Police not acting on P2P Fraud cases

And isn't helped by these comments, which I partially agree with for customers that have acted stupidly (such as responded to a phishing scam, or voluntarily transferred funds to a stranger), but it sets a very dark tone. More encouragement for fraudsters, than banks:



"Met chief suggests banks should not refund online fraud victims"

gu.com/p/4hzkn?

The Met chief should be encouraging banks to have properly secure financial systems that are secure based on today's threats, notably things like man in browser attacks (where the web browser can do things in the background after you have logged in) or where computers can be completely compromised in other ways so that nothing done or held on the computer itself can be trusted to be the customer.

This means at least one form of authentication not relying on the computer or customer alone, like a text message or code generating device that links the authentication code to the specific payee so a different payee can't be used with it.

Antivirus software is irrelevant. If a virus lets a computer be compromised to the point that a fake transaction happens it's just a sign that the bank was negligent in its security system design. The threats are known, so are the solutions, and blaming the customers isn't one of them.

As a bonus banks might stop training their customers to click on email links to fraud sites by not sending links in their own emails.

This isn't a hopeless case. A few years back First Direct introduced a PIN generator system that didn't link the PIN to any particular transaction, so a fraudster with a compromised browser in their control could use the PIN to do any transactions they wanted once it was entered. A year or so later after complaints they changed to one that linked the PIN to the destination of the money.

And of course P2P can do things but your background already means that you know about things like delaying payments or adding adding other authentication after changes in account money is being withdrawn to.

Faking caller id whilst not trivial isn't exactly impossible either. I would not trust that number read out. The person who initiates the call should prove they are who they claim to be. How they do this could vary. Ringing them back* on a known good number could be part of this.

*carefully. Watch out for people who ask you to call back on a landline and don't close the line. Solutions include using a mobile or ringing your mobile from the landline first to check it rings are simply ways to help protect against that.

Some years back First Direct called me in the week before my mortgage was due to be advanced. Started out by asking for my date of birth to authenticate me, I said sorry, I wouldn't respond because they hadn't authenticated themselves with me so I didn't know it was really them. They switched to leaving a note in my customer record asking for what they were after so I could call in on the usual number and get it. Since I knew the call was probably legitimate I did mention in the first call that I'd probably provide the information they were after later in the same day and did end up doing that. Was one of the checks for updated statements that happens sometimes for auditing or just if it's been a while since acceptance of an offer and advancing the money.

If they hadn't responded so rapidly with the change of approach I'd have asked them to add up the day and month of my birth date and tell me the total as a start to authenticating. That does't disclose either of the original numbers but it'll usually be wrong if someone is just guessing.

Forgive me for what might sound like a stupid point, but... if the police aren't interested in pursuing economic crime like this, shouldn't private prosecution be considered by the industry? I appreciate it's an additional unwelcome cost, but it would put platforms on the offensive. Presumably provisional funds might address the (admittedly, not insignificant) costs associated with such action.

That wonderful champion of the people (as long as you meet their demographic) have written a piece on this:

www.thisismoney.co.uk/money/news/article-3536632/You-conman-raids-bank-account-fraud-epidemic-sweeps-Britain-just-two-1-000-cases-investigated.html


As a fraud epidemic sweeps Britain, just two in 1,000 cases are investigated

"The Daily Mail says victims of banking fraud are being let down by the authorities. More than seven out of 10 victims are told they are to blame for falling victim to fraudsters who empty their accounts. Others are being blamed for giving passwords to conmen or using out-of-date antivirus software on their computer. Instead of offering refunds, banks tell victims to contact Action Fraud, the national cybercrime reporting centre. But eight out of 10 fraud cases referred to Action Fraud are binned. Its call centre with only 72 staff has to deal with 30,000 calls a month, of which only 6,000 are passed to police. And only 1% of cases received by the police are then investigated. Banking fraud is now increasing by 72% a year, with losses in 2015 reaching £755m.
"

In Germany there is a p2plending fraud case where the suspect(s) are in pre-trial custody since 2014:

www.p2p-kredite.com/diskussion/viewtopic%2cp%2c64516.html#64516

[Admin Note]

wiseclerk I've had to replace the commas in the link with the html hex character code %2c to get it to render correctly