News Old

A recent report by Citizens Advice said that around 4 million people in the UK fall victim to scams every year. These are usually targeted at the most vulnerable people in society, and can therefore be extremely upsetting and harmful.

Cross-generational issue

Unfortunately, it’s not just “the usual suspects” who fall for online and telephone scams, and neither are the type of people who carry them out. The point of a scam is that it seems plausible, which is why so many people fall for them; this includes younger, IT literate generations who can’t imagine themselves being duped.

The rise of online dating is an example of the ways in which online scammers can catch out the unsuspecting victim. Individual loneliness in the modern world leads people of all adult generations and sexes to look online for company; by definition, these people are vulnerable, at least from a scammer’s point of view.

The point is that anyone using online dating services is unlikely to be thinking about being stolen from; their minds are, literally, on other things. The promise of a future life with a new love has led thousands of men and women every year to give away their life savings.

Suspicion is a virtue

Another common online scam is for someone to receive a call, email or other means of contact (via Facebook, for instance), which is unexpected and brings good news. Long lost relatives that people didn’t know they had, for instance, can sometimes prompt otherwise cautious people into acting irrationally. The popularity of ancestry websites and TV programmes continues to stir up this longing for connections, which is viewed by fraudsters as a way into a complete stranger’s personal life.

A good rule of thumb when avoiding online scams is: if something seems too good to be true, it is. From this starting point, it is easier to spot give-away signs which the scammer will always exhibit. As soon as they ask for confirmation of anything, for instance, this means they don’t know; if not, why not? Never confirm any details over the phone; not even postal address.

Practical checks

Senders’ email addresses, meanwhile, are very easy to check out. The easiest way is to hover over the sender’s name. Whatever name has been entered, the computer will display the actual email address; any discrepancy between the two will be obvious. Common tricks by scammers are to replace details of familiar contacts with others; for instance, replacing “m” with “rn”, or “l” with “1”.

Similarly, any contact from a website can be verified quickly and easily. Google is a good way to start; enter the website’s details and see what results come back. Any legitimate site will have at least some previous hits and reviews. It’s also best to click on the URL itself, and see how easily and securely a connection is made. Bad English and too much advertising are also giveaways.

Stay alert

By staying alert, any online scam should be easy to spot. At the end of the day, a scam is the product of human beings, who have weaknesses. While the scammer may be trying to use yours, by the same token you can look out for theirs.

Banks and other financial institutions (FIs) are rightly concerned about fraud. Becoming a victim of fraud is bad news for individuals, but trusted organisations like banks suffer in a number of ways. As well as suffering direct financial losses, they are liable to fines and legal action. Plus, there is the biggest hit of all; reputational damage.

New account vulnerability

While FIs must be vigilant at all times, it is the setting up of new accounts which presents the greatest time of danger. A recent worldwide report showed that 57% of fraud hits businesses more at the time of account opening or takeover than at any other time. These figures are from those who have reported being victims of fraud, and so are particularly relevant.

This statistic points to the fact that generating a new account, or changing its owners, are times of maximum vulnerability to fraud. This being the case, verifying the identity of any new account’s owners is fast becoming a necessity for financial organisations; anyone who can provide foolproof ways of doing this will be very popular indeed.

Financial regulators’ concern

In many countries, financial regulators are aware of the problem of new account fraud, and have taken steps to try to counter it. For example, in the UK, the Financial Conduct Authority (FCA) has brought in a law whereby any FI setting up a new account for a customer must ensure they produce two separate documents; one proving identification and another a valid address.

In wider terms, fraud regulators have identified an impressive 15 “red flag” factors, any of which should be a warning to a FI when approving a new account holder. In an age of hackers and identity theft, the number 15 is perhaps not surprising, although a reminder of how many ways fraudsters have devised to gain access to other people’s money.

Ways of identifying fraudsters

Many FIs, or the companies they hire to carry out ID verification for them, are now insisting on multiple levels of checks. Any individual should have some form of documentation issued by a state institution, be it a passport, driving licence or some other form of official ID. On top of this, verifiers are asking for the applicant to provide a recent selfie, to compare with the photo on the ID card.

Verification of address is the other main way to spot fraudsters. Firstly, an address can be checked for its actual existence; then, whether the applicant actually lives there, or has done recently. Even mis-matched addresses can point to a potential fraud; someone has tried to copy out an address, but (because they’re not familiar with it), makes a typo or inserts a town where a street should be.

Small mistakes like these are one of the 15 red flags which verifiers look out for; any one of them can be a sign that a new account holder is not who they say they are. Spotting fraudsters early can save institutions and individuals a whole lot of time, trouble and money.

Online identity verification is a hot subject for an increasing number of businesses, as the web becomes ever more important in people’s everyday lives. Also, for any business, the opening of an account is its most vulnerable time in terms of exposure to fraudsters. While there are already many types of identity verification accepted by businesses, the humble selfie is now adding a new level of safety.

The importance of biometrics

It is already accepted that useful ID verification should rely on two out of three of the following; something the applicant knows, something they have, and something they are. The first level is the oldest; knowledge of a password, date of birth, first job, etc. is a long-established means of verification. The second, in today’s world, means a smartphone; something a person has which can help with checking their identity.

The third – something you are – is becoming ever more important in the online world. Biometric identification is thought of as access by thumbprint, or retinal scan. In fact, the oldest form of biometric ID is the photograph. Unfortunately, photos can be faked, which is where the selfie comes in.

Extra level of security

Applicants for new accounts can scan in their official documents, some of which will include a photograph. In fact, all this proves is that the person who sent the application has a copy of the document. What a business really needs to check is that the person doing the applying or registration is the same person as the one on the ID card.

Taking a selfie is a quick, reliable way to check this. Also, as the ID form will already be in the hands of the verifier, completion by taking a selfie can be carried out very quickly. The days of standing in a queue with a passport, proof of address and other verification are, thankfully, over. Natwest, one of the UK’s main banks, took up selfie ID verification in 2019, and is very likely to be followed by other major institutions.

Selfies’ fit with risk management

Risk is at the heart of ID verification, in the online environment more than anywhere else. For web-based businesses, this means risk of losing custom as much as allowing in fraudsters. The fact is that many of today’s potential customers don’t want to waste time verifying their identity if they can help it; a business which offers a quick, intuitive way of doing so will convert more customers than one that doesn’t.

In many ways, the selfie is the perfect form of ID authentication; it is instant, and very human on a number of levels. There is no way, for instance, that someone under duress from a third party would be able to manage a cheerful smile for a real-time selfie.

Some companies are taking this a step further and asking for short videos from applicants; just a quick clip to say hello, I’m [whoever] and I’d like to open an account. Recording such a clip is very easy, and also an intuitive way for the verifier to be sure the applicant is who they say they are.

In many ways, there is no theft more frightening than identity theft. This modern day version of stealing can affect a person’s life more profoundly than old fashioned theft, like having your car stolen. At the end of the day, you can always get another car, or even use public transport; but how can you get your identity back?

Online problem

Of course, the identity in question is the online version; those personal details we all give up to private companies and other agencies, in order to buy goods and services, or, indeed, verify our identity. The thing is, without facial recognition or some other “fool proof” way of checking, anyone who enters the right letters and numbers into an account passes for “you”.

With the right details, the thief can then commit identity fraud; that is, obtaining access to lines of credit or other goods and services by pretending to be another person. Identity fraud allows the fraudster to open bank accounts, receive state benefits, credit cards, loans, goods, mobile phone contracts and documents such as a driving licence or passport, all under a false identity.

For victims of identity theft, the only sign something is wrong is when they notice something unexpected, such as going to the ATM and not being able to withdraw cash. By the time this happens, the thief could potentially have committed a whole range of other frauds; this is a terrifying situation for any victim to find themselves in.

Common vulnerability

The term “hacking” is often used when thinking about ways in which identity is stolen; this conjures up images of some IT genius in a darkened room trawling the internet for unwary citizens’ personal details. In fact, your identity can be “hacked” while you’re sitting in a restaurant, paying for your meal.

Many retail outlets, bars, and other spending environments now provide a free Wi-Fi service. As soon as this is logged into, personal details are vulnerable to anyone who knows how to look, and who is also using the same Wi-Fi. As this could be anyone within range, this could be literally hundreds of people.

For this reason, it’s important to keep all personal details private. Online banking, for example, should never be done over a non-secure Wi-Fi service; as this will require at least a password, and possibly some memorable information, anyone hacking into your account might as well be looking over your shoulder while you type in the details.

Offline solutions

Not all identity theft is carried out online, however. A much more old-fashioned method is for thieves to go through your bins. As people receive “junk” mail all the time, they tend to throw it straight out; this may be a big mistake. Mail with an offer of a pre-approved credit card, for example, will give the potential thief some useful information with which to get started.

The best way of avoiding the horrors of identity theft is to stay alert. In today’s connected world, the fact is that someone is always looking over your shoulder, even if they’re not there physically. Most of those doing the looking will be harmless, but it only takes one who isn’t to ruin your life by stealing your identity.

For some years now, financial commentators have expressed their opinions about the fall of cash circulating in British society. Some of these commentators see this is as inevitable and natural, while others sound a word of caution.

While a cashless world may have its advantages, these necessarily depend on having the means to live without cash. With the coronavirus crisis adding to the downward pressure on ATM use and cash spending in general, these issues are thrown into sharper focus.

Is going cashless inevitable?

According to a recent report, cash was used for 6 in 10 transactions before the financial crisis of 2008. Projections from financial institutions say that this figure is likely to drop to as low as 1 in 10 by the early 2030s.

Certainly, the reasons cash is becoming used less are likely to remain valid. Many people don’t like carrying cash because they think it makes them vulnerable to crime; either that, they forget to take it with them, or they can’t be bothered with / can’t find a nearby ATM.

Meanwhile, the ways of making cashless purchases continue to proliferate. Contactless cards mean people don’t have to remember their PIN; cash is no longer accepted in some shops; you can now pay with your phone, or wearable device; and more of the country is getting broadband and wifi. Then, of course, there is the unstoppable rise of online shopping.

Who needs cash?

Unfortunately, not everyone in the UK is able to take advantage of these cashless modes of payment; not by a long way. The Financial Conduct Authority reports that 1.3 million British citizens don’t have a bank account; plus, 4.1 million adults are in severe financial difficulty. Both of these statistics are a stark reminder that the digital world does not yet work for everyone, even in the world’s 6th-richest economy.

There are other important obstacles to going cashless; one of them is geography. People living in rural areas are much less likely to have access to broadband, or even a mobile signal. As many of these people are elderly and isolated, not having access to cash or somewhere to spend it can mean a fundamental lack of basic needs.

What happens next?

While the overall pressure on cash use has been consistently downward, there are factors which promote its use and value in the public eye. Repeated system failures are one of these; another is understandable fear of online fraud and identity theft.

Persistently low interest rates (which the UK has seen for more than a decade) also promote cash use, because people don’t see the point of saving; they’d rather spend their money on something they like.

Finally, one sure way of making cash more popular is in a severe financial crisis; people like to feel actual money in their hands. With the UK set to follow the world into another long-term recession, the demand for cash may see an upturn.

For all of these reasons, the onset of the UK’s cashless society is probably further away than many commentators thought.

Identity is a very valuable commodity today; possibly more so now than ever before. That’s because an interconnected world has led to a boom in fraud, committed by people who pretend to be someone or something they are not. Although proving your own identity may be time consuming and take some effort, there are some reasons why verifying who you are is essential; these are the top five:

1. Passport

The most obvious, and for many citizens the most important document an individual will ever own. The fact that it takes a lot of effort to obtain a passport makes it a valuable form of identification in itself; this is true whether or not the holder is trying to travel to another country. One of the passport’s stand out means of verification is the counter signatory; this is written testimony that the applicant is who they say they are.

The counter signatory themselves must have a certain standing; Members of Parliament, Justices of the Peace, and Ministers of Religion, for instance. Having someone of importance to vouch for you is possibly the most important part of a passport application, and therefore still stands for something, even in the digital world.

2. Bank Account

Before allowing an individual to become a customer with them, a bank or other financial institution must verify that person’s identity. Failure to do so leaves the bank open to fraud; a person may have a history of financial crime, and be using a false identity to avoid detection. As well as the possibility that such a customer might defraud the bank, it is also liable to very large fines incurred for lack of due diligence.

3. Paying Tax

Verification of identity is essential when registering with tax authorities; this is particularly true when doing so online. Although Her Majesty’s Revenue and Customs, along with other national tax authorities, offer online tax return submissions, this internet-based service means they are themselves vulnerable to identity theft. If the tax authority is misled, this could mean it does not receive the right amount of tax, or sends out demand to innocent third parties, which could end in their prosecution.

4. Credit

Credit history is a very important part of a person’s identity. When applying for a credit card or mortgage, the provider will firstly refer to a recognised credit ratings organisation; the lower a person’s score, the less choice they have in terms of being offered credit. Much like a bank, however, if the credit history belongs to someone else, any potential lender leaves themselves open to fraud; therefore, identity verification is crucial when obtaining credit.

5. State benefits

Most countries in the developed world have some kind of welfare system, whereby citizens in certain circumstances are entitled to financial help. In order to qualify for any such benefit, however, it is essential to verify your identity. This will entail National Insurance Number, plus a number of other particulars; some of these will determine what type or level of benefit is applicable, others how it is paid out. Identity verification in these situations is, therefore, absolutely crucial.

Crime thrives in a time of crisis; one of the few things Al Capone would have testified to. The coronavirus pandemic gripping the world is in many ways a perfect opportunity for fraudsters and online thieves to make new inroads and bigger profits. This current crisis comes on top of the prevailing, long term fraud problems which blight online business and communications.

Worst possible timing

Just prior to the international spread of the virus, online fraud was causing the authorities to worry; in 2019, the FBI detected a 31% rise in phishing fraud, resulting in a $1.7 billion loss to the US economy. This kind of vulnerability was evident when conditions were normal, and online users going about their daily lives and business. Not surprisingly, relevant agencies are deeply concerned that this rise could be the start of something much worse.

The arms race between online fraudsters and methods to stop them is always a fast-moving affair. At the moment, conditions favour the fraudsters, because their prey is vulnerable. Tens of millions of “office workers” have been cut off from that office, and are expected to carry on from home. Not only are they trying to do their day jobs, they might have children to teach at the same time.

Adaptability urgently needed

In the current environment, the online security industry needs to step up, and quickly. The double challenges of fraud protection and good customer experience are heightened at the moment, and the verification process needs to reflect this.

Perhaps counterintuitively, it may be that initial checks are loosened for new customers; many people are finding themselves using new technology, or facing a bewildering series of hurdles when trying to access services for the first time. The risk of abandonment, therefore, is very high at the moment; the onboarding process may consequently have to be made easier rather than harder.

Of course, this exposes businesses to more risk. In this case, the ability to carry out enhanced checks on some customers also needs to improve, in terms of speed and accuracy. The risk of potential loss from fraud or abandonment is always a delicate balance; the pandemic is bringing this equation into even sharper focus.

Lessons to be learned

Like the effects of the virus itself, the effects of the pandemic on fraud activity will no doubt take many months – if not years – to become fully evident. Unfortunately, online businesses and the security professionals they employ do not have the luxury of waiting to see the results of their efforts to counter fraud; the time to act is right now.

It is likely that new verification systems will be flexible, simple and intuitive for the user, while at the same time improving their performance behind the scenes. Back end processes will be developed (probably using AI) to quickly interrogate the right databases in the right way, so that checks are robust and fit for purpose.

Necessity, as the saying goes, is the mother of invention; the coronavirus crisis necessitates some quick thinking which will, hopefully, carry benefits for online verification into the future.

As well as the right to withdraw consent at any time regarding how our data is held and what is done with it, the Data Protection Act 2018 gives us quite considerable power over internet companies and other organisations which use the web as a portal.

Subject access requests

It has been possible to request exactly what data an organisation holds about you since the Data Protection Act of 1998; this is done by submitting a subject access request (SAR). In this case, you as the user are the subject, and are requesting access to your own information. The main improvements of the 2018 Act were to speed up the process and make it free of charge in most cases.

By law, a company has to respond to a legitimate SAR within a month of receiving it. If your request is deemed excessive or unfounded, the holder of your data may refuse, delay or charge for this process; if so, they have to inform you of their decision within the same time period.

Legitimate reasons for using data

Once a SAR is answered, the subject (you) will be able to see if your data is being used for legitimate reasons. Under the terms of the Act, there are six of these; most of these are common sense (such as consent, which has been given in all cases), and all are there to protect you as a user.

Importantly, the organisation receiving the SAR must disclose all aspects of the data they hold, and reply in plain language, rather than disguise it in legal terminology. From this starting point, it should be easy to determine whether the business or other organisation is holding and using your data for legitimate reasons.

Erasing or correcting your data

One of the most powerful rights enshrined in the Act is the right to demand your data be erased; this is also known as the right to be forgotten. Legitimate reasons for having your data erased are that you don’t require a service any longer, you object to your data being used for marketing, or you haven’t given consent.

Also, if a company has data which is inaccurate, you can inform them and demand that they amend it. This is often in the interests of the business, so is likely to be carried out without delay. Again, the organisation has one month to comply, or reply with their reasons for not doing so.

Fines and compensation

Complying with GDPR is within service providers interests for many reasons; not the least of which are the fines which they can incur for breaking the law. The maximum is set at 20 million euros, or 4% of global annual income, whichever is the higher.

Also, you as the subject have a number of routes by which to claim compensation; job holders employed in the use of data can be sued separately, and for a wide range of reasons. This is another way GDPR encourages compliance by the holder of data.

Check out the 2018 Data Protection Act now; it really is more than a source of inconvenient popups.

Data protection is a subject many people think has nothing to do with them; if so, they are wrong. Specifically, anyone who uses the internet should be aware of what data protection is, and why it is important. Unfortunately, the speed of online transactions, the number of clicks we all make to get where we want, means that most web users see data protection as a bit of a pain.

Data protection and other interruptions

When logging into an online service, or even just browsing something like a news site, we are bombarded with interruptions. Boxes pop up, literally to block the view of the desired site; this is so we have to do something to get rid of them. In most cases, we click whatever is highlighted, or even press the enter key, and away the interruption goes.

Many of these boxes are related to advertising, especially on certain types of website. However, since 2018, some of these interruptions are to do with data protection; they are asking how we want data about ourselves to be used. The issue is one of consent, as much of a pain this may be for the average internet user.

What is GDPR legislation?

Wording of the questions which appear in these pop up boxes differs; often today, by clicking the X in the corner, the text says we agree to certain terms and conditions. Quite often, the first conditions we agree to relate to data protection.

The Data Protection Act came into law in the UK in 2018. This codified what is generally referred to as GDPR; that is to say, General Data Protection Rules. Data protection had always been in place, but the 2018 enshrined EU-wide GDPR legislation on the UK’s statute books.

Before the Act, it was possible to find out what companies knew about us; but gaining access to this data required time, effort and money. Since 2018, companies have to give out this information free of charge in most cases, and have to do so within a month, rather than the previous 40 days.

Should I worry?

So, when we click the X, agree to emails or cookies, we are often saying that we’re ok with the online business gathering and holding our personal details. The fact is that, if we didn’t, we wouldn’t be able to access most of the sites we visit. That does not mean that personal data is harmful, or that it can be used for anything we don’t want it to be.

In fact, GDPR law is there to protect the consumer; while having to give consent might be slightly inconvenient, it’s actually a good thing. This is because consent can be withdrawn at any point, without incurring penalties, be they financial or otherwise. We should think of clicking our consent as a temporary measure, rather than one which ties us to lifetime agreements.

What are my rights?

As well as being revocable, GDPR legislation is empowering for the individual, as both customer and citizen. In the next article, we’ll see exactly what rights we have under GDPR and the 2018 Act.

For many decades now, accessing a private online environment has meant entering a recognised user name, corroborated by a valid password. The combination of these two items of knowledge keeps at least the opportunist snoop or fraudster out of a website or user account. Unfortunately, repeated breaches of this security continue to expose the weakness of the username + password verification method.

Doubly unfortunately, this exposure has come at the expense of the private information of millions of people, whose personal details have been available for the world to see. In one case, the head of a healthcare provider allowed their username and password to be witnessed while logging on to its “secure” system.

Vulnerable environment

Gaining access to online services requires security; this seemingly obvious fact emanates from the nature of remote system use. Basically, any user logging onto an online portal is using a computer they cannot physically see or touch.

In business terms, this is the “customer-not-present” environment; identity validation cannot be carried out by one human being looking at and talking to another. While this is very convenient in many ways (and, indeed, drives the entire web-based universe), in others, not being present is the internet’s biggest weakness.

Hackers of various hat colours use automated methods to generate both usernames and passwords; however, as the healthcare chief’s case shows, this isn’t always necessary. Human mistakes or oversights mean that the tried and trusted combination of username + password is only as secure as the person using it.

Adding layers of verification

Knowledge based access methods (which username/password is) have been gradually losing their importance over recent years. Partly this is because usernames and passwords are hard to remember; people tend to write them down, or use words easily associated with themselves.

Two extra layers of verification have come to enhance / replace this knowledge based approach; devices and personal attributes. Rather than just a keyboard, smartphones, tablets and wearables now have many other ways to interact with their user; this allows them to take selfies, or maybe even scan eyeballs and thumbprints.

In combination with private knowledge (what you know), what you have and what you are can now be used to verify your identity. A combination of all three is certainly much more secure than the username-password method.

Security and seamless user experience

Taking the time to remember and correctly enter usernames and passwords is a clunky, tedious experience for many modern online customers. The rise of technological and biometric layers to remote verification has added advantages for these users; by extracting valuable biometric details, for example, serious security checks can be started as quickly as possible.

For low-risk customers, access can be very quick indeed. However, an advantage of the newest checking methods means that even higher-risk users can be verified without them feeling like they’ve been pulled out of the queue and taken to one side.

This seamless customer experience is as vital as the need for ever-more effective security measures; the demise of username + password may well, then, be a good thing all round.