Advice to Banks et al
Greg Williams 5 December 2022
I have some advice for banks (and other related parties) when it comes to protecting their customers' money, let's get into it!
The Current Situation
Scammers are smarter than Banks
Scam activity is reaching new heights in light of recent Optus and Medibank data breaches in particular
Nobody can trust any phone call, email, SMS message, web page or PDF invoice
It's not who you think it is
Your bank will blame you if you pay a scammer via Internet Banking
Your bank will refund you completely if your credit card gets compromised
Even though they know, and publish, current scam information, they have not improved their internet banking security
Banks have a duty of care when they hold our money but they pay mere lip service to this notion
First payment to a new payee
This is where most scams start and stop, everyone needs to be aare of the risks of that first payment to a new payee, every scammer who has ever stolen money via bank transfer was the first payment to a new payeeIt's not who you think it is
Whether by phone call, SMS test message, email, web page or PDF invoice
It's not your bank, it's not the NBN. it's not Microsoft, it's not Telstra, it's not Amazon
It's not a renewal, don't call the number, don't click the link, there is no cancellation form, do not access you bank account
It's never that urgentTalk to someone you know personally
If you don't know the person you are talking to, you must be very cautious
Talk to a work colleague, a family member, a close friend, or that bloke who has been at the computer store for 39 years!
Slow it down
In this helter-skelter world we live in, we want everything to happen immediately, and the scammers are taking advantage of the haste
Make the default process slow
Allow any customer to upgrade their process to fast with a signed acknowledgement that the customer takes the risk
Bring people back into the conversation
Banks focus on profit, employees cost money, reducing the number of employees saves money, ie reduce staff levels. That's the approach we have seen for some time and yes we can blame it all on computers. Talk to any bank customer and it is very difficult to talk to someone at a bank branch today, especially if you don't live in a major centre. So you have to contact a call centre and it often takes far to long to get through to a human being. Try calling a bank Fraud Department to report a bank account being operated by a scammer! I have personally spent up to 45 minutes waiting to get through so why would anyone bother. And now we have purely online banks with no branches whatsoever so everthing has to be done by phone or electronic communications which means fertile ground for scammers
Reduce call waiting times
Improve branch staffing levels
Bring people back into the conversation
First payment to a new payee
Here is where all the trouble starts and stops, every single internet bank transfer to a scammer's bank account is the first payment to a new payee
Slow it down, at least by 24 hours
Allow bank customers to opt out of the delay with a signed acknowledgement that the customer takes the risk
Once a payee is added to a customer's internet banking and the payment has gone through safely, those details can be used again with safety
Banks know!
It's quite incredible that all banks know about pretty much every scam. They even publish the details of how the scams work on their websites. And then they rely on old technology to protect us? That is a madness.
Not to pick on the ANZ Bank, but here is a classic case in point
https://www.anz.com.au/security/fraud-detection/latest-security-alerts/
"We are seeing an increase in phone scams, often commencing with a text, which claim to come from ANZ"
"During the call, the scammer convinces the customer to provide a range of sensitive details, including password"
Drum roll please......
"Whilst our fraud team may call customers from time to time to verify suspicious transactions like these..."
You have got to be kidding me! It's like the scammers are getting a walk up start.
There are over twenty pieces of scam advice on that page alone, then we have https://www.anz.com.au/security/fraud-detection/types-of-scams/ which lists seven other types of scam and then links to ScamWatch, Stay Smart Online and ACCC’s Little Black Book of Scams, all very helpful but there is simply too much information for anyone to absorb. There is even advice about Red Flags....
Find a better way than a confirmation SMS text message
All banks know that mobile phones are being compromised by scammers, in which case the scammer gets (and hides) the SMS confirmation, the scam target is encouraged to download and install a remote access app under the cover of a "cancellation number" or "cancellation form" and when the scam target complies, they unwittingly give the scammer complete access to their phone so that when they check their bank account to check a "refund" has been paid, the scammer gains control of their bank account
Improve the confirmation of identity credentials
Incredibly, most, if not all banks, will open online bank accounts without requiring a customer to present at a branch. Worse still, the documentation requirements are less than they are for opening a bank account in person where your face has to match the ID you provide, typically a driver's licence or a passport. Many banks use a company like Equifax to match the data provided with multiple databases and if the data matches the account get opened. However, recently stolen credentials can be used to open accounts where the data matching will pass with flying colours.
If the applicant cannot attend a branch, use video conferencing via Messenger, Facetime or Skype for example
Encourage the use of off-line bank accounts
Credit for this suggestion goes to Rob (thanks!) to limit the exposure of internet bank accounts to scammers
Create an off-line bank account which has the majority of funds
Create an on-line bank account with an automatic monthly transfer from the off-line account which matches monthly spending
Better warnings on internet banking login pages
Most banks are utterly hopeless in this regard, they know about all manner of scams, why no warning at the login page?
Implement a pop-up message with a tick box to the effect Do not login to your internet banking at the request of anyone else
In the fine print, explain whyWhen processing a bank transfer to a new payee, warn the customer New payee, independently verify the bank details
In the fine print, explain why
Let the customer choose their risk level
It's all done with computer today so banks should get the programmers to try a lot harder
Allow customers to opt in or out of OSKO with appropriate advice re scams
Allow customers to set their level of risk, ie what they are prepared to wear in the event of a scam
Some customers may want that level set to $1,000 others may be happy with $50,000 so let the customer choose
Account Name Matching
I get why banks don't want to do this, it will be hell on earth to implement this feature. If they do, it will stop pretty much all internet banking fraud as we know it, so there is an incentive. Except that internet bank scams cost the customer, not the bank. So there is no financial imperative for banks. If they won't do it, the Federal Government must. TWO BILLION dollars lost last year!
Introduce account name matching urgently
This would rub out pretty much all Business Email Compromise scams completely
Make remote access software providers accountable
Scammers are pretending that the "Your Address" number (the Big Red Number) is a cancellation code which you give the scammer thinking you are going to obtain a refund where in reaility you are giving remote access to your phone or your computer without knowing. If the web page or app was known as Take Control of My Computer it would be more obvious but names like Anydesk or TeamViewer or Client Support etc do not give the scam target a chance
Bring pressure to bear on all remote access software providers to add clear warnings to their remote access web pages
For example If you give anyone this number they will gain access to your device with a tick--box to confirm
Find out where the money went
It is astonishing but your bank does not care where the money went, they wil just tell you it's "gone". For every internet banking scam there is the customer's bank which transfer the money to the scammer's bank, both of which are usually Australian bank branches. The customer's bank, and the customer, knows exactly which bank acciunt the money was transferred to but the customer's bank never asks for an explanation as to why the stolen money is not recoverable. I have kept track of over one hundred bank accounts operated by scammers and I have never had any advice from any recopient bank as to where the money went after it left the scammer's bank account. The scammer is hardly likely to walk into a branch and withdraw the money in cash, so it must have been transferred somewhere else? Why is this never investigated?
Force the recipient bank, ie the bank at which the scammer opened the account, to advise the scam target where the money went
The pilice would then have something to chase and more importantly build a profile of where the oney goes and find a way to block it
Try Harder
It is also astonishing that your local branch has no power to assist you, in fact, they are often prevented from trying to assist you by their fraud team, and the fraud team will lead off with we will get back to you in 30 days ie no sense of urgency! What they are trying to do is get you used to the idea the money is gone and then if they manage to "retrieve" some of your money that becomes better than nothing. Worse than that, I have seen local branch managers tell their customers that it is their fault for giving up the confirmation code! They could at least pretend to help.
Where are the red flags?
I have had some incredible conversations with banks about the failure of their systems to detect unusual spending activity on any given bank account. All banks have a red flag system which notices when unusual transactions occur, but they are flaky at best, and sometimes non-existent
All banks should review their warning systems for potentially fraudulent transactions
Note my suggestion re letting the customer choose their risk level, a red flag would apply to every transaction above that risk level
The main weakness is in regard to sepnding patterns
Bank computer systems can easily work out typical spending pattersn and the red flag anything which is out of the ordinary
A $30,000 payment to a scammer out of an account with a typical monthly spend of $1,500? No red flag
Twenty-six payments of around $5,000 over a 4 hour period with a daily transaction limit of $60,000? No red flag
First payments to a new payee at any value? No red flag
All banks need to do better
Credit Cards vs Internet Banking
There is a paradox here. My 91 year-old mother got a text message from her bank at 10:30 pm on a Saturday night alerting her to a one cent transaction on her credit card. The same week as a customer of ours walked into a local bank branch and aksed them to pay $23,600 into a bank account operated by a scammer where the obvious question which should have been asked at the branch was why not just do this at home using internet banking. So the bank staff paid the scammer on the customer's behalf.
Why is it so? Well, with credit card fraud, the first victim is the merchant who processed the fraudulent transaction where their bank takes th money back unless the merchant cam prove the bona fides of the transaction. The second victim is the bank, ie it costs the bank if a) they cannot get the money out of the merchant and b) they cannot prove the customer made the transaction. The customer who owns the stolen credit card for example, is almost never the victim uness there is some criminal level of negligence on the customer's part. The bottom line is, that credit card fraud hardly
Contrast that with internet banking which only ever costs the bank if they concede a mistake but don't hold your breath. They will blame their customer for giving up their SMS verification code in which case too bad so sad and the customer pays. It is a starkly different approach
How many different scams did you say?
All banks will point to the volumes of scam advice they have on their websites. In other words, "we told you about scams therefore it's your fault if you get caught".
My response is OK, let's say I read through all of the scam information on their website, how the hell am I supposed to remember all of them?
Then there are new scams appearing constantly, how often should I check back with the bank scam advice? Monthly? Weekly? Daily? Really?
Australian Phone Number Verification
It's hard to tell who is responsible here but it is discgraceful that any scammer can make a call where the displayed number is bogus
ACMA must
Clearance times
Back in the day, when you paid for something by cheque you had to wait for up to 5 days for the funds to be cleared/approved at the branch on whch the cheque was drawn. This was a good system, albeit slow if you wanted to take possession of what you were paying for immdiately in which case ou paid for a bank cheque which was pretty much as good as cash. Until the bad guys started stealing bank cheque books and suddenly you had to wait 5 days even for a bank cheque to clear!
Fast forward to where we are now
Cheque clearance times have not changed, you still have to wait for up to 5 days
One would think credit card payments are instantly cleared but that is not the case
In fact, for the merchant who accepts a credit card payment, ie all of us, there is no clearance time, not a week, not a month not even six months, each bank reserves the right to charge-back a credit card payment to the merchant who processed it in the event of a fraud being discovered and banks set no time limit for that discovery. Strange but true.
OSKO payments (see below) are cleared pretty much instantly, well, under one minute they say, so there effectively is no clearance time, so everyone gets their money with no backsies, including scammers
OSKO
Here we go, this is the kicker. OSKO is owned by BPay which is owned by the big four banks in Australia. BPay is completely safe to use and OSKO is an unmitigated disaster because payments are made in under one minute which is great if you need to spot a close contact $100 for a night out on the town (OK, maybe $200) but not if you have just paid a scammer ten grand or more.
Before OSKO, it used to take up to a week for the bank transfer to complete. Not any more. And your bank will not only not let you opt out, theye never asked if you wanted it in the first place!
Make OSKO optional at every bank
Shen a customer wants to opt in, make it clear that the scammers will get your stolen funds in under one minute as well
Here are some heartwarming statements by OSKO which are very comforting until a scammer steals your money in under one minute