House of Lords - Science and Technology

Hansard

Archives

Research

HOC Publications

HOL Publications

Committees

Select Committee on Science and Technology Minutes of Evidence

Examination of Witnesses (Questions 86 - 99)

WEDNESDAY 13 DECEMBER 2006

MR COLIN WHITTAKER, MS SANDRA QUINN, MR MATTHEW PEMBLE, MS SANDRA ALZETTA AND MR ROBERT LITTAS

Q86 Chairman: Welcome, everybody. This is the second evidence session of the Select Committee's inquiry into Personal Internet Security. We are very grateful to all of the witnesses who are coming to give evidence today. Thank you very much for coming along and giving us your time. Welcome, also, to the members of the public who are here. There is a document available—I hope you have picked it up—about the inquiry and the Members of the Committee. To start with, could you introduce yourselves and, if you so wish, make a brief opening statement. So perhaps we could start with you, Ms Quinn.

Ms Quinn: Good afternoon. My name is Sandra Quinn, I am Director of Communications at APACS. APACS represents the banks in how to co-ordinate their fight against payment fraud.

Mr Whittaker: My name is Colin Whittaker, I am Head of Security at APACS.

Mr Pemble: My name is Matthew Pemble. I am appearing as the Chairman of the Joint Special Interest Group between the Federation of Incident Response and Security Teams and the G8 Line Group in co-operation between computer emergency response teams and law enforcement, and as co-chair of the Best Practice Committee of the Anti-Phishing Working Group.

Ms Alzetta: My name is Sandra Alzetta, I am the Senior Vice President of Visa Europe responsible for consumer marketing and my responsibility is for the eCommerce channel, the Internet channel, from a business perspective.

Mr Littas: I am Robert Littas, Head of Fraud Management in Visa Europe.

Q87 Chairman: Would any of you like to make an opening statement or shall we go straight into questions?

Ms Quinn: Please go straight in.

Q88 Chairman: Okay, we will go straight into questions. I will ask the first question. In 2005 online banking fraud increased by 90 per cent to £23.2 million. Do you have any indications as to whether this rate of increase will be sustained in 2006?

Ms Quinn: If I may answer that. Those figures are APACS figures which we put together with our member banks. It was £23.2 million at the end of 2005. We have half year figures for the first half of 2006, and those stood at ...

Mr Whittaker: Those were the £23.21 million. It was £14.5 million in the first half of 2005.

Ms Quinn: For the first half of 2006 the online banking fraud figure stood at £22.5 million. That was an increase of 55 per cent in the first half of 2006 on 2005. Obviously we are not at the end of 2006 yet so we do not have the full year's figures but we expect the overall rise in this year not to be as high in percentage terms as the rise in 2005.

Q89 Chairman: But it looks as if it might be close to, you are saying?

Ms Quinn: It is certainly not going to be a non-dramatic rise, it is still of concern.

Q90 Chairman: The evidence from APACS notes that the number of phishing incidents grew by 8,000 per cent between January 2005 and September 2006. Is this phenomenal rate of growth continuing? How much are the banks now losing to phishing, and how much worse do you expect it to get?

Mr Whittaker: The rate of growth in phishing is really down to a number of factors, not least of which is they have been able to industrialise the methods by which the criminals know how to launch and sustain the attacks. Secondly, it is perhaps an indication of how well the banks have been doing at closing the sites down. The more the banks close down the people attacking us and launching the phishing sites, the more they have to launch to try and generate the attacks against us. We see no indication worldwide that the level of phishing attacks is decreasing, in fact there is some evidence that we were talking about on the way in, that the phishing incidents are increasing, again worldwide. The level of losses from phishing, the overall figures that Sandra described, include both phishing and malware based attacks. It is very difficult when you are talking to consumers to distinguish between whether they have fallen victim to a phishing or a malware attack. By and large, we believe that the sort of questions that the bank call centres are able to ask the consumers when they discuss with them the problems with a fraudulent transaction, for example, can very quickly discern whether phishing attacks have occurred because people are talked through a script about the sort of things they might have seen on their computer and the way they may have behaved when an email, for example, comes in. By and large we reckon, and it is very difficult to be totally specific about this because of the difficulties of attributing attacks, that phishing accounts for anywhere between 25 and 50 per cent of the attacks that we see that cause losses on customer accounts.

Chairman: Does anybody else want to comment on that?

Q91 Earl of Erroll: I notice you mentioned phishing attacks as the number of websites which are trying to phish.

Mr Whittaker: Yes.

Q92 Earl of Erroll: Are more people responding to these phishing attacks or fewer? In other words, is the public getting better educated about them and avoiding them regardless of the number of sites?

Mr Whittaker: It is very difficult to determine because the point of attributing these attacks when you talk to people is at best subjective. Our indications from some data that we have been able to correlate between the number of fraudulent transactions and the number of phishing attacks over the years is that it seems people are falling victim to phishing attacks less often, but that is one of the reasons why they are increasing the volume, because of the number of people they may have to capture and so on.

Q93 Lord O'Neill of Clackmannan: Are you satisfied that all of your members are equally rigorous in the way in which they seek to protect themselves from phishing? All I can say is that when I tried to open an account in one financial institution in Britain against another there seemed to be a certain number of hoops and hurdles that I had to go through with one institution but not necessarily with the other. I just get the feeling that there is an unevenness about the security considerations, some seem to be overly complicated and others might be unduly simplistic. Do you impose standards on your members?

Ms Quinn: We do not have the authority to impose standards on our members but what they all need to do is assess their own levels of risk and the levels of risk that they are able to accept in their relationship with their customer.

Q94 Lord O'Neill of Clackmannan: Do you have a name and shame process within the organisation? We know that you are very secretive as far as the general public is concerned, but as far as your members are concerned—you may not have the authority to impose something—you can surely expose the inadequacies of some of the people who bring this threat on the rest of the members.

Ms Quinn: We collect fraud figures that members report to us and each individual member will know their level of fraud as a percentage of the overall loss, so they will be able to very quickly assess themselves as to whether their fraud is a larger percentage as opposed to a lower percentage and they will know how that has happened. The other point to make is that with phishing attacks it is certain banks that are attacked in the UK more than others. Obviously fraudsters are very aware of the kind of banks that we bank with so they tend to attack the banks that are the names in the high street.

Q95 Lord O'Neill of Clackmannan: Or the ones that are easier to catch, the fat slow movers?

Ms Quinn: No.

Mr Whittaker: There is no evidence of that.

Q96 Lord O'Neill of Clackmannan: Is there no evidence because you do not try to collect it or is there just no evidence?

Mr Whittaker: There is no evidence that one bank is any worse or any better off than any others. Sandra is absolutely right, there has been a preponderance of certain banks attacked but that has changed over time. We have seen the ratio of different banks being attacked change with the decisions of the potential people who are launching those attacks. When it comes to the degree to which the industry co-operates in sharing, shall we say, best practice and good practice in the way in which they fight these things, I have been on the inside of the industry for some time now and have been very impressed with the candour and rigour with which they approach these areas and their willingness to share information about how they architect their sites, how they share information, particularly on the types of attacks, and learning from those. It is quite profound. Some of it has to be sensitively handled because we do not want to expose how well we know the type of methods of attacks they are launching with us. Sometimes those methods give us a way to be able to detect when a potential customer is falling victim although they might not realise it themselves.

Q97 Lord Mitchell: I may have missed a trick on this but I have not seen any publicity at all on phishing as such as a member of the general public. I wonder what sorts of initiatives you are taking to make people aware. I do not see advertisements, I do not see anything like that.

Ms Quinn: Perhaps I can start on that. We launched a website in October 2004 called banksafeonline.org.uk. That was about a year after these types of phishing attacks first started. That was specifically to make customers aware of the types of attacks that could happen and gave them an avenue to advise us of the types of attacks they were suffering. We get a number of individuals contacting us on a daily basis about the type of attack they have, trying to verify whether they are attacks or not. We have done a lot of work, particularly in the media, specifically to alert people to this. One of the key responsibilities is with individual banks to advise their customers and they have all done that in very active ways. Specifically, if you log on to your bank website they will all say to you, "We are aware of phishing, this is what this type of thing is" and there will be some very key core messages about "Your bank will never communicate to you in this way".

Q98 Lord Mitchell: How about the people who are less adept at using the Internet, who are doing it for the first time and they are getting this spam stuff through? It is all very well you giving me a website which, frankly, I have never heard of, and I am not na-£ve in these things, but it seems to me that there has not been much of an initiative to make the population at large aware of the problem.

Ms Quinn: What we have done is targeted those customers who use the Internet and who bank online because those are the people who are going to fall victim to this. Customers who may receive an email but do not bank online are less likely to fall prey to this type of activity. The key thing here is targeting your customer awareness where it is going to best have an effect.

Mr Whittaker: Certainly from our perspective, on the banksafeonline site which we manage and operate and provide all the content for, we monitor regularly the responses we get from consumers who are responding. The uptake and level of response certainly shows that people are reading and visiting the site quite regularly, it is one of the most well visited sites that we have in our APACS portfolio of information sites. We also get a lot of value from what the consumers report. One of the areas they can report, for example, is when they see a phishing email they are encouraged to report it to a web link that we have where we handle that sort of information.

Q99 Lord O'Neill of Clackmannan: Have the numbers increased?

Mr Whittaker: Yes, significantly.