The recent article talking about the “Courier Scam” published in The Guardian is an interesting read for those of us in the industry, and an important one for both consumers and banks to pay attention to.
While the police’s explanation of the scam seems plausible, I actually think the scam may have been even more sophisticated. The police figured that the cardholder was watched while he withdrew money from a local ATM, followed to his house and then contacted
by the fraudsters, posing as his bank.
This explanation, however, has flaws; mainly, how did the fraudsters know which bank he was with? Yes, they could have been close enough to see his card, but that's risky, especially if they are going to follow him home later. The closer you have been to the victim, the more likely they are to recognise you or to notice that they are being followed. I think another possibility is much more likely…
To me, a much more technically plausible explanation is that his home computer was first compromised with some form of malware. Once the malware is in place, the fraudster can harvest all the required information directly from the online banking session – bank name, transaction history and personal details – everything needed to carry out the crime.
So what can consumers do to protect themselves from this sort of crime? Most importantly, always remember that your bank never needs to see your physical card or know your PIN (even when typed into the phone) in order to assist you. Banks have sophisticated systems in the background that store your sensitive information securely, so no operator needs to know it directly in order to investigate suspicious behaviour or to send you a new card. Just imagine the costs involved if banks used couriers to pick up every card that was deemed suspicious! It is a lot cheaper simply to switch off your old card and send you a new one by normal post.
Also, when you call your bank directly, there is typically a sequence of security checks that validate you as you call in. This certainly doesn't stop a fraudster from playing back a recording of your bank's usual log-in questions, but keep an ear out for anything that doesn't seem normal and you are much more likely to spot that something's up.
The unfortunate fact of the matter is that fraudsters will always find a way to run scams in the hope of getting cash out of people, but banks can take steps to reduce the likelihood that the scams succeed, regardless of whether you hand your card to the fraudster.
For starters, it's important that any personal information about you that is accessible via online banking is kept secure and treated as sensitive, just as a PIN is. This means that in order to view or change your personal details, the bank should require the customer to use some form of stronger authentication, rather than being allowed to browse everything once logged in. In this case, that might have stopped the fraudsters getting at the victim's personal details (assuming my analysis of the attack is correct).
Secondly, banks can use modern cross-channel profiling and detection systems to see that a login to online banking has occurred from an unusual IP address or from a device that isn't in your normal profile. Combine that with a look at the customer's personal data and then some out-of-character card transactions, and this is a scenario the bank can use to stop fraud before money is lost.
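To make the cross-channel idea concrete, here is a small added example (written for this article, not any bank's real system) that walks one customer's events in time order and only holds a card transaction when the full sequence lines up: a login from an unrecognised device or country, then a view of personal details, then an out-of-character transaction. The profile fields, event shapes, the 48-hour window and the sample events are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Set

# Constructed, illustrative profile and event shapes (assumption: a real bank's
# behavioural model and field names will differ).

@dataclass
class Profile:
    customer: str
    known_devices: Set[str]        # device fingerprints seen before
    known_countries: Set[str]      # countries the customer normally logs in / pays from
    typical_max_amount: float      # upper end of the customer's usual card spend

@dataclass
class Event:
    ts: datetime
    kind: str          # "login" | "view_personal_details" | "card_transaction"
    device: str = ""   # device fingerprint (login only)
    country: str = ""  # geo-IP country (login) or merchant country (transaction)
    amount: float = 0.0

@dataclass
class Decision:
    ts: datetime
    action: str        # "ALLOW" | "STEP_UP" | "HOLD"
    reasons: List[str] = field(default_factory=list)

WINDOW = timedelta(hours=48)   # assumed: how long a risky login "taints" later activity

def assess(profile: Profile, events: List[Event]) -> List[Decision]:
    """Decide on each card transaction using the customer's online-banking
    history as context. An odd amount alone earns a step-up challenge; an odd
    amount that follows a risky login and a peek at personal details is held."""
    risky_login_at = None
    login_reasons: List[str] = []
    pii_view_at = None
    decisions: List[Decision] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "login":
            odd = []
            if ev.device not in profile.known_devices:
                odd.append(f"login from unknown device {ev.device}")
            if ev.country not in profile.known_countries:
                odd.append(f"login from unusual country {ev.country}")
            if odd:
                risky_login_at, login_reasons, pii_view_at = ev.ts, odd, None
        elif ev.kind == "view_personal_details":
            # Only interesting if it happens soon after a risky login.
            if risky_login_at and ev.ts - risky_login_at <= WINDOW:
                pii_view_at = ev.ts
        elif ev.kind == "card_transaction":
            reasons = []
            if ev.amount > profile.typical_max_amount:
                reasons.append(f"amount {ev.amount:.2f} exceeds typical max "
                               f"{profile.typical_max_amount:.2f}")
            if ev.country not in profile.known_countries:
                reasons.append(f"merchant country {ev.country} outside profile")
            if not reasons:
                decisions.append(Decision(ev.ts, "ALLOW"))
            elif pii_view_at and ev.ts - pii_view_at <= WINDOW:
                decisions.append(Decision(ev.ts, "HOLD", reasons + login_reasons
                                          + ["personal details viewed after that login"]))
            else:
                decisions.append(Decision(ev.ts, "STEP_UP", reasons))
    return decisions

def demo() -> List[Decision]:
    """Constructed sample timeline (not real data): normal use, one merely
    unusual purchase, then the malware-style sequence from the article."""
    profile = Profile("customer-0001", {"home-pc-a1"}, {"GB"}, 300.0)
    t = datetime(2013, 1, 10, 9, 0)
    events = [
        Event(t, "login", device="home-pc-a1", country="GB"),
        Event(t + timedelta(days=1, hours=3), "card_transaction", country="GB", amount=42.50),
        Event(t + timedelta(days=1, hours=20), "card_transaction", country="GB", amount=900.00),
        # "ZZ" is a placeholder country code for an unrecognised geo-IP location.
        Event(t + timedelta(days=2, hours=13), "login", device="unseen-7f3c", country="ZZ"),
        Event(t + timedelta(days=2, hours=13, minutes=4), "view_personal_details"),
        Event(t + timedelta(days=3, hours=2), "card_transaction", country="GB", amount=2400.00),
    ]
    return assess(profile, events)

if __name__ == "__main__":
    for d in demo():
        print(d.ts.isoformat(), d.action, "; ".join(d.reasons))
```

The 900.00 purchase is out of character but has no risky login behind it, so it only gets a step-up challenge; the 2400.00 one is held because the detector has already seen an unknown device log in and read the personal details. That is the whole value of correlating channels: each signal alone is weak, the sequence is not.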
Overall, the fact that this story is getting good coverage, although unfortunate for the writer, is an excellent chance for some consumer education and also an important scenario for banks to analyse in order to prevent it happening to their customers. Fraudsters will keep doing what they do until it stops working for them, so the sooner we all learn their scams, the better for everyone…except the fraudster!