By Will Sturgeon, 11 January 2005 18:40
COMMENT
It was always a curious oversight that banks tended only to be open when those of us actually earning money to put in them were too busy working to get along and use their services. It was a bit as if the concessions at the Odeon Cinema only sold popcorn while the films were on or pubs in the City shut at 5pm on a Friday.
Now, of course, many of us bank online to get over this problem, despite much scaremongering and should-we, shouldn't-we dithering sparked by security concerns. But according to recent research from TNS there is now a hardcore of just 24 per cent of banking customers in the UK who don't trust 'that there interweb' thing.
And confidence among the rest of us is growing, despite the issue of phishing which dominated headlines last year. In fact 31 per cent of users are more confident now than they were in 2002 when phishing was little more than a crude nuisance limited to pretty small circles.
But phishing is still an issue and I believe there is still more the banks can do to help limit its impact - not so much for those of us with 'web savvy' but for those who aren't yet fully fledged converts to all things online... which is a kind way of saying those who need protecting from themselves.
And that protection is needed now more than ever with banks suggesting their willingness to reimburse the defrauded is being worn thin by users not exercising enough common sense.
But before they point the finger at others should the online banks be exercising a little more grey matter themselves where this issue is concerned?
There is a confusing array of methods currently being employed to communicate with customers, from regular emails and text updates to occasional emails and SMS messages on an 'as and when' basis.
The more random end of this scale creates uncertainty, and uncertainty creates opportunity for criminals.
Last week we criticised the move towards gated email communities but perhaps banking is one area where we should embrace such innovation. If users had an email account within their bank account where they would receive personalised communications from their bank it would eliminate a lot of the uncertainty.
Terms and Conditions which say 'From time to time we may...' should be consigned to history. Policies which state non-payment of credit card bills may be followed up with 'either' a text, automated phone call, call in-person or written letter do little to put readers' minds at rest as to how and when they might be contacted by their bank.
It's understandable that customers banking in the virtual world choose to ignore all communications from their banks. How many people now would respond to a solicitation to ring a number and then divulge any personal information to the person on the other end of the phone?
And that is an unhealthy situation because invariably communication is essential where managing our finances is concerned. Ironically the biggest problem with this silence born of fraud is the fact that the most essential communication relates to the very prevention of fraud.
Phone calls or text messages out of the blue raise suspicion. Have the phishers moved from email to SMS or phone? But in many cases those calls or messages are made to query transactions - they are the first warning that something may be happening with your account that has raised alarm.
And users ignore it because they think it's fraudulent. It's an awkward Catch-22 and one which leaves the banks in a 'damned if they do and damned if they don't' situation. With this in mind banks need to think about verbal signatures. We've been using them for years to tell them who we are, why don't they use them to confirm who they are?
If they contact customers out of the blue, then they are accused of muddying the waters where phishing is concerned but if they maintain silence and an account gets cleared out by anomalous transactions they will be the first in line for stinging criticism.
The banks say the customer should always contact a branch or helpdesk if they are approached in a way which arouses suspicion - it is certainly a sensible first step, even though it complicates much of the streamlining intended by banking online.
But banks also need to make a lot more noise about the threat of phishing. No matter how loath they are to discuss theft and fraud, customers would rather hear about it than experience it.

Comments
There are 5 comments.
1. Richard Sarson
I have been phished twice in the last three months. Yesterday was the second time. Immediately, I checked out the Websites of the two banks concerned, Barclaycard (Visa) and Halifax, and on neither could I find intuitively a contact number or URL listed to report the incident quickly. If they consider the phishing threat serious they should make it easier to report.
2. anonymous
Yes, banks must identify themselves in the same way they expect us to identify ourselves. On registration one set of passphrases is set up for the customer and another (unique to the user) for the bank. Customer doesn't enter anything until the bank identifies itself correctly. This is basic security stuff.
An alternative is challenge/response, but most bank clients might baulk at remembering the response algorithm.
It is inevitable otherwise that eventually a phisher will overcome poor language and business skills and produce a convincing attack. One email I received recently was very well put together and could well fool many people - shame I wasn't a customer of that bank!
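The bank-identifies-first order described in comment 2, combined with the challenge/response alternative it mentions, as an added example that is not part of the original comment or any bank's actual system. The per-customer key set at registration, the role labels and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample: a per-customer secret agreed at registration.
ENROLLED_KEY = secrets.token_bytes(32)

def prove(key: bytes, role: bytes, nonce: bytes) -> bytes:
    """Answer a challenge: HMAC-SHA256 over a role label and the other side's nonce."""
    return hmac.new(key, role + b"|" + nonce, hashlib.sha256).digest()

def verify(key: bytes, role: bytes, nonce: bytes, tag: bytes) -> bool:
    """Constant-time check that the answer matches this key, role and nonce."""
    return hmac.compare_digest(prove(key, role, nonce), tag)

def session(customer_key: bytes, caller_key: bytes,
            replayed_tag: Optional[bytes] = None) -> str:
    """Simulate one contact; caller_key is what the party claiming to be the bank holds."""
    # 1. The customer sends a fresh challenge and discloses nothing else.
    c_nonce = secrets.token_bytes(16)
    # 2. The caller answers. Without the enrolled key it can only guess
    #    or present an answer recorded from an earlier contact.
    if replayed_tag is not None:
        bank_tag = replayed_tag
    else:
        bank_tag = prove(caller_key, b"bank", c_nonce)
    if not verify(customer_key, b"bank", c_nonce, bank_tag):
        return "caller-not-verified"  # the customer stops here
    # 3. Only after the bank is verified does the customer answer its challenge.
    b_nonce = secrets.token_bytes(16)
    cust_tag = prove(customer_key, b"customer", b_nonce)
    if verify(caller_key, b"customer", b_nonce, cust_tag):
        return "mutual-ok"
    return "customer-not-verified"

if __name__ == "__main__":
    print(session(ENROLLED_KEY, ENROLLED_KEY))             # genuine bank
    print(session(ENROLLED_KEY, secrets.token_bytes(32)))  # caller lacks the key
    old = prove(ENROLLED_KEY, b"bank", b"nonce-from-last-week")
    print(session(ENROLLED_KEY, ENROLLED_KEY, replayed_tag=old))  # stale answer
```

Because the bank's answer is bound to the customer's fresh nonce, a fixed passphrase that could be overheard and repeated is replaced by a proof that is only valid for this one contact.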
3. anonymous
Richard cannot have been looking very hard for a contact for the Halifax. On the login page for Halifax Online is a large red message that says "FRAUDULENT EMAIL ALERT" and selecting that item takes you immediately to a page which says:
"1. DO NOT access any links within the e-mail, disclose your sign-in details or reply to the e-mail.
2. Forward the e-mail to 'onlineemailinvestigations@hbosplc.com' and then delete it immediately.
3. If you are concerned that you may have disclosed any personal or security details, please call our helpdesk immediately on: 0845 850 0629."
Simple to find and simple to understand.
4. Malcolm Ripley
How about using good old-fashioned paper mail and telephones when contacting customers about security-related issues? Or is that too bleedin obvious!
(Ed note. And how do you know the person on the other end of the phone really is from your bank...? Phishers are showing signs of moving to phones. We covered this issue in the rest of the coverage which should be of interest. Also, if your account was being plundered would you really want to wait for a letter? Agree with your next point though entirely...)
Here's a small template for the banks' use (FOC):
Dear Customer,
Please note that our bank's policy is to never contact you via email about sensitive information such as your internet account password, username, account number, memorable data etc. This approach ensures that you can safely ignore all forged emails purporting to be from us on this matter.
Yours Sincerely,
Captain Sensible,
Manager of the "Safe Bank".
5. Richard Sarson
Dear anonymous of Leeds, I see no large red notices, when I access www.halifax.co.uk or even when I go to the pages encouraging punters to join the online service.
To put the notice just on the log-on page is no help, because I am not an online Halifax user. You should put the notice on the home page for it to be visible to normal human beings.
I will however send the phish to the address you suggest, and see what happens, but it is now three days old, and I expect the trail is cold by now.