Skimming off the top

Police are facing new and complex challenges with identity theft and financial fraud at record levels and social media becoming a ‘hunting ground’ for fraudsters.

Username and password authentication remains de rigueur for verifying identity online, yet most security analysts accept that it is “about as waterproof as an open window”. Many financial organisations now consider biometric-based solutions to be one of the most “promising additions to current authentication methods”, if not a complete replacement for them.

Lloyds Banking Group has been trialling ‘selfie’ technology to enable Bank of Scotland customers to “open a current account seamlessly online”. Customers applying online will be able to complete a simple step-by-step application process to open a current account and take pictures of their UK driving licence or passport, together with ‘selfie’ images to confirm their identity.

HSBC and Barclays, meanwhile, are using voice biometrics to establish the identity of customers, while Santander is the first provider to launch voice-activated payments in the UK. The bank’s smartphone app also allows customers to see their recent transactions and report a lost card, just by talking to their phone, but users will still have to log into the app ‘manually’ using their passwords.

“For most banks, traditional online authentication boiled down to a choice between ‘effective’, ‘easy’ and ‘low friction’, where you can pick only two options. The option usually left out of the mix, was customer experience,” explained Robert Capps, vice-president at the behavioural biometrics company and fraud mitigation specialist NuData Security.

“Banks, in particular, need to provide customers with security reassurance, the security guard at the front door, if you will. Username and password authentication, layered with varieties of 2FA (two factor authentication) provide some of this visual reassurance, but do little in the way of actual security – and banks know that customers also require real protection too.”

He added: “The username and password authentication framework is still the sole method of verifying consumer identity in many non-face to face transactions. The problem with it is that it’s proven to be about as waterproof as an open window. Multiple ongoing breaches, with hundreds of millions of lost records, should be enough to give question to its validity as a valid authentication method.”

Latest figures from Financial Fraud Action UK show financial fraud losses across payment cards, remote banking and cheques totalled £768.8 million in 2016 – more than £2 million a day and an increase of two per cent on the previous year.

The new data also shows banks and card companies prevented £1.38 billion of fraud last year, equivalent to £6.40 in every £10 of attempted fraud being stopped.

Financial Fraud Action UK says impersonation and deception scams, as well as online attacks to compromise data, continued to be the primary drivers behind financial fraud losses in 2016. In all of these methods criminals target personal and financial information, including card data, which is then used to facilitate fraud.

Katy Worobec, Director of Financial Fraud Action UK, says banks take the threat of fraud extremely seriously and “continuously invest in advanced detection and verification systems to protect customers”.

“At the same time, criminals continue in their attempts to circumvent this security by targeting customers for their personal and security information,” she added.

Ms Worobec said “collective action” was needed with banks, police and customers all playing their part.

“The payments industry can’t stop all fraud on its own, so it’s essential that every organisation with a role to play unites to tackle it. We are particularly working with law enforcement and government, through the Joint Fraud Taskforce,” she explained. “Across the industry, and with partners, we are developing new processes to help police intervene when potential victims visit a bank branch, and we are exploring new ways to