By Jeremy Scott-Joynt
Business reporter, BBC News
Ten years ago, people in the UK could be forgiven for thinking that their relationships with their bank were predominantly about one thing.
Queuing.
Whether at the branch, at the cash machine, or listening to canned music on a phone line, dealing with your bank was by definition a time-consuming, often inconvenient hassle.
Then came banking over the internet - and for those with access to the web, managing your money became a whole lot easier.
But customers are not the only ones to benefit. Crooks, too, were handed a glorious new opportunity to rip people off.
Ease of use
Initially, though, everything looked rosy, as on 27 May 1997 the Nationwide building society opened its electronic doors.
Barely a month later, the Royal Bank of Scotland became the first UK High Street bank to join the online revolution.
As the dotcom boom accelerated and internet access exploded, their competitors followed suit.
In fact, computer-based banking had been around for years. The Bank of Scotland, for instance, had allowed customers to transfer funds using the now-defunct Prestel network since the early 1980s.
But the ease of use and open access offered by the web opened up a welter of fresh opportunities.
Everyone in the banking business was discovering that not only was internet access cheap to run - but that it was a fantastic advertising opportunity for other services as well.
Nowadays, a third of Nationwide's customers use online banking.
And according to RBS, the number of online transactions, and their value, has increased sevenfold in the past five years.
Criminal opportunities
But it wasn't long before the crooks started to take advantage.
Online banking meant that for the first time, bank fraud - on an industrial scale - could be done from outside, without having to rely on bank employees to pull it off.
"It's so much easier to steal from a bank online than it is to hire a Ford Cortina and put a stocking over your head," says Graham Cluley, senior technology consultant for internet security firm Sophos.
"And there's no danger of a granny clobbering you over the head with her brolly."
By January 2000, reports were surfacing of frauds on a California bank which - unwisely - had failed to check the identities of people requesting transfers from existing accounts into new online ones.
In the UK, Egg was the first financial institution to go public later that year with news that crooks had set up accounts with fake identities for fraudulent purposes.
That same year, fake banking websites started to proliferate around the world to snare the unwary into giving away their details.
And by the start of 2004, the all-too-familiar phishing emails began to fill up email inboxes worldwide - to the extent that now more than one in 100 emails is a phish - and organised criminals began to get in on the game.
Challenge and response
As the threats have evolved, so have the responses.
More and stronger passwords came first.
Then, as trojans - bits of rogue software downloaded to people's computers without their knowledge - began to let crooks "sniff" keystrokes, banks switched to methods which needed a mouse instead.
So the trojans started to take pictures of screens instead.
Now, more and more banks are getting their customers to use tiny devices which generate apparently random numbers, in an attempt to stay a step ahead of the fraudsters.
And yet the fraud continues.
"There's been a 44% increase since 2005 in online banking fraud," says Steven Philippsohn, London lawyer and head of the Fraud Advisory Panel's cybercrime committee.
"It proves the point that fraud gets committed, and then as security is put in place something else crops up."
Fraud, he argues, has tended to migrate rather than fall as a result of banks' attempts to tighten things up.
'Liability dumping'
There is also the question of who bears the risk.
Security expert Ross Anderson, professor of computing at Cambridge University, warns that some financial institutions engage in what he calls "liability dumping" - the attempt to shift the burden of dealing with online bank fraud onto someone else.
"At a recent UK conference, the government wanted citizens to take more responsibility for their own safety online, while banks blamed the government and the internet service providers, and everyone else was eager to distance themselves from the problem in other ways," he wrote in a recent paper for the US Federal Reserve.
Sandra Quinn of Apacs, which represents credit card and cheque issuers, resists this suggestion.
"The burden of proof to show a customer has been negligent is very tough," she says.
Risk versus convenience
All this has left many people extremely nervous.
In a survey of its own customers, Nationwide found that almost half still did not trust online banking.
But of the 37% of its customers who did, the vast majority - more than four out of five - thought it was safe.
"The sensitivity remains," says Steven Philippsohn, "but the counter-attraction (of convenience) is very large."
And although there are many experts who flatly refuse to go anywhere near online banking, Graham Cluley is not one of them.
"As long as you keep your computer up-to-date with antivirus software and a good firewall, and exercise the usual caution about what you do online, I don't see any reason not to use it," he says.