Banks to wash their hands of customer card fraud

By Graeme Burton
14 Nov 2012 View Comments
Santander bank

"If you can predict it, you can record everything you need from momentary access to a chip card to play it back and impersonate the card at a future date and location. You can as good as clone the chip... Just like most vulnerabilities we find these days, some in industry already knew about it but covered it up; we have indications the crooks know about this too, and we believe it explains a good portion of the unsolved phantom withdrawal cases reported to us, for which we had until recently no explanation," wrote University of Cambridge security researcher Mike Bond in a recent blog posting.

Further reading

Indeed, despite the introduction of chip and pin – which was supposed to make card payments more secure – fraud has continued rising, increasing by nine per cent to £185m in the first half of the year.

The banking industry, though, has defended itself, claiming that the changes are justified due to the increasingly pervasive nature of mobile banking.

In a statement, Santander told Computing: "In line with other providers, we believe that by having security details unique to the accounts they hold with us, customers can help protect themselves further against fraud risks. Due to the increasing use of mobile banking and password memory software we are updating our terms and conditions and suggesting a number of additional measures our customers can take to help protect themselves.

"Unless a customer is involved in fraud, any instance of fraud is against the bank, not the customer, and so innocent victims will not lose out financially. We look at every fraud case on an individual basis. If a customer has been a victim of fraud and they have taken reasonable steps to protect their personal financial security then we will refund within 24 hours."

Santander has also recently been at the centre of claims regarding the security of its personal online banking accounts, published on the Full Disclosure list.

An online security researcher in October claimed that Santander had been storing users' credit card and other personally identifiable information in cookies on users' PCs – where they are stored in plain text, easily uncoverable by an attacker. "Santander online banking unnecessarily stores sensitive information within cookies. Depending on which areas of online banking the user visits this information may include the following: Full name, credit card number, bank account number and sort code, alias and user ID."

The bank, however, claims that it has now addressed these security issues. In a statement to Computing, it said: "Santander takes the security of our customer data very seriously and we continually review our Cookie Policy and all other relevant systems to ensure we maintain the highest standards. Concerns around the three main elements relating to the storage of customer data in cookies have been addressed fully and further enhancements are planned." 

Reader comments
blog comments powered by Disqus
Newsletters
Is it time to open Windows?

Computing believes that Microsoft will start offering Windows free of charge by 2017. Is this a good thing for the enterprise?

55 %
16 %
7 %
19 %
3 %