Examination of Witnesses (Questions 86
WEDNESDAY 13 DECEMBER 2006
Welcome, everybody. This is the second evidence session of the
Select Committee's inquiry into Personal Internet Security. We
are very grateful to all of the witnesses who are coming to give
evidence today. Thank you very much for coming along and giving
us your time. Welcome, also, to the members of the public who
are here. There is a document available (I hope you have
picked it up) about the inquiry and the Members of the Committee.
To start with, could you introduce yourselves and, if you so wish,
make a brief opening statement. So perhaps we could start with
you, Ms Quinn.
Ms Quinn: Good afternoon. My name is Sandra
Quinn, I am Director of Communications at APACS. APACS represents
the banks in how to co-ordinate their fight against payment fraud.
Mr Whittaker: My name is Colin Whittaker, I
am Head of Security at APACS.
Mr Pemble: My name is Matthew Pemble. I am appearing
as the Chairman of the Joint Special Interest Group between the
Federation of Incident Response and Security Teams and the G8
Line Group in co-operation between computer emergency response
teams and law enforcement, and as co-chair of the Best Practice
Committee of the Anti-Phishing Working Group.
Ms Alzetta: My name is Sandra Alzetta, I am
the Senior Vice President of Visa Europe responsible for consumer
marketing and my responsibility is for the eCommerce channel,
the Internet channel, from a business perspective.
Mr Littas: I am Robert Littas, Head of Fraud
Management in Visa Europe.
Would any of you like to make an opening statement or shall we
go straight into questions?
Ms Quinn: Please go straight in.
Okay, we will go straight into questions. I will ask the first
question. In 2005 online banking fraud increased by 90 per cent
to £23.2 million. Do you have any indications as to whether
this rate of increase will be sustained in 2006?
Ms Quinn: If I may answer that. Those figures
are APACS figures which we put together with our member banks.
It was £23.2 million at the end of 2005. We have half year
figures for the first half of 2006, and those stood at ...
Mr Whittaker: Those were the £23.21 million.
It was £14.5 million in the first half of 2005.
Ms Quinn: For the first half of 2006 the online
banking fraud figure stood at £22.5 million. That was an
increase of 55 per cent in the first half of 2006 on 2005. Obviously
we are not at the end of 2006 yet so we do not have the full year's
figures but we expect the overall rise in this year not to be
as high in percentage terms as the rise in 2005.
But it looks as if it might be close to, you are saying?
Ms Quinn: It is certainly not going to be a
non-dramatic rise, it is still of concern.
The evidence from APACS notes that the number of phishing incidents
grew by 8,000 per cent between January 2005 and September 2006.
Is this phenomenal rate of growth continuing? How much are the
banks now losing to phishing, and how much worse do you expect
it to get?
Mr Whittaker: The rate of growth in phishing
is really down to a number of factors, not least of which is they
have been able to industrialise the methods by which the criminals
know how to launch and sustain the attacks. Secondly, it is perhaps
an indication of how well the banks have been doing at closing
the sites down. The more the banks close down the people attacking
us and launching the phishing sites, the more they have to launch
to try and generate the attacks against us. We see no indication
worldwide that the level of phishing attacks is decreasing, in
fact there is some evidence that we were talking about on the
way in, that the phishing incidents are increasing, again worldwide.
The level of losses from phishing, the overall figures that Sandra
described, include both phishing and malware based attacks. It
is very difficult when you are talking to consumers to distinguish
between whether they have fallen victim to a phishing or a malware
attack. By and large, we believe that the sort of questions that
the bank call centres are able to ask the consumers when they
discuss with them the problems with a fraudulent transaction,
for example, can very quickly discern whether phishing attacks
have occurred because people are talked through a script about
the sort of things they might have seen on their computer and
the way they may have behaved when an email, for example, comes
in. By and large we reckon, and it is very difficult to be totally
specific about this because of the difficulties of attributing
attacks, that phishing accounts for anywhere between 25 and 50
per cent of the attacks that we see that cause losses on customer
Chairman: Does anybody else want to comment
Q91 Earl of Erroll:
I notice you mentioned phishing attacks as the number of websites
which are trying to phish.
Mr Whittaker: Yes.
Q92 Earl of Erroll:
Are more people responding to these phishing attacks or fewer?
In other words, is the public getting better educated about them
and avoiding them regardless of the number of sites?
Mr Whittaker: It is very difficult to determine
because the point of attributing these attacks when you talk to
people is at best subjective. Our indications from some data that
we have been able to correlate between the number of fraudulent
transactions and the number of phishing attacks over the years
is that it seems people are falling victim to phishing attacks
less often, but that is one of the reasons why they are increasing
the volume, because of the number of people they may have to capture
and so on.
Q93 Lord O'Neill of Clackmannan:
Are you satisfied that all of your members are equally rigorous
in the way in which they seek to protect themselves from phishing?
All I can say is that when I tried to open an account in one financial
institution in Britain against another there seemed to be a certain
number of hoops and hurdles that I had to go through with one
institution but not necessarily with the other. I just get the
feeling that there is an unevenness about the security considerations,
some seem to be overly complicated and others might be unduly
simplistic. Do you impose standards on your members?
Ms Quinn: We do not have the authority to impose
standards on our members but what they all need to do is assess
their own levels of risk and the levels of risk that they are
able to accept in their relationship with their customer.
Q94 Lord O'Neill of Clackmannan:
Do you have a name and shame process within the organisation?
We know that you are very secretive as far as the general public
is concerned, but as far as your members are concerned (you
may not have the authority to impose something) you can surely
expose the inadequacies of some of the people who bring this threat
on the rest of the members.
Ms Quinn: We collect fraud figures that members
report to us and each individual member will know their level
of fraud as a percentage of the overall loss, so they will be
able to very quickly assess themselves as to whether their fraud
is a larger percentage as opposed to a lower percentage and they
will know how that has happened. The other point to make is that
with phishing attacks it is certain banks that are attacked in
the UK more than others. Obviously fraudsters are very aware of
the kind of banks that we bank with so they tend to attack the
banks that are the names in the high street.
Q95 Lord O'Neill of Clackmannan:
Or the ones that are easier to catch, the fat slow movers?
Ms Quinn: No.
Mr Whittaker: There is no evidence of that.
Q96 Lord O'Neill of Clackmannan:
Is there no evidence because you do not try to collect it or is
there just no evidence?
Mr Whittaker: There is no evidence that one
bank is any worse or any better off than any others. Sandra is
absolutely right, there has been a preponderance of certain banks
attacked but that has changed over time. We have seen the ratio
of different banks being attacked change with the decisions of
the potential people who are launching those attacks. When it
comes to the degree to which the industry co-operates in sharing,
shall we say, best practice and good practice in the way in which
they fight these things, I have been on the inside of the industry
for some time now and have been very impressed with the candour
and rigour with which they approach these areas and their willingness
to share information about how they architect their sites, how
they share information, particularly on the types of attacks,
and learning from those. It is quite profound. Some of it has
to be sensitively handled because we do not want to expose how
well we know the type of methods of attacks they are launching
with us. Sometimes those methods give us a way to be able to detect
when a potential customer is falling victim although they might
not realise it themselves.
Q97 Lord Mitchell:
I may have missed a trick on this but I have not seen any publicity
at all on phishing as such as a member of the general public.
I wonder what sorts of initiatives you are taking to make people
aware. I do not see advertisements, I do not see anything like
Ms Quinn: Perhaps I can start on that. We launched
a website in October 2004 called banksafeonline.org.uk. That was
about a year after these types of phishing attacks first started.
That was specifically to make customers aware of the types of
attacks that could happen and gave them an avenue to advise us
of the types of attacks they were suffering. We get a number of
individuals contacting us on a daily basis about the type of attack
they have, trying to verify whether they are attacks or not. We
have done a lot of work, particularly in the media, specifically
to alert people to this. One of the key responsibilities is with
individual banks to advise their customers and they have all done
that in very active ways. Specifically, if you log on to your
bank website they will all say to you, "We are aware of phishing,
this is what this type of thing is" and there will be some
very key core messages about "Your bank will never communicate
to you in this way".
Q98 Lord Mitchell:
How about the people who are less adept at using the Internet,
who are doing it for the first time and they are getting this
spam stuff through? It is all very well you giving me a website
which, frankly, I have never heard of, and I am not naïve
in these things, but it seems to me that there has not been much
of an initiative to make the population at large aware of the
Ms Quinn: What we have done is targeted those
customers who use the Internet and who bank online because those
are the people who are going to fall victim to this. Customers
who may receive an email but do not bank online are less likely
to fall prey to this type of activity. The key thing here is targeting
your customer awareness where it is going to best have an effect.
Mr Whittaker: Certainly from our perspective,
on the banksafeonline site which we manage and operate and provide
all the content for, we monitor regularly the responses we get
from consumers who are responding. The uptake and level of response
certainly shows that people are reading and visiting the site
quite regularly, it is one of the most well visited sites that
we have in our APACS portfolio of information sites. We also get
a lot of value from what the consumers report. One of the areas
they can report, for example, is when they see a phishing email
they are encouraged to report it to a web link that we have where
we handle that sort of information.
Q99 Lord O'Neill of Clackmannan:
Have the numbers increased?
Mr Whittaker: Yes, significantly.