Tag Archives: Payment systems

Banks, Phishing And A Dereliction Of Responsibility

Online commerce suffers from one major flaw: It’s online. That means we need to use computers (or computer-like devices, such as cellphones). It means we need to use the Internet. Together this is a lethal cocktail. And for online banking, it just may mean it is fatal.

Online banking, for example, is not like using an ATM. Or a credit card. Or a cheque. Or even cash. All these types of transaction are vulnerable to fraud but they are relatively easy to protect yourself against. If you lend your credit card, cheque book or ATM card to strangers then you are probably not taking the right precautions. For banks, deciding whether you as a customer have taken ‘reasonable precautions’ is quite an easy calculation to make, and they will make it in assessing whether or not they will compensate you for losses.

But what about phishing? Online fraud is — and will become — a lot more complex than offline fraud. Firstly, most folk don’t really know what’s going on in their computer, so how can they take reasonable precautions? I bet, for example, that if you ask most people to identify the icons in their system tray they won’t be able to get all of them. Secondly, if you use broadband, you are connected to the Internet most of the time. It’s a bit like hanging out overnight on a street corner in a bad part of town: You can’t reasonably assume that you won’t attract the attention of some bad guy at some point.

These are calculations of risk the individual should make when he or she conducts any kind of transaction online. But they are hard. We can look around for suspicious types when we stand at an ATM, or hand over a credit card to a store clerk, but online we have no really easy way to measure our security and safety. Online banking is not the same as undertaking other transactions.

Which is why I think banks are wrong if they try to pretend it is. The BBC quotes Britain’s payments association, the Association for Payment Clearing Services (APACS), as saying that in a few years’ time “compensation could be denied if people had safety information but ignored it”. APACS director of corporate communications Sandra Quinn is quoted thus: “What we have always said is that we won’t forever provide a guarantee. A good parallel might be with something like card fraud – if you act reasonably, you are covered.” The bottom line: where a customer had “not acted with care and been negligent”, the BBC quotes her as saying, banks in three or four years’ time could begin refusing refunds.

I’m sorry, but I think this is daft and the wrong way around. Banks were very, very slow to get off the mark over phishing. If I were a customer and had been phished I would have sued the pants off my bank for not warning me about it. Banks have a duty to monitor their website, their name, in fact the whole Internet, to protect their customers. For example, one company I spoke to gave me a list of website names registered that appeared designed to impersonate legitimate banks — Citibank was a favourite, with hundreds of names that could be mistaken for a legit Citibank site. Most banks, he told me, weren’t interested in subscribing to this service. Why? Because they didn’t feel monitoring these names — and the accompanying websites — was worth their time or their money. If I were a customer I would be livid: If a scammer set up a fake bank in the high street to defraud customers, you would hope the bank in question would be on top of it within seconds, warning customers everywhere to watch out and doing its damnedest to close the operation down. The Internet is now the high street and banks need to start patrolling it, not ignoring it.
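As an added illustration of the kind of name monitoring described above (example code written for this page, not from the original post or from any monitoring service it mentions), here is a small Python screen that flags registered domain names which could be mistaken for a bank’s real site. The brand, the set of legitimate domains, the homoglyph table and the candidate names are all constructed assumptions.

```python
# Added example: defender-side screening of registered domain names that could be
# mistaken for a bank's real site. Brand, legitimate domains and candidate names are
# constructed for illustration; the homoglyph table is an assumption.
import re

# Digit/symbol substitutions commonly used to imitate letters in lookalike names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s"})

def normalise(text):
    """Lower-case and fold look-alike characters onto the letters they imitate."""
    return text.lower().translate(HOMOGLYPHS)

def edit_distance(a, b):
    """Levenshtein distance, computed with a single-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_label(domain):
    """The label the registrant chose, e.g. 'citibank-login' in 'citibank-login.co.uk'.
    A tiny two-part suffix list stands in for a real public-suffix list."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) >= 3 and parts[-2] in {"co", "com", "org", "net"} and len(parts[-1]) == 2:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]

def classify(domain, brand, legit, max_dist=2):
    """Return 'legitimate', 'contains-brand', 'near-miss' or 'unrelated'."""
    domain = domain.lower().rstrip(".")
    if any(domain == d or domain.endswith("." + d) for d in legit):
        return "legitimate"
    label, b = normalise(registrable_label(domain)), normalise(brand)
    if b in re.sub(r"[-_]", "", label):
        return "contains-brand"   # brand embedded in a longer name, e.g. citibank-secure-login
    if any(t and edit_distance(t, b) <= max_dist for t in re.split(r"[-_]", label)):
        return "near-miss"        # one token is only a few edits away from the brand
    return "unrelated"

def flag_lookalikes(domains, brand, legit):
    """Map each suspicious domain to its verdict; legitimate and unrelated names are dropped."""
    verdicts = {d: classify(d, brand, legit) for d in domains}
    return {d: v for d, v in verdicts.items() if v not in ("legitimate", "unrelated")}

if __name__ == "__main__":
    # Constructed sample: one genuine host plus several impostor patterns.
    sample = ["www.citibank.com", "citibank-secure-login.com", "c1tibank.net",
              "citybank-online.co.uk", "example.com"]
    for name, verdict in flag_lookalikes(sample, "citibank", {"citibank.com"}).items():
        print(f"{name:30} {verdict}")
```

Flagged names are a starting point for manual review and takedown requests, not proof of fraud; a registrar feed or zone-file diff would supply the real candidate list.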

Sadly, I think banks still don’t get it. They think phishing is a static problem that will recede as more people know about it. But that’s not it at all. Phishing is the thin end of a new wedge that will lead to increasingly sophisticated efforts to use technology and social engineering to part consumers with their data and money. The banks’ role is not to put a few silly little warning notices on their website and set up silly little websites nobody visits (like this one) but to throw serious resources at protecting their customers: by building secure sign-on systems, by monitoring the bad guys, by offering well-staffed and accessible customer support hotlines. Anything less is a dereliction of responsibility.

Wiretapping Your Way Into Credit Card Fraud

If you think the Internet is a scary place for stealing your sensitive bank data, try your local gas station.

The Star Tribune in Malaysia reports that criminals there are increasingly intercepting the transmission of credit card data between the point of sale machines that swipe your card and the bank. This data, incredibly, is being sent in unencrypted text form so all a criminal has to do is ‘wiretap’ the phone line and capture the data — usually onto an MP3 player. All they need to do is find the phone line, either in the outlet’s Main Distribution Frame room, or that of the bank itself, and record the gurgling modem sound. A special decoder can then convert that noise into data. Your data.

The banks are finally getting onto this. Malaysia’s central bank has ordered all credit cards in the country to be EMV (Europay/MasterCard/Visa)-compliant by end-2005 (this means smart, and supposedly fraud-proof). But for now, The Star Tribune says, the banking industry is trying to encrypt data. Unfortunately, so far nothing has been agreed on.

At the risk of sounding appalled, I’m appalled. How can such data be transmitted without a modicum of encryption? Does this mean that typing our credit card number into a web page is actually more secure than handing the card to the guy at the gas station or restaurant?

I was never that happy anyway doing the latter, given the prevalence of skimming — where a crooked employee would either double-swipe your card, or swipe it into a separate device that stored your details — but now, it seems, the data is up for grabs even when it’s being transmitted to your bank for verification. Yikes.

Phishing And The Future Of Banking

Could phishing kill off online banking?
 
Probably not, but it’s likely to force greater regulation by central banks and others which will, reckon British-based Internet security consultants mi2g, mean “the next generation of electronic banking may have to rely on deeper layers of authentication that couple passwords with biometric security and smart card authentication.”
 
Mi2g estimate there have been 110 unique incidents of phishing — identity theft by faked emails and/or keyboard-logging viruses — in less than a year. Here’s an abbreviated list:
  • USA (7 banks; 82 incidents)
  • UK (6 banks; 8 incidents)
  • Australia & New Zealand (5 banks; 16 incidents)
  • Canada (2 banks; 2 incidents)
  • Spain (1 bank; 1 incident)
  • Hong Kong and Singapore (1 bank; 1 incident)
  • Latvia (1 bank; 1 incident)

I have to say I think that’s an underestimate. And it’s not quite clear from mi2g’s release as to whether these are successful attempts, or just attempts. Given banks’ reluctance to admit to breaches, I’d guess it’s the latter. And mi2g point out that it’s not just banks that have been attacked: from the Federal Bureau of Investigation (FBI) to eCommerce/information portals and their associated payment systems, all have been hit. Mi2g counts 90 unique attacks on eBay.

Mi2g say such attacks are getting more, rather than less, successful: “Phishing scams’ success rate has risen from 0.1% on average to 0.5% in the last six months as the techniques have become more sophisticated,” it says. This would mean thousands of victims and big headaches for banks: “In some instances the genuine web site has to be made inoperable for several hours or even days whilst the targeted bank investigates the extent of the financial fraud and related losses,” says mi2g.
 
Claims by mi2g have not always been taken seriously, particularly their estimates of damage. In this case, mi2g reckon that “worldwide economic damage for 2003 from phishing scams is estimated to have been between US $13.5 billion and $16.4 billion… The damage for 2004 has already crossed $8.9 billion in the first two months of the year.” I know they have some sort of formula for this, but as others have pointed out, these estimates seem to be more designed for grabbing headlines than serious analysis.

That said, phishing is a problem, and I would agree that online banking is going to have to add layers of security to avoid more breaches. But will customers accept that? If online banking gets too fiddly, will folk just give up? Or switch to something else?

Worm Hits Diebold’s Windows ATMs

It’s not happy days for Diebold, the company behind ATMs and electronic voting. Its e-voting machines have been the source of much controversy — earlier this month it withdrew its suit against people who had posted leaked documents about alleged security breaches in the software. Now its automatic teller machines have been hit — by viruses.

Wired reports that ATMs at two banks running Microsoft Windows software were infected by a computer virus in August, the maker of the machines said. The ATM infections, first reported by SecurityFocus.com, are believed to be the first of a computer virus wiggling directly onto cash machines. (The Register said in January that the Slammer worm brought down 13,000 Bank of America ATMs, but they weren’t directly infected: the worm infected database servers on the same network, spewing so much traffic the cash machines couldn’t process transactions.)

But how can an ATM get infected? SecurityFocus says that while “ATMs typically sit on private networks or VPNs, the most serious worms in the last year have demonstrated that supposedly-isolated networks often have undocumented connections to the Internet, or can fall to a piece of malicious code inadvertently carried beyond the firewall on a laptop computer.” In other words: the folk who write worms are smarter than we are.

News: Horses For Main Courses; Handphones for Bones

Good piece by the BBC on how micropayments may not be taking off online, but are with handphones. “While many of us are happy to use a credit card online, spending tens, hundreds, and occasionally thousands, of pounds, parting with just 50p is less common.” Despite the lack of any common system for micropayments, the BBC says, “spending via mobiles is starting to take off, albeit only for extra mobile phone content.”
 
Read techdirt’s take on it here. My tuppence worth: people need to be confident of several things before they adopt a system of payment that they haven’t previously been exposed to:
a) it’s easy to figure out;
b) it’s convenient, both for the transaction and the eventual physical payment;
c) it feels safe.
Micropayments mostly don’t work online because they’re too much hassle for what you’re doing. You’re sitting at home, you’ve got everything you need, what is there to make a micropayment for that could make your life any richer? But if you’re stuck in the subway at midnight and need a chocolate bar, or a ticket home, that’s a whole different game.

News: The Ugly Truth About The Self-Checkout Lane

I live in Indonesia, which teaches you tons about credit cards and how easy it is to commit fraud with them. But at least here they don’t allow you to swan past security with riding lawn-mowers you haven’t paid for. From the Sacramento Bee, a cautionary tale about the self-checkout lane in supermarkets where you swipe your credit card, wave a scanner over your goodies, and leave.

Speed and convenience, the paper says, have made the most basic fraud deterrent — checking IDs — nearly obsolete. Crooks know this, police say, and are abusing the technology with frequency. Sacramento County sheriff’s detectives estimate they receive 140 cases of credit card fraud each month.
 
Another interesting snippet: Most credit card companies and retailers don’t reveal their fraud numbers because if consumers knew how much fraud really occurs, they might lose faith in the credit system and the technology that accompanies it, said Stuart Taylor, vice president of VeriFone, the leading manufacturer of point-of-sale terminals. The company reports that payment systems fraud is growing at an alarming rate in many countries, including the United States.

News: When An ATM Isn’t An ATM

From the These Thieves Are So Smart, Why Can’t They Get A Real Job Dept comes a story about ATMs. The Canadian Press reports on a scam in Ontario where the bad guys have rigged a number of existing bank machines, allowing them to make working copies of customers’ debit cards by putting a ‘mask’ on the machine.

The thieves install a false front on an ATM for a few hours, painted identically to the actual front of the real machine. When a customer slides a debit card into the card slot on the false front, a small electronic device attached to the front reads all the information contained on the card. A tiny camera installed just above the machine’s number pad videotapes customers as they type in their personal identification numbers. The thieves then produce their own magnetic cards containing identical information to customers’ cards.

News: Come To Australia, Skim Central

Looks like Australia is becoming a haven for credit card fraud, or at least a part of the business. An article on News Interactive says that losses by Australian banks to credit card skimming have risen by more than 400 per cent in the past year, according to The Australian Crime Commission (ACC). Organised groups have used portable card skimmers to obtain credit card data at gas stations, restaurants and in taxis, then sold this data to gangs in Malaysia, Indonesia, Hong Kong and Thailand, where it was transferred to plastic cards bearing the logos of Australian banks and used to make fraudulent purchases.

Credit-card skimming involves the unauthorised copying of electronic data from a legitimate card. It is often done by dishonest shop assistants. Stolen data can then be encoded onto a counterfeit card, with the original card holder none the wiser until details of unauthorised spending start appearing on his or her statement. Current laws still allow the importation of skimmers, embossing machines and credit card blanks, but the ACC is calling for closer co-operation with police. “From some of the material [the ACC] has gathered so far, it would seem that since 2001, the problem of card skimming and card fraud has migrated to Australia”, ePaynews.com quoted cybercrime co-ordinator Scott McLeod as saying.