Friday 25 January 2013

The banks can do more

Last week I wrote about how you and I must do everything we can to protect our identity. I didn’t mean in some philosophical, existential way, I mean purely practically. I meant our banking and online identities.

Your bank cards are extremely dangerous things. I don’t just mean that you can go crazy when you’re spending, they’re also a serious crime risk.

You’ll have heard about the crooks that place a secret camera on the ATM that watches and records the keys you press on the ATM key pad. They then use a simple card reader that they insert into the slot where you slide your card and they can quickly produce both a copy of the magnetic strip on your card AND your PIN. Minutes later and they can have a replica card and your money will disappear as quick as a flash.

The simplest way to prevent all of this happening is to treat your PIN the way you would treat cash. Don’t let people you don’t trust look after it for you and, above all, don’t leave it lying around. Every single time you enter your PIN into an ATM or a point-of-sale device in a store or restaurant, cover your hand as you type in the number. Ideally you shouldn’t even be able to see your fingers yourself. If you can’t, then nobody else can and without your PIN a skimmed card is useless.

Critically you shouldn’t ever allow your card out of your sight. There are plenty of cases of staff in restaurants being part of the crime, having been taught by their criminal friends how to copy the card and can then watch as you enter your PIN. You should never let your card out of your sight. Never.

It’s just as risky online. “Phishing” is the latest online way of stealing your identity.

The crook emails his victim, or perhaps a million of them at once, saying that the security of their bank account has been compromised. The email advises them to click on a link in the email to reactivate their account. That link goes to a very cleverly crafted replica of the genuine banking web site, not the real one.

Once there they’ll be asked to enter their user User ID, password and often their PIN. They sometimes even ask for a whole range of other things including all the details often used to prove their identity like their address, date of birth and passport number. 

Not surprisingly many, many people naively enter these details, not realising that they’re giving away their online identity.

Within moments a crook in a far-flung country will have signed onto their bank’s web site, signed on to their account using their identity and, before you know it, will have done their best to transfer money out of their account.

To their credit the banks have been working hard to do this. My bank, for instance, doesn’t allow me to create a new recipient of money without sending a message to my cell number that I then have to enter onto the web site. Without my banking details, my user id, password and my cellphone it’s much harder for a crook to take my money and pay yourself.

However, the banks need to do more. In Europe and even in South Africa banks have introduced “Chip and PIN” cards. Instead of the traditional magnetic strip, these have a tiny microchip embedded in the card. The advantage is that these microchips are much harder to copy than the old magnetic strip giving you an added level of protection

Unfortunately we’re lagging behind, yet again.

The future is even more advanced. The biggest problem with chip and PIN cards is that they still have the magnetic strip because certain countries, most notably the USA, still use them in ATMs. It’s ironic that the supposed technological world leader is lagging behind. The result of this lag is that even newer techniques are being investigated.

The BBC reported recently on ATMs in Japan and Poland where you identify yourself using your finger. Not your fingerprint but the pattern of blood vessels inside your finger which is apparently more personal than a conventional fingerprint.

However none of this helps prevent one of the biggest area of digital crime, the internet. More and more of us are buying things on the Internet and that’s a situation when PINs, signatures, magnetic strips and microchips can’t help.

The bad news is that the fight against crime is an on-going, never-ending, constant battle. Every new thing that the banks invent to help protect us (and them) is going to be cracked by the crooks.

The biggest challenge that you and I face with our cards, other then the crooks themselves, is the banks themselves. Our banks make it very clear that unless we can prove a fraud was their fault then it was our fault. Given that it’s almost impossible to prove it was their fault you and I are in a very difficult position.

But that’s changing. Not yet in Botswana, but elsewhere, in the countries we usually follow. In 2009 in the UK their Financial Services Authority introduced new Payment Services Regulations. These turn the tables completely. In the UK it’s now up to the bank to prove that the customer was at fault. The FSA stated that "It is for the bank […] to show that the transaction was made by you, and there was no breakdown in procedures or technical difficulty" before they can hold you responsible.

We should be pushing for the same here. While the banks are doing some thing to protect us, there is a lot more they can do. They could at least catch up with our foreign cousins and put their customer’s needs above their own.

No comments: