How secure are your cards?

The NCC found that while 26% of the British population have access to the internet, only three per cent regularly shop online. And familiarity breeds contempt. Those who best know the internet are least likely to trust its security. With good reason.

The worst aspect of Barclays’ problem is that the bank initially ignored a customer pointing it out to them. But it is not only Barclays that has had serious difficulties.

Egg has admitted that a software glitch at least theoretically allowed customers to access others’ bank accounts. IF, the online subsidiary of Halifax, had to delay its launch because of systems difficulties. Halifax itself had to close down its online share dealing service for a while.

And even the Inland Revenue’s online software has short-circuited, threatening to overcharge by thousands of pounds those brave customers who file their tax returns online.

Which drives us in the direction of another organisation that can claim good timing, the Foundation for Information Policy Research. Reviewing the (often uncapped) liability arrangements for online transactions, the FIPR claims: ‘Banks are now trying to change the rules so that with electronic transactions it will be the customer’s bad luck if a payment from his account gets forged.’

Examining the contract terms with a variety of online banks, the FIPR found that with Smile, it is the customer’s responsibility to notify the bank of a security problem, although there is no reason why the customer should be aware of it. With the Bank of Scotland, anyone who uses the proper security codes will be regarded as operating on behalf of the customer, however they obtained those codes. The Halifax makes customers liable for fraudulent transactions until it has been notified of a problem.

And Egg makes it even clearer, ‘Until you tell us, you will be responsible for any instruction in writing or by telephone or internet which we receive and act on, even if it was not given by you.’

But the reality of the threat to internet security is greatest through the use of credit and debit cards. Last year the level of fraud through ‘card not present transactions’ – internet and phone – rose in the UK by 117%, to £29.5m, out of a total credit card fraud bill of £189.4m.

However, the extent of fraud represents something like 0.14% of card transaction values, so it is hardly going to bring capitalism down.

Card fraud is predicted to rise dramatically next year with a new trade of counterfeit card production being developed. The level of fraud is already much higher in the US, where it is alleged that the downloading of credit card details from online databases costs half a billion dollars annually.

What this points to is that those who resolutely reject the internet for transactions are a long way from being immune from internet credit card fraud. Organisations who hold your credit or debit card details on record and waiters who temporarily have access to your card receipt can buy any number of goods on your behalf, goods which, alas, you never see.

So it is to be welcomed that card security issues, both online and in the real world, are being addressed. In another three years, credit and debit card transactions will be authorised by four-figure PIN numbers, rather than signatures. Apparently this is a much safer system, providing you can remember the number and don’t have to write it down. One is tempted to say three cheers, if rather belated ones, for the card issuers, except that they are doing it under pressure from the government.

Visa, the leading card issuer, is set to announce technical changes to its products – involving the more widespread use of computer chips in cards – that should reduce the number of fraudulent transactions.

But why has all this taken so long? The answer, say cynics and the US government, is revealed at an anti-trust trial taking place in New York. It may not be making the same headlines as the action against Microsoft, but the suit against Visa and Mastercard is also pretty significant.

The two card issuers were allegedly acting in an anti-competitive way by failing to proceed earlier with smart cards. Mastercard refused to install them without Visa also doing so, because of the cost. And the two companies together hired a consultant to evaluate the viability of the smart card market. Visa and Mastercard have retaliated by pointing to American Express’s role in lobbying the US Justice Department for action, which could lead to a breakthrough in the market for AmEx. So much for free trade.

Perhaps the risk of transaction fraud is simply one we need to accept, recognising that the laws of probability are on our side. But it would be reassuring if the banks and their associate companies, the card issuers, seemed to be taking things more seriously.

  • Paul Gosling writes for The Guardian and is the author of Changing Money


‘The security of online banking systems from a customer perspective is not very satisfactory. Although there is no doubt that the vast majority of customers will not experience problems, for the small number that find themselves victims of security failures in banking computer systems the consequences can easily be very serious.’

‘Customers who are thinking of moving to online banking should seek a bank that offers better security than that provided by PINs and passwords alone, and one that has allowed independent experts to audit and publish the results of security reviews of the computer systems it uses to provide online services. They may be in for a long search; in the meanwhile, they might do well to place limits on the amounts which can be transferred from their accounts on the basis of electronic instructions.’
Foundation for Information Policy Research: ‘Electronic Commerce: Who Carries the Risk of Fraud’.
