You keep using that word, I do not think it means what you think it means.
A senior police commissioner has complained that it would be wrong to interpret his comments about preventing online fraud victims from claiming compensation as a proposal for online fraud victims being unable to claim compensation. Sir Bernard Hogan-Howe asserted that the problem was systemic, telling The Times: “The system …
Doesn't have the same meaning. "Encouragement" is a broader term, where "incentive" normally implies a financial encouragement.
"Disincentive" is also an acceptable word for discouragement that's achieved financially.
I don't particularly like the verbs formed from "incentive" or "disincentive", mainly because there are older, shorter back-formations of those nouns into verbs in the shape of "incent" and "disincent".
I look forward to the day when any officer likely to undergo a disciplinary process is denied the option of taking 'early' retirement. We don't want to encourage lax behaviour do we?
Might as well payback all those PPI compensations as well. After all it was our own fault for not reading the small print in the 5 minutes when we were sold stuff.
The reason why banks refund fraudulent payments is that it draws attention away from the fact that the system is fundamentally moronic in its design and cannot possibly be secure.
In a secure system, customers would initiate payments (cash or BACS) instead of giving payees the authority to take money off them (16-digit numbers, Direct Debit or, craziest of all, "contactless").
my hunch is contactless fraud is very low-level, if it happens at all. Mainly because it's already protected against to a certain degree by the fact that almost all card readers are overlooked by CCTV.
Bear in mind in the UK the maximum loss possible from contactless payments is £90.
And if (as I do) you destroy the CV2 number on your card, the chances of online fraud are vanishingly small.
What I meant (as I suspect you knew) was that destroying the CV2 number on my card(s) reduces he risk of someone who has physical access to the card making a note of it and then using it online.
I *know* bank advice is to not hand your card to anyone. However there are a number of merchants who - for whatever reason - have engineered it so they "need" to put your card in the machine.
Normally I don't worry about being misunderstood. But I think destroying the CV2 is such a neat trick - and certainly within the skillset of an El Regger - that it needs promoting.
Amazon don't ask for the CV2. I am not sure whether there are others like that.
I read somewhere (here?) that it's because the CV2 is not allowed to be stored, it can only be used immediately. And Amazon prefer to have your card details stored for later purchases, so they don't worry about the CV2.
Not sure whether that affects fraudulent buying from Amazon.
> Not sure whether that affects fraudulent buying from Amazon.
Amazon have their own fraud detection systems that seem to be really efficient. Twice now they've reversed the transaction within minutes on e-books I bought from "strange locations" (once while travelling, once because I was still connected to a "screw you, Netflix" VPN).
"I *know* bank advice is to not hand your card to anyone. However there are a number of merchants who - for whatever reason - have engineered it so they "need" to put your card in the machine."
Oh no they don't. If they want to get paid by me that is. And not face a polite but increasingly loud conversation, overheard by a lengthening .....
Are these online criminals the AI's everyone's been warning us about?
Or maybe - just maybe @JimmyPage realises that the chance of having your CCV number compromised is more like to happen via physical access to your card, rather than a leaky online database.
Sort of. While cvv are Always needed for legitimate online transactions, they are not stored. What IS stored: a verification flag that only changes when the cc exp date is near or reached or the main Number changes. If you get a replacement card due to physical card damage, some banks will send you a replacement sight the same main number, same exp date, different ccv. The ccv changing does not invalidate a good-flagged card number, so there is no reason to change it on record, for recurring transactions.
> > "And if (as I do) you destroy the CV2 number on your card, the chances of online fraud are vanishingly small."
> Do you really think online criminals are looking at your card?
No, they're looking at the postit note on the monitor where he wrote down the CV2 as a reminder.
"if it happens at all. Mainly because it's already protected against to a certain degree by the fact that almost all card readers are overlooked by CCTV."
i'd love to see were you get this worthless idea of a fact from,
as i'd think its to total opposite in the real world
A charity and helpline in the UK called “Action for Elderly Abuse” http://elderabuse.org.uk/ has noticed a large increase of theft from the bank accounts of elderly european citizens, the presumed method of this loss is family members (or sometimes care staff) who have access to the elderly person’s wallet/purse have been making repeated micro-thefts (below the €20 threshold) by using the tap-and-pay method, without the agreement of the card owner.
This has led to comments in the Daily Telegraph and elsewhere of practical methods to disable the RFID, (as allegedly requests to some UK banks for non-RFID credit/debit cards were met wth a negative response)
The method from DT comments seemed to involve shining as many lumens as a 3.7V Li can blast out of a Cree LED holding a torch like http://www.amazon.co.uk/dp/B014H1UDA4/ against the RFID credit-card and use a marker to trace the antenna loop - then being careful not to drill any 0.5mm holes in the wrong place to invalidate it as a non-RFID credit card.
I had to insist with Natwest a year or so ago, but they did send me a new card. With retrospect I wish I'd microwaved it and returned it saying it was broken, and blaming the RFID antenna as a fire hazard.
It'll be interesting to see what happens when the replacement card comes up for renewal.
On the other hand when LLoyds sent my wife an shiny new fraud enabled card and she took it back they immediately sent her a replacement. The very helpful lady commented that a lot of their customers are rejecting them. Promised the account would be marked for non RFID replacements in future.
Banks learning to serve their customers? Anyone know the best treatment for frostbite on a flying pig?
> Credit and Debit Cards don't have RFID chips in them.
What planet have you been hiding on for the last few years ?
In the UK at least, I think most (all ?) the banks have now taken to issuing RFID (aka contactless) cards - some of them several years ago. I know because I've had "discussions" with every bank I do business with regarding having a non-contactless card.
Some have been quite OK - just told them I wanted non-contactless and they obliged.
One was willing but it needed a bit of a workaround. The lass at the other end had to issue a new card (they've cancelled the old one as they'd detected fraud), then cancel that, and only then send a new non-contactless replacement !
And one point blank refused - so I told them "in that case your card won't be in my wallet".
And as to the outright lies they tell. The good old one is "you'd get your money back if it's fraud". Yeah right. I know someone who's been on the receiving end of that "guarantee". Like heck did he get his money back. He was unlucky enough to have his account emptied (well run up to it's overdraft) just after pay day. They sent a long list of transactions and he had to identify the ones that weren't his - but they wouldn't take his word for it, he had to "prove" that it wasn't him as the money was spent locally. Some he could prove from work timesheets - commercial driver so he could prove he was elsewhere. But for some he couldn't. The police were useless - well actively obstructive. He observed that significant amount had been spend on food and drink, so he asked the copper if he'd contacted the establishments to ask them to retain any CCTV that might show the criminal at work. The copper responded along the lines of "when I get round to it", but when my mate said he was going to go round and ask them, the copper threatened to arrest his for interfering with a police investigation !
And given that security researchers have proved (not suggested, but actually proved) that bank (and in particular, card) security has holes - yet the banks still persist in their 100% secure lie ...
Pop over to https://www.lightbluetouchpaper.org/ and you'll find some interesting and quite frankly frightening news.
Card fraud is a possible cost.
Dealing with cash is a definite, rather high, cost.
Also, doesn't the merchant pay a small cut of each transaction? Cash doesn't provide that.
Also, doesn't the government love the fact that all electronic transactions are traceable?
We have financial interest and we have political interest. That will over-ride the fraud costs, which in the end, everyone pays through higher fees or higher transaction fees charged by the bank to the merchant and passed on to the customer in higher prices.
Certainties in life: Death, Taxes and Theft inc. card fraud
"Dealing with cash is a definite, rather high, cost."
Probably less than fraud or can you cite otherwise?
"Also, doesn't the merchant pay a small cut of each transaction? Cash doesn't provide that."
Credit/debit card Merchant service companies charge me between 2.5 and 4% so not such a small cut!
For cash, businesses do get charged a handling fee by the banks. My bank charges 0.5% to pay in bank notes, coins are a lot more. Not sure about withdrawals.
"Also, doesn't the merchant pay a small cut of each transaction? Cash doesn't provide that."
Business banking isn't free. The banks get their cut of the transaction when the business deposits the takings and/or "buys" the bags of coins. But that cut probably isn't big enough for them, especially since so many shops offer "cash back" as a way of "getting rid" of cash to reduce the banking fees.
he market shift to contactless payments (from magnetic stripe) where I am has reduced card-based fraud by nearly two thirds.
Hardly surprising, one of the big things chip-and-pin and contactless did was require merchants to invest in new card readers, which were designed to be taken to the customer and hence the card didn't leave the sight of it's user/owner...
Magstripes suck. Moving to chips can only improve the situation. Contactless as it is still a bit young. Thing is, it's rather limited (a handful of payments without entering a PIN, up to a low ceiling - yes, there were initial bugs with those, they've been ironed out a while ago).
So all in all, right now, it seems that even if fraud *could* work easily on contactless, it's unlikely it *would*, as it couldn't provide much ROI to the fraudster before being noticed.
They seem to be turning now to direct attacks on online bank accounts, accessed via phishing, dataleaks, and others.
The reason why banks are okay with paying? Because it's cheaper. Devising an unbreakable scheme would cost a lot, first in development and deployment, then in lost business. "Unbreakable" rarely goes together with "easy to use", and customers would just start using shiny beads and seashells rather than be subject to a DNA test before buying a beer.
"Don't know where you are but the market shift to contactless payments (from magnetic stripe) where I am has reduced card-based fraud by nearly two thirds."
Most of the civilised world has only used mag stripe as a next to last resort fall back since chip'n'pin was introduced (which admittedly has it's own issues)
When you use direct debit be it via a proximity RFID chip in the card or physically inserting the card and using chip & PIN, you are not handing the merchant the credentials needed to draw against your accounts. What you are doing is giving the bank permission to send an identified merchant a specified amount of dosh for a specific purchase at a specific place and time. Yes your purchases and buying habits are being analysed and tracked, which (aside from being more than a little scary) is also used to help detect fraud against the bank, and to a lesser degree, you.
As pointed out by others, the bank refunds fraud victims when it is their system that has been compromised; "chip and PIN" was introduced to lessen the bank's liability and increase the onus on you. There are many people (especially millenials) who don't seem to understand this concept. They hand their bank card to a mate and give out their PIN without much thought to the fact that they are responsible. If the bank discovers that you compromised security the likely hood of getting compensated for a fraudulent transaction is reduced.
> I send them money but don't give them my credit card details.
But are you aware of the amount and nature of personal information (about you) that PayPal transmits to the merchant? I implemented a merchant solution some years ago and we were basically getting the entire contents of the user's profile: name, address, phone number, email, the lot. Our API would throw all that away as we had no need for it and didn't want any data protection headaches plus we took pride in respecting our customers' privacy. However, I am not sure every other business is the same, so I stopped using PayPal after that.
> In a secure system, customers would initiate payments (cash or BACS) instead of giving payees the authority to take money off them (16-digit numbers, Direct Debit
Not sure what you mean. With my usual bank, for direct debit, I need to authorise a specific receiving account and set a maximum limit. Only the account that I configure is then allowed to debit from mine, and only up to the specified amount per month. I have no need for direct debits so I have never actually tried it though.
> or, craziest of all, "contactless").
I do not understand how does contactless fail to meet your "initiated by the user" requirement. Could you please clarify?
Too true. Rather interestingly, in the case of getting money converted to foreign curency and trasferred to an account (where the cash to cash rip-off rates and commissions generally don't apply) there are changers of two sorts; those who operate the usual internet model of provide them with a card number etcetera, and those who require you to transfer funds to them using a transfer initiated by you (which is pretty easy and very quick using fast transfer). I use only companys which (a) have a good reputation and (b) receive the money by interbank transfer; that way I don't have to trust them to keep any of my keys/passwords/credit card numbers/etcetera safe.
They tried that - by bundling near-obligatory "fraud prevention" windows only software.
HSBC tried that, a few others as well. Forgot what it was called, named after some dog breed.
I tried to point them that they are offering an insecure redirect to an insecure download out of a hijackable non-https page to do that. Not just that, the whole set-up was asking to be abused for phishing or cross-site-scripting attacks. All of these rather simple thoughts could not be parsed by whoever is in charge of that part for them. I also tried to point to them that there is no way in hell you can run that crapware on a Mac or Linux, that did not parse either. Same result - it was like trying to teach a macaque quantum mechanics.
All in all - I did not get very far and after a litany of failures from HSBC security dept I fired them. With great pleasure. Moved my business elsewhere which is marginally better.
The truth is, nearly all management in charge of retail electronic commerce security in a most UK banks is as incompetent as you can find and then some.
@Voland's right hand
I doubt they've improved since I also fired them about 10 years ago.
At that time the process for settling an HSBC credit card via an HSBC bank account was clunky - I'm sure it was trying to hand over from one system to another and trying to make it look seamless. Whatever, one night it clunked a little too much and failed. I tried to give them a friendly heads up and their sole response subsequently confirmed in writing was that "we don't support Firefox and Linux"; no attempt to even listen to the information they were being given or recognise that I wasn't looking for support for my software. Neither Lloyds, Barclays or the Coop had any such restrictions. Together with the fact that they'd closed my preferred branch they got the push.
About a year ago I took a look at their First Direct arm. Their internet banking page stated that "PCs and Macs connected to Local Area Networks are not supported". I pointed out that any broadband connection uses a LAN to connect to user's machines. They promised to look into that and get back to me. I'm still waiting and that nonsense is still on their site today.
It doesn't have to be Wi-Fi - for a start anyone connecting through a device that has an address in one of the IPV4 private ranges (10.n.n.n 172.16-31.n.n 192.168.n.n) is clearly using a LAN. It would be interesting to know what First Direct thinks a LAN is. A journalist should ask them why they're excluding the majority of their users from support.
"... connecting through a device that has an address in one of the IPV4 private ranges (10.n.n.n 172.16-31.n.n 192.168.n.n) is clearly using a LAN."
Whatever the complexity/simplicity of your home LAN wiring and Wi-Fi, when you connect to some site outside your home then you appear to be coming from an IP address assigned by your ISP. Have a look at www.whatsmyip.org to see a clear demonstration of this. (Also useful for checking that your VPN is working.)
I'm not talking about how a device looks to someone on the internet - most home users are behind NAT routers that make them appear to have a single public IP address. But we know that, they're on a LAN based on that router so they're technically "not supported" for internet banking purposes.
I do hope the hacking crews make Sir Bernard "twaddle" Hogan-Howe their number one target and then let's see what tune he spouts. Perhaps then he may realise just how many security holes there are in e-commerce systems and that merchants and banks have a duty to ensure that their systems are up to date and have the latest security measures as well as making them scam/fraud proof as possible. If there were no financial incentive for institutions to make good losses you can bet your house that their security would be non existent and tough shit Mr/Ms A customer.
A stupid comment by an idiot who hasn't a clue or has friends on the boards of Banks, the cynic in me thinks it's the latter.
Indeed, can you imagine the first court case when a suitably clued-up litigant gets the judge's approval for a full and public audit of the banks systems. You know, including those banks still on XP and IE6 because they have internal stuff that demands it?
And the same for Government offices who request you pay on-line to them, will they want to be held to the same standard of public auditing?
You can be damn sure the banks have considered the cost of liability and the cost of mitigating it (and loss of business if folk just stop using on-line payments, etc) and have come to the conclusion the current arrangement is the least-worst option.
"Personally, on my system I’ve got a propriety security software and I got an update a few months ago and it sat there for months, I didn’t quite get round to it."
So he's a knob end who can't be arsed to update his (Apple/MS?) software, and has an anecdote to prove his thesis.
Me: I run Linux/BSD end to end at home with multiple VLANs and a firewall policy that is way stricter than most "enterprise" systems I look after. It's also monitored. Properly. I'm an IT consultant by trade. I patch my home systems as often as is wife acceptable, and I clothe myself in tin foil. I'm under no illusions that despite the fact that my home IT security is pretty much as good as is reasonably possible, mistakes can and will inevitably happen. Yes, I have done a risk assessment. Yes, I am a bit obsessed. Yes, I probably should get out more.
So given *my* anecdote, do I get to be upset when I do something stupid and click on a link in an email and lose money? Where does my responsibility stop and his start? At what point does my bank take responsibility for stupidity? Should I really take up their offer of free AV software to provide complete protection online.
I don't know and I want to know: Who is responsible for what in a world where nearly anyone in that world can virtually knock on my metaphorical front door with a massive cyber door-twatter?
Yes, you should get out more.
Seriously, similar here, reviewing system logs everyday is a pain that many can't be bothered with. I am paranoid too because there are many people out there way smarter than I am.
I was hammered by a Chinese IP address a couple of days ago for an hour and a half using the Jsky scanner. Loud as fuck... script kiddie. They managed to get a directory listing for one folder. Thanks to that attack I fixed the leak.
And did I say you should get out more :-)
"And did I say you should get out more :-)"
You might have mentioned it at one point. Still, it's the day job and I generally test stuff out at home before letting it loose at work. Wife Acceptance Factor >= corporate change control if you see what I mean.
I was hammered by a Chinese IP address a couple of days ago for an hour and a half using the Jsky scanner.
I had a similar experience which prompted me to fix up log rotation, log dropping and monitoring in general *sigh*
In beating newspaper sellers to death? Or pumping Brazilian electricians full of soft nosed bullets? Or taking backhanders? Or harassing their own whistle blowers? Or ignoring anarchist demonstrators to try and stop government budget cuts? Or shutting down half of central London just so the BBC can do doughnuts round the Cenotaph? Or leaking information to the Murdoch press? Or besmirching public figures on hearsay, and then not even having the grace to admit they're wrong?
Let's face it, the only place for the Hogan Howe brand is on the side of one of those blue bags carried by dog walkers.
although not just yes there is more....
I had the exact same experience trying to report a scam phone call from "Microsoft" who needed access to my computer apparently.
(Which is interesting as I have two devices at home one a chromebook, and one a laptop running linux.)
Anyway the action fraud website form didnt even ask for the telephone number they called from. It was a series of about 6 dropdown boxes on the type of fraud attempted.
I pressed submit and was shown a thankyou.
Wow. So as you said its simply a statistics gathering website.
I like the fact that the old(?) website www.actionfraud.org.uk is still up and running.
Looking at the Whois report: (http://www.nominet.uk/whois/?query=actionfraud.org.uk#whois-results )
and an ownership report (http://who.pho.to/gemma_burke/ )
It would seem the old actionfraud site itself is destined to become a scam site...
For those interested the new website and the place where you can report fraud is now www.actionfraud.police.uk
From the new website:
Action Fraud refers all fraud crime cases and information on fraud to the National Fraud Intelligence Bureau. This is run by the City of London Police - the lead force for fraud in the UK.
City of London Police? This is better? Seriously?
If you recall what happened with Phorm, that was something 'investigated' by CoL police as well. The quotes were added there quite deliberately too: it was a farce that ended up with the case being closed with no action being taken. This was after the officers concerned had been wined and dined by the company but before any formal interview ever took place.
I think the phrase 'lead force for fraud in the UK' was a rather unwise choice in the circumstances ('nobody commits more fraud than us!').
Besides which, how can we be certain that this is little better than the previous attempt to gather statistics - detailed or otherwise - and little more?
Another thought: is it really a good choice to make CoL police responsible for this when they're partly funded by the corporations that have their offices in the City of London?
Surely their focus is going to be on protecting the commercial interests of those corporations and not so much the interests of the general public?
Why should we expect them to care about fraud generally, especially if it highlights problems that their corporate friends can't easily fix, such as chip and PIN, or contactless payment for example?
Incidentally perhaps this helps explain the attitude shown in the interview? If they're not doing their job then they shift the blame for the underlying problem onto the victim?
At the moment the official line is the the *bank* is the victim and should do the reporting. Which it is, as Mitchell and Webb so ably demonstrate.
Sir Commish appears to have fallen for the banks' PR spin, as have many ministers (all presumably planning on a nice non-exec role when they retire).
"I don’t suppose I’m much different to anyone else but I guarantee if someone said to me if your card is done or something happens online I’ll give you nothing back, you’d change your behaviour."
Yes, I would stop using the card completely and immediately close the account.
The reason that banks refund fraud losses is to prevent loss of confidence in the system, it's cheaper to pay for a few losses than to lose business and possibly cheaper than finding a stronger security process that doesn't inconvenience every customer.
My email account was compromised a while back during one of the many bulk hacks/releases of logins that've happened. OK, I spotted it within an hour and updated all the security credentials but if I hadn't? Would I be to blame for that? It wasn't my security that was lax. Email accounts are a big risk, as so many other services will reset their passwords by a simple email.
If they'd used that to reset some of my other accounts, with real money involved in them, would that be my fault?
Well, according to the BBC article on this, RBS have reported that 70% of fraud victims do NOT get their money back.
If this is true, it goes against what he's saying. Then you also have the delay in getting the refund inconveniencing the victim, the hassle of reporting it, and the fear and uncertainty they'd feel while going through the process.
Basically, people don't patch because they don't think they'll be victims. Once they are, they'll patch like crazy. AKA people are generally lazy.
I'm less bothered about the temporary disappearance of the few quid that went before the bank spotted an unexpected sequence of transactions (the fraudster testing my card first) than having to do without my card for up to a week and having to re-enter my account details to all the websites that stored them.
...wait a mo... perhaps it's all the websites storing my card details that were part of the problem...
The the banking system totally fails to offer a reliable and secure payment system is a scandal.
To blame the users deserves retribution!
E.g. Barclays has just changed its on-line system. so that it now prompts the user to re-input the account number from what you typed in, not from the original document. Thus you confirm an error, rather than discover it.
90 percent of Rapes could be avoided if women were not allowed out.
90 Percent of armed robberies could be stopped if we were all armed to the teeth.
90 Percent of theft could be avoided if we went back to the old days or adopted the Argos way of doing things and kept everything behind the counter.
90 percent or lawyers and journalists could be avoided if anal sex was made a hanging offence.
The problem is that you are all "disincentivised " we should take a proactive step as stake holders and we should walk it back in these intellectually bankrupt times we live in.
/Crappy use of English.
The problem with card theft is that we still have the Mag Stripe. Once that gets removed then a lot of fraud will stop.
My local Halfords STILL to this day require Chip&Pin PLUS a swipe so they can get the magstrip data. I now take cash with me when/if I need to buy something from them.
Online Transactions are also getting much more secure, not great, but much better.
I think the biggest amount of theft comes from foreign banks letting the cards run though their ATM's and really empty the system.
I would LOVE to see "Foreign" withdrawal/purchases blocked by default, and like to see the ability for you to add a limit on them or even perhaps specify only a group of countries that you will allow your card to be used at.
Many years ago I made a online order via Dabs (When it was worth using) and my CC company though that a £1,200 order seemed a bit excessive.. So my bank locked ALL of my cards.. I pulled up to the Shell Station, filled my tank, and found 3 of my cards all not working, it took about an hour to sort things out. Sometimes they reach too far, other times they don't reach for enough.
The ATM should start face scanning the people using the cards. Have 6 people used the same card this week - yea?, somethings wrong flag it. There is a lot they can do, but until losses exceed the cost of implementation then don't expect any changes.
that more of my personal data floats around the interwebs through the security incompetence (or often sheer we-cant-be-botheredness) of banks, telecoms companies, online retailers... you name it, than through my own incompetence. I've had a few talks to security people in banks and the results have consistently been disappointing. I never had the feeling that security enjoys the priority it should have.
So before BHH lambast the general public he should perhaps look into the way supposed "professionals" go about their IT security.
When someone gets money off a bank that they are not entitled to, it is the bank that has been defrauded - not the person that was impersonated.
The banks have successfully created an imaginary crime of identity theft - to shift responsibility back to their customers. You could argue that it isn't such a bad thing to do as the weakness in the bank's security is mainly their customers and the trillion and one idiot things they do. But fundamentally it is the bank that is the victim of the crime.
As for this story, the police commish is wrong by trying to imply a Moral Hazard effect of the customer's being immediately reimbursed when the bank suffers a fraud whereas the reality is that the customer's are not being defrauded and the banks are trying to improve their securities by making their customers suffer when they do.
The whole concept of payment cards is flawed. We should have moved away from this decades ago at this stage.
How does an industry expect not to have massive fraud when they've a broken system that largely relies on a 16-digit number and an exp date and ccv that is handed to retailers on the basis of trust. I know there are optional extra security measures but the card can still be potentially cleared out.
The security on my gmail is far harder than my credit card! That's absolutely insane and a massive indictment of the whole financial sector.
They're not addressing fraud because they've a bit insurance slush fund and they're wasting law enforcement time and inadvertently allowing terrorists, criminals and who knows else to get money out of weakly secured systems.
I wonder which Bank's board he's going to sit on after that?
The banks set up the security.
The banks don't let you set the password length or complexity you'd like. (try a long password such as
Therefore it's the banks issue.
When they let people do what they want, then it's the people's issue.
Perhaps it's also a crime seems to have slipped past him....
One can try to apportion blame and say things like "If you go out and leave your front door open it's your own fault if you get robbed," but at the end of the day the blame is with the fraudster/thief not the person being robbed. Without them the crime wouldn't happen. One can also say that the customer has a certain amount of responsibility to lock his door or not give his PIN out, or click dodgy links, etc. But even if one accepts this, the "disincentive", ie. punishment, is completely disproportionate to the "offence" of being somewhat lax with your security.
"Been phished? Had your savings cleaned out? Ha, that'll teach you!" I don't think so.
On the other hand, the banks can afford to take the hit. Hopefully they will then in turn try to do their bit to educate their customers, and with a bit of luck to improve the systems too.
The guy is a cockwomble. I've had my CC used for online fraud at least twice. They didn't get that number from me or my computer. So he want's us to be responsible for any merchant's (online or not) CC system? Think all the break-ins to places like Home Depot, Target, etc. The guy is daft.
Worth remembering that this was published in The Times. The Murdoch press have got it in for Sir B. because of the investigation and prosecution of their journalists and Rebekah Brooks. News Corp. Is out for revenge. You only have to look at The Sun's front page from Tuesday.
He's a career politician of course, so he and his minders should have been aware of the risk, but I bet he was set up.
"[BHH] and his minders should have been aware of the risk, but I bet he was set up."
Andy Hayman, former anti-terrorism expert at both ACPO Ltd (ACPO = Association of Chief Police Officers) and the Metropolitan Police, and also the man in charge of the first "phone hacking" inquiry and the man who made this pantomime submission  to Parliament's Home Affairs Committee, was/is a Murdoch employee subsequently. You'd have thought the two of them could have had a quiet word down the Lodge.
 https://www.youtube.com/watch?v=F-Rv3u9Zrlo (a minute or so from Channel 4 News, the full show is around somewhere but I couldn't quickly find it)
Pretty disappointing that someone who is clearly incompetent on a subject should wax lyrical on said subject. It's bad enough he is incompetent, but worse when he does have self awareness .
The system as is, is that if you shown to be negligent you don't get recompensed. This would be things like writing down you password or PIN, or sharing it. Of course the banks, with there usual bias to self interest manage to pin that on anything they can, or just by default apply it and wait for the complaint to whatever ombudsman looks at it, reading before it's report as 70% at RBS is not refunded?
Apart from that wrinkle, that's a reasonably fair system, if you leave a wad of cash out, and someone nicks it, that's your lookout. But what where you do take reasonable precautions, it should not. Now a question is, what's reasonable to the average folk. Make everyone sign up for two factor authentication for email, stop them using windows, training in how not to get phished? Maybe a safe banking certificate awarded after some CBT training?
But anyway doesn't matter, right now, because that 30% is the main motivation for the banks to systemically improve their security. The people who can, if they choose, employ analysts, designers and developers and the rest required to provide reasonably friendly, secure service. They are going on-line because it's cheaper for them, they make it secure, because its cheaper for them.
But no, this idiot want to make the security of THEIR SERVICE irrelevant to THEIR BOTTOM LINE. How not to motivate a bank. 101. Would HSBC cough for free pin pass cards, or sign up to VISA secure question if they didn't think it would save them money?
I haven't seen quite so many howls of abuse about slow running, inexplicable problems, unmitigated horror, and so on, over the last couple of years.
Is this because UK banks have stopped recommending/requiring it, or (gasp!) perhaps TR has fixed all its problems? (Compare Microsoft...)
Hmm, aren't these the same lot who are wasting ~20% of their IT budget each year, refusing to admit how much they've they've pissed away on failed projects and avoided any accountability?
Maybe if for every pound wasted on such projects a pound got deducted from wages of those who signed off on those projects it might result in better accountability.
As for bitching about fraud victims getting their money back (in 30% of cases...) my experiences of trying to report fraud, ID theft or suspicious withdrawals have been met with a flat refusal to take a crime report unless I can name a specific person.
I could show clear dodgy transactions with identifying features that presumably could be followed up on, such as car insurance being paid for (we don't own a car), payment for an ISP connection 300 miles away, or pizza delivery half way across the globe. Oh, and an ATM withdrawl (failed 9 times, passed on 10th) in Thailand, when the "same" card had been used 90 minutes before in the Netherlands. Cops bent over backwards to avoid taking a report, but the bank refunded us within 24 hours.*
So Sir Bernie, if you want the banks to stop refunding fraud victims, that's going to require you lot doing a huuuge amount more work, when you currently aren't able to process all the "normal" crime, how the fuck are you going to handle ID theft and low end (sub $2000) fraud? That work is currently "outsourced" to the banks because the cops simply do not have the resources for it.
* they did send us a letter where we had to sign off that we had never performed those transactions,
..if we are told that we'd be responsible for all loses we would change our behaviour: we'd stop using banks and credit cards.
I'm sure Hogan-Howe is a nice chap but he lives in a world where we are perceived to be the problem and his words reflect that. Having people be better computers is not a solution to anything. History shows we are incapable of being more secure. Even those who are conscientious will fail some time.
Clearly the banks don't want us to walk away. Perhaps the other side of the story was not covered by Hogan-Howe or not so newsworthy. The other side is that banks also have options. One is to make it impossible for our accounts to be hacked or used fraudulently. However this is, at the moment, prohibitively expensive. It's much cheaper to have the actuaries work out the cost of fraud and set the cost against profits like any other business expense such as marketing or accounting. So that's the status quo. It exists not because we are all evil (stupid maybe) but because its the least expensive option that is also reliable and managable.
You keep using that word, I do not think it means what you think it means.
Well, he (the Met Commissioner) does come from South Yorkshire, so you can expect some non-tonic vowels to be suppressed and some "r"-s to disappear, but getting from "proprietary" to "propriety" without noticing that it's a different word with a completely different meaning does seem rather extreme; but it's rather likely in context that "proprietary" is what he meant.
But I really like the footnote on it.