps they feel obliged to sing from the banks’ hymn sheet. Just as the Macpherson report criticised the Met for being institutionally racist, we might perhaps describe the City force as institutionally corrupt. There is a wide literature on regulatory capture, and many other examples of regulators keen to do the banks’ bidding. And it’s not just the City force. There are disgraceful examples of the Metropolitan Police Commissioner and GCHQ endorsing the banks’ false narrative. However, people are starting to notice, including the National Audit Office.
Or perhaps the police are just clueless?
Curiously, I learn that the Commander to whom I referred above has left the City force. Now that he works for an anti-fraud charity, his advice to fraud victims is refreshingly different: they should take the bank to court. This further strengthens the case that the issue is an institutional one, rather than necessarily being the fault of individual officers below the rank of Commissioner.
And not only are Cifas victim-blaming, but their security advice is terrible; even worse than their last fraud figure announcement.
Here is a wonderful piece on this question by Mitchell and Webb.
Mitchell and Webb can be hit and miss, but that is absolutely brilliant.
Who says it can’t be both?
So, you think that banks should foot the bill entirely, regardless of how stupid the behaviour of their customers. You think customers that take no responsibility for their banking security should not be blamed when things go wrong. That’s not very clever: it will simply increase the cost of retail banking, and we will all pay.
My friend lost £20K in identity fraud last month. He’s a nice guy, but he was stupid. He performed operations on the hardware dongle as requested by the fraudster that had called him pretending to be the bank, and read out the result of the operations to the fraudster. If people are going to do that, how can the banks make it secure?
Customers want the convenience of internet banking. When you worked in banking, probably the customer had to attend in person and show their passport to take out a £10K loan. Are you suggesting we go back to those days?
Not all cases are the same – I think most of us would agree where the customer has given instructions to the bank which lose him his money, that’s his problem. Where a fraudster has given instructions to the bank that lose them a customer’s money, that should be their problem, not the customer’s.
There doesn’t seem to be much ‘identity fraud’ in your friend’s case to be honest. It’s just fraud, and identity didn’t much come into it.
The banks could do far more to improve their security and inform their customers of how to use and tailor a more secure system to their needs. I do not want to bank my money with organisations that have little interest in security, but as of yet no bank offers proper security. So in answer to your questions: yes, I would like to go back to secure banking.
Some of these fraudsters can be very convincing – they may claim they’re from the bank or another trusted third party. You shouldn’t really be so hard on your friend – it’s very hard to reliably challenge and identify someone who might be contacting you in your best interests — especially when bank fraud departments do in fact do this after potentially risky purchases, and ask similar questions.
At the end of the day the money belonged to the target, and the best ideal outcome is that we can protect them even if they are duped.
We have an obligation to ourselves to protect as much personal data as possible. However, whatever happened to having a meeting face to face with your bank manager to arrange a loan? If banks want to cut down on staff and automate more and more services, then they have to build in more robust safeguards and protection. They can’t have their cake and eat it twice. It may also be time for banks to review accounts charges. If we demand more protection, we may have to pay for this through higher bank costs. There is only going to be one winner … The Banks.
Providing better security is relatively inexpensive. More passwords and identity checks to access accounts; the facility to set limits on maximum card transactions; strict notification before using cards abroad; ability to set limits on use of cards online; transfer checks by the bank on the phone; facility to restrict the number of accounts accessible online or to require separate secure access to each account, etc. Customers should be able to set these limits and checks to suit their needs and level of security. If customers opt for a more secure account it should cost less, not more, than the pathetically insecure accounts the banks force them to have. If a bank offered a secure account, I would have one and most people I know would switch their banking to have one. I make a point of writing to all the banks with which I have an account(s) to inform them that I think their security is deficient and that I should, so to speak, be able to opt for more secure settings. Their replies make amusing reading.
Personally I use a Monzo card as it’s prepaid debit, so there’s a limit to how much I can be dunned for if something goes wrong. I transfer money to it as needed from the account into which I have my salary paid.
That is a solution but I am not sure why I should have to be put to all that bother. I also like to do my banking as far as possible in branch because I and others are trying to keep high street branches open (not much hope, but there you go). This is very time consuming in these parts, but it also means my banks ‘should’ more easily detect unauthorised activity (again, not much hope, but there you go).