What are banks doing to protect consumers from fraud?

By Marianne Curphey

Bank and card fraud is big business. Successful hackers can steal money from bank accounts in a matter of minutes, and siphon off millions of pounds in a matter of hours.

Banks have ways of protecting you - but are they enough?

Tesco Bank is proof that fraud schemes can be successful. The bank ended up paying out an estimated £2.5 million to 9,000 customers after being hacked in late 2016.

The Financial Conduct Authority is conducting an investigation, but security experts say banks and card companies are constantly under threat from sophisticated scams and hackers from around the world.

What protections do banks have in place?
In an attempt to thwart attacks, banks and card companies use complex software that builds neural networks around credit and debit card spending to try to distinguish between fraud and genuine spending, says Martin Warwick, security expert with FICO.

An analytic called "behaviour sorted lists" looks for patterns in the way you use your card.

"If you visit three or four ATMs in a row, then that would flag up as suspicious and would score highly, and the bank would most likely contact you," says Warwick.

Each customer has a "behaviour profile", which is updated with every transaction and enables your spending behaviour to be analysed and modelled. Any unusual transactions are flagged and the software sends an alert to question whether a fraudster has compromised your card.

On a large scale, it also profiles the weekly transactions in every shop, so it can pick out fraudsters among the genuine customers.

"Some merchants experience higher levels of fraud and attempted fraud than others, often because of the type of products they sell," Warwick says.

Richard Squire, managing director of Synechron, a digital business consulting and technology services provider, said banks and other new entrants to the financial services market are developing artificial intelligence techniques including "data science and machine learning" to assess card transactions against normal spending patterns to better recognize fraud.
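
The per-customer "behaviour profile" and the consecutive-ATM flag described above can be sketched in a few lines. This is an added example, not code from FICO or any bank: it swaps plain running statistics in for the neural networks the article mentions, and the class name, thresholds, one-hour window and sample transactions are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from math import sqrt

# Assumed thresholds; the article gives none beyond "three or four ATMs in a row".
ATM_LIMIT, ATM_WINDOW = 3, timedelta(hours=1)
Z_LIMIT, MIN_HISTORY = 3.0, 5

@dataclass
class BehaviourProfile:
    """Hypothetical per-customer profile: running amount statistics plus recent ATM visits."""
    n: int = 0
    mean: float = 0.0
    m2: float = 0.0                      # running sum of squared deviations (Welford)
    atm_times: list = field(default_factory=list)

    def score(self, when, amount, channel):
        """Return the reasons this transaction looks unusual, then learn from it."""
        reasons = []
        if channel == "atm":
            # Keep only ATM visits still inside the window, then add this one.
            self.atm_times = [t for t in self.atm_times if when - t <= ATM_WINDOW]
            self.atm_times.append(when)
            if len(self.atm_times) >= ATM_LIMIT:
                reasons.append("atm_velocity")
        if self.n >= MIN_HISTORY:
            std = sqrt(self.m2 / (self.n - 1))
            if std > 0 and abs(amount - self.mean) / std > Z_LIMIT:
                reasons.append("amount_outlier")
        # The profile is updated with every transaction, flagged or not.
        self.n += 1
        delta = amount - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (amount - self.mean)
        return reasons

def run_sample():
    """Score a constructed transaction history; return (index, reasons) for each flag."""
    t0 = datetime(2016, 11, 1, 9, 0)
    day, minute = timedelta(days=1), timedelta(minutes=1)
    txns = [(t0 + i * day, amt, "pos")
            for i, amt in enumerate([12.50, 8.20, 15.00, 9.80, 11.40, 13.10, 950.00])]
    txns += [(t0 + 7 * day + k * 10 * minute, 20.00, "atm") for k in range(3)]
    profile, flagged = BehaviourProfile(), []
    for i, (when, amount, channel) in enumerate(txns):
        reasons = profile.score(when, amount, channel)
        if reasons:
            flagged.append((i, reasons))
    return flagged
```

Because this profile learns from every transaction, the £950 outlier in the sample widens the spread that later amounts are judged against.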

Are banks' efforts enough?
Andre Kay, managing director of RFID shield company VoyagerBlue, believes banks are not doing enough to protect consumers. He has spent many years patenting and supplying solutions to prevent access to contactless documents.

"When you look at what happened to Tesco Bank, it's clear that banks need to do more," Kay says. He points to the dangers of contactless tap-and-go cards in particular, which you can use for small transactions with no PIN or signature.

"Contactless cards and credit cards are designed to enable purchases to be virtually instantaneous," he says. "The objective is to reduce queues. However, if you lose your purse and wallet and you have a contactless card inside, it's free for the thief to use until you realise it's gone."

How hackers target customer accounts
Lev Lesokhin, security expert and senior vice president of strategy and analytics with CAST, specialists in software analysis, says hackers try to infiltrate banks and card companies in two key ways.

First, they are trying to get into the internal system by finding a way through the perimeter wall of security (known in the trade as "perimeter attacks").

Next, cyber criminals who have already broken through the security walls attempt to manipulate the system from within, sometimes planting malicious software within the system and leaving it dormant until they are ready to strike.

"It is so easy to get an employee to click on something that downloads malware onto the network, or for someone at the company to respond to a phishing email by mistake," Lesokhin says.

He said banks see hundreds of attacks coming at them all the time.

"Most of it is attempts at breaching the perimeter, but if hackers might get past the perimeter defences, organisations need to make sure that everything inside them is encrypted all the time."

He says data protection and data handling are part of the bigger picture of how financial services companies protect consumers.

"There is a lot talked about how customers compromise security via social media, but even if you publish your own banking password on Facebook it is not going to affect anyone else - just you," he says. "The real issue is how large amounts of data are protected by the banks themselves."

Published: 22 December 2016