Date: 2017-08-08
Quite interesting, and I dare say, courageous, for the CEO of RBS to come out today and complain about his own customers.
I may be being a little partial, but he basically says they are stupid, fall for obvious scams and as such should not be recompensed.
It is very hard to have much sympathy for RBS - after all, they managed to blow, er, £48 billion on stupid scams and lending which they then asked the taxpayer to bail out with no hope of ever seeing the money again.
So RBS do not start from a good place to preach. However, it is a growing scandal as to how much banks spend on compensating customers for online fraud, well over £1 billion a year in the UK.
There is a balance to be struck, no one wants to have to remember several passwords and use two or three key input devices in order to access their online accounts; on the other hand, the light touch access is easily hacked.
Online crime must surely be the fastest growing type of crime in the world alongside people trafficking in 2017.
So where does the line lie? It can't be right that people hand over their details to strangers or transfer money to strangers and the bank picks up the tab every time. There is a level of responsibility. On the other hand, people get conned, and part of the job of the bank is to stop this happening to their valued customers.
It is hard, just last week I was called by a guy who was referencing people I knew, telling me about his company and project and then subtly asking for some key details from myself. It was a very high level scam (called Spear Phishing apparently) where quite some effort had gone into researching my background and contacts (I would guess through LinkedIn). Only some tough questioning on my part made them hang up the phone. The scammers are getting better and better and the Banks must be really worried about how they can keep up in the security war.
I am still not convinced blaming the customers is the answer, but it shows how worried the Banks are.
I agree with the sentiment, but as you point out, it's a bit rich for RBS to be preaching about reckless behaviour.
Good online services are a differentiator for me; I have switched banks before in order to move away from poor online provision. However, I'm also aware that for some customers, particularly the elderly, they don't want to go online or talk to someone in a call centre; they would rather be served in a branch. The banks are slowly removing this option in order to reduce costs, but the very people who are most vulnerable to (/uneducated about) online fraud are the ones who are only online because that's the option being pushed by the banks.
It might seem obvious to you or me that giving away digits 2 & 4, 1 & 6 then 3 & 5 to the person on the phone means they have your whole PIN, but for people who don't have an intuitive understanding of how computer security works, these sorts of attack will continue to happen.
Remembering more complex passwords is also an issue for the non-tech savvy, who won't be using a password manager. Handily, writing down a number of more complex passwords on a bit of paper isn't actually as daft an idea as it sounds; we humans have become very good at looking after little bits of paper. Certainly, having "PAFKSIU780" for a single online service and written down somewhere is more secure than storing "Password1 for everything" in your head.
One good system for people who can't remember passwords is:
- Choose a book. Doesn't matter which one as long as it has a few hundred pages and you can remember which one it is!
- For each password you need to remember, write down a page number and the position of a couple of words on that page.
e.g. "Current account 232, 4, 7" means you'd open your nominated book on page 232, then concatenate the 4th and 7th words.
Two concatenated words are reasonably secure and it would be almost impossible for someone discovering your cheat sheet to work out what it meant.
I have a better scheme than that, Charlie, but I'm not going to tell you what it is.
I think most people would quite happily not do online banking if they'd prefer.
Once cashpoints and direct debits came in I don't recall personal banking being particularly difficult to manage.
It's nice to buy stuff online, but again, very rarely anything that can't be bought nearby.
Passphrases I feel should be the answer. Much more memorable, and much more secure than a few short letters and numbers, and only compromised when you actually tell someone it. I have a friend who uses the name of one of their university coursework pieces, something along the lines of "The effect of deformed protein diets on mice" (Obviously not that).
The effect is that the password is both memorable and secure. "PAFKSIU780" could apparently be cracked in roughly one day. The aforementioned one would allegedly take "2 vigintillion years". That is a significant difference.
I do wonder how much personal data gets stolen from within such firms and from their trash. I worked in a lot of call centres in my teens and twenties and security was pretty lax. Agents tended to write down all your personal details on scraps of paper so as not to have to ask you twice. At the end of the day these scraps of paper went in the trash with all the half eaten sandwiches and were left out for the seagulls and urban foxes.
As a student I used to work in a banking call centre doing credit card applications / activations and sales. They didn't really do all that much background checking on anyone, and even if they had, I'm not sure how they would have checked the background of all the Nigerian and other foreign students on the same contract. West Africans were notably higher in attendance there than any of the utilities places in the same city.
At a mobile phone call centre one of the junior managers, a 21 year old, was sacked for allegedly selling information to a private investigator. He apparently had a cocaine habit, which wasn't infrequent in these places. Indeed, most outbound sales departments seemed to be run by cliques of 'trendy' people (think wannabe 'Geordie Shore' types) who liked to powder their nose at the weekend and appeared to advocate (usually very successfully) promoting people from within their circle.
Passphrases are indeed the best answer - and why I get very annoyed by Banks and other organisations who limit the number of letters allowed and who furthermore insist that any password must contain a digit along with Upper and Lower case letters. Paradoxically, the combination of these requirements actually reduces the number of possible passwords making an attack easier to carry out.
Length is the best defence, but length works best if it can be remembered - demanding digits et cetera makes this much harder for most people.
It's also pretty stupid to use these min/max length requirements on additional questions such as favourite film/food/restaurant/whatever. What's the point if you then won't accept the legitimate answer? It just becomes another (weak) password.
But the really egregious problem is that when your bank 'phones you out of the blue they demand you go through security before they will talk with you. Many years ago I had to make it very clear to HSBC that this was pointless because I would never go through such security without first having them answer questions about my account that only my bank should know. They used to splutter and say they couldn't answer such questions without first verifying my identity, only to have nothing to say when I pointed out that they were phoning me on my mobile telephone so they had a good idea who I was, but I had NO IDEA who they were.
A couple of further points about just how broken our "security" industry is.
I set up VPN access to one client over a wired connection internal to their organisation. I used a "£" (UK pound) symbol in the password.
This always worked over a wired internal connection, but always failed over a WiFi (home) connection.
The problem was traced to that pound symbol with the comment that it must cause problems going over the internet with Code Page conversions.
Except.
For this to be a problem that must mean that they were relying on transmitting my VPN password itself and NOT just an encrypted (hash) of it across the internet. Complete idiocy.
The second point is about anti-virus programs. They demand (and get) privileged kernel access to machines and yet have a terrible record for their code quality and are one of the prime targets for any malicious software.
They may still be better for naive users, but the rest of us are better off without.
Online Identity theft / fraud is quite lucrative but for the big wins siphon off the crypto, wasn't Ethereum hacked for $50m recently? Seems pointless to get out of bed for less :-)
With all the new ICOs I can only see more opportunities open up ...
Simple.
2FA.
You may well have one for work.
Usually one of
- a thing that has a number on the front that changes every 15 secs (RSA SecurID)
- a USB key that you plug in and press, it transmits a number that changes according to a secret sequence (FIDO etc)
- a code that is sent to your phone that you type in
The key thing is that to get access you enter a username, password and something you are told (from something you hold).
Of course nothing is perfect, but even if someone gets your username and password, they now also have to get your electric key / phone.
Combine that with extra checks if you use an unfamiliar device / location and it starts to become non-profitable if you are a criminal and I am an average punter.
Normally I have little sympathy for any bank as they are nowhere near as secure as they claim, but,
if someone calls you and tells you to transfer your money to another account as your security is at risk, and asks for info to help in the process,
- and you do.
I have even less sympathy for you.
for the big wins siphon off the crypto
These 'crypto currencies' are getting mentioned more and more frequently. I now know of 2 actual acquaintances into them.
Maybe I should invest some of my SIPP into one of these newfangled bitcoin ETNs after all (because I still don't understand what a 'bitcoin' is other than a piece of software that doesn't actually do anything) or have I missed the boat?
I do wonder what percentage of the population own cryptocurrencies and what percentage will when the inevitable happens.
