Examination of Witnesses (Questions 100 - 119)
WEDNESDAY 13 DECEMBER 2006
MR COLIN WHITTAKER, MS SANDRA QUINN, MR MATTHEW PEMBLE, MS SANDRA ALZETTA AND MR ROBERT LITTAS
Q100 Lord O'Neill of Clackmannan:
Can you give us some hard figures?
Mr Whittaker: If I remember rightly, in September
we were approaching about 35,000 emails a month.
Ms Quinn: We had a fraud initiative at the beginning
of November where we specifically went out to the population to
encourage people to protect their PINs, their passwords and the
personal information that we all have, and at the same time we
were releasing the up-to-date fraud figures to give some level
of assessment so that people could understand what the risks were.
We highlighted in particular the website that we have there and
the other website that we have, which is the Cardwatch website,
and the number of hits that got increased by 300 per cent in that
month.
Q101 Chairman:
Have the banks informed people about the website?
Mr Whittaker: Yes, they do. They do on their
own web pages. It is interesting that when some of the banks notice
that there are what we call phishing email lines going out for
their brand they put a notice on their website which links to
our website and we can see and track which people are referring
to our banks' websites and we can draw direct correlations between
when brands are under attack and when they put a notice on the
websites and hit rates from that bank or that bank's customers.
Q102 Earl of Erroll:
Banks have set a great deal of store by their customers having
to authenticate themselves properly on the website, and there
is a lot of talk about bringing in further authentication. Forgetting
about that, what about websites authenticating themselves to the
customers and the users; surely that would get rid of a lot of the
phishing problems if people could be certain they were visiting
the right website.
Mr Whittaker: I think there are a lot of initiatives
coming on shortly technically that will help in the future and
we will have to examine their impact. Microsoft's recent announcement
of the extended validation certificates that they are issuing
to certain institutions may go a long way to helping that when
IE7 and Vista are jointly launched together in the future. When
it comes down to it all banks rely on using the current method
of authenticating sites, which is using secure web sessions and
so on, and those can provide a measure of confidence that you
are at the right site.
Q103 Earl of Erroll:
Am I allowed to name banks? For instance, the one I was going
to mention, Alliance & Leicester, I know uses a picture chosen
by someone, so when someone goes on to their website when they
log in as a user the website is effectively authenticating itself
back to the user. I know that is not perfect but there are some
simple techniques which seem to be being ignored by other banks.
Ms Alzetta: I would just like to explain Visa
first of all and the silence until now from both Robert and myself.
We are a membership association of banks who look after online
shopping, so our responses will be very much with regard to online
shopping as opposed to online banking, which is not our area.
It is from an online shopping perspective that we know from the
consumer's perspective there are some huge benefits to be gained
from online shopping. This is very much an area that we are looking
at just now. We have done a lot of work in this area and we know
that there are some concerns about security. There are consumer
concerns about security and there are issues with security. We
are doing a number of things about this now and one of them is
to do with authentication. We have introduced a new system called
Verified by Visa. The idea is very similar to what is happening
on the high street. On the high street the banks and the retailers
have now invested in Chip and PIN. I am sure everybody here has
a card, you will have a chip on the card, and when you go to buy
something at a retailer you will now be asked to put in your four-digit
PIN number.
nobody else could know your PIN number, so you are confirming
your identity, you are authenticating yourself. Until now that
has not been the case online, so as a consumer I do not know who
the merchant is and the merchant does not know who the consumer
is. By introducing Verified by Visa, we are trying to replicate
online what is happening on the high street. Participating merchants
in Verified by Visa will have this logo on their site. This means
as a cardholder I will go through the normal checkout procedure
and when I get to the final page asking me to input my card details,
I will put them in and the next thing I will see will be a page
from my bank who has given me my card. The reason I will know
that page has come from my bank is because there will be something
on that page which will be my personal security message which
I chose, so it is obviously not a phishing page because I chose
that message. My cat's name is "Moochie", for example,
so it could be that. I know it has come from the bank. It will
ask me to put in my password, a pass code that I have chosen.
I will put it in and it will go to the issuing bank who has given
me the card and they will confirm that the two match. If they
match there will be a positive response back. If they do not match
there will be a negative response back. That is the first step
in introducing authentication online. What that does from a consumer
perspective is make the consumer feel much more comfortable that
it is possible to shop safely online and from a retailer's perspective
it means that retailers can have much more confidence in accepting
cards online.
Q104 Earl of Erroll:
Do you have a high percentage of take-up from retailers and banks
on this?
Ms Alzetta: We have been working on this for
a couple of years and what we have learned from Chip and PIN is
when you are talking about infrastructure it takes time. Just
now we have around about 15 per cent penetration. We think this
is going to be an important year for Verified by Visa, the reason
being that quite recently some of the very large retailers have
joined. British Airways has been a participant for some time.
We have lastminute.com, John Lewis, Next, Tesco joined a couple
of weeks ago, and in the forthcoming year we expect to see Ryanair
and many other large retailers. In total we have got many thousands
but what really matters is the big names who give the big volume.
We are working with the banks and the retailers to introduce this.
Q105 Chairman:
You describe a lot of this very well in your paper and you are
also advocating that the Government should take up some of these
initiatives as well.
Ms Alzetta: Yes. I think anything that encourages
further security has got to be good news. The research that we
carried out with our consumers told us that there is a concern
amongst consumers about shopping online, the number one concern
is security. There are various other things but that is still
the number one concern. 30 per cent of the people we asked said
security was a concern for them. The reality is that whilst it
is our job collectively here to look continually at what is happening
to make sure that we stay one step ahead of fraudsters, fraud
is still a very small portion of what is happening in the Internet
world. A lot of consumers are not shopping on-line because they
still have some concerns, which is a real pity for them in that
there are lots of advantages to be gained from shopping on-line.
Q106 Lord Harris of Haringey:
Is there not a problem that what happens is you are now requiring
individual members of the public to acquire yet another password
and yet another security code, and people are now faced with such
a plethora of passwords and security codes that the natural thing
to do is you write them down, or you place them on your own computer
somewhere where you can find them but of course anyone who might
have access to that could find them. Is there not a problem that
you are creating systems - and there are a whole series of
different systems being replicated - which are in fact going
to make it more difficult for the public who will then take simplistic
measures by perhaps using the same password for absolutely everything?
Are you not increasing vulnerability rather than reducing it?
Ms Alzetta: That is certainly not our intention
and it is something that we are looking at for the reasons you
have said. I think everybody here will be familiar with the fact
that everything you want to do on-line will require some sort
of password. The idea obviously is to add security, not to take
it away. So first of all we would say to people the usual things,
choose your password carefully and so on. The next step for Verified
by Visa is to introduce what should be a more simple way for people
to authenticate themselves and it is using Chip and PIN technology,
and that was referred to earlier. The idea there will be that
cardholders will use their standard Chip and PIN card, put it
into a portable reader and they will put into this reader their
PIN number, the PIN number that they use on the high street that
they are very familiar with, so there is no need to remember separate
pass codes. By putting in the PIN number, you are confirming that
you are the valid cardholder. A unique one-off number will be
generated and that is the number that you will then put into the
on-line shopping site. So it does two things. It will increase
the level of security because instead of having the same password
each time, you are putting in a one-off number which once it has
been used it cannot be used again. It is confirming that you are
who you are because nobody else has your PIN number but also,
most importantly as a consumer, all you have to remember is your
PIN number which is the number you use every day on the high street.
We will start seeing that rolled out by some of the UK banks in
the summer of next year.
Chairman: This is well described in your
memorandum. It would be useful for us to have data about the take-up
of these ideas. I think we are going to have to move on. Lord
Paul?
Q107 Lord Paul:
Can you provide for us a detailed breakdown of the £23 million
of fraud. What kinds of fraud are involved?
Ms Alzetta: I think that is the APACS figure
for on-line banking fraud.
Mr Whittaker: As I was saying earlier on, those
£23.5 million frauds (£25 million worth of losses) is
down to on-line banking fraud, and it is wholly down to people
making fraudulent transactions on people's accounts across a range
and variety of sorts of accounts that the banks allow Internet
access to. There is no evidence yet to believe that any of the
compromise of Trojan or phishing against on-line bank accounts
has led to anything in the sense of identity theft in the sense
of the taking of people's identities. It has been solely down
to making fraudulent transactions from the victim's account to
a middle account which we call a "mule" account.
Mr Pemble: There are essentially three main
fraud methodologies involved in these sorts of figures: phishing,
which is the one that has already been described, where you get
sent essentially a spam e-mail which has a link in it to a fraudulent
bank site which will then ask you (as your bank never will) for
your full authentication details; and malicious code Trojans
have already been mentioned. We know that there are a lot of computer
viruses out there and there are different definitions of exactly
what they are. If you have an infected machine there are a number
of different payloads, key stroke loggers, things that can recognise
when you are on a banking site, and all this was already mentioned.
If you have stored sensitive personal details on your machine
they can potentially search through your machine hard disk and
see what they can find of potential interest to the fraudsters.
There is also a third type, which is a lot rarer in the UK, which
has the unfortunate name of "pharming" and that involves
making alterations to the Internet infrastructure, particularly
the domain name service system, to misdirect people who are attempting
to go to their legitimate bank site.
Q108 Lord Paul:
We have been told that one bank dominates the statistics. Is this
true and, if so, which bank? We have also heard that the number
of accounts compromised, and hence the amount of money at risk,
is soaring. Do you have figures on this? Should we conclude that
things could very rapidly get much worse?
Ms Quinn: As I was saying to my Lord Chairman
at the beginning of our evidence, in fact there is no evidence
to suggest that the figures that we will be publishing at the
end of 2006 will be statistically in percentage terms much higher
than the figures in 2005. That is not to say that we are in the
least way complacent about this because fraud is still rising,
but it is not rising at the level it had been rising. We do hold
confidential data but we are not in a position to share that in
open session. I may be prepared to share that if that would go
no further through the Committee.
Mr Pemble: The Anti-Phishing Working Group statistics
show that the primary targets worldwide for phishing still are
eBay and PayPal, although there has been a general move towards
attacking financial institutions, presumably because the fraudsters
are able to get real money out of those. The other thing that
has been seen is a quite significant rise in the number of different
organisations being targeted. It is difficult to be precise but
we are talking about, I think, 180 different organisations in
a month. That is not evidence but it indicates that when the fraudsters
start attacking an organisation, that organisation will quite
quickly get up to speed with dealing with it, and certainly you
are seeing attacks in America, which is still dominating the statistics,
against smaller and smaller banking organisations. Obviously the
UK banking community is not as fragmented as the American banking
community.
Q109 Lord Howie of Troon:
We have been told according to a survey that consumers feel more
endangered by eCrime than by being burgled or mugged. First of
all, is that true and secondly, if it is true, how are you responding
to it?
Ms Quinn: I think the key is that it depends
on the question you ask. We all get concerned about where we are
talking about our own personal financial details. If we do bank
on-line it is something we do regularly so it is very front of
mind. If you are asked about the risk you might think in terms
of the number of times I use my on-line banking service and therefore
it is slightly more risky as I walk around very safe streets at
night and I do not anticipate being mugged. I think if you asked
people what they would prefer to happen to them that would be
a different answer obviously.
Q110 Lord Howie of Troon:
So you are not sure if it is true?
Ms Quinn: I think it very much depends on the
kind of questions you ask. There is a level of fear that depends
on the level of usage and the level of awareness.
Mr Whittaker: There are some very rich paradoxes
out there. Sandra is absolutely right, it depends on the question
you ask. If you go to the same people in one breath and ask them
are they worried about security, they will quite clearly and reasonably
have fears that they will wish to express. If you ask them in
the following question how many people shop on-line, buy their
groceries from an Internet merchant like Tesco, Sainsbury's or
Asda, and have them delivered at home for ease and convenience,
the same people will put their hand up and say yes. If you then
ask them who banks on-line or has done a transaction on-line,
they will put their hand up and say yes. It depends on what questions
you ask and in what frame of reference you ask them.
Q111 Lord Howie of Troon:
That is quite true but it is true of all surveys. Some people
might ask, "Do you approve of Gordon Brown?" or, "Do
you approve of that dreadful Scotsman Gordon Brown", and
the answer might be quite different.
Ms Quinn: Absolutely.
Q112 Lord Howie of Troon:
Do you believe it is true?
Ms Quinn: I think it is quite difficult from
an organisational point of view to say one way or the other. The
easiest way is to express it in personal terms. I do not feel
as I bank on-line that this is the highest risk. I live in a very
safe area and I take the normal personal security precautions
that we all do. I think I would weigh up the fear of personal
attack much higher than eCrime.
Lord Howie of Troon: So you are very
sceptical about this conclusion and therefore you do not respond
to it at all really? I do not blame you, by the way. Can I go
on a bit. I am told that there is a system called universal two-factor
authentication. I think Lord Erroll mentioned it earlier on.
Chairman: Visa were just talking about
the same thing.
Q113 Lord Howie of Troon:
I must have missed that, Chairman. For the record, will you tell
us what it is and, secondly, if this is a good thing, why has
the industry in general not adopted it?
Mr Littas: We are adopting it. That is what
Sandra explained a few minutes ago. "Two-factor" means
something you have and something you know so you have a card and
you know your PIN number. As Sandra explained, you put that PIN
number in and get a unique, dynamic number used only once, which
you put in the Internet transaction. Why has it not happened before?
It is only fairly recent and the UK was one of the first countries
in Europe to implement this technology because it is based on
chip technology, so that is a condition for using this particular
application.
Ms Alzetta: Just to add to that, we have just
implemented Chip and PIN. The whole idea of using the dual-factor
authentication is that we are using common specifications that
have been developed, so that I can use my Visa card or indeed
my card from another payment scheme and the reader will work for
all the cards. That is really important because what that means
is the clever bit sits in the chip on the card. The reader is
just a device which anyone can use. If I forget it and I do not
have it with me I can borrow yours or anyone else's. What it means
is that it is much more convenient because we now have common
specifications which are industry-wide specifications. We are
not trying to compete in this area. It is an area of mutual interest
to everyone.
Q114 Lord Howie of Troon:
I think that was probably a very helpful answer as far as I am
concerned. So I can take it that it is a good thing and that you
are introducing it?
Mr Littas: Absolutely.
Lord Howie of Troon: Thank you, Chairman.
Q115 Chairman:
That question was answered really by Visa. What are the banks
doing? Are the banks going to provide the same sort of service?
Mr Whittaker: We developed, based on the MasterCard
and Visa specs, a technical specification to allow the level of
inter-operability that Sandra was describing to be achieved. We
are discussing with our members who and which banks might wish
to be adopting it and in what sort of timeframe. In the end it
is for individual banks to make their own risk management decisions
about what technology they employ. Some banks which may not be
suffering very many losses at all might find the cost of the machines
and the readers and that sort of solution as prohibitively expensive,
bearing in mind the level of losses that they and their customers
are suffering. It is an on-going debate at the moment within
the industry. You have seen some press announcements from an institution
in the UK saying they will be introducing them starting from next
year and it will be interesting to see how many follow suit. As
Sandra described, we do not regulate the industry and we cannot
prescribe the solution. It is up to individual institutions to
make their own risk management type decisions about what technologies
they deploy to their customers and to decide what level of usability
and cost-benefit they are going to get from a certain technology.
We had the discussion earlier on about the technology that Alliance
& Leicester have deployed. That was their response to their
cost-benefit investment decisions for their requirements for their
customers. Over time individual institutions will make their own
decisions and those decisions will evolve as and when the cost-benefit
case changes over time.
Ms Quinn: What is clear is that there is a great
commitment within the industry to stronger authentication and
different banks may adopt different approaches. What we want to
make sure is that that operates for the convenience of customers
and for the usability of customers because what you are going
to be doing if you are giving devices out to individuals is asking
people to have something else in addition to what they have got
with them. When we introduced chip and PIN we were substituting
a signature for a PIN so we were actually saying you do not need
to do that any more, you need to do something else. What we are
doing here is an additional layer of protection, and you will
have a device, as Visa have demonstrated, and we need to make
sure that customers will be able to use that and find it easy
and accessible.
Q116 Chairman:
APACS is a bank organisation; is that correct? So you represent
the banks, you do not represent the customers. Is that why you
are not prepared to tell us which are the bad banks and which
are the good banks?
Mr Whittaker: I do not think there are any bad
or good banks in this case.
Q117 Lord O'Neill of Clackmannan:
Why do you not provide the information then? Why do you not make
it public? You say it is commercial in confidence. Is there a
legal obligation on you to stop you doing that or is it just that
the people who own your organisation refuse to have the information
made available?
Ms Quinn: We collate management information
and statistics on fraud and have done for a long time for members
and we do that and publish it on an industry basis.
Q118 Lord O'Neill of Clackmannan:
That is not what I mean. If I am a customer and I am worried about
going to one bank or another for on-line services, surely I am
entitled to know which of them is the safest or safer than the
other one in my high street?
Ms Quinn: The general point I would make is,
exactly as Colin has said, there are no safe or unsafe banks.
Q119 Lord O'Neill of Clackmannan:
But you would not tell us, that is what you are saying, you refuse
to make public this information?
Mr Whittaker: We would therefore be forced to
make a value judgment.