UK banks have reported a 55% increase in losses from fraudulent online transactions for the first half of 2006, with phishing mostly to blame.
According to the Association for Payment Clearing Services (APACS), losses totalled £22.5m, up from £14.5m in the first six months of 2005.
The figures underscore banks’ continuing problems with phishing, which involves criminals trying to capture financial details through fraudulent e-mails and sophisticated fake banking websites. Account numbers, log-ins and passwords are often sold to other fraudsters who try to turn them into profit.
Consumer behaviour continues to be a problem, with more than half of consumers who shop online failing to verify that e-commerce sites are using a secure connection, often shown by an "https" in the URL or a padlock in the Internet Explorer browser, APACS said.
Donal Casey, security consultant at Morse, warned that phishing attacks will continue to rise, and as fraudsters get more sophisticated, measures such as using anti-spam and virus technology won’t be enough to protect consumers.
Some banks are starting to put in place two-factor authentication technology, where customers are provided with a unique log-in number through either a token or their mobile phone, which they use to log in to their bank account. But there is some evidence from the US that the hackers are already one step ahead of that, too, with their covert code ‘phoning home’ to the criminals for new instructions on how to continue the attack.
If consumer behaviour continues to be a problem, with 50% of consumers failing to verify that sites are secure, then the banks and security software specialists have failed to get their message across, and the consumers have also failed to understand the threats. What has been suggested is that some banks may in future refuse to cover consumers’ losses if they don’t practise ‘safe-security’.
That may concentrate their minds.