Experts are worried about a recent rise in online fraud, but the banks assure us their services are safe. By Clare Francis
EXPERTS are warning of the risks of online banking as criminal gangs target customers by sending bogus e-mails – a technique known as “phishing”.
Messagelabs, an anti-virus company, has reported a surge in phishing e-mails over the past 12 months. In August last year, Messagelabs intercepted just 14 phishing e-mails; it now stops about 250,000 a month.
The e-mails purport to be official bank requests. They ask customers to confirm their online banking details either by e-mail or by entering them into a website.
The e-mails are becoming more sophisticated. The early ones were relatively easy to spot as fakes. These days they often carry a bank logo and a website link. If you click on the link, you seem to go through to the bank s genuine website. If you are asked to enter your Pin number or password in full, this is proof that it is not genuine banks only ever ask for certain digits for verification purposes.
Last week the National Hi-Tech Crime Unit and Association of Payment Clearing Services (Apacs) issued a joint warning about another trick.
Criminals send e-mails containing details of a fictitious order for computer goods and thank the recipient for a non- existent order. The e-mail also displays the apparent cost that will be charged to the recipient s credit card and contains a link to a web address so that the order can be viewed.
If the recipient is duped into visiting the site from an unprotected computer, a code known as the Trojan is then downloaded into the victim s system. Each time the customer uses the computer to log on to his or her online bank, the Trojan captures key strokes and can, therefore, potentially record secret passwords and Pins.
Some experts believe that online banking is unsafe. Professor Neil Bennett, a specialist in computer criminology, said: I don t bank online and you won t find many people in the information-technology community that do because it is relatively easy to hack into a bank account.
The banks have beefed up their own security to combat fraud, but customers are vulnerable. Dave Martin at Logica CMG, an IT company, said: The banks systems are pretty secure, which is why fraudsters are targeting customers they are the weakest link.
The banks alert customers to the risk of fraud by posting messages on their websites and cash machines. A spokesman for Halifax said: Online banking is safe the bank s website is totally secure. However, hackers rely on holes in the security of your own computer. It is therefore essential to ensure that you install a personal firewall and have an up-to-date anti- virus and security system. Any customer who is a victim of online fraud is protected by our online guarantee. If they have not broken the terms and conditions of their account, any financial loss will be refunded.
Under the terms of the banking code, you must not write down your Pin or divulge it to anyone. If you do, your bank may refuse to cover any fraudulent use. However, the banks say you would be protected if caught by a phishing scam.
It is not just about money. If you are the victim of fraud, it can be traumatic. Neil Munroe at Equifax, a credit- reference agency, said: Even if you get your money back, the problems can go on and it is very unnerving not knowing if the criminal will use your details again. It can take victims up to 400 hours of work to resolve problems caused by fraud, which can be very distressing.
About 13m people bank online and internet fraud cost the banking industry more than 45m in 2003. Bennett said: The banks want to encourage online banking because the cost for a bank of an online transaction is much lower than one in a branch. It is therefore essential to make it more secure.
Criminals also use crafty techniques to obtain credit-card details. Say, for example, you book a table in a restaurant and give your contact details. You then pay for the meal with a credit card. Fraudsters can get hold of your telephone and card number through a corrupt member of the restaurant staff.
A few days later you get a call, apparently from the card firm, claiming there is a problem with a payment you made in the restaurant. The criminal is convincing because he or she has your details. All that is needed from you is further verification such as the security code on the card, your address, or date of birth.
Counterfeiting is one of the most common types of card fraud. A person s card is skimmed using a special machine that downloads the information on the card so that a replica can be made. Skimming often occurs in restaurants, petrol stations and shops.
Debit cards can be cloned at cash machines. The fraudsters attach a skimming device to the card entry slot in the machine and hide a mini camera, overlooking the Pin entry pad. The criminals can not only replicate the card, they can also find out the Pin, enabling them to use it to withdraw cash.
Chip-and-Pin cards are designed to combat this type of fraud. Your details are held on a chip rather than a magnetic strip, making cards harder to copy.
Card-not-present transactions, where a criminal uses your credit-card details to make a purchase over the phone or internet, are now the costliest type of fraud. Gangs can hack into the databases of retailers and obtain the credit-card numbers of all the people who have bought something using a card.
Bennett said: In some cases, they are then able to hack into the card issuer s database as well. They can get hold of thousands of credit-card numbers at a time, and sell them on to criminal gangs for 1 a number.
The fraudsters then look for websites that will enable them to use the cards without further verification. The Sunday Times has been notified of a number of cases where people s cards have been used to place online bets. Fraudsters pay any winnings into a separate account.
Anita Williams at Barclaycard said: Criminals place a bet on every horse in the race using different cards to make sure they back the winner. The industry is looking at changing the law so that winnings could only be paid back on to the card, which would ensure there was no benefit to the fraudster.
Bankwatch 