Identity fraud levels in
the UK remained stable in 2010 compared with the previous year, but
it is striking that this type of fraud now accounts for almost
one-half of all frauds recorded. Andy Thomas, managing director of
identity theft prevention specialists, Garlik, argues that banks
need to do more.
In the past, the
trust relationship between a customer and their bank was
straightforward – I will keep my banking details secret and you
(the bank) will reimburse me if I suffer any loss. If I share my
PIN numbers or bank log-ons with anyone then you might hold me
liable for any subsequent losses.
This relationship is now at
significant risk. Customers are being encouraged to share more and
more about themselves online with every service they use, including
social networking sites and online stores.
This means that the security
of their identity and vital personal information, including banking
log-ons, has in effect been handed over to numerous third parties.
A customer’s personal data is now only as secure as that of the
least secure person or service they have shared personal
A simple illustration of this
is a coffee shop loyalty card. When you sign up online you are
asked to provide your name, address, phone, date of birth among
other details – information that most of the human race will
happily share for a free coffee.
Once registered, as happened
to me, you receive a plain text e-mail containing both your
username and the password you had set up for the
Immediately, my personal data
security is put at risk. Someone could easily be ‘watching’ or just
have access to my email and use the login credentials I have been
sent to find out a lot more about me.
So, the basic information
needed to commit identity fraud, account takeover, etc, is widely
available because we are all encouraged to spread it around daily
basic trust relationship between customer and bank is weakened,
even invalid, because whilst the consumer might keep their PIN
secret, they have given 20 different organisations all the vital
information needed to try and commit fraud against them.
This problem is complicated
even further by the fact that most customers use the same e-mail
addresses and password for most of the online services they use.
This is a serious risk for customers and banks, but the genie is
out of the bottle and there is no way to put it back – we cannot
change overnight the way information is secured and shared on the
The only viable thing that
can be done is to step up our efforts to educate consumers about
protecting their identity.
Banks have long realised that
helping customers improve their security is mutually beneficial,
reinforces the trust relationship, and protects them against fraud,
as well as the consumer.
For many years all banks have
done this through free antivirus software, secure browsers, even
the more recent addition of two-factor authentication.
But the situation has
changed: the information that needs to be secured is everywhere and
not under the control of either party – the risks are much larger.
Using antivirus to protect against malware offers some protection,
but in today’s environment is like being given paracetamol for a
fractured leg – it offers some pain relief, but won’t fix the
For banks there
has to be a change of message and action, a move beyond “do not
disclose your PIN to anyone” to “tell us if you think anyone might
have got their hands on your vital personal data”.
To support this request banks
have an obligation to give customers the tools to help them detect
this disclosure and stay safe.
The onus is then on the
customer to act if they become aware that such a loss has happened
and to guard their vital data as they would their PIN.
Banks also need to do much more to help their customers
look after their personal information in the real world.