Bernard Hogan-Howe’s comments are a recognition that things cannot continue as they are: banks are fighting an expensive, losing battle against cybercrime, and carrying the can for the overall slow response to the explosion in online fraud. Cybercrime has moved on, and while people do need to take more responsibility for their use of technology, his proposals aren’t the solution.
In the last decade, cybercrime has industrialised. It’s no longer the preserve of a small number of skilled hackers. Tools for carrying out sophisticated cyber-attacks are now cheap, mass-produced, and easily accessible. Hacking communities, discussion groups and online walkthroughs are plentiful and easy to find. The raw material for crime – personal information – is available at low cost and neatly packaged for resale in online marketplaces. It really is possible for anyone, aged 8 to 80, to get involved if they want to.
Unfortunately, simply installing antivirus software does not protect against these newly introduced and more sophisticated malware threats. Modern malware tools can hide code in apparently harmless files, meaning that antivirus can’t detect the danger until it’s too late. Of course, running antivirus is a necessary precaution, but it is just one component of a much larger strategy needed to reduce the chance of fraud loss.
Similarly, phishing scams are now more sophisticated. It’s no longer about emails purporting to be from your bank, requesting sensitive details like passwords. Today, phishing scams are cleverly designed and carefully targeted using “social engineering” to entice individuals to click on malicious links. Phishing emails can appear to be from almost anybody or any organisation, and they’re believable because they’re built from personal information found online. While banks have improved their notification process when they come across one of these scams, cyber criminals cast such a wide net with this approach that it’s inevitable a small fraction of consumers will mistakenly click on links.
The above are just two scenarios that raise the question of where the burden of proof lies: with the organisation or with the consumer. Even when the consumer does the right thing, they are still susceptible to fraud.
Fraud losses increase every year, and the scale has grown so quickly that our crime surveys have yet to properly account for it. Banks are expected to pick up the cost of consumer fraud, but it’s difficult to think of any other walk of life in which a product provider reimburses the consumer for goods they’ve had stolen.
Perhaps the time has come for proper online fraud insurance. However, if we’re rethinking this, it’s also time to encourage other parties to re-evaluate their approach to fighting this type of fraud. ISPs need to be encouraged to increase efforts to block malware and take responsibility for what is happening within their networks. Law enforcement should also change its thinking when it comes to fighting fraud more effectively. Cyber criminals are no longer computer-savvy individuals. It’s not uncommon for a 13-year-old child to be committing these crimes from the comfort of his home.
While we all try to figure out an effective approach to industrialised cybercrime, here are some things consumers can do to better protect themselves:
Use two-factor authentication in email and financial accounts. Two-factor authentication requires extra login credentials, in addition to your username and password, making the account more difficult for cyber criminals to access. For high-value accounts, the added security is worth the extra time.
Enable automatic software updates. Updates are usually issued to address vulnerabilities. Patching your system with the latest updates will reduce your exposure to malicious activity.
Monitor your personal information. Stolen personal information can lead to financial problems, if criminals take out credit in your name; or reputational damage, if the information is used in illegal activities. The risk can be mitigated with a fraud protection service, which monitors whether your personal or financial information is being used, as well as providing recovery assistance if it is. You should also check your credit reference files regularly: if someone is making false applications for credit in your name, it will show up immediately.
Share with care on social media. Apparently innocuous details like your pet’s name or your birthday are common identity authentication questions on many sites, and thus useful to fraudsters. Aggregation sites can collect information from multiple Internet sources, making it easy to build up a detailed picture. According to a recent Javelin survey of identity fraud, some 54% of social media users have been the target of an identity threat, and those who are active users and share personal information are at increased risk.