Sunday, 27 March 2016

An Open Letter to Mr Bernard Hogan-Howe

http://www.moneysavingexpert.com/news/protect/2016/03/stop-refunding-victims-of-online-fraud-police-chief-tells-banks

Mr Bernard Hogan-Howe recently stated that victims of online fraud should not be refunded. It worries me that a man of your power and position is incapable of understanding that being safe from fraud is not just a case of updating your software. The biggest factor in any hack is the human factor. The attacker is specifically hoping to take advantage of a weakness, whether he may pretend to a relative of the victim, or targets an employee of the financial institute to bypass any protection procedures in place. It's common knowledge that in order for a claim of fraud to go through, and to protect the bank from malicious users, banks must do everything to protect their customers, in this case it could mean asking for additional confirmation with unfamiliar transactions. The user also has to show there was no negligence, e.g. pins were covered. The banks should be the people trying to prevent the fraud happening in the first place. If somehow the user has committed fraud, does that not point to flaws in the detection of these crimes? If the banks did their job, they would be able to stop these transactions going through in the first place. 

People get smarter, they learn from their mistakes. The same thing happens with criminals. Credit card fraud isn't a small crime. It's big, there are gangs making millions. Do you really think that your systems would stop them? They've been milking your financial institution for ages, yet not one company has looked at resolving fraudulent transactions, or at least looking at how to reduce them.

I know certain online payment methods ask for additional verification when completing transactions, so why can't this be done for banks or online credit card payments? It's not always the user that is at fault. No matter how good your software is, or how good you think you are with your personal information, these people have proven time after time that your virtual security does not mean anything. If they are able to find one weak link, especially a human one, then you never stood a chance in the first place. It's not a case of just updating your systems, it's about educating people on safe practices. 

Use HTTPS, make sure the green padlock is there. Don't use your information on sites which don't have a good reputation, you'll have no recourse. Look at additional safer methods to protect your card details, can you buy a gift card? Even in a case like this, what happens when the company themselves get breached, who protects the cardholders then?

"My broad point is that if you are continually rewarded for bad behavior you will probably continue to do it."

These people aren't doing this on purpose. Have you ever been a victim of fraud? Have you any idea how daunting it could be? Do you really think someone will be the victim of fraud twice through their own doing? They've been victims because it's your own system that has failed them in the first place. If you looked after your customers information, encrypted them accordingly, you wouldn't have breaches like the ones we've had that resulted in thousands of credit card details being leaked. If that information was encrypted, it wouldn't even be a problem right now. Your systems get abused on a daily basis by these criminals and you want to shift the blame on the user? You can only do so much to educate the user, you can implement policies that protect both parties but at the of the day, the weak point in this chain is not the user, it's the failure to detect these fraudulent transactions in the first place. I agree that if I was told that if I didn't protect my PIN, if I'm hit by fraud then I am liable for charges. 

The problem is, you're assuming everyone is breached because of their own fault. Almost every single case of credit card fraud has happened because the people committing the crime have been smarter, they've been duped into handing over CC details on what they believed was secure communication lines, or they were just unlucky and got affected like the victims of the Target breach. As part of the police, your job is to provide the public with the tools so they can be more aware of these scams and learn to protect themselves better. The public look to you to provide them with the support they need, instead you tell them their pretty much on their own if they didn't know. It's not like these people are committing crimes when they get targeted, they've not been aware of what's been happening to them. Do you know how credit cards get harvested? Either through breaches of cardholders, ie online stores, or when cards have been intercepted, ie, skimming. Neither of these were the customers fault so would you put the blame on them? 

You should be making your ATMs more secure so criminals can't install unauthorized devices and making mandatory regulations that anyone who holds certain information must be handling it securely. Failure to comply with those regulations and you get fined for endangering customers. The same way courier scams take advantage of the fact that a customer is not protected if he hands over his card and pin to anyone else, the fraudsters take advantage of weaknesses in your system. The courier scam victim would have to pay back all the losses, but why should they be held responsible if you allowed a stolen transaction to go through approval, despite the transaction appearing from a device that's not familiar, or from a different location. These people get away with it because people let them. They take advantage of gift shipping options as to avoid conflicts with billing & shipping addresses, that's not an issue with the people, it's an issue with the system processing the payment. Credit card fraud happens because your own payment systems get abused and tricked. The same way Amazon protects me by asking me for my full credit card number, if I log in from another device or a different location, banks need to offer more protection, so just having a set of details doesn't mean the abuser is always going to get away with it. Focus more on educating and preventing rather than shifting blame. It also helps if you look at the root cause of an issue rather than assuming you can update your systems and be safe, if that was the case, no one would be getting hacked.