This article is from the source 'guardian' and was first published or seen on . It last changed over 40 days ago and won't be checked again for changes.

You can find the current article at its original source at http://www.guardian.co.uk/technology/2012/sep/27/automated-calls-fraud-banks

The article has changed 3 times. There is an RSS feed of changes available.

Automated calls, fraud and the banks: a mismatch made in hell
Computers that make calls to check for credit or debit card fraud are infuriating – and they don't even make your money secure
My wife tells me that I make a rather comical sight when I start shouting at the radio. I must have been the picture of sheer hilarity this week as I listened to discussion about automated fraud-checking calls on Radio 4's Money Box and ended up yelling my head off.
You know about fraud-checking calls, of course. Whenever you do something unusual with your money, like try and close on a house purchase, transfer funds to a loved one who's lost everything while abroad, or buy a major gift for a very special occasion, the transaction is often followed by a call from your bank, demanding that you verify your identity to them, handing over all sorts of personal information to a total stranger who's rung you up out of the blue. Then they tell you that they've noticed something amiss, and is your card in your possession, and did you really just try and transfer a thousand pounds to Lagos?
The banks, bless them, are only trying to prevent fraud, but this is a pretty silly way of going about it. For starters, there's the business of calling up people and asking them to give you all the information necessary to prove that they are indeed a bank customer – all the information that a fraudster needs to impersonate that person at the bank, in other words. The banks have spent decades systematically conditioning us to give our personal information to fraudsters, which is a strange way to prevent fraud.
But at least this silliness had one saving grace: a fraudster can only make so many calls per day, and so the scope of losses from such a programme of bad security education is limited by the human frailties of con-artists.
Enter the robo-caller. The banks are now outsourcing their fraud prevention to computers that can make dozens of calls all at once, around the clock, fishing (or phishing) for someone who just happened to have made an unusual purchase and is thus willing to spill all his details down the phone to get it approved. Note that most of the categories of purchase that trigger false positives from fraud detection systems are also the sort of thing that customers are anxious to see go off without a hitch. The unusual and the urgent often travel together.
Money Box took up the question of robo-calls on 22 September, with a series of finance industry executives explaining their position on robo-call anti-fraud systems. As Money Box pointed out, customers don't know what automated fraud prevention calls are supposed to sound like, or which questions are supposed to be asked. What the programme missed is that even if this were common knowledge, it would be trivial to build a homemade robo-caller that perfectly mimicked the calls and set it loose to call around the clock, to many victims at once.
Santander's statement was that the system allows it to "reach more customers, more quickly, all at the same time". It didn't mention that it's a lot cheaper than paying humans to make those calls, of course. On the other hand, it invited its customers to opt out of the service. But a customer that doesn't even know the service exists won't opt out of it – and if a customer's first experience with a robo-caller is with a fraudulent one, they won't have had a chance to opt out until it's too late.
But Nationwide's answer was even worse: it recommended that customers verify a call by looking up the number displayed on their phones online and checking that it belongs to the bank. Apparently, no one has told Nationwide that the displayed number (the caller ID, or CLI) is supplied by the caller's own equipment, so any fraudster running a robo-caller can transmit any return number they like, including the bank's genuine one.
It got even worse. A spokesman from UK Payments assured the host, Paul Lewis, that the banks' services are secure because they ask you to choose from a list of dates of birth, and "only your bank would have that information about you". Someone needs to tell UK Payments that dates of birth aren't secret – they're matters of public record. What's more, if your date of birth ends up in the hands of an identity thief, you can't change it, making it completely unsuited as a means of authenticating oneself to a bank. Our passwords shouldn't be issued to us at birth, one to a customer, without any means of changing them.
Lewis quizzed UK Payments' spokesperson on the efficacy of the banks' fraud prevention systems, and forced him to admit that there isn't any hard data to support the thesis that the banks are good at automatically detecting fraud. In the end, the representative was left insisting that the banks' systems were "quite successful at detecting very unusual transactions".
Well, yes. Computers are good at detecting unusual things. And if you block every unusual transaction, you will block almost all the fraudulent ones, too. You'll also produce a service that will strand your customers in emergency after emergency, by forcing them to go through a tedious authentication dance every time they stray from their usual routine, including when the unusual transaction is the result of an unusual circumstance, such as a personal tragedy.
When banks had to pay a salaried employee to make each call, they had to limit themselves to making checks on unusual transactions that were also "funny" – a bit off. Now they've automated the systems, they can twiddle the false-positive dial all the way over to "Kafka-esque nightmare" without having to pay a penny more. They've managed to externalise the whole cost of sorting out real unusual transactions from fake ones to their customers.
This is a security measure. It secures the banks' profits. But as a means of securing your money, it's a nonsense.
Here's another way of designing this protocol, one that won't cost the banks any more to operate. When the bank detects a potential fraud, it calls you, and a robot says, "Look up the lost-or-stolen-card phone number printed on your credit card or debit card. If you can't find it, please consult our website. When you get through, please key this case number into your phone." Job done. The inbound call carries nothing worth stealing, and you only ever authenticate yourself on a line that you chose to dial. In order to spoof this system, you'd need to hack the bank's website and/or change the printing on the credit cards already in people's wallets.
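The following is an added example, not code from the column or from any bank: a toy model of the two verification policies the piece contrasts, Nationwide's "check the displayed number" advice and the callback-with-case-number protocol proposed above. The bank, the attacker's robo-caller and the phone network are stand-ins, and the printed number, account id and case-number format are assumptions. The one property it relies on is real: the number a handset displays for an inbound call is chosen by the caller's equipment, whereas a number you dial is routed by the network to whoever actually holds it.

```python
"""Toy model: trusting the displayed caller ID versus calling back the printed number.

Constructed for illustration; the bank, attacker and network below are stand-ins,
and every number and identifier is an assumption, not data from the article.
"""
import secrets
from dataclasses import dataclass

BANK_PRINTED_NUMBER = "0800 000 0000"  # assumed: the number printed on the back of the card


@dataclass
class InboundCall:
    """An unsolicited call as the customer's handset sees it."""
    origin: object        # who actually placed the call (the handset cannot know this)
    displayed_cli: str    # caller ID shown on the handset; set by the caller's own equipment
    case_id: str          # case number the robot reads out


class Bank:
    def __init__(self):
        self.pending = {}            # case_id -> (account, description of the flagged transaction)
        self.received_details = []   # accounts whose identity details were spoken to us

    def flag_transaction(self, account, description):
        """Fraud engine fired: open a case and robo-call with nothing but a case number."""
        case_id = f"{secrets.randbelow(10**8):08d}"   # random, bound to the account server-side
        self.pending[case_id] = (account, description)
        return InboundCall(origin=self, displayed_cli=BANK_PRINTED_NUMBER, case_id=case_id)

    def customer_speaks(self, account):
        self.received_details.append(account)

    def handle_callback(self, account, case_id):
        """Customer dialled the printed number: identity checks happen on this channel, not the inbound one."""
        self.customer_speaks(account)
        entry = self.pending.get(case_id)
        if entry is None or entry[0] != account:
            return None               # unknown or mismatched case: nothing to confirm
        return entry[1]


class RoboScammer:
    """Attacker's robo-caller: can dial anyone with any CLI, but holds no bank phone number."""
    def __init__(self):
        self.received_details = []

    def place_call(self, spoofed_cli):
        return InboundCall(origin=self, displayed_cli=spoofed_cli, case_id="FAKE-0001")

    def customer_speaks(self, account):
        self.received_details.append(account)


class Pstn:
    """Dialled numbers route to their holder; the CLI on inbound calls is not verified."""
    def __init__(self, bank):
        self.directory = {BANK_PRINTED_NUMBER: bank}

    def dial(self, number):
        return self.directory[number]


def policy_trust_cli(call, account):
    """Nationwide-style advice: if the displayed number is the bank's, answer the questions."""
    if call.displayed_cli == BANK_PRINTED_NUMBER:
        call.origin.customer_speaks(account)   # whoever really called now holds the details
        return True
    return False


def policy_callback(call, account, pstn):
    """The column's protocol: say nothing inbound; dial the printed number and key in the case."""
    bank = pstn.dial(BANK_PRINTED_NUMBER)      # routing, not the displayed CLI, decides who answers
    return bank.handle_callback(account, call.case_id)


def run_scenarios():
    bank, scammer = Bank(), RoboScammer()
    pstn = Pstn(bank)
    acct = "acct-1234"

    # 1. Trust-the-CLI policy against a spoofing robo-caller: details go straight to the attacker.
    spoofed = scammer.place_call(spoofed_cli=BANK_PRINTED_NUMBER)
    cli_fooled = policy_trust_cli(spoofed, acct)
    leaked_via_cli = acct in scammer.received_details

    # 2. Callback policy: a genuine alert is confirmed; the spoofed call yields the attacker nothing.
    leaks_before = len(scammer.received_details)
    genuine = bank.flag_transaction(acct, "GBP 1000 transfer to Lagos")
    confirmed = policy_callback(genuine, acct, pstn)
    spoof_result = policy_callback(spoofed, acct, pstn)
    leaked_via_callback = len(scammer.received_details) > leaks_before

    return {
        "cli_policy_fooled": cli_fooled and leaked_via_cli,
        "callback_genuine_confirmed": confirmed,
        "callback_spoof_confirmed": spoof_result,
        "callback_leaked_to_attacker": leaked_via_callback,
    }


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

One caveat the model deliberately leaves out, and which is not from the column: on some landlines an attacker who keeps the original call open can hold the line and play a fake dial tone, so the callback should be made from a different phone or after the line has audibly dropped. The protocol's strength is not the case number, which is public the moment it is read out, but that the customer never says anything secret on a call they did not originate.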
If the banks cared about preventing fraud – as opposed to minimising the expense that their shareholders bear as a result of fraud – they'd do this or something very like it.