Tuesday, November 27, 2007

Thwarting fraudsters

I have purposely avoided writing anything about the HM Revenue & Customs (HMRC) data breach, in which the personal and banking details of millions of UK consumers were lost, but I felt compelled to say something when I started seeing information security vendors leaping on the bandwagon.

While it may be true that "fraud is already firmly on the banking industry agenda," it does not give me much comfort when information security vendors say that consumers should not lose sleep over the HMRC debacle because banks have risk management systems in place.

The fact remains that, despite these systems, fraud and identity theft still occur on an ever-increasing scale, and it is arguable whether banks' systems are adequate. Even if thieves cannot access a person's bank account directly, they can still use the name and address details to apply for a credit card or other forms of financing in that person's name.

The most alarming thing about the HMRC data leak is that it reflects a well-entrenched practice within government departments of posting citizens' data on unencrypted CDs.

It strikes me as rather odd that, on the one hand, the government wants ISPs and banks to take more responsibility for protecting consumers' identities and personal details, yet government departments, which hold reams of information on millions of people, are not subject to the same levels of scrutiny or compliance.

According to Jeremy Smith, managing director of Jardine Lloyd Thompson's Financial & Professional Risks division, the HMRC incident has prompted security experts to renew their call for the current law to be urgently reviewed, because, unlike in the United States, the Data Protection Act does not compel organisations to notify those affected by the loss of their data.

Smith points to the fine of almost £1 million levied by the FSA on the Nationwide Building Society after a laptop was stolen from an employee's house. No such fines will be levied on government departments, which do not face the same regulatory scrutiny as banks. As the government steps up its "Big Brother" campaign to collate as much information as possible on individuals, one has to seriously question this lack of accountability.

On the technology side, there has been a great deal of focus on authenticating a customer's identity at the point of sale using chip and PIN, but very little on securing the storage and transmission of customer data between the government departments and banks that share it, or on training employees to follow the strictest codes of practice when handling that data.
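As an added illustration of what securing the storage and transmission of such an extract looks like in practice (this is example code written for this page, not anything HMRC or any bank runs), the Go program below seals a CSV extract with AES-256-GCM before it is written to a disc, binds the recipient and file name into the authentication tag, and rejects a tampered or mislabelled copy. The function names, the label format and the sample rows are assumptions made for the example.

```go
// Added example, not code from the original post or from HMRC: encrypt a
// bulk extract before it goes on removable media, so that a lost disc
// yields nothing without a key that travels separately.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newExtractKey returns a fresh random 256-bit key. The key is sent to the
// recipient out of band (never on the same disc as the data).
func newExtractKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// sealExtract encrypts plaintext with AES-256-GCM. label (recipient and file
// name) is bound as associated data, so a sealed file cannot be passed off
// under a different label. Output layout: nonce || ciphertext || tag.
func sealExtract(key, label, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per file; nonce reuse under one key breaks GCM.
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, label), nil
}

// openExtract reverses sealExtract. Any change to the nonce, ciphertext,
// tag or label makes aead.Open fail, so a tampered or mislabelled disc is
// rejected rather than silently decrypted to garbage.
func openExtract(key, label, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns+aead.Overhead() {
		return nil, errors.New("sealed extract too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], label)
}

// sampleExtract is a constructed, fictitious two-row CSV standing in for a
// benefit-records extract; it contains no real data.
func sampleExtract() []byte {
	return []byte("ref,name,postcode,sort_code,account_no\n" +
		"CB0000001,A Person,AB1 2CD,00-00-00,00000000\n" +
		"CB0000002,B Person,EF3 4GH,00-00-00,11111111\n")
}

func main() {
	key, err := newExtractKey()
	if err != nil {
		panic(err)
	}
	label := []byte("file=child_benefit_extract.csv;to=audit-office")
	sealed, err := sealExtract(key, label, sampleExtract())
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d plaintext bytes into %d bytes for the disc\n",
		len(sampleExtract()), len(sealed))

	// What a finder of the disc, or a meddler, gets:
	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the tag
	if _, err := openExtract(key, label, sealed); err != nil {
		fmt.Println("tampered disc rejected:", err)
	}
	sealed[len(sealed)-1] ^= 0x01 // restore
	if _, err := openExtract(key, []byte("file=other.csv;to=audit-office"), sealed); err != nil {
		fmt.Println("wrong label rejected:", err)
	}
}
```

The key has to travel by a different route from the disc; with the key sent separately and the file authenticated, a lost disc is an inconvenience rather than a breach, and a disc that arrives altered fails to open rather than loading corrupted records. Compare that with a password-protected archive or a plaintext file, where the only protection is whoever holds the envelope.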

At this point, information security experts will proffer some comment about the latest and greatest solutions that can help banks identify fraud before it occurs. One such comment in the wake of the HMRC debacle was:

"By understanding customer behaviour across multiple payment channels in real time, banks will be able to identify irregular account activity that could potentially thwart fraudsters before they have even committed a crime."

Sounds great in theory, but show me a bank that has the systems and business processes in place to accurately monitor and understand customer behaviour across multiple channels and product silos in real time. Even if such a bank exists, I don't think it would be game to put its hand up, for fear of being proven wrong.
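As an added example, not from the original post or from any vendor's product, the Go program below shows the gap the vendor claim glosses over: a monitor that sees one channel at a time, as siloed systems do, against one that correlates events across channels. The event fields, the thresholds and the handful of constructed transactions are assumptions made for the example only.

```go
// Added example, not code from the original post or from any bank: a
// per-channel velocity rule versus a cross-channel correlation rule, run
// over a few constructed events.
package main

import (
	"fmt"
	"sort"
	"time"
)

// Event is one customer action as a channel system would record it.
type Event struct {
	Account string
	Channel string // "card", "online", "atm" ... (assumed channel names)
	Country string // ISO country where the action took place
	When    time.Time
	Amount  float64
}

// sampleEvents is constructed data: A1 is quiet on every channel but is
// used from two countries minutes apart; A2 hammers one channel; A3 is a
// single ordinary purchase.
func sampleEvents() []Event {
	t0 := time.Date(2007, time.November, 27, 9, 0, 0, 0, time.UTC)
	at := func(m int) time.Time { return t0.Add(time.Duration(m) * time.Minute) }
	return []Event{
		{"A1", "card", "GB", at(0), 40},
		{"A1", "online", "NG", at(7), 1200},
		{"A1", "atm", "GB", at(15), 100},
		{"A2", "card", "GB", at(1), 25},
		{"A2", "card", "GB", at(3), 30},
		{"A2", "card", "GB", at(5), 35},
		{"A3", "online", "GB", at(2), 60},
	}
}

// perChannelAlerts is what a channel silo can do on its own: flag an
// account when more than maxCount events on that one channel fall inside
// window. It never sees another channel's events.
func perChannelAlerts(events []Event, window time.Duration, maxCount int) map[string]bool {
	byKey := map[[2]string][]time.Time{}
	for _, e := range events {
		k := [2]string{e.Account, e.Channel}
		byKey[k] = append(byKey[k], e.When)
	}
	alerts := map[string]bool{}
	for k, times := range byKey {
		sort.Slice(times, func(i, j int) bool { return times[i].Before(times[j]) })
		start := 0
		for end := range times {
			for times[end].Sub(times[start]) > window {
				start++
			}
			if end-start+1 > maxCount {
				alerts[k[0]] = true
			}
		}
	}
	return alerts
}

// crossChannelAlerts needs every channel's events in one place with a
// common account key: flag an account when two events on different
// channels occur in different countries within window.
func crossChannelAlerts(events []Event, window time.Duration) map[string]bool {
	byAcct := map[string][]Event{}
	for _, e := range events {
		byAcct[e.Account] = append(byAcct[e.Account], e)
	}
	alerts := map[string]bool{}
	for acct, evs := range byAcct {
		sort.Slice(evs, func(i, j int) bool { return evs[i].When.Before(evs[j].When) })
		for i := range evs {
			for j := i + 1; j < len(evs) && evs[j].When.Sub(evs[i].When) <= window; j++ {
				if evs[i].Channel != evs[j].Channel && evs[i].Country != evs[j].Country {
					alerts[acct] = true
				}
			}
		}
	}
	return alerts
}

func main() {
	ev := sampleEvents()
	fmt.Println("per-channel view flags:  ", perChannelAlerts(ev, 10*time.Minute, 2))
	fmt.Println("cross-channel view flags:", crossChannelAlerts(ev, 30*time.Minute))
}
```

Account A2's three card swipes trip the per-channel velocity rule, but account A1 never trips it, because each of its channels sees a single unremarkable event; only the cross-channel view notices a card used in one country and an online session from another a few minutes apart. Building that second view is the hard part: it needs every channel to feed a common store with consistent account identifiers and clocks, which is precisely what product silos lack.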

The banking industry and government cannot afford to rest on their laurels because banks have implemented a nice piece of software with bells and whistles that is supposed to make everything all right. With banks, government departments and web sites collating unprecedented levels of personal information on consumers, is it any wonder that identity theft is on the rise? And no amount of banking software is going to change that.
