Blog article
See all stories ยป

Online Banking Fraud

Financial Fraud Action have recently announced that during the course of 2014, there was a 48% increase of Online Banking fraud in the UK, driven by a rise in malware and fraud perpetrated through social engineering.

While the FFA states that the losses are "relatively modest", it is fair to say that despite increased media coverage of the risks to customers from both malware and targeted social engineering attacks, the levels of fraud from this channel are increasing.

So what are the options available to financial Institutions to protect their customers; and to customers to protect themselves?

If we consider the financial institutions, first and foremost is a need to understand how customers have been compromised. For a number of years, fraudsters have been targeting institutions with poor password reset processes. By obtaining customer information through social engineering, fraudsters have been able to take over customers' accounts by passing limited ID&V processes. Once past the ID&V process, fraudsters change contact details and request online banking password resets. They subsequently gain access to the account online and withdraw funds. There is a need for financial institutions to move away from static authentication and implement knowledge based authentication to ensure that a more robust validation of the customer is in place. By asking validation questions, for example those based on historical information (such as "where did you live 8 years ago) reduces the opportunity to fraudsters to passing ID&V.

Secondly, systems must be in place to monitor account activity, to detect for abnormal behaviour such as increased calls to customer support, then changes to contact details, followed by a request to reset online banking passwords. Having such monitoring in place may even detect instances where internal fraud has also played a part in the process.

Lastly, customer education still has a part to play. A number of financial institutions in the UK have provided customers free access to online security programmes to support their existing antivirus products on their home PCs, while others have education programmes targeted and the more vulnerable in the community. There are also a number of initiatives by banks, schemes and industry bodies, working with the media to ensure the message is out there.

But while Financial Institutions are keen to provide protection to their customers, what can customers themselves do to protect themselves?

Initially, there is a need to ensure that their home computing (including phones and tablets) are protected by adequate Anti-virus and Anti spyware technology. And while anti-virus and anti-spyware protection is vital, what is also critical is to ensure that their devices all have the latest system updates and patches; and that they are running the latest browser technology. A number of malware attacks have targeted known weaknesses in browsers and operating systems, and if a consumer has not performed the necessary updates they could be vulnerable.

Further to this, any programmes or files downloaded from the internet should be from a reputable source, and scanned through a systems antivirus technology. It is well known that digital downloads can contain malware and as the old saying goes, if a deal on software is too good to be true, it usually is.

Finally, there is a need to protect their information, especially passwords. While it is common sense to not write your passwords down, we all know that some people still do. If there is a need to store passwords, antivirus software from some vendors contains a virtual vault to store such items. Likewise, if a person receives a call pertaining to be from their bank, or from law enforcement; if the caller requests their online security credentials then the likelihood is that the call is not genuine and should be ended and reported.

So there it is, while financial institutions are looking to protect their customers, there is still more that be done, not only by the financial institution, but by the consumer themselves. 


Comments: (2)

A Finextra member
A Finextra member 09 April, 2015, 09:10Be the first to give this comment the thumbs up 0 likes

The responsibility to protect the user's money and sensitive informations stays with the bank; the strong part with money, knowledge and resources. From the consumer perspective it obviously makes sense to behave correctly in Cyberspace and avoid the bad guys, but there is no guarantee for not beeing infected. For the banks there is no other way forward other than assuming that the user device is infected and invest in technology that mitigates the threats.

Andrew Churchill
Andrew Churchill - MIDAS Alliance - London 10 April, 2015, 15:12Be the first to give this comment the thumbs up 0 likes


You're quite right, and ENISA guidance has had 'assumed compromise', typically though not necessarily through infection, in place since 2012. The problem is that banks aren't taking the mitigation steps far enough.

The forthcoming 'early adoption' of PSD2 through ECB/EBA SecuRe Pay strong authentication requirements may well go some way to address this from August, depending of course on how they are managed (if they are managed!)

Now hiring