The latest CIFAS Fraudscape figures for the UK show identity theft up by half again in 2015. And there’s no end in sight. I’m genuinely not sure whether the fraudsters are getting smarter or the public is getting stupider. It does seem to me that some of the frauds being perpetrated might well be beyond the defensive capabilities of even the most advanced technology.
A taxpayer who bought and handed over £15,000 in Apple iTunes gift card vouchers is one of “hundreds” of HMRC customers to be defrauded in the past month, a scam bulletin says.
So much of the fraud going on depends, in one way or another, on the lack of an identity infrastructure and the useless proxies that support our daily interactions. That taxpayer had no reasonable way to determine whether they were talking to HMRC or not. There’s not going to be a green light on the phone that tells you the caller is who they say they are, although I can imagine how a some sort of digital passport that can check whether other digital passports are valid and I’m sure someone could come up with good mobile UX for it. The consequences are pretty significant.
The annual cost of fraud in the UK could be as high as £193bn a year, far higher than a government estimate of £50bn, according to a new report. The latest Annual Fraud Indicator, based on research from Portsmouth university, has estimated that private sector losses could be as high as £144bn a year — much larger than the public sector figure of £37.5bn. It also counted the cost of fraud against individuals.
Well, let’s not panic. After all, £193 billion doesn’t buy as much as it used to. Let’s call it £200 billion for a round figure. Against this, card fraud is a miserable half a billion, about a quarter of a percent. Hardly worth worrying about. And, of course, thanks to EMV and 3D Secure and all that, it’s going down. Oh wait…
Statistics by Financial Fraud Action (FFA) UK show fraud losses on UK payment cards totalled £567.5 million in 2015, representing an 18% increase from £479 million one year before.
OK, so it’s going up but we should be doing about it? Since there doesn’t seem to much enthusiasm for a general identity infrastructure to actually fix the problem, we should probably continue to focus on better authentication against revocable tokens in tamper-resistant hardware for payments for the time being (although that really isn’t going to stop people from sending gift vouchers to the “inland revenue”) and then see if we can move that model into other areas. If I can have a token that says I can pay by Visa but does not give away my actual PAN, then why can’t I have a token that says I’m over 18 without giving away my age or allowed to drive a car without giving away my address?