STAY SAFE FROM DIGITAL DANGER Is it REALLY safe to do banking YOUR online?
From creating unbreakable passwords to identifying fraudulent emails ...
THE rise of online banking means it’s never been quicker to check your balance or pay bills. But all this convenience comes with some big risks.
For example, what if an IT meltdown freezes you out of your account?
Or what if a cyber-criminal hacks into your account and raids your savings?
Those of a younger generation tend to take a gung-ho attitude to these risks.
But many of those who did not grow up with computers remain reluctant to join the online banking revolution.
Perhaps that’s no surprise when you consider that online, telephone and card banking fraud cost victims nearly £1billion last year, according to figures from trade body UK Finance.
Over the past few years, Money Mail has detailed numerous cases of customers being duped out of hundreds of thousands of pounds. If they hadn’t used internet banking, this wouldn’t have been possible.
So how safe is it to use your home computer or smartphone to manage your money?
Banks take security extremely seriously and invest millions in trying to keep you safe.
Normally, they will ask you to key in several different passwords containing both letters and numbers when you log into your account online.
They may also ask you to recall memorable information that you’ve previously supplied.
But security experts warn that passwords alone are not enough to protect your cash because they can be stolen or guessed.
It’s particularly risky if you use the same log-in details for several websites; if one gets hacked, fraudsters might be able to obtain enough security details to raid your account.
Earlier this year, the Mail revealed that personal financial information is being bought and sold daily on hacking websites.
The answers to common security questions, such as your mother’s maiden name, can also be gleaned from social media or even ancestry websites. Some banks, such as First Direct and HSBC, have added a second layer of security to help.
This second layer usually takes the form of a code which is generated either on your mobile phone or a small digital device or a card-reader that is given to you by your bank.
HSBC’s device looks a bit like a small calculator. Every time you log into your account online, you need to generate a code on this device and type it into the website. In theory, this should make it very difficult for a cyber crook to hack in and steal your savings.
Barclays and Nationwide offer a small, pocket-sized card-reader. To make a payment, you insert your debit card into the gadget to generate a code. This can then be entered online to approve the transaction.
This extra layer of security is known in the jargon as ‘twofactor authentication’ — and it’s extremely important. Experts say this type of two-step process is the bare minimum level of security banks should be using to verify who is really logging in.
Two- step authentication cuts the risk of fraud by around 80 pc, according to Cliff Moyce, global head of finance practice at technology consultancy DataArt.
The first step is normally defined as something you know, such as your password or other key facts about yourself. The second step is something you have in your possession, such as a gadget that generates a code.
Many banks are using, or developing, so-called biometrics technology to take this second step of security to an even higher level. Biometrics mean something unique to your own body that can be scanned, such as your fingerprint, face or your iris.
But, incredibly, not all banks have this crucial second stage of identity checking when you log in. Last year, consumer group Which? named and shamed five High Street banks that do not require two-factor authentication when customers sign in — despite having the technology to do so.
Lloyds Banking Group, which includes Halifax, Lloyds and Bank of Scotland; Santander; TSB; NatWest and the Co- Operative Bank, have still not brought in two-factor authentication when customers log in.
In fact, they use the extra security checks only if customers try to pay someone they have never sent money to before.
Yet, as Which? has warned, if fraudsters managed to get hold of a customer’s passwords and make it past the first stage of security, they could find details of recent transactions and a goldmine of personal information they can use to carry out scams.
Money Mail has heard from scores of people who have lost their savings to sophisticated ploys like this. Criminals, typically posing as bank staff, cold- call their victims claiming they have spotted suspicious activity on the person’s account.
The crooks explain that to verify the customer’s identity or freeze outgoing payments a code will be sent to their mobile. The bank customer is then encouraged to read this out over the phone.
Once in possession of the code, the fraudster is able to log in and make payments to siphon money out of their account. When thousands of TSB customers were locked out of their accounts in the bank’s IT meltdown earlier this year, opportunistic thieves used this type of ruse to scam victims.
Posing as bank staff, they claimed customers needed to hand over codes as part of the security procedure or to get money back for trouble caused.
MrMOYCE warns there are even weaknesses in mobile phone networks that allow hackers to intercept messages sent to your phone.
He says: ‘Criminals can get into your online account using information gained from another type of data breach, and then intercept messages to your phone and carry out transactions as though they were you.’
Banks including First Direct, Metro and NatWest have introduced thumbprint or face scans when customers log in via their smartphone apps. But Mr Moyes says even this technology is not completely failsafe.
Lloyds Banking Group, NatWest, Santander, TSB and Co-Operative Bank all say their security is in line with industry standards, but they are always looking at new ways to protect customers.
All say they require two-factor authentication for payments to new payees and other higher risk transactions.
A spokesman from UK Finance says the industry is constantly investing in security systems to keep customers safe, as well as providing free security software.
A spokeswoman for the Financial Conduct Authority says that from September 2019, all banks will have to comply with stricter measures for verifying a customer’s identity.
BANKING fraud and scams aren’t new. But the internet has given wily crooks a whole new world of opportunities to steal money from your account.
While we’ve benefited from technology that allows us to shop online and transfer money with the push of a button, cyber- criminals have developed sophisticated techniques to exploit it.
One of the major problems is that the police do not have the time or the resources to respond to these crimes, says Suzanne Raftery, a former Metropolitan Police detective who is now head of investigations at Requite Solutions, a fraud consultancy.
‘Warnings of scams seem to reach people too late,’ she says.
‘You are never 100 pc safe, but there are things you can do to reduce your chances of falling victim and losing your hardearned money.’
So if you bank online, follow our essential guide to keeping your cash — and your personal details — safe . . .
DON’T RESPOND TO FISHY EMAILS
FRAUDSTERS are constantly finding new ways to flood your inbox with emails designed to steal your personal details. these so- called ‘ phishing’ messages might appear to come from trusted authorities such as your bank, government organisations such as HMRC, or a well- known retailer such as Argos or Amazon. Some may warn you that your account has been compromised and you need to click on a link to verify your personal details. Others may claim you are due a refund, such as a tax rebate, or that you have won a prize. they typically ask you to click through to a fake website and enter your info in order to be paid. By doing so you will be giving the fraudsters all they need to steal your identity or money.
Some emails might also request you download a coupon or form. In reality, this is a virus that will infect your computer or smartphone, and steal information stored on it, or lock up your device, so the fraudsters can blackmail you to restore it.
Make sure your spam filter is on — this should be an option in settings for your account. If you do receive suspicious- looking emails, mark them as junk and delete them.
Never click on the links in unsolicited emails, no matter how genuine they appear. Your bank will never ask you to verify your password or personal info this way.
HMRC says it will never send an email, text or call you to tell you about a tax rebate or penalty, or ask for personal information.
Apple says it will never ask for your password to provide support. If you are unsure whether an email is genuine, do not respond. Instead, call the organisation using the number on its website.
KNOW WHO YOU ARE TALKING TO
FRAUDSTERS are prolifically active over the phone. they typically call posing as a member of staff from your bank or the police and tell you you’ve been a victim of fraud or that some suspicious transactions have been identified on your account.
they may be very convincing and already know many details about you, such as your name, address, date of birth, phone number and even your mother’s maiden name.
the number they call from may even appear to be the same as your bank. don’t be fooled — lots of your personal information may be freely available on online directories or social media, and it’s very easy to ‘spoof’ a phone number to make it look like a genuine one. the software to do this is free and available online to crooks.
You may be advised to move your money to a ‘safe account’ which the fraudster controls.
Or if the criminal is attempting to access your account or has already logged in by piecing together your information beforehand, they may ask you to verify your identity by reading out a passcode sent to your mobile.
this code is genuine and is sent to you by your bank to ensure you are approving a transaction and is what the fraudster needs to steal your money straight from your bank account.
Your bank or the police will never call and ask you to move your money to another account for fraud reasons, nor will they demand you make a transaction on the spot. they will also never ask you to purchase items such as Rolex watches in order to identify them as counterfeit — another common way of tricking victims to part with their cash.
In other cases, crooks may purport to be from your broadband provider and offer to install software on your computer remotely. If you consent, they’ll be able to take over your computer and see what you see on screen. that can allow them to access your accounts and steal thousands.
Never give cold-callers access to your computer. If you’re suspicious, hang up and call your provider using the number on its website.
AVOID PAYING BY BANK TRANSFER
MANY fraudsters will try to convince you to pay money directly into their account by bank transfer. they know, unlike with other payment methods, such as credit and debit cards, there is no protection for victims. that means there is very little chance of the bank clawing back the stolen funds from the crook — and you will be left out of pocket.
If you’ve been tricked into making a bank transfer to a criminal’s account, your bank will take the view you authorised the payment. this is a problem. Because you are deemed to have made the transaction willingly, the bank can refuse to offer you a refund.
Staff may be able contact the fraudster’s bank to see if there are any of your funds remaining in that account. If so, your bank may be able to return some money.
But in most cases, fraudsters
drain their accounts as soon as the money arrives. It is usually transferred into a number of other accounts, often abroad, and can become untraceable. It can also be used to make large online purchases or withdrawn in cash
By contrast, if you pay by card you’re protected if things go wrong. For example, if items fail to materialise and you’ve paid by debit card, you may be able to get your money back using so-called chargeback rules. Credit cards offer stronger protection under Section 75 of the Consumer Credit Act.
PayPal is also a safer way to pay than bank transfer. It promises to refund you if the item you ordered doesn’t show up or isn’t as described. there are exceptions to
this, though, such as vehicles and industrial machinery.
USE CLEVER PASSWORDS
USING the same password for all of your accounts may seem convenient — but it’s also dangerous. If your password is leaked in a data breach or is discovered by a fraudster through other means, you are in serious trouble.
for instance, crooks can run your password through free online software known as ‘credential stuffers’ to check other sites they can access with that information.
The jackpot for them would be your bank account or another service where payments can be made, such as PayPal. Chris Gough, technical director at IT consultancy Mintivo, suggests using a password manager to store and organise your passwords.
You simply enter all your different log- in details for the various websites you use, and the password manager gives you a master code to access all of them.
Mr Gough recommends lastpass and One password, which both store information securely. There are apps for both iPhones and Android devices which are free. Search ‘password manager’ in the app store you use.
The main weakness with password managers, Mr Gough says, is having ‘all your eggs in one basket’. So if a fraudster does manage to access the system, they will have all the passwords to all of your accounts.
To prevent this, he suggests choosing a long, unique and random password for the manager account and apply two-factor authentication. This means you are sent a text message when you log in, verifying that it is you — and not a fraudster — trying to access your account.
On other accounts, such as online banking, activate two-step verification where you can.
This is where an extra level of security is applied such as when you login to online banking or when you set up a new payee.
You may be sent a six-digit code by text to your mobile phone to type in online, for example.
Some banks, such as HSBC, offer customers small gadgets which also offer extra security. HSBC’s Secure Key, a device the size of a credit card, generates a code which can then be entered on its mobile banking app and online banking.
MOVING HOUSE? TELL YOUR BANK
IT’S all too easy for a fraudster to intercept your post. Worryingly, many letters include enough details for a crook to open bank accounts, phone contracts and even credit cards in your name.
So if you move house, let your bank, utility company, local authority or whoever sends you bills know as soon as possible.
That way they will stop sending statements to your old address, where they could fall into the wrong hands. Old letters can be picked up by anyone, especially if you share a building.
If you use social media, make sure you have the correct privacy settings. for example, be careful about sharing sensitive information such as your birthday on your profile page on facebook.
Don’t include your middle name and try not to post too much personal information about yourself or family members. fraudsters can glean information about you from a number of sources and piece it together to steal your identity.
When you sign up to vote, tick the box to opt out of the Electoral roll’s edited register to prevent unsolicited marketing mail.
If you start to receive statements for credit cards or contracts you didn’t sign up for, speak to your bank and the provider.
MAKE SURE CAR ON EBAY IS REAL
IT CAN be difficult to spot a fake eBay listing from a genuine one, but get it wrong and you could lose thousands of pounds.
Hundreds of fake car listings are spotted and reported each day on eBay. There are more than 5,500 members of the Ebay Vehicle Scam Alerts group on facebook, who publicly post every fraudulent listing they find to warn others. fraudsters typically list the vehicle as a classified ad on the site in order to allow buyers and sellers to communicate directly via email — away from eBay’s own payment processes. They may be selling many vehicles, but there won’t be consistency regarding the photos.
for example, the backgrounds might suggest different cities or environments, suggesting the pictures have been taken from the internet. Also, the photos might have been plucked from genuine websites where the car is being sold. You may notice the descriptive text in the listing is pasted as a photo rather than typed text. This is to stop you copying and pasting the words into Google to see if it has appeared elsewhere. The fraudster will typically make an excuse as to why you cannot see the vehicle before you pay — for example, they may say they are travelling or working away.
They will then request a payment by bank transfer away from eBay’s payment system. Once you’ve paid and agreed a delivery date, the criminal usually disappears and the vehicle never shows up.
By the time victims realise they have been conned, the money has been cleared from the fraudster’s account and cannot be traced. Vehicles do not fall under eBay’s money-back guarantee scheme, so you are not covered for mistakes.
Always demand to see the vehicle before you buy it and never pay by bank transfer. Banks will claim you authorised the payment despite being tricked and will refuse to refund you.