UK Banks Report Lower Online Banking and Card Payment Losses

U.K. banks reported sharply lower levels of online banking fraud and counterfeit cards in 2010, a sign the industry may be getting better at deflecting attacks from cybercriminals.

Online banking losses came in at £46.7 million (US$76.5 million), according to the latest figures from the U.K. Cards Association and Financial Fraud Action U.K., both industry trade groups.

Still, the figure was the second-highest in the last five years. In 2009, banks recorded £59.7 million in losses.

The groups attributed the 22-percent drop between 2009 and 2010 to consumers using up-to-date antivirus software and the use of sophisticated fraud detection software by banks. The decline occurred even as phishing attacks -- which aim to trick people into divulging passwords and other sensitive information -- rose by 21 percent last year over 2009.

Losses attributed to counterfeit or cloned cards fell by 41 percent to £47.6 million, down from £80.9 million in 2009.

Throughout Europe, banks issue chip-and-PIN (Personal Identification Number) cards, which use a secure and hard-to-copy microchip to verify a person's secret 4-digit code in point-of-sale devices or ATMs.

Those cards, however, still have a magnetic stripe on the back containing the account details. If criminals can make a card with a copy of a U.K. card's magnetic stripe data, they can use their cloned card in ATMs and point-of-sale (POS) terminals in countries that haven't yet adopted chip-and-PIN.

One way to obtain that data is from skimming devices, attached by fraudsters to ATMs to read the card's magnetic stripe as it is inserted into the machine. Awareness of skimming has increased over the last few years, with many machines labeled with warnings asking people to report if an ATM appears to have been tampered with.

A copy of the magnetic stripe data is also contained in the chips on the cards, though, and is transmitted in the clear to POS terminals to make a transaction. By tampering with a terminal, criminals could intercept the chip's copy of the data and put it on the magnetic stripe of a cloned card.

However, banks have been issuing an updated type of chip-and-PIN card to prevent that type of fraud. Since 2008, U.K. banks have issued up to 129 million cards with slight differences between the data on the chip and that on the magnetic strip, preventing a card cloned using chip data alone from working in a country where only the magnetic stripe is read.

Other categories that saw declines included card-not-present fraud, where harvested card details are used in, for example, e-commerce transactions. That kind of fraud fell to £226.9 million in 2010, down 22 percent from 2009's loss of £266.4 million.

The decline was attributed in part to the use of 3-D Secure (3DS), an e-commerce security system better known as Verified by Visa or MasterCard SecureCode. The system requires a person to enter a password or portion of a password in response to a personalized challenge from their bank in order to complete an online purchase.

Send news tips and comments to jeremy_kirk@idg.com

Subscribe to the Security Watch Newsletter

Comments