I love the BBC’s Money Box programme with Paul Lewis, and I listen to it every week. A recent episode included what, I’m afraid, has become an all-too-familiar story.
Paul Lewis hears from a listener who built up savings of £180,000 over more than ten years in business, only to have it all stolen from her account in 24 hours by online scammers. Should her bank have noticed and stepped in?
From BBC Radio 4 – Money Box, Cheaper energy when it rains
The essence of the story is that the customer fell for a scam. She had a phone call from someone purporting to be from BT, and the upshot of it was that she allowed fraudsters access to her Santander business account whereupon they immediately began to transfer all of the money out to a variety of other accounts. When she discovered that she had been the victim of fraud, she asked the bank for the money back and they said no.
From her perspective, I can see why she feels aggrieved. She feels that the bank’s antifraud mechanisms should have resulted in a phone call, an email, a text message or something when these completely unusual transactions took place. After all, 33 transfers in 24 hours from an account that’s normally used only for direct debits and standing orders would hardly need Watson to flag up a warning. From the bank’s perspective, I can see why they feel they are not responsible, since she authenticated all of the fraudulent transfers by entering the 2FA codes they texted her (they hadn’t read my blog on why SMS isn’t security).
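To make that point concrete, here is a small added example of the kind of rule a bank’s transaction monitoring could run. It is my illustration, not code from the BBC programme, from Santander or from any real bank: it compares the number of outbound Faster Payments in any 24-hour window against the account’s own prior behaviour, and only fires when the burst is also mostly to payees the account has never paid before (so a genuinely busy day paying known suppliers does not trip it). The transaction history, the payee keys and the thresholds are all constructed for the example.

```python
"""Velocity plus new-payee anomaly rule over a constructed account history (illustrative only)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Set


@dataclass(frozen=True)
class Txn:
    when: datetime
    kind: str     # "DD" direct debit, "SO" standing order, "FPS" outbound Faster Payment
    payee: str    # hypothetical payee key; a real system would use sort code + account number
    amount: float


@dataclass
class Alert:
    start: datetime
    end: datetime
    fps_count: int      # outbound FPS transfers in the window
    new_payees: int     # distinct payees in the window never paid before
    total: float        # money that left the account in the window


def _max_in_window(times: List[datetime], window: timedelta) -> int:
    """Largest number of (sorted) events that fall inside any interval of length `window`."""
    best, j = 0, 0
    for i, t0 in enumerate(times):
        while j < len(times) and times[j] < t0 + window:
            j += 1
        best = max(best, j - i)
    return best


def find_velocity_alerts(history: List[Txn],
                         window: timedelta = timedelta(hours=24),
                         lookback: timedelta = timedelta(days=90),
                         abs_floor: int = 5,
                         multiplier: int = 3,
                         new_payee_share: float = 0.5) -> List[Alert]:
    """Flag a window of outbound FPS transfers that is (a) well above the account's own
    prior FPS velocity over `lookback` and (b) mostly to payees this account has never paid.
    Thresholds are assumptions for the example, not anyone's production tuning."""
    txns = sorted(history, key=lambda t: t.when)
    fps = [t for t in txns if t.kind == "FPS"]
    alerts: List[Alert] = []
    i = 0
    while i < len(fps):
        start = fps[i].when
        batch = [t for t in fps[i:] if t.when < start + window]
        # Baseline: the busiest window of the same length in this account's own recent past.
        prior = [t.when for t in fps if start - lookback <= t.when < start]
        threshold = max(abs_floor, multiplier * _max_in_window(prior, window))
        seen: Set[str] = {t.payee for t in txns if t.when < start}   # every payee of any kind paid before
        new = len({t.payee for t in batch} - seen)
        if len(batch) > threshold and new / len(batch) >= new_payee_share:
            alerts.append(Alert(start, start + window, len(batch), new,
                                sum(t.amount for t in batch)))
            i += len(batch)      # report the burst once, not once per member
        else:
            i += 1
    return alerts


def constructed_history(include_attack: bool = True) -> List[Txn]:
    """Constructed sample: four quiet months of DDs, one SO and one regular supplier
    payment, then (optionally) 33 transfers to 33 never-seen payees within 24 hours."""
    base = datetime(2017, 1, 1)
    h: List[Txn] = []
    for month in range(4):
        m0 = base + timedelta(days=30 * month)
        h.append(Txn(m0 + timedelta(days=1), "DD", "energy-co", 120.0))
        h.append(Txn(m0 + timedelta(days=5), "SO", "landlord", 900.0))
        h.append(Txn(m0 + timedelta(days=12), "FPS", "40-00-00:11111111", 250.0))
    if include_attack:
        attack_day = base + timedelta(days=120)
        for n in range(33):   # every 40 minutes, so the whole burst fits in one 24h window
            h.append(Txn(attack_day + timedelta(minutes=40 * n), "FPS", f"mule-{n:02d}", 5454.0))
    return h


if __name__ == "__main__":
    for a in find_velocity_alerts(constructed_history()):
        print(f"{a.start:%Y-%m-%d %H:%M} -> {a.end:%Y-%m-%d %H:%M}: "
              f"{a.fps_count} FPS transfers, {a.new_payees} new payees, £{a.total:,.2f} out")
```

The two conditions together are the point: the account’s own history, not a global threshold, sets the bar, and the new-payee test is what separates a fraudster draining an account to a list of mule accounts from a legitimate end-of-quarter supplier run. In the constructed history the rule is silent for the quiet months and fires exactly once on the burst.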
Whether the bank is at fault or not for this specific scam, the banks, collectively, will have to do something about the instant payment fraud problem in general. These frauds have become a very serious problem, and I can understand why consumer groups are upset about what they see as a lack of action from the banks.
The Payment Systems Regulator’s (PSR) response to the Which? super-complaint on bank transfer scams ‘has let the banks off the hook’.
From Super-complaint response lets banks off the hook – December, 2016, Which? News
It isn’t only phone calls. There’s a huge amount of email fraud going on as well. In essence, fraudsters intercept legitimate requests to transfer money from one account to another using the Faster Payments Service (FPS) and they change the details so that the payer sends the money to an account under the control of the fraudsters rather than the intended destination. So, typically, the fraudsters will get into the email of a solicitor, and when that solicitor sends an email to one of their clients requesting money for a house purchase to be transferred into the solicitor’s account, the fraudsters replace the legitimate account details with details of another account that they control. I wrote about this ages ago and put forward the obvious solution, which is to stop using email for important transactions. But nobody paid any attention, and the problem continued to grow.
Fraud on the increase
A particular problem, of course, is that you identify a payee by giving a sort code that identifies the bank branch and an account number to receive the funds. I defy anybody to carry around the six-digit sort code and eight-digit account number of their correspondents in their heads, or to be able to spot their solicitor’s real payment details from some fake payee details when reading an email. If you’re expecting to send the money to $dgwbirch (you can try this by the way, it’s my Square Cash name) and then get an email asking you to send instead to $davidovichbirchski, then you might be a little suspicious. But if you get an email asking to switch from sort code 12-34-56 to 34-56-78, it’s less obviously a fraud.
Now, for someone like me who is reasonably savvy about the operations of the UK domestic interbank payment networks, instant payment fraud isn’t a problem. Whenever I have to set up a new payee for instant payments, I always send an initial payment of a fiver and wait for confirmation that it has arrived before I transfer any larger amount. But a great many people, and a great many people who are intelligent and sophisticated customers, do not. They enter the incorrect payee details and hit send. The impact of this is significant, as the number of frauds continues to increase.
Hannah Nixon, managing director of the PSR, said: ‘Tens of thousands of people have, combined, lost hundreds of millions of pounds to these scams.’
From Super-complaint response lets banks off the hook – December 2016, Which? News
Indeed they have. But if I tell my bank to send £10,000 to the NatWest in Barnsley by mistake – whether I was scammed or typed in the wrong sort code or was using an out of date account reference or whatever – and I go through all of the security hoops to do so, why is it my bank’s fault that the money went to the wrong place? It’s not obvious at all that it’s my bank that should be compensating me for my mistake. If a scammer gets me to send my house deposit to the wrong account, then my claim is against the scammers or the destination bank if it was negligent in some way (e.g., if it didn’t do KYC), isn’t it?
I agree with the BBC and everyone else that something needs to be done. On this Money Box episode, Hannah Nixon (managing director of the UK’s Payment Systems Regulator) mentioned one specific countermeasure that is to be implemented by 2018, which is payee verification, but I wonder if the solution isn’t to put an overlay on top of FPS for retail and SME customers to use. As I wrote earlier in the year,
if someone put a scheme on top of FPS so that they did the payee verification for you and included chargeback rights for a small fee, then that might be very attractive to a great many people.
In other news, MasterCard are apparently launching a bid for VocaLink.
From Are the banks telling you that you may as well use bitcoin? – Consult Hyperion
This isn’t just about bank accounts and instant payments, of course. If it was, I wouldn’t be blogging about it. I hate to say it, but the problem and the solution are all about identity. She couldn’t tell it was BT, and the bank couldn’t tell it was her (and she wouldn’t have been able to tell it was the bank). Fraudsters are ruthless about exploiting the gaps in identification, authentication and authorisation infrastructure, and as far as I can tell, right now there are only gaps and no actual infrastructure. A system based on the gold standard of gas bills is, I’m sorry to say, no longer fit for purpose.
Police later discovered Ghani and Mahmood carried out the fraud after stealing three utility bills from Mr To’s mailbox.
From Stockport identity fraud victim’s £500k home put on market – BBC News
“Having forged his signature, they then transferred the deeds to his house into Ghani’s name.” Yes, I know, I know, I’m sure the blockchain will put a stop to this, but in the meantime … should a homeowner whose house is stolen in this way be entitled to compensation from the utility company for sending the bills? Or from whoever it is that transferred the deeds based on a forged signature? If I can steal your house just by getting information from utility bills and forging your signature, society wouldn’t expect you to be the one to lose out, would it? (And I understand this.) Surely if I’m able to log in to the solicitor’s email server and then send emails masquerading as them, it’s the solicitor that’s being negligent, not the bank!
Just whose fault is it when someone gets scammed in an environment that has no effective identity infrastructure?
– This article is reproduced with kind permission. Some minor changes have been made to reflect BankNXT style considerations. Read more here. Image: ESB Professional, Shutterstock.com