Tuesday 8 August 2017

Rights and respobsibilites - online fraud and the security war

Quite interesting, and I dare say, courageous, for the CEO of RBS to come out today and complain about his own customers.

I may be being a little partial, but he basically says they are stupid, fall for obvious scams and as such should not be recompensed.

It is very hard to have much sympathy for RBS - after all, they managed to blow, er, £48 billion on stupid scams and lending which they then asked the taxpayer to bail out with no hope of ever seeing the money again.

So RBS do not start from a good place to preach. However, it is a growing scandal as to how much banks spend on compensating customers for online fraud, well over £1 billion a year in the UK.

There is a balance to be struck, no one wants to have to remember several passwords and use two or three key input devices in order to access their online accounts; on the other hand, the light touch access is easily hacked.

Online crime must surely be the fastest growing type of crime in the world alongside people trafficking in 2017.

So where does the line lie? It can't be right that people hand over their details to strangers or transfer money to strangers and the bank picks up the tab every time. There is a level of responsibility. On the other hand, people get conned, and part of the job of the bank is to stop this happening to their valued customers.

It is hard, just last week I was called by a guy who was referencing people I knew, telling me about his company and project and then subtly asking for some key details from myself. It was a very high level scam (called Spear Phishing apparently) where quite some effort had gone into researching my background and contacts (I would guess through LinkedIn). Only some tough questioning on my part made them hang up the phone. The scammers are getting better and better and the Banks must be really worried about how they can keep up in the security war.

I am still not convinced blaming the customers is the answer, but it shows how worried the Banks are.


Charlie said...

I agree with the sentiment, but as you point out, it's a bit rich for RBS to be preaching about reckless behaviour.

Good online services are a differentiator for me; I have switched banks before in order to move away from poor online provision. However, I'm also aware that for some customers, particularly the elderly, they don't want to go online or talk to someone in a call centre; they would rather be served in a branch. The banks are slowly removing this option in order to reduce costs, but the very people who are most vulnerable to (/uneducated about) online fraud are the ones who are only online because that's the option being pushed by the banks.

It might seem obvious to you or I that giving away digits 2 & 4, 1 & 6 then 3 & 5 to the person on the phone means they have your whole PIN, but for people who don't have an intuitive understanding of how computer security works, these sorts of attack will continue to happen.

Remembering more complex passwords is also an issue for the non-tech savvy, who won't be using a password manager. Handily, writing down a number of more complex passwords on a bit of paper isn't actually as daft an idea as it sounds; we humans have become very good at looking after little bits of paper. Certainly, having "PAFKSIU780" for a single online service and written down somewhere is more secure than storing "Password1 for everything" in your head.

One good system for people who can't remember passwords is:

- Choose a book. Doesn't matter which one as long as it has a few hundred pages and you can remember which one it is!

- For each password you need to remember, write down a page number and the position of a couple of words on that page.

e.g. "Current account 232, 4, 7" means you'd open your nominated book on page 232, then concatenate the 4th and 7th words.

Two concatenated words are reasonably secure and it would be almost impossible for someone discovering your cheat sheet to work out what it meant.

dearieme said...

I have a better scheme than that, Charlie, but I'm not going to tell you what it is.

Electro-Kevin said...

I think most people would quite happily not do online banking if they'd prefer.

Once cashpoints and direct debits came in I don't recall personal banking being particularly difficult to manage.

It's nice to buy stuff on line, but again. Very rarely anything that can't be bought nearby.

HD said...

Passphrases I feel should be the answer. Much more memorable, and much more secure than a few short letters and numbers, and only compromised when you actually tell someone it. I have a friend who uses the name of one of their university coursework pieces, something along the lines of "The effect of deformed protein diets on mice" (Obviously not that).

The effect is that the password is both memorable and secure. "PAFKSIU780" could apparently be cracked in roughly one day. The aforementioned one would allegedly take "2 vigintillion years". That is a significant difference.

Steven_L said...

I do wonder how much personal data gets stolen from within such firms and from their trash. I worked in a lot of call centres in my teens and twenties and security was pretty lax. Agents tended to write down all your personal details on scraps of paper so as not to have to ask you twice. At the end of the day these scraps of paper went in the trash with all the half eaten sandwiches and were left out for the seagulls and urban foxes.

As a student I used to work in a banking call centre doing credit card applications / activations and sales. They didn't really do all that much background checking on anyone, and even if they had, I'm not sure how they would have checked the background of all the Nigerian and other foreign students on the same contract. West Africans were notably higher in attendance there than any of the utilities places in the same city.

At a mobile phone call centre one of the junior managers, a 21 year old, was sacked for allegedly selling information to a private investigator. He apparently had a cocaine habit, which wasn't infrequent in these places. Indeed, most outbound sales departments seemed to be run by cliques of 'trendy' people (think wannabe 'Geordie Shore' types) who liked to powder their nose at the weekend and appeared to advocate (usually very successfully) promoting people from within their circle.

Wildgoose said...

Passphrases are indeed the best answer - and why I get very annoyed by Banks and other organisations who limit the number of letters allowed and who furthermore insist that any password must contain a digit along with Upper and Lower case letters. Paradoxically, the combination of these requirements actually reduces the number of possible passwords making an attack easier to carry out.

Length is the best defence, but length works best if it can be remembered - demanding digits et cetera makes this much harder for most people.

It's also pretty stupid to use these min/max length requirements on additional questions such as favourite film/food/restaurant/whatever. What's the point if you then won't accept the legitimate answer? It just becomes another (weak) password.

But the really egregious problem is that when your bank 'phones you out of the blue they demand you go through security before they will talk with you. Many years ago I had to make it very clear to HSBC that this was pointless because I would never go through such security without first having them answer questions about my account that only my bank should know. They used to splutter and say they couldn't answer such questions without first verifying my identity, only to have nothing to say when I pointed out that they were phoning me on my mobile telephone so they had a good idea who I was, but I had NO IDEA who they were.
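
The counting argument in Wildgoose's comment, and the length comparison in HD's comment further up, worked through as an added example (not part of the original thread). The 6 to 8 character limit and the 62-symbol alphabet are a constructed policy, since the page does not state any bank's actual rules.

```python
from itertools import combinations
from math import log2


def count_unrestricted(alphabet, min_len, max_len):
    """Every string over `alphabet` symbols with min_len..max_len characters."""
    return sum(alphabet ** n for n in range(min_len, max_len + 1))


def count_with_required(required, optional, min_len, max_len):
    """Strings that contain at least one symbol from each required class.

    required: sizes of the mandatory classes, e.g. [26, 26, 10]
    optional: number of extra allowed symbols with no "must contain" rule
    Inclusion-exclusion: subtract strings missing one class, add back those
    missing two, and so on.
    """
    alphabet = sum(required) + optional
    total = 0
    for n in range(min_len, max_len + 1):
        for k in range(len(required) + 1):
            for missing in combinations(required, k):
                total += (-1) ** k * (alphabet - sum(missing)) ** n
    return total


def bits(count):
    """Size of a search space expressed in bits."""
    return log2(count)


# Constructed policy (not any named bank's): 6 to 8 characters, must contain
# an upper-case letter, a lower-case letter and a digit; 62 symbols allowed.
POLICY = dict(min_len=6, max_len=8)
free = count_unrestricted(62, **POLICY)
ruled = count_with_required([26, 26, 10], 0, **POLICY)

# Brute-force upper bounds for the two strings quoted in HD's comment.
# A phrase built from dictionary words carries less entropy than this bound.
SHORT = "PAFKSIU780"                                      # upper case + digits
PHRASE = "The effect of deformed protein diets on mice"  # letters + space
short_bits = bits(36 ** len(SHORT))
phrase_bits = bits(53 ** len(PHRASE))

if __name__ == "__main__":
    print(f"6-8 chars, no rules  : {bits(free):6.2f} bits")
    print(f"6-8 chars, with rules: {bits(ruled):6.2f} bits "
          f"({ruled / free:.0%} of the space)")
    print(f"one more character   : {bits(count_unrestricted(62, 6, 9)):6.2f} bits")
    print(f"{SHORT!r}: {short_bits:.1f} bits")
    print(f"{len(PHRASE)}-character phrase: {phrase_bits:.1f} bits")
```

Under this policy the "must contain" rules remove roughly a quarter of the candidates, while allowing a ninth character multiplies the space by about 62.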

Wildgoose said...

A couple of further points about just how broken our "security" industry is.

I set up VPN access to one client over a wired connection internal to their organisation. I used a "£" (UK pound) symbol in the password.

This always worked over a wired internal connection, but always failed over a WiFi (home) connection.

The problem was traced to that pound symbol with the comment that it must cause problems going over the internet with Code Page conversions.


For this to be a problem that must mean that they were relying on transmitting my VPN password itself and NOT just an encrypted (hash) of it across the internet. Complete idiocy.

The second point is about anti-virus programs. They demand (and get) privileged kernel access to machines and yet have a terrible record for their code quality and are one of the prime targets for any malicious software.

They may still be better for naive users, but the rest of us are better off without.
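
What the VPN product in the comment above actually sent on the wire is not known from the page. This added example (not from the thread or from any vendor) shows how the pound sign becomes different bytes under different code pages, so that a byte-wise check fails, whether it runs on the password or on a verifier derived from it, unless both ends agree on one encoding; the salt, password and codec list are constructed.

```python
import hashlib
import hmac
import unicodedata

POUND = "\u00a3"  # the pound sign from the comment above


def byte_forms(password, codecs=("utf-8", "cp1252", "cp437")):
    """The bytes a client would emit for the same typed password per code page."""
    return {codec: password.encode(codec) for codec in codecs}


def derive(password_bytes, salt, rounds=100_000):
    """Salted PBKDF2-HMAC-SHA256 verifier; it only ever sees bytes, not characters."""
    return hashlib.pbkdf2_hmac("sha256", password_bytes, salt, rounds)


def verify(password_bytes, salt, stored):
    """Constant-time comparison of a freshly derived verifier with the stored one."""
    return hmac.compare_digest(derive(password_bytes, salt), stored)


def canonical(password):
    """One agreed byte form: Unicode NFC normalisation, then UTF-8."""
    return unicodedata.normalize("NFC", password).encode("utf-8")


# Constructed sample values.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
PASSWORD = "Tuesday" + POUND + "2017"
STORED = derive(canonical(PASSWORD), SALT)  # enrolled from a UTF-8 client

if __name__ == "__main__":
    for codec, raw in byte_forms(PASSWORD).items():
        ok = verify(raw, SALT, STORED)
        print(f"{codec:7} {raw.hex()}  accepted={ok}")
    print("canonical form accepted:", verify(canonical(PASSWORD), SALT, STORED))
```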

hovis said...

Online Identity theft / fraud is quite lucrative but for the big wins siphon off the crypto, wasn't Ethereum hacked for $50m recently? Seems pointless to get out of bed for less :-)

With all the new ICOs I can only see more opportunities open up ...

andrew said...



You may well have one for work.

Usually one of
- a thing that has a number on the front that changes every 15secs (RSA SecurID)
- a usb key that you plug in and press, it transmits a number that changes according to a secret sequence (fido etc)
- a code that is sent to your phone that you type in

The key thing is that to get access you enter a username, password and something you are told (from something you hold).

Of course nothing is perfect, but even if someone gets your username and password, they now also have to get your electric key / phone.

Combine that with extra checks if you use an unfamiliar device / location and it starts to become non-profitable if you are a criminal and I am an average punter.

Normally I have little sympathy for any bank as they are nowhere near as secure as they claim, but,
if someone calls you and tells you to transfer your money to another account as your security is at risk, and asks for info to help in the process,
- and you do.
I have even less sympathy for you.

Steven_L said...

for the big wins siphon off the crypto

These 'crypto currencies' are getting mentioned more and more frequently. I now know of 2 actual acquaintances into them.

Maybe I should invest some of my SIPP into one of these newfangled bitcoin ETNs after all (because I still don't understand what a 'bitcoin' is other than a piece of software that doesn't actually do anything) or have I missed the boat?

I do wonder what percentage of the population own cryptocurrencies and what percentage will when the inevitable happens.

andrew said...


I recommend you read Ms Kaminska at FT Alphaville for her (caustic) views on electronic currencies / blockchain etc.

Of course this does not mean that if you buy some, you won't make a profit.

However when the lights go out and the internet shuts off, best of luck spending those BTC.

Bill Quango MP said...

I have known old men and women sending thousands of pounds by simple money transfer to the Ukraine.
All banks and money agents are supposed to ask why.

So the scammers insist the elderly claim it's for a dear old friend in need of hospital treatment.

Once they are scammed, they usually feel foolish. And the reason they give when RBS or whoever, ask why they didn't tell them the truth of what they were doing, they are told, "I thought if I told you, then you would not let me do it."

So a big problem. Even Pa Quango has been being scammed. Multi-million property developments with loans overseas. In years gone by he would have spotted them not anymore. 88 years old. Doesn't see the scam anymore.

EK is wrong. Banks aren't closing because they are too busy.
They don't produce. A senior, senior, senior guy I know at RBS told me they would get shot of the lot if they could. They make as much on a single decent sized currency transfer as they do from an entire year's retail banking. They don't want to know.

hovis said...

BQ: Banks should be at most like utilities facilitating payment. Given they loan you nothing but your own promise to pay, their charges are scandalous. Will be interesting how the whole system.

Andrew - given that around 8% at most of what is used as money is cash, and the rest is electronic bank credit backed then when the lights go out we're all f**k*d?

I think the majority current interest in crypto is bubble mania driven by the spike in values. Which in turn is driven by the distrust of the QE on speed monetary system. However they do offer a volatile but interesting way of circumventing exchange restrictions.

I am not in it but have been to a few conferences in Fin Tech - so much fluff, and the way the banks want to co-opt blockchain - I hope they fail miserably.

Haven't read Kaminska (or the FT for that matter in eons)

Anonymous said...

@Andrew - agreed on 2FA, although not via text, easily circumvented, even though it is the most used.

Bitcoin and the like will be around a bit. They're basically an online Gold Standard with an internet spin, which amuses me greatly.

@EK - may be a generational thing. I love online banking, makes life a lot easier. And the likes of Monzo are going to end up inheriting retail. I'm early 40s and the ability to track bills and spending makes my life a lot better.

Steven_L said...

I recommend you read Ms Kaminska...

I got the drift after post #50 or so and stopped, but I still didn't really understand what a 'bitcoin' or a 'blockchain' is. I did actually email her yonks ago pointing out if a 'bitcoin' was simply software and, legally speaking, 'digital content' and not a 'financial service', consumers are entitled to a 14 day cooling off period when they buy it. But she never replied.

Since you can't actually pay for anything other than narcotics, malware ransoms and child porn with it, I do still question whether it is a 'service of a payment nature' and not simply a piece of software, but I am in a minority of one on this. But after the bubble bursts, and with the benefit of hindsight, I can see the Supreme Court or ECJ saying it's not a financial service and FS law was never intended to regulate such dubious nonsense.

E-K said...

I was being sarky. But if security is such an issue I know we can take a step back and still be nowhere near queueing in banks.

The big conveniences are in cards, DDs and cashpoints.

Anonymous said...

Andrew - "if someone calls you and tells you to transfer your money to another account as your security is at risk, and asks for info to help in the process,and you do. I have even less sympathy for you."

I think you have to remember that many of the victims are old enough to have come of age in the low-crime, high-trust UK of the post-war years, when any job in a bank was a secure, well paid job for life, and only persons of good character got employment there. They were the sort of people, along with teachers, solicitors and priests, who you got to verify documents or provide references.

Sixty or so years on the UK natives are much less law-abiding than in those days, and we have blaggers of all sorts from half the globe taking advantage of the legacy of our high-trust past. But no one, least of all any of our main party politicians*, will tell them that, nor will the BBC. So they're not to be blamed.

*Indeed Cameron not long before that 'series of unfortunate events' was telling us that Britain's best years lie ahead.

andrew said...


All that 'people were more trustworthy in the old days' is just complete bobbins.
A lot of people believe it, but then lots of people believe in things that do not reflect reality.

Some evidence, here's a starter:
a) http://www.vrc.crim.cam.ac.uk/vrcresearch/paperdownload/manuel-eisner-historical-trends-in-violence.pdf
b) http://blog.ukdataservice.ac.uk/long-term-trajectories-of-crime-in-the-uk/
c) https://fullfact.org/crime/crime-england-and-wales/

Now, eating my words a little, I do think that most people do not understand that their bank login is effectively a key to all their liquid assets.

If someone asked them to empty their account and post the money to this_address, they would not be too polite.
However, on a fairly repeating basis providing a username and password is not seen as the same thing.

But, after a few more years, we will learn (the hard way).

Anonymous said...

"The scammers are getting better and better and the Banks must be really worried about how they can keep up in the security war."

Well, they could stop closing their branches and invite people to come into the bank where the staff can evaluate the 'customer' face to face.

RBS? No sympathy for that load of shysters. They've had £110bn over the last eight years and still losing money at a rate of around £6bn per year.

Should have been shut down and the ground it stood on burned and salted.

Anonymous said...

@Steven_L - "Since you can't actually pay for anything other than narcotics, malware ransoms and child porn with it"

Ummm, nope. It has been becoming slightly more mainstream, and is continuing on that path. A number of payment processors accept it, as do the likes of Microsoft, and there are even a few brick'n'mortar spots accepting it. Even a CEX in Glasgow accepts it.

I've not invested in it, but kind of wish I did in the early days. Could've easily set up one of my old machines to mine away and be worth a nice chunk. Ahhh, coulda, shoulda, woulda!

@EK - cards are the target for shoulder-surfing'n'swipers, fake readers and malware in card reading machines. Higher volume, lower value.

And ask Gloria Hunniford how safe branches are - https://www.thesun.co.uk/news/1656232/bbc-presenter-gloria-hunniford-reveals-santander-bank-account-was-targeted-by-fraudsters-before/.

Convenience-wise, I can faster-pay an invoice whilst sat in the pub sipping JD and losing at pool, track my expenditure and query a payment over email or livechat and have anything major fraud checked.

I can do things I used to have to in branch, only without having to take time out of work, and - in most cases - outside regular hours.

Internet banking is ridiculously convenient, which is why people sacrifice a bit of security to use it.

Anonymous said...

The biggest fraud I suffered was from a Bank starting with N. I estimate it has cost me at least 30,000

They persuaded me to switch a good pension into a bad one.

Anonymous said...

Andrew - your links, in order, are bobbins. Did you study criminology by any chance? I used to think that social science academics were disinterested seekers after truth, too.

a) starts in 1200 - big deal. Steven Pinker has drawn similar conclusions in The Better Angels of Our Nature. Doubtless we were more violent in hunter-gatherer days, too, but that is of zero relevance to someone born in 1945.

b) shows reported crime trends since 1982! Try from 1952 if you want to work out why a 75 year old might be more trusting than a millennial. Do the sums on the ages.

In August was the Jackal born
The Rains fell in September
"Now such a fearful flood as this,"
Says he "I don't remember!"

c) shows crime trends since 1981. Try crime trends since 1951 for a better picture (tenfold increase if you want to know). It's not 36 year olds who are being ripped off here.

Anonymous said...

Andrew - take a look at House of Commons research paper 99/111, "A Century of Change", comparing Britain in 1899 and 1999. Take a look at the graph on p15, "Indictable Offences Known to the Police (per thousand of population) in England & Wales 1900-1997."

The number of indictable offences per thousand population in
1900 was 2.4 and in 1997 the figure was 89.1. The graph records
offences that are reported to the police and recorded by them.
The British Crime Survey estimates unreported crime; in 1997
56% of crimes were not reported to the police. In earlier years,
this figure was probably higher and accounts for some of the

Reported crime peaked in 1992 when 109.4 indictable offences
were recorded per thousand population. A rising trend in
reported crime began in 1954, when the figure was 9.7. Since
1992 (to 1997), the rising trend in reported crime has been
reversed. Before 1992, the reported crime rate did not fall
significantly at any time.*

*Actually, the fall in the 1950s was probably in the same order of significance as that in the 1990s, it looks small because all the early figures are squashed in the bottom of the graph by the large post-60s figures.

hovis said...

Anon 11.34: "RBS? No sympathy for that load of shysters, They've had £110bn over the last eight years and still losing money at a rate of around £6bn per year.

Should have been shut down and the ground it stood on burned and salted."

love it, so rather than Carthage, "RBS delenda est"...?

StevenL - the point about only bad things being paid for by bitcoin, not so true these days, and a bit of a smear by those who would control everything we do.

Remember one of the biggest drivers of internet as we know it today technology (servers built to serve images and video and online) and online payments systems was of course the porn industry - the first industry to embrace the web...

Steven_L said...

But porn isn't illegal in most of the western world, in the UK we regulate it, have 'R18' video classifications for it etc.

Bitcoin does appear to be used for actual crime and money laundering an awful lot.

Anonymous said...

The issue with respobsibilites is that few people understand them, never mind being able to spell them.

Place has gone downhill since we joined the EEC

Steven_L said...

But how would I ever know if I've received a genuine 'bitcoin' in payment or just some other random piece of software?

Electro-Kevin said...

Anon at 8.26 - banking while drinking.

Are we sure that this is all attributable to fraud?

Charlie said...

@Steven_L - this is worth a read: http://www.michaelnielsen.org/ddi/how-the-bitcoin-protocol-actually-works/

Steven_L said...

Thanks Charlie, I will read it. But it strikes me as odd how so many people that know very little about cyber-security and tech suddenly claim to completely understand bitcoin.

Kind of like people watching a conspiracy video on youtube suddenly claiming they understand 9/11 or 7/7. Aren't they just believing what they want to believe without really having a clue?