Security

Online Banking Fraud in the UK Hits a New High

Online banking fraud in the U.K. has risen to the highest level in at least three years while card-related losses fell in most categories, according to industry figures released Wednesday.

Online banking fraud increased 55 percent to £39 million (US$62.4 million) in the first six months of the year compared to the same period a year ago, said Financial Fraud Action U.K. (FFA), formerly known as APACS. FFA collects data reported by U.K. financial institutions.

FFA attributed the rise to sophisticated malicious software programs that infect vulnerable consumer computers. FFA also counted 26,000 phishing sites, which are fraudulent Web sites designed to trick people into divulging their log-ins and passwords.

The rise in banking fraud comes as U.K. banks have taken more rigorous measures to combat online fraud. While U.S. banks often only require a log-in and password to get access to online banking, U.K. banks often have several more steps.

For example, NatWest -- owned by the Royal Bank of Scotland Group -- requires customers to enter their birth date plus a unique four digit code. During the second step, a person is prompted to enter some digits of a separate four-digit PIN (Personal Identification Number), which is not the same as the person's ATM card.

Then, the Web site asks for another password, but only specific parts of it, such as the second, four and seventh letter. NatWest asks for a different combination every time. If you fail to log in successfully, the account can't be accessed online.

Nonetheless, most bank security measures are defeatable if a person falls victim to a phishing scam and sends a fraudster their authentication credentials.

Card fraud, however, remains more costly. For the first half of this year, it amounted to £232.8 million, but that was down 23 percent compared to January to June 2008. It's the first time that the overall card fraud figure has declined, said Michelle Whiteman, FFA spokeswoman.

FFA attributes that decline to the use of chip-and-PIN technology. Point-of-sale card readers and ATMs check for the presence of a microchip that uses cryptographic keys to enable a transaction, and a person must enter a four-digit PIN.

Unless the fraudster knows the PIN, the cards can't be used to make in-person purchases, as opposed to the U.S. where cards don't have such protection and a signature completes a purchase.

It doesn't stop a fraudster, however, from trying to use chip-and-PIN cards to buy goods online, known as card-not-present fraud. But that kind of fraud also dropped this year by 18 percent to £134 million [m].

The reason, the FFA believes, is increased enrollment in Verified by Visa from Visa and SecureCode from MasterCard. For retailers that implement those programs, customers must enter a unique password before completing a purchase online. The measure is still defeatable by a successful phishing attempt, however.

Other categories of fraud that saw significant declines included counterfeit cards, fraud on lost or stolen cards and non-receipt of cards through the mail. The only category that rose was card ID theft, which increased 23 percent to £23.9 million.

Subscribe to the Security Watch Newsletter

Comments