On the measurement of banking fraud

Kidnapping is not an easy crime to be successful at…

… it is of course easy to grab the heiress from outside the nightclub at 3am. It’s easy to incarcerate her at the remote farmhouse. If you pick the right henchmen then it’s easy to cut off her ear and post it off to the frantic family.

Thereafter it gets very difficult — you must communicate directly several times and you must physically go and pick up the bag of money. These last two tasks are extremely difficult to manage successfully which is why police forces solve kidnap cases so often (in its first 5 years the Metropolitan Police Kidnap Unit solved 100% of their cases).

Theft from online bank accounts also has its difficulties. It remains relatively easy to gain access to a victim’s bank account and to issue instructions on their behalf. Last decade this was all about “phishing” — gathering credentials by creating fake websites; more recently credentials have been compromised by means of “man-in-the-browser” malware: you think you are paying your gas bill and that’s what your browser tells you is occurring. In practice you’re approving a money transfer to a criminal.

However, moving the money to another account does not mean that the criminal has got away with it. If the bank notices a suspicious pattern of transfers then they can investigate, and when they see the tell-tale signs of fraud then the transfers (which were only changes to computer records) can be trivially reversed. It is only when the criminal can extract folding money from an ATM, or can move the money abroad in such a way that it will never be repatriated that they have been truly successful. So like kidnap, theft from bank accounts is somewhat harder to pull off than one might initially think.

This has turned out to be a surprise to the Treasury Select Committee.

Last month I was asked to give oral evidence to them and the very first question related to how much fraud there was relating to online banking. I explained that the banks collated figures showing how much money was actually “lost” (viz: the amount that the banks ended up, usually anyway, reimbursing to the unfortunate customers who had been defrauded).

However, industry insiders say that about twice this amount is moved to another account but — and this is basically Very Good News — it is then transferred back so there is no actual loss to anyone. We don’t know the exact figures here, because they are not collated and published.

Furthermore, the bank should also be measuring “money at risk”, that is, the total amount in the compromised accounts. If their security measures failed and criminals stole every last penny then these would be actual losses — an order of magnitude more, perhaps, than the published figures.

The Select Committee chairman is now writing to the banks to ask if this is all true and what the “true” fraud figures might be. If the banks reply with detailed information then we might finally understand quite how difficult bank fraud is. I fully expect the story will run something along the lines that <n> accounts with 10,000 pounds in them are compromised, that the crooks fraudulently transfer 995 pounds from most, but not all of these <n> — but that half the time the fraudulent transaction is reversed.

If this analysis is correct then online banking fraud is still, on average, much more lucrative than kidnapping — but we must make up our mind as to whether to measure it using the figures of 10,000 or 995 or “about half of 995 is permanently lost”. There’s justification to every way of measuring the problem — but it is important to understand the limitations of any single measurement; failure to do so will mean that the banks will not deploy the right level of security measures — and the politicians will fail to give the issue an appropriate level of consideration.

3 thoughts on “On the measurement of banking fraud”

  1. What scares me is that after introduction of Bitcoin, the kidnapper does not have to go anywhere to physically get his money.

  2. @Evgenij: short term problem, with any luck. It shouldn’t be too hard to implement a Bitcoin blacklist; that wouldn’t help the victims get the money back, but it should be possible to make it difficult for the kidnappers to spend the ransom or convert it into cash.

    Alternatively, if blacklisting proves unsuccessful, Bitcoin is likely to be criminalized.

  3. Richard, the Australian Govt has just received the Financial System Inquiry report that includes a chapter on Digital identity with one of the objectives being “Ensure digital identity management processes help to prevent crime, improve security and enhance privacy.”
    Seems to me the calls for federated identity management must have been falling on deaf ears for the last ten years. Nevertheless, the arguments put in Murray’s report are well put together. It will be interesting to watch how they are received by the Govt.
