
New anti-fraud measures: unintended consequences


Comments

  • boingy
    boingy Posts: 1,912 Forumite
    1,000 Posts Second Anniversary Name Dropper
    masonic said:
    boingy said:
    The explosion in scams/thefts has mainly been caused by the bad guys shoulder-surfing you to learn your password/pin then nicking your phone and emptying the account on the spot.
    The vast majority of frauds do not happen like this. The fraudster is never in physical proximity to the victim. They make contact via phone, email or social media and trick them into transferring the money themselves. That's why it is known as 'push' payment fraud.
    Hence the second scenario which you chose not to quote.
  • masonic
    masonic Posts: 27,220 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    edited 9 June 2023 at 7:03AM
    boingy said:
    masonic said:
    boingy said:
    The explosion in scams/thefts has mainly been caused by the bad guys shoulder-surfing you to learn your password/pin then nicking your phone and emptying the account on the spot.
    The vast majority of frauds do not happen like this. The fraudster is never in physical proximity to the victim. They make contact via phone, email or social media and trick them into transferring the money themselves. That's why it is known as 'push' payment fraud.
    Hence the second scenario which you chose not to quote.
    I only quoted the part of your post that was wrong and required correction. For clarity, shoulder surfing is not the main cause of this type of scam, it is pretty insignificant in the scheme of things.
  • Se1Lad
    Se1Lad Posts: 344 Forumite
    Part of the Furniture 100 Posts Photogenic Name Dropper
    masonic said:
    boingy said:
    The explosion in scams/thefts has mainly been caused by the bad guys shoulder-surfing you to learn your password/pin then nicking your phone and emptying the account on the spot.
    The vast majority of frauds do not happen like this. The fraudster is never in physical proximity to the victim. They make contact via phone, email or social media and trick the victim into transferring the money.
    Agreed - my phone and banking apps are accessed by Face ID, and then all my banking apps require additional biometrics or entering of a password/debit card details before setting up a new payee.  If someone managed to steal my phone just at the point where I had logged into a banking app, the worst they could do is see my account balances or send money to an existing payee.  That’s assuming that they were able to run off with the phone and find somewhere to stop and use it before it locks again of course.

    Even if I disabled Face ID and went back to passwords they wouldn’t be able to access my funds.  Assuming they saw the pin to log in to the phone and also the pin to log into my Barclays app, they would still need my debit card to set up a new payee.  With RBS the pin used to log in to the app is different to the password required to set up a new payee.  With Halifax or Lloyds they wouldn’t see the entire password as you only enter 3 characters to log in, but then require the full password to set up a new payee.
  • TheBanker
    TheBanker Posts: 2,224 Forumite
    Part of the Furniture 1,000 Posts Name Dropper Combo Breaker
    The posts above highlight why APP fraud is now the biggest type of fraud. In the past, fraudsters would target the bank - counterfeit cheques, skimmed or stolen cards, fake ID etc. As the banks made themselves more secure, the fraudsters moved to targeting customers.

    All the passwords, PINs, SMS confirmation codes, biometric ID checks, device checks etc don't help when the account holder has willingly logged into their account and authorised a push payment.
  • eskbanker
    eskbanker Posts: 37,156 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    In terms of which frauds are most commonplace, the annual figures published by UK Finance are a useful source of authoritative data.  I linked the full report above, but the press release accompanying its issue has a more easily digestible summary:

    https://www.ukfinance.org.uk/news-and-insight/press-release/over-ps12-billion-stolen-through-fraud-in-2022-nearly-80-cent-app

    Unauthorised fraud:

    | Fraud type | Total losses in 2022 | Year on year change from 2021 | Total number of cases in 2022 | Year on year change from 2021 |
    |---|---|---|---|---|
    | Payment Cards | £556.3m | 6% | 2,732,894 | -3% |
    | Remote Banking | £163.1m | -18% | 47,473 | -46% |
    | Cheque | £7.5m | +18% | 966 | +19% |
    | Total | £726.9m | 0% | 2,781,333 | -5% |


    Authorised fraud:

    | Fraud type | Total losses in 2022 | Year on year change from 2021 | Total number of cases in 2022 | Year on year change from 2021 |
    |---|---|---|---|---|
    | Investment scam | £114.1m | -34% | 10,085 | -16% |
    | Impersonation Police/bank staff | £109.8m | -20% | 16,948 | -42% |
    | Impersonation: other | £67.8m | -13% | 28,419 | +8% |
    | Purchase scam | £67m | 4% | 117,170 | +17% |
    | Invoice and mandate scam | £49.5m | -13% | 3,340 | -23% |
    | Advance fee fraud | £32.2m | 0% | 27,329 | +33% |
    | Romance scam | £31.3m | 1% | 3,649 | +12% |
    | CEO Fraud | £13.4m | 6% | 432 | -6% |
    | Total | £485.2m | -17% | 207,372 | +6% |

  • Expotter
    Expotter Posts: 372 Forumite
    Third Anniversary 100 Posts Name Dropper
    TheBanker said:

    All the passwords, PINs, SMS confirmation codes, biometric ID checks, device checks etc don't help when the account holder has willingly logged into their account and authorised a push payment.
    Very true and therefore, I dare ask, is it really the bank's responsibility to refund monies lost when the victim, sometimes going against warnings, willingly and determinedly transfers money to scammers? I am not unsympathetic to their situation, I just question whether it is the bank's duty to give a refund.

    For instance, look at this story from The Telegraph
    https://www.telegraph.co.uk/money/katie-investigates/scam-mr-sensible-lite-graph-katie-morley/


  • eskbanker
    eskbanker Posts: 37,156 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    Expotter said:
    is it really the bank's responsibility to refund monies lost when the victim, sometimes going against warnings, willingly and determinedly transfers money to scammers? I am not unsympathetic to their situation, I just question whether it is the bank's duty to give a refund.
    Depends whether you're meaning responsibility/duty in the moral or regulatory sense - the whole point of the APP code is to hold the bank responsible for this, unless they can show that adequate warnings were given or various other exemptions:

    R2(1) A Firm may choose not to reimburse a Customer if it can establish any of the following matters in (a) to (e). The assessment of whether these matters can be established should involve consideration of whether they would have had a material effect on preventing the APP scam that took place. 

    (a) The Customer ignored Effective Warnings, given by a Firm in compliance with SF1(2), by failing to take appropriate action in response to such an Effective Warning given in any of the following: 

    (i) when setting up a new payee; 

    (ii) when amending an existing payee; and/or 

    (iii) immediately before making the payment. 

    (b) The Customer did not take appropriate actions following a clear negative Confirmation of Payee result. R2(1)(b) can only be relied on where the Firm has fully complied with SF1(3) or SF2(2), and actions would, in the circumstances, have been effective in preventing the APP scam; 

    (c) In all the circumstances at the time of the payment, in particular the characteristics of the Customer and the complexity and sophistication of the APP scam, the Customer made the payment without a reasonable basis for believing that: 

    (i) the payee was the person the Customer was expecting to pay; 

    (ii) the payment was for genuine goods or services; and/or 

    (iii) the person or business with whom they transacted was legitimate. 

    (d) Where the Customer is a Micro-enterprise or Charity, it did not follow its own internal procedures for approval of payments, and those procedures would have been effective in preventing the APP scam. 

    (e) The Customer has been grossly negligent. For the avoidance of doubt the provisions of R2(1)(a)-(d) should not be taken to define gross negligence in this context. 

  • km1500
    km1500 Posts: 2,790 Forumite
    1,000 Posts Second Anniversary Name Dropper
    edited 9 June 2023 at 1:53PM
    I have often wondered about the receiving account that the fraudsters control. I know some are 'genuine' accounts that have been hacked but how do they manage to set up others to receive the funds - fake ID?

    It can't be that easy to open a new fraudulent account?
  • masonic
    masonic Posts: 27,220 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    edited 9 June 2023 at 3:50PM
    km1500 said:
    I have often wondered about the receiving account that the fraudsters control. I know some are 'genuine' accounts that have been hacked but how do they manage to set up others to receive the funds - fake ID?

    It can't be that easy to open a new fraudulent account?
    Aside from hacked accounts, and those operated by people who have been recruited as money mules, there are other weak points in the system. For example, accounts that act as a bridge for deposits into crypto exchanges or e-money transfer services.
  • eskbanker
    eskbanker Posts: 37,156 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    km1500 said:
    I have often wondered about the receiving account that the fraudsters control. I know some are 'genuine' accounts that have been hacked but how do they manage to set up others to receive the funds - fake ID?

    It can't be that easy to open a new fraudulent account?
    It would be interesting to find out what the impact will be of the move to 50/50 liability sharing between sending and receiving banks, which is only viable once all banks are bound by the reimbursement code - the suspicion could be that some non-CRM challenger banks might currently be more accessible to fraudsters and that they'll have to tighten security once they feel financial pain of reimbursing.

    Of course, it'll be difficult to source any reliable stats about fraud incidence per institution - I seem to recall that there were some figures published about which (sending) banks had the highest reimbursement percentages, but information about which banks are more susceptible to fraud will naturally be harder to find!