In the very first paper I wrote on ATM fraud, Why Cryptosystems Fail, the very first example I gave of a fraud came from the case R v Moon at Hastings Crown Court in February 1992. Mr Moon was a teller at the TSB who noticed that address changes weren’t audited. He found a customer with over £10,000 in her account, changed her address to his, issued a card and pin, and changed the address back. He looted her account and when she complained, she wasn’t believed.
It’s still happening, most recently to a customer of the Abbey. Bank insider issues extra card, steals money, customer blamed – after all, chip and pin is infallible, isn’t it? Expecting banks to keep decent logs might be too much; and I suppose it’s way too much to expect bank fraud staff to read the research literature on their subject.
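The Moon pattern above (address changed, card issued, address changed straight back) is exactly the kind of thing a decent audit log makes detectable. As an added example, not part of the original post or of any bank's system, here is a rule that walks constructed audit records per account and flags a card issued shortly after an address change, and an address reverted after that card issue; the record schema, field names and sample values are assumptions.

```python
from datetime import datetime, timedelta
from collections import defaultdict

# Constructed audit-log records (hypothetical schema, not any bank's format):
# (timestamp, account, staff_id, event, detail). For address_change the
# detail is "old -> new"; other events carry free text.
AUDIT_LOG = [
    ("2023-03-01T09:12:00", "ACC-1001", "T017", "address_change", "12 High St -> 4 Elm Rd"),
    ("2023-03-01T09:30:00", "ACC-1001", "T017", "card_issued", "new card and PIN mailed"),
    ("2023-03-06T16:45:00", "ACC-1001", "T017", "address_change", "4 Elm Rd -> 12 High St"),
    ("2023-03-02T11:00:00", "ACC-2002", "T042", "address_change", "1 Oak Ave -> 9 Pine Ln"),
    ("2023-03-20T10:00:00", "ACC-2002", "T042", "card_issued", "replacement card"),
    ("2023-03-04T13:00:00", "ACC-3003", "T017", "address_change", "7 Mill Rd -> 3 Bay Ct"),
    ("2023-03-04T13:05:00", "ACC-3003", "T017", "card_issued", "new card and PIN mailed"),
]


def _addresses(detail):
    """Split an address_change detail "old -> new" into (old, new)."""
    old, new = detail.split("->")
    return old.strip(), new.strip()


def detect_address_card_abuse(log, issue_window=timedelta(hours=24),
                              revert_window=timedelta(days=14)):
    """Return one alert per suspicious address change, with the reasons."""
    by_account = defaultdict(list)
    for ts, acct, staff, event, detail in log:
        by_account[acct].append((datetime.fromisoformat(ts), staff, event, detail))
    alerts = []
    for acct, events in by_account.items():
        events.sort()  # chronological order per account
        for i, (t0, staff0, ev, detail) in enumerate(events):
            if ev != "address_change":
                continue
            old, new = _addresses(detail)
            reasons, card_seen = [], False
            for t1, _staff1, ev1, detail1 in events[i + 1:]:
                if t1 - t0 > revert_window:
                    break  # later events are outside the window of interest
                if ev1 == "card_issued":
                    card_seen = True
                    if t1 - t0 <= issue_window:
                        reasons.append("card issued %s after address change" % (t1 - t0))
                elif ev1 == "address_change" and card_seen:
                    # Only a change back to the original address, after a card
                    # went out to the new one, counts as the Moon pattern.
                    if _addresses(detail1) == (new, old):
                        reasons.append("address reverted to %r after %s" % (old, t1 - t0))
            if reasons:
                alerts.append({"account": acct, "staff": staff0, "when": t0, "reasons": reasons})
    return alerts
```

On the sample log this flags ACC-1001 (card issued 18 minutes after the change, address reverted five days later) and ACC-3003 (card issued 5 minutes after the change), and ignores ACC-2002, whose replacement card came 18 days later.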
8 thoughts on “An old scam still works”
Many banks nowadays send you an SMS when you perform a transaction with your account. Maybe they should do the same when you change your address or phone number.
Who needs research? Research is theory; bank fraud staff need practice, not theory. Yes, I know you have worked in the banking sector for some years, but you were an exception, Professor Anderson.
If you invest your savings, some financial crisis could wipe out your account; if you don’t, some bank insider could wipe out your account: I guess that the mattress is becoming a viable option.
In this 350th year of the Royal Society, I will merely say this: that science consists of the marriage of theory and practice. People who just do theory (mathematicians who prove theorems about cryptology but never touch real systems) and people who just do practice (the typical fraud manager at a bank) both lose out.
That’s why we need research: we need people who can bridge the gap between theory and practice. That’s what the pioneers of science, men like Newton and Halley and Flamsteed and Boyle, were about.
The basic principle still stands. Theory without practice is sterile, and practice without theory is chaos.
I couldn’t agree more; I was just being ironic: unfortunately many in the business emphasize only one side of the coin, practice indeed; and what’s more, they mistake research for theory.
Could you clarify what you mean by “Many banks nowadays send you an SMS…”? Do you mean UK banks? If so, which ones?
Personally I am not convinced that the use of mobile phones should be advocated for authentication in banking systems. Zane Lackey, iSec Partners, and Luis Miras, an independent security consultant, suggest telephones are becoming popular for phishing-style attacks. Surely it would therefore be prudent to avoid their use for authentication purposes?
Zane Lackey and Luis Miras (2009). Attacking SMS. In: Proceedings of Black Hat Briefings USA, Caesars Palace, Las Vegas, USA.
Jeff Anderson (2010). Mobile Spoofing. BBC Watchdog, http://www.bbc.co.uk/blogs/watchdog/2010/04/mobile_spoofing.html
Lloyds will send you an SMS if your card is used abroad (http://www.lloydstsb.com/mobileservices.asp?WT.ac=HPwtbMobile and click “Free Text Alerts”)
It’s not an authentication mechanism but a warning mechanism. Presumably the idea is that Lloyds loses less money if notified of unintended use earlier and so it’s in their interest to pay for the SMS. If the bad guys find that Lloyds cards get shut down faster than others, it might make them less desirable too.
The thing is, when data systems are able to be changed by users, there are going to be problems. There are also other information leaks, such as the back of wheelie bins. My local council advised me to write my address down on a sticker for said bins. I just wrote the house number on and left it at that. If I include the street name, this makes it easier to acquire my address. A quick lookup on the would supply the postcode, thus supplying the whole address to whomever is querying it. So, the house number is acquired from my wheelie bin, the street name is at the end of the road, the full address is generated by Royal Mail, supplies the physical location, whilst switching to satellite/street view gives anyone a good look round, without having physically visited. This gives rise to the question: is it at all necessary for individuals to have such access to what people would assume to be relatively private?
My apologies for entering the tags wrongly in my comment above. http://www.royalmail.com and http://maps.google.co.uk respectively.