I see from this article on Pinsent Masons’ excellent “Out-Law” site that UK online banking fraud was up by 55% to £39m for the first six months of this year (relative to the same period last year). The payment card figures are down – which the acquirers will doubtless attribute to chip and PIN, and suggest that that is ‘squeezing’ fraudsters towards more lucrative attack vectors. Though, to put that in perspective, fraudulent ‘card not present’ transactions still accounted for £134m of reported loss.
According to the article, the vehicles of choice are phishing (up 26% on last year) and malware attacks on users’ computers.
The Financial Fraud Action group of the UK Payments Association had this to say:
“The increase is largely due to criminals employing more sophisticated methods to target online banking customers through malware scams – which target vulnerabilities in customers’ PCs – rather than the banks’ own systems which have proved more difficult for the fraudsters to attack.”
And that’s where I have a nit to pick. After all, if a bank extends its service, online, so that the point of delivery is the customer’s PC, the distinction between “attacking the user’s PC” and “attacking the online banking system” becomes a pretty fine one.
Up to a point, I see exactly where they’re coming from: after all, if someone manages to get a keystroke logger onto my PC, the damage is done to a component which is not under my bank’s control. On the other hand, if that is going to be used to justify transferring liability from the bank to me (as happened with chip and PIN) for transactions undertaken through my PC, then I would not be happy at all.
Online banking is convenient for me, yes – but it also saves the bank an enormous amount of cost, effort, staff, premises and so on and so forth. Most banks’ retail branch networks are now so skeletal that if everyone switched back from online banking to branch-based transactions, the banks would simply collapse under the workload. Don’t get me wrong – I’m not suggesting that bank clients either want to or should do that: just that the online banking benefit flows both ways, and the banks need to acknowledge that when they consider how to mitigate the risk of PC-mediated fraud.