Fraud losses on UK cards fell by more than a quarter to £440 million last year, the first drop since 2006, said the UK Cards Association (UKCA) in its latest 2009 fraud report. Criminals seem to be switching over from traditional attack vectors and targeting online bank accounts instead though with losses totalling £59.7 million here, a 14 per cent rise on last year. Phishing attacks were also up by 16 per cent compared to the 2008 figures.

The reduction in card fraud losses detailed in the 2009 UKCA fraud report - the 28 per cent fall is equivalent to a saving of £170 million against 2008 figures - is being attributed to a combination of industry initiatives. The UKCA cites chip and PIN, the Police's Dedicated Cheque and Plastic Crime Unit, the increasing use of sophisticated fraud detection and behavioural tools by banks, and schemes like Verified by Visa and MasterCard's SecureCode system, which have cut card not present (CNP) fraud, where items are brought online, or via the phone or mail, by 19 per cent since 2008; £266.4 million was lost in this fashion last year.

Card losses from traditional skimming and cloning counterfeit attacks more than halved to £80.9 million last year, while mail non receipt fraud, where cards or PIN numbers are stolen in the post, fell by 32 per cent. Surprisingly, so-called fraud abroad, which has risen steadily in recent years due to introduction of chip and PIN in the UK, fell by 47 per cent to £122.7 million last year, perhaps because more countries are adopting similar PIN schemes, thereby cutting the opportunities for cloned magnetic stripe scams. Fraud at cash machines was down 20 per cent to £36.7 million.

Commenting on the encouraging news regarding credit and debit cards, Melanie Johnston, chair of the UKCA, said: "A fall in card fraud is good news for everyone." She went on to recognise though that "cards will always be targeted by criminals, which is why we are determined to continue to prevent, detect and deter those who are behind this type of crime, ensuring that innocent victims don't lose out."

Online banking fraud up On the down side, the 2009 UKCA fraud report showed losses in the online banking channel rising to almost £60 million. This is largely due to criminals using more sophisticated methods, notably malware, which targets vulnerabilities in PCs rather than the banks' own systems, which are becoming more difficult to attack as more and more payment analysis processes are installed. Some banks are now trying to counter this malware attack vector too - for instance, RBS is seeking to extend protection out towards its customers' own PCs by offering a free web browser anti-malware device from Trusteer. To date, 1.5 million customers have downloaded the product free of charge and it has blocked thousands of account hijacking attempts (see our FST Awards 2010 shortlist for details on this submission). More such devices need to be deployed though if we are to see fraud figures for the online banking channel fall in future. Customer education, in terms of teaching people not to share personal details on social networks and to recognise spam, will also play a vital part. Help and advice is available via the industry website http://www.banksafeonline.org.uk, but relying on consumers themselves to fight this menace alone will not suffice. More comprehensive, multi-layered security tools and procedures need to be introduced by banks as well.

Unfortunately, as Mel Morris, CEO at online security vendor Prevx, admits online fraud is just too easy to commit. "For example, anyone with a PC can purchase a banking fraud kit on the web for a few thousand pounds, enabling criminals to infect PCs anywhere in the world with a trojan that can monitor keyboards and online activity, searching out passwords and other personal details."

Steve Brunswick, strategy manager at Thales, worries that the rise in online banking fraud seems to indicate that the improvements seen two years ago have stalled. At that time three major UK banks introduced Chip and PIN-like card readers, adding two-factor authentication to their customers' online banking security, but there have been no further moves by other UK banks since then. "Many banks are instead relying on back-end analytics to protect their customers from online banking fraud," he says, "and while this certainly plays an important part in protecting customers, relying on back-end analytics without strong authentication of users is like installing a burglar alarm while leaving the front door wide open. We have all heard the complaints that it's inconvenient having to have a card reader, but mobile phone based two-factor authentication, for example, is an effective alternative." Naturally, as a vendor, Brunswick would like to see more devices deployed but it is up to banks to decide where best to spend their money. The war against fraud is an ongoing battle with ever changing attacks and countermeasures, so the aim must always be to keep it in check, while still being able to provide relatively cheap banking facilities.

The scale of the threat is illustrated by the fact that there were more than 51,000 phishing incidents recorded during 2009, according to the UKCA. Phone banking losses totalled £12.1 million in 2009, the first time they have been recorded. This too could be a growing threat in the future as criminals seek new ways to break into secure banking and payment systems.

Cheque fraud dropped 29 per cent to £29.8 million, mainly because this form of banking is increasingly falling out of use. But new threats are inevitably arising and vigilance is required.

Share Story: