March 13th, 2013 at 19:46 UTC by Steven J. Murdoch
Today, the UK Cards Association (UKCA) published their summary of bank fraud for 2012. This provides an important insight into banking fraud, and the level of detail which the UK banks provide is very welcome. The UKCA figures go back to 2007, but I’ve collected the figures from previous releases going back to 2004. This data reveals some interesting trends, especially related to the deployment of new security technologies.
The overall fraud losses in 2012 are £475.3m, up 11% from the 2011 level, but for the purposes of comparison it is helpful to exclude the losses from phone banking since these figures were only available since 2009 (and are only 2.7% of the total). If we look at the resulting trend in total fraud (£462.7m) we can see that while there was an increase in 2012, that is from a starting position of a 10-year low in 2011 so isn’t a reason to panic. We are still far from the peak in 2008 of £704.3m.
[You may have noticed the miniaturised graph in line with the text above, which an an example of a sparkline and I'll be using these throughout this post to more clearly show trends in the data. Each graph shows the change in a single value over the 2004–2012 period, and is followed by the figure for 2012 in red.]
However, there is a large omission in the UKCA data – it records losses of the banks and merchants but not customers. If a customer is a victim of fraud, but the bank refuses to refund them (because the bank claims the customer was negligent), we won’t see it in these figures – as confirmed by a UKCA representative in an interview on BBC Radio Merseyside on 2007-02-19. We don’t know how much is missing from the fraud statistics as a result, but from the Financial Services Authority statistics we can see that there were 483,666 complaints in the first half of 2012 against firms regarding disputed charges, so the sums in question could be substantial. But despite this limitation, the statistics from the UKCA are valuable, especially in that it gives a break down of fraud by type.
The UK fraud statistics are dominated by card-not-present transactions (e.g. Internet, mail-order, and phone purchases) (£245.8m), making up 53% of the total in 2012. There’s been an 11% increase since 2011, but still down from the peak of £328.4m in 2008. The industry attributes the fall to requiring customers to enter a password after the online shopping check-out, which is verified by the bank (known as MasterCard SecureCode or Verified by Visa, both being implementations of the 3-D Secure standard).
Undoubtably, 3-D Secure contributed to the reduction but was it the full reason? Coinciding with the introduction of 3-D Secure was a change in terms and conditions which made customers liable for fraud where 3-D Secure authentication took place, as described for example in the Royal Bank of Scotland terms and conditions for their implementation of 3-D Secure, known as RBS secure (clause 9):
“You understand that you are financially responsible for all uses of RBS Secure.”
If the banks used terms like this to pass the cost of card-not-present fraud onto customers (despite the known vulnerabilities in 3-D Secure), it could explain part of the reduction in losses to banks and merchants, which we see in the UKCA statistics.
Despite card-not-present fraud having dominated the landscape, it has received a comparatively small level of investment in anti-fraud technologies, perhaps because the losses are predominantly spread over a large number of merchants. The losses for card-present transactions are more likely to fall on banks, who are a far more concentrated market with more influential players. This may explain why Chip & PIN was introduced at the cost £1–2 billion, in the hope of reducing counterfeit, lost-and-stolen, and mail-non-receipt fraud.
Counterfeit fraud (£42.1m) is up 16% on 2011 but still well below the peak in 2008 of £169.8m. The hope was that the greater difficulty of copying the chip compared to the magnetic strip would reduce the usefulness of counterfeit cards, but even though Chip & PIN became mandatory in the UK in 2005, fraud continued to increase after a dip in 2005/2006 where criminals changed their tactics. The decrease really only started in 2009, which the industry attributes to the growing deployment of Chip & PIN terminals outside of the UK, allowing the magnetic stripe fallback to become less necessary.
Lost-and-stolen fraud (£55.2m) and mail-non-receipt (£12.8m) (where new cards are intercepted in the postal system) show a much more consistent decrease following Chip & PIN deployment, but here it was the PIN, rather than the chip which offered protection. If a criminal stole a genuine card, hopefully they would not be able to discover the PIN needed to make an point-of-sale purchase or ATM withdrawal. In 2012, both lost-and-stolen and mail-non-receipt went up (by 10% and 13% respectively) and since 2011 lost-and-stolen fraud overtook counterfeit.
Again however, the omission of customer losses from UKCA figures raises questions. Since 2008 we have seen an increasing number of customers reporting to us that they have been the victim of fraud but have not been refunded because the bank claims the customer has been negligent. The banks have claimed that if their records show that a chip and PIN have been used, the customer must be liable despite these records having been demonstrated as being unreliable, and there being ways to trick Chip & PIN terminals into accepting the wrong PIN. In a previous blog post we even described how Eve Russell was refused a refund by both Barclays and the Financial Ombudsman Service for transactions carried out on a card she never requested or received (an example of mail-non-receipt).
Other types of fraud make up a comparatively small proportion of the sums involved, though the amounts are still significant. Online banking fraud (£39.6m) is up by 12% following a two year decline but has a history of being volatile. Cheque fraud (£35.1m) has been fairly stable since 2004 and in 2012 only went up 2%. ID-theft (£32.1m) (or more properly, fraud by false representation, where criminals obtain cards under someone else’s name) jumped by a dramatic 42% but is still down on the 2010 figure of £38.1. This year, it was only telephone banking fraud (£39.6m) which fell, by 25%.
There’s a lot that can be learned from these figures, and the UKCA should be congratulated for making them available. But this year, as with previous years, there are big questions remaining which will only be answered if banks record and publish figures on how often they don’t refund customers who dispute charges, and how much money this makes up.