I love the BBC’s Money Box programme with Paul Lewis and I listen to it every week. A recent episode included what, I’m afraid, has become an all-too-familiar story.
Paul Lewis hears from a listener who built up savings of £180,000 over more than ten years in business, only to have it all stolen from her account in 24 hours by online scammers. Should her bank have noticed and stepped in?
The essence of the story is that the customer fell for a scam. She had a phone call from someone purporting to be from BT and the upshot of it was that she allowed fraudsters access to her Santander business account whereupon they immediately began to transfer all of the money out to a variety of other accounts. When she discovered that she had been the victim of fraud she asked the bank for the money back and they said no.
From her perspective, I can see why she feels aggrieved. She feels that the bank’s antifraud mechanisms should have resulted in a phone call or email and text message or something when these completely unusual transactions took place. After all, 33 transfers in 24 hours from an account that is normally used only for direct debits and standing orders would hardly need Watson to flag up a warning. From the bank’s perspective, I can see why they feel they are not responsible since she authenticated all of the fraudulent transfers by entering the 2FA codes they texted her (they hadn’t read my blog on why SMS isn’t security).
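The pattern described above (33 transfers in 24 hours from an account normally used only for direct debits and standing orders) can be written as a baseline-plus-velocity rule. This is an added illustration, not the bank's or the author's code; the field names, the threshold of three and the sample transactions are constructed assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)

def build_baseline(history):
    """Payment types and payees the account has used before."""
    return ({t["type"] for t in history}, {t["payee"] for t in history})

def first_alert(history, new_txns, max_unusual=3):
    """Return the transaction at which a hold or call-back should fire, or None.

    A payment is 'unusual' if its type or its payee is absent from the
    baseline. The alert fires when more than max_unusual unusual payments
    fall inside one sliding 24-hour window.
    """
    known_types, known_payees = build_baseline(history)
    window = deque()
    for txn in sorted(new_txns, key=lambda t: t["when"]):
        if txn["type"] in known_types and txn["payee"] in known_payees:
            continue  # matches the account's normal behaviour
        window.append(txn)
        while txn["when"] - window[0]["when"] > WINDOW:
            window.popleft()  # drop unusual payments older than 24 hours
        if len(window) > max_unusual:
            return txn
    return None

def sample_data():
    """Constructed data: a quiet business account, then 33 transfers in a day."""
    start = datetime(2016, 1, 4, 9, 0)
    history = []
    for month in range(12):
        day = start + timedelta(days=30 * month)
        history.append({"when": day, "type": "DIRECT_DEBIT", "payee": "utility-co", "amount": 120})
        history.append({"when": day, "type": "STANDING_ORDER", "payee": "landlord", "amount": 900})
    fraud_start = start + timedelta(days=400)
    burst = [{"when": fraud_start + timedelta(minutes=40 * i), "type": "FASTER_PAYMENT",
              "payee": f"new-payee-{i % 7}", "amount": 5000} for i in range(33)]
    return history, burst

if __name__ == "__main__":
    history, burst = sample_data()
    hit = first_alert(history, burst)
    print("alert at", hit["when"], "after", burst.index(hit) + 1, "transfers")
```

On the constructed data the rule fires on the fourth transfer, so a hold or call-back would happen with 29 of the 33 payments still unsent.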
Whether or not the bank is at fault for this specific scam, the banks, collectively, will have to do something about the instant payment fraud problem in general. These frauds have become a very serious problem and I can understand why consumer groups are upset about what they see as a lack of action from the banks.
The Payment Systems Regulator’s (PSR) response to the Which? super-complaint on bank transfer scams ‘has let the banks off the hook’.
It isn’t only phone calls. There’s a huge amount of e-mail fraud going on as well. In essence, fraudsters intercept legitimate requests to transfer money from one account to another using the Faster Payments Service (FPS) and they change the details so that the payer sends the money to an account under the control of the fraudsters rather than the intended destination. So, typically, the fraudsters will get into the email of a solicitor and when that solicitor sends an email to one of their clients requesting money for a house purchase to be transferred into the solicitor’s account, the fraudsters replace the legitimate account details with details of another account that they control. I wrote about this ages ago and put forward the obvious solution, which is to stop using e-mail for important transactions, but nobody paid any attention, and the problem continued to grow.
A particular problem, of course, is that you identify a payee by giving a sort code number that identifies the bank branch and an account number to receive the funds. I defy anybody to carry around the six-digit sort code and nine-digit account number of their correspondents in their heads or to be able to spot their solicitor’s real payment details from some fake payee details when reading an email. If you are expecting to send the money to $dgwbirch (you can try this by the way, it’s my Square Cash name) and then get an email asking you to send instead to $davidovichbirchski then you might be a little suspicious, but if you get an e-mail asking you to switch from sort code 12-34-56 to 34-56-78 it’s less obviously a fraud.
Now, for someone like me who is reasonably savvy about the operations of the UK domestic interbank payment networks, instant payment fraud isn’t a problem. Whenever I have to set up a new payee for instant payments, I always send an initial payment of a fiver and wait for confirmation that it has arrived before I transfer any larger amount. But a great many people, and a great many people who are intelligent and sophisticated customers, do not. They enter the incorrect payee details and hit send. The impact of this is significant as the number of frauds continues to increase.
Hannah Nixon, managing director of the PSR, said: ‘Tens of thousands of people have, combined, lost hundreds of millions of pounds to these scams’.
Indeed they have. But if I tell my bank to send £10,000 to the Nat West in Barnsley by mistake – whether I was scammed or typed in the wrong sort code or was using an out-of-date account reference or whatever – and I go through all of the security hoops to do so, why is it my bank’s fault that the money went to the wrong place? It is not obvious at all that it is my bank that should be compensating me for my mistake. If a scammer gets me to send my house deposit to the wrong account, then my claim is against the scammers or the destination bank if it was negligent in some way (e.g., if it didn’t do KYC), isn’t it?
I agree with the BBC and everyone else that something needs to be done. On this Money Box episode, Hannah Nixon (the UK’s Payment Systems Regulator) mentioned one specific countermeasure that is to be implemented by 2018, which is payee verification, but I wonder if the solution isn’t to put an overlay on top of FPS for retail and SME customers to use. As I wrote earlier in the year,
if someone put a scheme on top of FPS so that they did the payee verification for you and included chargeback rights for a small fee then that might be very attractive to a great many people.
In other news, MasterCard are apparently launching a bid for VocaLink.
This isn’t just about bank accounts and instant payments, of course. If it was, I wouldn’t be blogging about it. I hate to say it, but the problem and the solution are all about identity. She couldn’t tell it was BT, and the bank couldn’t tell it was her (and she wouldn’t have been able to tell it was the bank). Fraudsters are ruthless about exploiting the gaps in identification, authentication and authorisation infrastructure and as far as I can tell, right now there are only gaps and no actual infrastructure. A system based on the gold standard of gas bills is, I am sorry to say, no longer fit for purpose.
Police later discovered Ghani and Mahmood carried out the fraud after stealing three utility bills from Mr To’s mailbox.
“Having forged his signature, they then transferred the deeds to his house into Ghani’s name”. Yes, I know I know, I’m sure the blockchain will put a stop to this, but in the meantime… should a homeowner whose house is stolen in this way be entitled to compensation from the utility company for sending the bills? Or from whoever it is that transferred the deeds based on a forged signature? If I can steal your house just by getting information from utility bills and forging your signature, society wouldn’t expect you to be the one to lose out, and I understand this, would it? Surely if I am able to log in to the solicitor’s email server and then send emails masquerading as them, it’s the solicitor that is being negligent, not the bank!
Just whose fault is it when someone gets scammed in an environment that has no effective identity infrastructure?