back to article Banks 'not doing enough' to protect against bank-transfer scams

UK banks have been told they needed to go further protecting consumers against money transfer scams - a growing form of fraud. The Payment Systems Regulator said institutions must improve the way they respond to bank transfer scams and do more to identify fraudulent payments without advocating changes in liability for …

  1. kain preacher

    Why would they it's not their money. They are not going to spend their own money to protect you. You want top stop this pass a law saying that every time there is a breach no bonus can be paid out and no dividends on the stock can be paid. If there are more than 5 beaches in a year the stock can not be traded for six months.

    the only way to stop this is to take cash out of peoples pockets. These people care more about money then any thing else.

    1. Charles 9

      Potential collateral damage, as honest shareholders may not be able to sell, either.

      1. allthecoolshortnamesweretaken

        No, damage it may be, but it's not collateral.

        Hint: it's called a share because when you buy some, you actually own a part of the company. And have a say in who runs it and how. And as such get not only to share (there it is again) profits and losses, but also responsibilities. Stuff everybody should be aware of before buying stocks.

        1. Anonymous Coward
          Anonymous Coward

          Knowledge is not always there. Due diligence is not always possible.

  2. BarryUK

    So what is the argument for making the banks liable anyway? Sure, there are some measures the bank could take to try and catch unusual transactions but at the end of the day, if you transfer money from your account to someone else's why would you expect the bank to pay for your mistake?

    1. Anonymous Coward
      Anonymous Coward

      why would you expect the bank to pay for your mistake?

      If the money lost and/or scammed is all or most of some poor unfortunate's life savings, it may well be that they are more likely to have to fall back on the help of the state at some point.

      So maybe you could look on it as a choice between the bank' shareholders paying, or the taxpayer paying.

    2. Alan Brown Silver badge

      " if you transfer money from your account to someone else's why would you expect the bank to pay for your mistake?"

      In a large portion of these cases, the victims _didn't_ transfer the money, someone else did.

      Part of the problem is that in most of these cases the transfer is made to another domestic bank - hard to spot, but a series of random inward transfers can (and should!) set off security watchers, so a mule is employed to do cash withdrawals at daily intervals, handing the money over to someone else for a small cut (usually 5-10%) who takes it somewhere else to be deposited.

      This was explained to me at a point when I was unemployed, by someone trying to recruit mules. The Met police were spectacularly uninterested in following it up despite the handler making few efforts to make her hard to find.

    3. streaky

      So what is the argument for making the banks liable anyway?

      They'll be insured against losses plus the banking system can do things internally to clawback losses that consumers can't - for starters.

      1. teebie

        "So what is the argument for making the banks liable anyway?"

        The sending bank's systems make it far too easy to send money to the wrong account by mistake. Adding a name check or some sort of a checksum (as in an iban) would save customers several orders of magnitude more than it would cost the bank.

        In cases where customers receive a email claiming to be the customer's lawyer asking for money for a house purchase to be sent to a particular account, the receiving bank doesn't do enough to stop people from setting up fraudulent accounts (or treating setting up an account, receiving on large transaction, then immediately removing all of the money as suspicious.)

  3. Aodhhan

    Don't blame the bank

    This isn't talking about breaches into banking system. It's about people not performing due diligence before they give their money to someone.

    If you write a check out to a fraudulent or criminal enterprise, it isn't the fault of the bank. Transfers should be no different.

    If you're going to perform a fund transfer, it's worth taking 30 minutes of your time to do a bit of background research first. It isn't difficult to validate a real corporation, individual or charity. Don't use any of the information they provide to you in an email, phone call or message. Get the information from phone books, call information, etc. Then use what you find to contact them and validate.

    1. JimC

      Re: Don't blame the bank

      Nice victim blaming.

      The other side of it is that the banks are supposed to be the experts on financial matters, and use that to attempt to justify their huge executive salaries and the like. I'm quite sure a great deal more could be done to make life difficult for fraudsters, but if the banks have no motivation to do it then they won't.

      1. DNTP

        Re: Don't blame the bank

        Say I run our chemical stocks, as a safety officer and chemist, and my job is to distribute materials for other units of the company. I could simply assume that workers know what they are asking for and provide the safety sheets as the legal minimum corporate policy requires- but you can bet if someone requests something unusual or dangerous I am also going to make personally sure they know what they are getting and what not to do with it before they walk out. In the long run this benefits everybody, and to paraphrase Isaac Asimov, "It's my responsibility because I know about it."

        Unfortunately bank executives, who get paid on average way more than CSOs and have advanced knowledge of a much more intricate system than physical chemistry, somehow don't feel the need to exceed a minimum standard regarding advising their own customers.

        1. Chemist

          Re: Don't blame the bank

          "have advanced knowledge of a much more intricate system than physical chemistry, "

          What !!!!!!

          1. DNTP
            Flame

            Re: Don't blame the bank

            Well, they get paid more anyway.

            And copper-glycine complexes won't try to deceive you into signing up your dead relatives and their pets for seventeen Wells Fargo accounts. I guess while chemistry is basically accessible to any decently intelligent person, it takes a real "special" kind of operator to run a banking business.

            1. Charles 9

              Re: Don't blame the bank

              No, chemicals can kill. Directly. So they're exceptions, subject to extra regulation. Since when has wire stupidity directly killed anyone?

              1. Anonymous Coward
                Anonymous Coward

                Re: Don't blame the bank

                Suicides last time I looked.

                1. Charles 9

                  Re: Don't blame the bank

                  Still indirect. A bank transfer can't stop your heart, but inhaling hydrogen cyanide vapors can and probably will.

  4. EJ

    Banks could simply require 2FA and it would put a huge dent in the problem. That's on the banks.

    1. Chemist

      "Banks could simply require 2FA and it would put a huge dent in the problem. That's on the banks."

      ALL my banks (3) do require such. All are sufficiently onerous that I don't set-up a new transfer lightly

    2. katrinab Silver badge

      No it wouldn't. These people believe they are transferring money to their builder / solicitor / whatever, but someone else intercepted the communication and gave them different bank details.

  5. Anonymous Coward
    IT Angle

    Protecting consumers against money transfer scams

    How exactly does one go about executing such a scam?

    1. Anonymous C0ward

      Re: Protecting consumers against money transfer scams

      Asking for a friend?

    2. DNTP

      Re: Protecting consumers against money transfer scams

      Hello friend you are lucky I am here to help you with a quick demonstration of these principles, to protect you and your loved ones, or to earn money (for you and your loved ones). To continue gaining valuable advice about money transfer scams, please wire a nominal service fee payment of $49.95 via Western Union to-

    3. katrinab Silver badge

      Re: Protecting consumers against money transfer scams

      One example:

      Hack into the email account of a property solicitor

      Send out an email to one of the solicitor's contacts asking them to pay the house purchase money into a different account

      Withdraw that money elsewhere as quickly as possible after it arrives

  6. Doctor Syntax Silver badge

    More hindrance than help

    A few days ago my bank send out an email about this. Or, strictly speaking, they didn't. They had a marketing company spammer send it out with a From: line purporting to be the bank, naturally a noreply address.

    So I have an email purporting to be from the bank but originating from an IP address not owned by the bank. Look like a phishing email much?

    And it gets worse. There are several links in the email which appear to point to the bank's domain. However when I look up the address of the sub-domain server for these links (the same subdomain used for the From: address) it's not in the bank's block. It belongs to the same spamming business that sent the email. Look like a phishing email supported by a bit of DNS poisoning much?

    The only indication that it's probably from the bank is the address to which it was sent. It's one that's provided only for the bank.

    Instead of training customers to be aware of scams, the overt purpose of the email, it's actually training them to be phished.

    And I wonder if their IT security manager, assuming they have such a thing, is happy to have a subdomain resolve to a server not controlled by the bank. If I were in that position I'd be livid.

    1. Anonymous Coward
      Anonymous Coward

      Re: More hindrance than help

      And I wonder if their IT security manager, assuming they have such a thing, is happy to have a subdomain resolve to a server not controlled by the bank. If I were in that position I'd be livid.

      I doubt that the ITsec team even knew about it before the retards of marketing let that loose. And they're probably doing so much internal fire-fighting that they can't proactively chase the incompetence of people outsourcing "marketing".

      1. Anonymous Coward
        Anonymous Coward

        Re: More hindrance than help

        Pff. Either he didn't knew about it or marketing can overrule him. Reminds me of a nice security mail my company sent out:

        The customers where advised to check all incoming emails where sent from our domain, contains the users full name and shouldn't contain any links or attachements.

        Except for attachements, the email violated all of those rules. For extra happy points the links all redirected to some third party statistics website that then redirected the user to us. The statistics website had an invalid SSL certificate. Prompting many customers to believe our website was "hacked"

        It was a fun week for customer service. Marketing managed to somehow get extra brownie points from management for getting the customers interested in security despite those fuck ups.

    2. Anonymous C0ward

      Re: More hindrance than help

      And did they even have it set up to pass SPF/DMARC?

  7. Daniel Bower

    I work with some some crime underwriters and some of the scans are very sophisticated.

    Fire example having into a solicitors email system and watching house conveyances go through the process and at an opportune time get the buyer to transfer the deposit to a scam account.

    All very convincing as they've been watching the whole transaction and a) pick the right moment and b) use the right language-none of this uncle in Nigeria nonsense.

    Personally I don't think the banks should be liable but the institutions who have so poor security their emails can be compromised in this way.

  8. Anonymous Coward
    Anonymous Coward

    How is this different from cash?

    I subscribe to Which so I know of the examples they speak of.

    An example in the magazine was someone wanting a kitchen from an ad off gumtree which was cheap and "looked really nice", and they chose to make the payment online by bank transfer "for a discount". And it turns out to be a scam. He then asks the bank to refund the amount because no kitchen. The bank refused, so he went to Which. Which went to the bank and got the same response.

    If the person had paid by cash, would he/Which expect the bank to reverse the ATM withdrawal? If he had posted in, would he expect Royal Mail to be liable too?

    That's why things like 2FA won't help - this is not about hacked accounts or fraudulent account access or intercepted comms as people are commenting above. It is the account holder themselves performing an authenticated and verified transfer that Which is demanding that provisions need to exist to have the bank reverse such customer generated verified transfers. I don't understand how a bank can be liable and be required to reverse every payment transaction, at anytime. The cost of provisioning this would be onerous.

    Credit and debit cards already exist that offer protection - these require payment processors who ensure payees are registered and verified, and to me it does not make sense to create similar barriers towards basic bank account opening.

    So I don't agree that the bank is responsible in the examples they give. I mean buying of all things a fitted kitchen online off gumtree??? I don't think that sort of silliness should be protected by regulatory burden, we all make mistakes and we should learn to suck it up and learn from it, not go whine that someone else should fix it. I'd have more respect for the argument if Which actually proposed practical and cost effective solutions instead of just demanding that the banks solve it "somehow".

    There is another consumer action in Which that annoyed me. They want any SW update to be ignorable and dismissable "without any consequence". So they want to be protected from security holes, but without having to install any SW updates. "Somehow". Nice one.

    1. Anonymous Coward
      Anonymous Coward

      Re: How is this different from cash?

      "So I don't agree that the bank is responsible in the examples they give. I mean buying of all things a fitted kitchen online off gumtree??? I don't think that sort of silliness should be protected by regulatory burden, we all make mistakes and we should learn to suck it up and learn from it, not go whine that someone else should fix it."

      Problem is, errors of these type can be one-way: catastrophic, meaning there's no lesson to learn because the victim is now without a way to come back: dead-ended. And no government wants to be in the position to tell someone, "You lose. Game over. Better luck next life." because people with nothing left to lose tend to turn to crime and/or revenge, which affects all of us. It's like saying a kid should learn about the perils of electricity by sticking a penny in the light socket; problem is some don't survive the experience.

      1. Anonymous Coward
        Anonymous Coward

        Re: How is this different from cash?

        They'd lose the ability to live a free life - a life of crime would be the answer for few.

        It has to be justified against the cost of it, and besides someone transferring a life changing sum online to someone they do not know has to be an even smaller number of people.

        It would be like passing a law that all plug points must be on the celiing, every parent must wrap the entire house with insulation and their kids too. Because you know, a kid might get to the plug.

        I think it is reasonable to ask the banks to put up a big red warning message when a payee is being added (suggesting perhaps credit or debit cards for purchases), so then there isn't the excuse that the potential victim did not know.

        1. Anonymous Coward
          Anonymous Coward

          Re: How is this different from cash?

          "It would be like passing a law that all plug points must be on the celiing, every parent must wrap the entire house with insulation and their kids too. Because you know, a kid might get to the plug."

          But try telling that to the parent (especially a widowed parent) of their only kid who lost their life to the plug.

          1. Anonymous Coward
            Anonymous Coward

            Re: How is this different from cash?

            You actually think a widowed parent would have wanted such regulation passed????

            At even if they had that view, that it isn't a purely emotional stance?

            In any case, in spite of plugs not being on the ceiling, pretty much almost every kid isn;t dying. So yeah I don;t think such a law should be passed for the sake of a widowed parent.

  9. Will Godfrey Silver badge
    Unhappy

    I can't see this improving. The banks still won't accept that the whole credit card setup is insecure when it has been demonstrated multiple times. And to make absolutely sure of it, they add another insecure layer on top of it i.e. contactless.

    1. Charles 9

      Well, you got any better ideas that won't produce lots of collateral damage?

  10. anthonyhegedus Silver badge

    There's a bit of commonality here - email

    Could it be the dire state of email that's to blame? Email is generally insecure, easy to spoof, unreliable in terms of knowing whether an email has been received or not. Different email systems have different types of security checking: Consider gmail, hotmail, outlook.com, yahoo etc. People aren't well versed in how email is meant to work. Nobody is going to sit through a training course in all the security features their email service provides, and it seems to keep changing anyway.

    As long as email is as easy to hack into as it is now, nothing is going to change - there will always be some way of scamming people. When the crims start hacking the phone networks, there'll be even more.

    In the meantime why don't the banks have some kind of reverse check so that when you make a transfer to a bank account number, you get feedback on the name of the account you're sending to?

    Just a thought,

    1. Stuart Moore
      Thumb Up

      Re: There's a bit of commonality here - email

      I agree completely - something that gives you some detail on the other end of the account before you click yes. E.g. "Please confirm you want to send money to Bodgeit and Scarper builders". If you send money via mobile phone to someone's number, you get that.

      If the owner of the account doesn't match what you're expecting, it gives you a 2nd thought. And if the scammers are going as far as getting the name to match the company they're impersonating, it's an extra thing where the bank ought to pick them up on it.

      1. Charles 9

        Re: There's a bit of commonality here - email

        Not necessarily. That could make them harder to pick up if they can tick all the boxes and pose near-perfectly as the actual firm. Some of the crooks are sophisticated enough to go that far.

      2. Red Bren
        Boffin

        Re: There's a bit of commonality here - email

        Not sure this "feedback" is feasible or legal.

        Unless you're transferring funds to an account at the same bank, your bank is not going to know the recipient details. Adding this functionality would fundamentally change the transfer process across the whole industry from batch to real-time, which would cost a fortune.

        It would breach the data protection act by sharing customer information with an unauthorised third party.

        It opens up a new fraud opportunity: submit a sort code & account number, get instant confirmation of the account holder's name.

        A better solution would have the payment system verify the supplied recipient name matches the actual account name. If you state your payment is going to the account of "Honest Bob's Solicitors", the payment should fail if the recipient account name is "Dodgy Dave Scammer"

        See point 7 on How Faster Payments Works

        1. Datahoarder

          Re: There's a bit of commonality here - email

          Thats actually how the system works by default. The receiving bank has the option to refuse the transaction if the data is not valid. The issue is that banks have given up on blocking payments if the names don't match because sheeple can't spell something without errors.

          For example a payment to "Honest Bob's Solicitors" would fail if the customer writes "Honest Bob's Company" or "Honest Bobs Solicitors","I DONT KNOW"or "THE COMPANY I BOUGHT THAT STUFF FROM"

          As someone who did customer service for a bank once, you'll have no idea how sloppy people are with bank transfers. One of the biggest call reasons are people who call that they accidently entered the wrong bank account details and now need to change it, DESPITE 3 SEPERATE PROMPTS IN LARGE LETTERS TO CHECK THE DETAILS BEFORE PRESSING SUBMIT and a warning that they can't reverse it afterwards.

          My entire family and I never created a transaction to the wrong person by accident. Some of the customers called about once every few weeks about a "accident".

          And by the way, just sending the money to a wrong or fraudulent account doesn't automatically mean the money is gone.

          There is a legal system thats quite adept at getting your funds back, at least here in Germany it's worth it for amounts of 100€+ in Germany and about 2000€+ worldwide. But oh no, better complain to the bank.

    2. JimmyPage
      Unhappy

      Re: There's a bit of commonality here - email

      Dead right. Now try and fix it.

      Encrypted and verified email would probably kill 99% of scams dead. But given how few *businesses* bother, you are never going to get the end punter to manage.

      Be aware that it's stories like this, which go to support a whole "it's better the government run the internet" sort of movement.

      Also, the dirty little secret, is a lot of scams rely on peoples naked greed - either by "saving the <insert local equivalent of VAT>", or promising something for nothing. And then there are the "victims" who - despite all the Daily Mail Sad Face - would would not have been victims if they had followed their banks instructions to start with. I am particularly reminded of a journalist who managed to write a 2-page story about an "incredibly sophisticated scam" which relied on said journalist GIVING THEIR PIN to the scammers. Remind me again about Bank Card Security 101 ????

      You can't protect people from their own stupidity or greed. Just can't be done. I'd rather we devoted out efforts to improving the lot of people who aren't greedy - as Einstein observed, there's little that can be done about human stupidity.

      1. Charles 9

        Re: There's a bit of commonality here - email

        "You can't protect people from their own stupidity or greed. Just can't be done. I'd rather we devoted out efforts to improving the lot of people who aren't greedy - as Einstein observed, there's little that can be done about human stupidity."

        Trouble is, human stupidity often has knock-on effects that extend beyond the stupid person. If we don't stop stupid people, society ends up with innocent casualties, and innocent casualties tend to raise the common's wrath. Raise it enough and things get ugly.

  11. irksum

    What about inside-jobs?

    A friend of mine wrote a cheque for a large sum which he knew had been received by the payee as they'd acknowledged it by letter, but a subsequent phone call (on the same day that said letter was received) from someone claiming to be from his bank told him that there was a problem clearing the cheque and that they'd have to take him through security, which, suspecting a scam, he played along with giving false info. Given the timing of the call, it could be argued that someone at his bank had tipped-off the scammers and if proven, then surely the bank _would_ be liable for any losses?

  12. mwnci

    If it's systemic then, its the Bank's fault/ liability, if they have failed to conduct their business with due regard and diligence...If it's the customer giving out their Pin or Password then it's their fault.

    Otherwise, we are in that space when someone leaves their front door unlocked, the Insurance company will be forced to pay out for the customers lack of due regard / Gross negligence.

    If you leave your car unlocked and it gets stolen, it's on you. The problem with Cyber / e-crime etc, is that it takes a Generation for the message to hit home.

    Look at Drink Driving, wearing seat belts in Car etc. It takes 30 years plus to make common knowledge common...Cyber crime is the same, there is no such thing as a NEW SCAM, just a new way of implementing an old scam.

  13. Anonymous Coward
    Anonymous Coward

    Banks can only do so much...

    ... their is a limit to what a bank can be liable for!

    The only thing one can expect from the bank is to have the persons money available at any time to be used, and to give it to the owner or to whom the person wants.

    This said, I think banks, world wide, are doing a really bad job at making sure every transaction is really valid. Why? Because they don't have proper, and exclusively dedicated, hardware just for that, like display the information really being authorized, to whom, how much, and allow the user to authenticate it self in a really secure way into the device (fingerprint + some password), so that they can be sure it was the user to authorize.

    Scams can still happen, if people are socially tricked to send to the wrong person, or if the person is threatened with death... but that isn't the banks fault! That may be something for the courts to decide, not the banks... the same way the same person could have give the money in paper and coins.

    The only thing people expect from the banks is: only give my money to other or to me, when I request/ authorize that explicitly! Simple.

    1. mwnci

      Re: Banks can only do so much...

      @ ANON - "Allow the user to authenticate it self in a really secure way into the device (fingerprint + some password)," that's kind of nonsense as you aren't appreciating that a Fingerprint is nothing but an Electronic signature, or a method of generating one. If there are flaws in it's implementation, or ill-considered design or imperfect code (and there always is) then there is always the risk it can be tampered with, bypassed, replayed, usurped or injected.

      Equally "The only thing people expect from the banks is: only give my money to other or to me, when I request/ authorize that explicitly! Simple." That's exactly what happens, other people get inside the authorisation loop, whether it's forging Cheques, or stealing passwords / PIN numbers, or passing IDV on the Phone. It's the integrity and authentication of the transactions that is key.

      As a reality check, security does not exist, at best it's a simple adjective for talking about the concept of RISK. Financial Institutions deal in risk, e.g for a Certain amount of Profit, X amount of fraud exists, consider it like waste in manufacturing. You need to factor in how much you will tolerate, and how much you will not, as by going too draconian, you throw good money after bad e.g Why prosecute a £500 fraud, if it will cost you £250,000. Equally if it's too much the other way, you make huge losses or go out of Business.

      The most interesting development is the Cipher-Block-Chaining / Public ledger architecture of BitCoin and things like Ethereum, which will make possible transactions with considerable levels of integrity built into the transactional system. Equally, utilising the future possible use of Quantum Key Encryption, means that Key's will rotate if view by a 3rd party (e.g Man-in-the-middle-attack) and rotate and therefore make it clear to party B, that party A's transaction has been intercepted. Really Cool Stuff IBM is working on....http://www.research.ibm.com/quantum/

      1. Charles 9

        Re: Banks can only do so much...

        "You need to factor in how much you will tolerate, and how much you will not, as by going too draconian, you throw good money after bad e.g Why prosecute a £500 fraud, if it will cost you £250,000. Equally if it's too much the other way, you make huge losses or go out of Business."

        And what happens when the two start overlapping, such that the happy medium turns into the UNhappy medium?

      2. Johnnicei

        Re: Banks can only do so much...

        Finger readers have been around for a long time, but it can be some iris scanner, blood analyzer, or anything else physical PLUS something you know like a password. The physical finger would be for example the first authentication and only then go to the password... this way it should be secure... if correctly implemented...

        This would be some kind of HSM (Hardware Security Module), but in a format of some credit card sized calculator with touch screen to display the information to be authorized in it self.

        Can it contain flaws? Absolutely... specially if they are made in some country's that almost require it (like say: China, EUA, Israel, UK, France...)... but if not, it is such a dedicated hardware that doesn't need to include third party software "add-ons" so it can really be secure... and several company's could be contracted to do security audits (design/ implementation/ code) to make sure of that.

        Security can exist but just in some narrowed parameters, at least in computing technology (and yes, subject to knowledge and technological evolution).

        The problem of the frauds is not about the bank, but about the clients! When someone money is stolen, and the banks says it is the client fault, even if the client couldn't have done nothing to prevent (like say: data stolen from his debit/ credit card by wireless readers... because of that NFC technology that banks almost oblige into their clients.. and many banks say that you either accept the card or you don't have any card at all.. just search youtube and you will be amazed with how easy it is to stole debit/ credit card this days with this NFC "wireless" cards)... then the costumer will loose the money, and forget the insure... it is almost impossible to have the money back... you have to proof beyond any doubt and most likely go to the courts... depending in your country you may never see the money! And for some people £50 is nothing, to others can mean that they won't eat that week.

        Bitcoin kind of money transfers, if really improved to be really secure/ private/ safe, it would be a good idea... but for now it doesn't seem it will happen.

        The Quantum algorithms security remains to be seen... problems seem to keep popup every time someone really decides to give it a closer look... but some seem better then others, eventually something will come... probably from NSA to make sure their is a backdoor into everyone devices like now with NIST P-256 and NIST P-384 (the only one that seems ok "NIST P-521" has mysteriously disappeared from almost every browser support for example... because the spy agency says aes256+sha384+NIST P-384 would be just fine... if the SPY agency says that and is job is to spy... and everyone else (NIST and Ecrypt II) says to have 256 bit security you need AT LEAST 512 bit hash and 521 bit elliptic curve... I would see the recommendation of the 384 bits with very concern! But apparently I'm the only one.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like