Select Committee on Science and Technology Minutes of Evidence


Examination of Witnesses (Questions 100 - 119)

WEDNESDAY 13 DECEMBER 2006

MR COLIN WHITTAKER, MS SANDRA QUINN, MR MATTHEW PEMBLE, MS SANDRA ALZETTA AND MR ROBERT LITTAS

  Q100  Lord O'Neill of Clackmannan: Can you give us some hard figures?

  Mr Whittaker: If I remember rightly, in September we were approaching about 35,000 emails a month.

  Ms Quinn: We had a fraud initiative at the beginning of November where we specifically went out to the population to encourage people to protect their PINs, their passwords and the personal information that we all have, and at the same time we were releasing the up-to-date fraud figures to give some level of assessment so that people could understand what the risks were. We highlighted in particular the website that we have there and the other website that we have, which is the Cardwatch website, and the number of hits that got increased by 300 per cent in that month.

  Q101  Chairman: Have the banks informed people about the website?

  Mr Whittaker: Yes, they do. They do on their own web pages. It is interesting that when some of the banks notice that there are what we call phishing email lines going out for their brand they put a notice on their website which links to our website and we can see and track which people are referring to our banks' websites and we can draw direct correlations between when brands are under attack and when they put a notice on the websites and hit rates from that bank or that bank's customers.

  Q102  Earl of Erroll: Banks have set a great deal of store by their customers having to authenticate themselves properly on the website, and there is a lot of talk about bringing in further authentication. Forgetting about that, what about websites authenticating themselves to the customers and the users? Surely that would get rid of a lot of the phishing problems if people could be certain they were visiting the right website.

  Mr Whittaker: I think there are a lot of initiatives coming on shortly technically that will help in the future and we will have to examine their impact. Microsoft's recent announcement of the extended validation certificates that they are issuing to certain institutions may go a long way to helping that when IE7 and Vista are jointly launched together in the future. When it comes down to it all banks rely on using the current method of authenticating sites, which is using secure web sessions and so on, and those can provide a measure of confidence that you are at the right site.

  Q103  Earl of Erroll: Am I allowed to name banks? For instance, the one I was going to mention, Alliance & Leicester, I know uses a picture chosen by someone, so when someone goes on to their website when they log in as a user the website is effectively authenticating itself back to the user. I know that is not perfect but there are some simple techniques which seem to be being ignored by other banks.

  Ms Alzetta: I would just like to explain Visa first of all and the silence until now from both Robert and myself. We are a membership association of banks who look after online shopping, so our responses will be very much with regard to online shopping as opposed to online banking, which is not our area. It is from an online shopping perspective that we know from the consumer's perspective there are some huge benefits to be gained from online shopping. This is very much an area that we are looking at just now. We have done a lot of work in this area and we know that there are some concerns about security. There are consumer concerns about security and there are issues with security. We are doing a number of things about this now and one of them is to do with authentication. We have introduced a new system called Verified by Visa. The idea is very similar to what is happening on the high street. On the high street the banks and the retailers have now invested in Chip and PIN. I am sure everybody here has a card, you will have a chip on the card, and when you go to buy something at a retailer you will now be asked to put in your four digit PIN number. That confirms you are who you say you are, as nobody else could know your PIN number, so you are confirming your identity, you are authenticating yourself. Until now that has not been the case online, so as a consumer I do not know who the merchant is and the merchant does not know who the consumer is. By introducing Verified by Visa, we are trying to replicate online what is happening on the high street. Participating merchants in Verified by Visa will have this logo on their site. This means as a cardholder I will go through the normal checkout procedure and when I get to the final page asking me to input my card details, I will put them in and the next thing I will see will be a page from my bank who has given me my card. 
The reason I will know that page has come from my bank is because there will be something on that page which will be my personal security message which I chose, so it is obviously not a phishing page because I chose that message. My cat's name is "Moochie", for example, so it could be that. I know it has come from the bank. It will ask me to put in my password, a pass code that I have chosen. I will put it in and it will go to the issuing bank who has given me the card and they will confirm that the two match. If they match there will be a positive response back. If they do not match there will be a negative response back. That is the first step in introducing authentication online. What that does from a consumer perspective is make the consumer feel much more comfortable that it is possible to shop safely online and from a retailer's perspective it means that retailers can have much more confidence in accepting cards online.

  Q104  Earl of Erroll: Do you have a high percentage of take-up from retailers and banks on this?

  Ms Alzetta: We have been working on this for a couple of years and what we have learned from Chip and PIN is when you are talking about infrastructure it takes time. Just now we have around about 15 per cent penetration. We think this is going to be an important year for Verified by Visa, the reason being that quite recently some of the very large retailers have joined. British Airways has been a participant for some time. We have lastminute.com, John Lewis, Next, Tesco joined a couple of weeks ago, and in the forthcoming year we expect to see Ryanair and many other large retailers. In total we have got many thousands but what really matters is the big names who give the big volume. We are working with the banks and the retailers to introduce this.

  Q105  Chairman: You describe a lot of this very well in your paper and you are also advocating that the Government should take up some of these initiatives as well.

  Ms Alzetta: Yes. I think anything that encourages further security has got to be good news. The research that we carried out with our consumers told us that there is a concern amongst consumers about shopping online, the number one concern is security. There are various other things but that is still the number one concern. 30 per cent of the people we asked said security was a concern for them. The reality is that whilst it is our job collectively here to look continually at what is happening to make sure that we stay one step ahead of fraudsters, fraud is still a very small portion of what is happening in the Internet world. A lot of consumers are not shopping on-line because they still have some concerns, which is a real pity for them in that there are lots of advantages to be gained from shopping on-line.

  Q106  Lord Harris of Haringey: Is there not a problem that what happens is you are now requiring individual members of the public to acquire yet another password and yet another security code, and people are now faced with such a plethora of passwords and security codes that the natural thing to do is you write them down, or you place them on your own computer somewhere where you can find them but of course anyone who might have access to that could find them. Is there not a problem that you are creating systems—and there are a whole series of different systems being replicated—which are in fact going to make it more difficult for the public who will then take simplistic measures by perhaps using the same password for absolutely everything? Are you not increasing vulnerability rather than reducing it?

  Ms Alzetta: That is certainly not our intention and it is something that we are looking at for the reasons you have said. I think everybody here will be familiar with the fact that everything you want to do on-line will require some sort of password. The idea obviously is to add security, not to take it away. So first of all we would say to people the usual things, choose your password carefully and so on. The next step for Verified by Visa is to introduce what should be a more simple way for people to authenticate themselves and it is using Chip and PIN technology, and that was referred to earlier. The idea there will be that cardholders will use their standard Chip and PIN card, put it into a portable reader and they will put into this reader their PIN number, the PIN number that they use on the high street that they are very familiar with, so there is no need to remember separate pass codes. By putting in the PIN number, you are confirming that you are the valid cardholder. A unique one-off number will be generated and that is the number that you will then put into the on-line shopping site. So it does two things. It will increase the level of security because instead of having the same password each time, you are putting in a one-off number which once it has been used it cannot be used again. It is confirming that you are who you are because nobody else has your PIN number but also, most importantly as a consumer, all you have to remember is your PIN number which is the number you use every day on the high street. We will start seeing that rolled out by some of the UK banks in the summer of next year.

  Chairman: This is well described in your memorandum. It would be useful for us to have data about the take-up of these ideas. I think we are going to have to move on. Lord Paul?

  Q107  Lord Paul: Can you provide for us a detailed breakdown of the £23 million of fraud. What kinds of fraud are involved?

  Ms Alzetta: I think that is the APACS figure for on-line banking fraud.

  Mr Whittaker: As I was saying earlier on, those £23.5 million frauds (£25 million worth of losses) is down to on-line banking fraud, and it is wholly down to people making fraudulent transactions on people's accounts across a range and variety of sorts of accounts that the banks allow Internet access to. There is no evidence yet to believe that any of the compromise of Trojan or phishing against on-line bank accounts has led to anything in the sense of identity theft in the sense of the taking of people's identities. It has been solely down to making fraudulent transactions from the victim's account to a middle account which we call a "mule" account.

  Mr Pemble: There are essentially three main fraud methodologies involved in these sorts of figures: phishing, which is the one that has already been described, where you get sent essentially a spam e-mail which has a link in it to a fraudulent bank site which will then ask you (as your bank never will) for your full authentication details; and malicious code Trojans have already been mentioned. We know that there are a lot of computer viruses out there and there are different definitions of exactly what they are. If you have an infected machine there are a number of different payloads, key stroke loggers, things that can recognise when you are on a banking site, and all this was already mentioned. If you have stored sensitive personal details on your machine they can potentially search through your machine hard disk and see what they can find of potential interest to the fraudsters. There is also a third type, which is a lot rarer in the UK, which has the unfortunate name of "pharming" and that involves making alterations to the Internet infrastructure, particularly the domain name service system, to misdirect people who are attempting to go to their legitimate bank site.

  Q108  Lord Paul: We have been told that one bank dominates the statistics. Is this true and, if so, which bank? We have also heard that the number of accounts compromised, and hence the amount of money at risk, is soaring. Do you have figures on this? Should we conclude that things could very rapidly get much worse?

  Ms Quinn: As I was saying to my Lord Chairman at the beginning of our evidence, in fact there is no evidence to suggest that the figures that we will be publishing at the end of 2006 will be statistically in percentage terms much higher than the figures in 2005. That is not to say that we are in the least way complacent about this because fraud is still rising, but it is not rising at the level it had been rising. We do hold confidential data but we are not in a position to share that in open session. I may be prepared to share that if that would go no further through the Committee.

  Mr Pemble: The Anti-Phishing Working Group statistics show that the primary targets worldwide for phishing still are eBay and PayPal, although there has been a general move towards attacking financial institutions, presumably because the fraudsters are able to get real money out of those. The other thing that has been seen is a quite significant rise in the number of different organisations being targeted. It is difficult to be precise but we are talking about, I think, 180 different organisations in a month. That is not evidence but it indicates that when the fraudsters start attacking an organisation, that organisation will quite quickly get up to speed with dealing with it, and certainly you are seeing attacks in America, which is still dominating the statistics, against smaller and smaller banking organisations. Obviously the UK banking community is not as fragmented as the American banking community.

  Q109  Lord Howie of Troon: We have been told according to a survey that consumers feel more endangered by eCrime than by being burgled or mugged. First of all, is that true and secondly, if it is true, how are you responding to it?

  Ms Quinn: I think the key is that it depends on the question you ask. We all get concerned about where we are talking about our own personal financial details. If we do bank on-line it is something we do regularly so it is very front of mind. If you are asked about the risk you might think in terms of the number of times I use my on-line banking service and therefore it is slightly more risky as I walk around very safe streets at night and I do not anticipate being mugged. I think if you asked people what they would prefer to happen to them that would be a different answer obviously.

  Q110  Lord Howie of Troon: So you are not sure if it is true?

  Ms Quinn: I think it very much depends on the kind of questions you ask. There is a level of fear that depends on the level of usage and the level of awareness.

  Mr Whittaker: There are some very rich paradoxes out there. Sandra is absolutely right, it depends on the question you ask. If you go to the same people in one breath and ask them are they worried about security, they will quite clearly and reasonably have fears that they will wish to express. If you ask them in the following question how many people shop on-line, buy their groceries from an Internet merchant like Tesco, Sainsbury's or Asda, and have them delivered at home for ease and convenience, the same people will put their hand up and say yes. If you then ask them who banks on-line or has done a transaction on-line, they will put their hand up and say yes. It depends on what questions you ask and in what frame of reference you ask them.

  Q111  Lord Howie of Troon: That is quite true but it is true of all surveys. Some people might ask, "Do you approve of Gordon Brown?" or, "Do you approve of that dreadful Scotsman Gordon Brown", and the answer might be quite different.

  Ms Quinn: Absolutely.

  Q112  Lord Howie of Troon: Do you believe it is true?

  Ms Quinn: I think it is quite difficult from an organisational point of view to say one way or the other. The easiest way is to express it in personal terms. I do not feel as I bank on-line that this is the highest risk. I live in a very safe area and I take the normal personal security precautions that we all do. I think I would weigh up the fear of personal attack much higher than eCrime.

  Lord Howie of Troon: So you are very sceptical about this conclusion and therefore you do not respond to it at all really? I do not blame you, by the way. Can I go on a bit? I am told that there is a system called universal two-factor authentication. I think Lord Erroll mentioned it earlier on.

  Chairman: Visa were just talking about the same thing.

  Q113  Lord Howie of Troon: I must have missed that, Chairman. For the record, will you tell us what it is and, secondly, if this is a good thing, why has the industry in general not adopted it?

  Mr Littas: We are adopting it. That is what Sandra explained a few minutes ago. "Two-factor" means something you have and something you know so you have a card and you know your PIN number. As Sandra explained, you put that PIN number in and get a unique, dynamic number used only once, which you put in the Internet transaction. Why has it not happened before? It is only fairly recent and the UK was one of the first countries in Europe to implement this technology because it is based on chip technology, so that is a condition for using this particular application.

  Ms Alzetta: Just to add to that, we have just implemented Chip and PIN. The whole idea of using the dual-factor authentication is that we are using common specifications that have been developed, so that I can use my Visa card or indeed my card from another payment scheme and the reader will work for all the cards. That is really important because what that means is the clever bit sits in the chip on the card. The reader is just a device which anyone can use. If I forget it and I do not have it with me I can borrow yours or anyone else's. What it means is that it is much more convenient because we now have common specifications which are industry-wide specifications. We are not trying to compete in this area. It is an area of mutual interest to everyone.

  Q114  Lord Howie of Troon: I think that was probably a very helpful answer as far as I am concerned. So I can take it that it is a good thing and that you are introducing it?

  Mr Littas: Absolutely.

  Lord Howie of Troon: Thank you, Chairman.

  Q115  Chairman: That question was answered really by Visa. What are the banks doing? Are the banks going to provide the same sort of service?

  Mr Whittaker: We developed, based on the MasterCard and Visa specs, a technical specification to allow the level of inter-operability that Sandra was describing to be achieved. We are discussing with our members who and which banks might wish to be adopting it and in what sort of timeframe. In the end it is for individual banks to make their own risk management decisions about what technology they employ. Some banks which may not be suffering very many losses at all might find the cost of the machines and the readers and that sort of solution as prohibitively expensive, bearing in mind the level of losses that they and their customers are suffering. It is an on-going debate at the moment within the industry. You have seen some press announcements from an institution in the UK saying they will be introducing them starting from next year and it will be interesting to see how many follow suit. As Sandra described, we do not regulate the industry and we cannot prescribe the solution. It is up to individual institutions to make their own risk management type decisions about what technologies they deploy to their customers and to decide what level of usability and cost-benefit they are going to get from a certain technology. We had the discussion earlier on about the technology that Alliance & Leicester have deployed. That was their response to their cost-benefit investment decisions for their requirements for their customers. Over time individual institutions will make their own decisions and those decisions will evolve as and when the cost-benefit case changes over time.

  Ms Quinn: What is clear is that there is a great commitment within the industry to stronger authentication and different banks may adopt different approaches. What we want to make sure is that that operates for the convenience of customers and for the usability of customers because what you are going to be doing if you are giving devices out to individuals is asking people to have something else in addition to what they have got with them. When we introduced chip and PIN we were substituting a signature for a PIN so we were actually saying you do not need to do that any more, you need to do something else. What we are doing here is an additional layer of protection, and you will have a device, as Visa have demonstrated, and we need to make sure that customers will be able to use that and find it easy and accessible.

  Q116  Chairman: APACS is a bank organisation; is that correct? So you represent the banks, you do not represent the customers. Is that why you are not prepared to tell us which are the bad banks and which are the good banks?

  Mr Whittaker: I do not think there are any bad or good banks in this case.

  Q117  Lord O'Neill of Clackmannan: Why do you not provide the information then? Why do you not make it public? You say it is commercial in confidence. Is there a legal obligation on you to stop you doing that or is it just that the people who own your organisation refuse to have the information made available?

  Ms Quinn: We collate management information and statistics on fraud and have done for a long time for members and we do that and publish it on an industry basis.

  Q118  Lord O'Neill of Clackmannan: That is not what I mean. If I am a customer and I am worried about going to one bank or another for on-line services, surely I am entitled to know which of them is the safest or safer than the other one in my high street?

  Ms Quinn: The general point I would make is, exactly as Colin has said, there are no safe or unsafe banks.

  Q119  Lord O'Neill of Clackmannan: But you would not tell us, that is what you are saying, you refuse to make public this information?

  Mr Whittaker: We would therefore be forced to make a value judgment.

© Parliamentary copyright 2007