Banks constantly tell us to do more to protect our financial details against online fraud, but we live in a world where there is often no alternative to exposing important financial information to potential misuse. The frustration is that there are some relatively simple services the banks could provide to avoid this, but for some reason, probably just their inertia, these are currently unavailable to a lot of users.
Single Use Credit Card Details
Paying for stuff online frequently involves a big act of trust – when you type in your credit card details you are effectively handing the receiving party the keys to thousands of pounds of your money. You want to hold the merchant to a very high standard of behaviour with those details, which is probably justified for a big household name, but what about other cases? A smaller organisation may be perfectly honest, but may hold your card details in a form which could be vulnerable to an unrelated attack.
Worse, the payee might not have honourable intentions for your card details. You don’t have to be doing anything very nefarious to come across potential examples: the other day I was trying to track down a manual for a second-hand watch, and the only download sites wanted me to "register a credit card" before proceeding. Possibly innocent, quite possibly not.
I really shouldn’t have to expose powerful payment credentials in such a situation. My strong preference is to use a trusted intermediary like PayPal, but that’s not always an option. The best alternative solution is the concept of a "single use credit card" – a set of virtual card details used for one specific purpose, with a short lifetime and very low "credit limit".
However while this is a well-established concept, actually getting hold of such details turns out to be very difficult. As far as I can see, no mainstream UK bank offers this service. Several of the big American banks do, but not to UK customers. Capital One have such a service built into their online support tools, and I have one of their cards, but I couldn’t access those tools with my credentials.
There are a couple of third parties offering the service in the UK, but often only with an expensive subscription. The honourable exception appears to be EntroPay. It’s a bit fiddly getting set up so that you can load their cards from your regular credit card provider, and cost me a 20 minute call to my bank, but I now have a virtual credit card with a £5 credit limit and no other uses. Ideal, but harder than it should be.
This is not rocket science. The fact that several major US banks readily offer such services confirms that this is feasible. We pay substantial fees for access to banking, so why can’t UK banks follow suit?
Payment-Only Account Numbers
In the move from cash and cheque to direct bank transfers even for small personal payments we have also adopted another behaviour which is perilously close to leaving your keys on your front doorstep. This is the practice of sharing your bank account details with anyone who offers to send you some money. This is another practice which leaves me deeply uncomfortable.
Again there is a relatively simple solution. Your account should have a second "shadow" number which can only be used for paying in money, not for withdrawals or other actions (although it might be the visible account number on payments you make). This becomes a "public key" which you are comfortable sharing, while the real account number remains a private secret shared only by yourself and your bank. That then becomes a useful piece of two-way authentication, whereas at the moment someone who knows your account details could have got them from a discarded email or similar. If someone only has the "public" number, then neither your nor your bank should take any instruction from them.
The idea of public and private keys is well established in the electronic world, and ironically the banking system has used physical versions for years – think, for example, of the "hole in the wall" deposit machines for which many people have a key allowing deposit, but only the bank has a master key for collection. However, I’m not aware of any UK banks offering this simple service.
Payee Account Verification
The next is as much about error as fraud prevention, and may be specific to certain banks, but certainly in the Lloyd’s system if you are setting up a personal payment there is zero feedback on whether you have the right account number . The system doesn’t even require you to type in the number twice for confirmation.
Any party in the chain might have made an innocent error, and if the result is a valid account and sort code combination then the funds will be misdirected. If you received payment details via some insecure mechanism such as email, it is also not impossible that a fraudster could substitute their own details, and you would be none the wiser until the real recipient complains about the missing payment.
I suppose banks might argue that showing the account payee name could allow a certain level of account number "guessing", but that sounds specious to me. The simple solution is to combine this change with the payment-only shadow number concept above.
Finally a simple prophylactic against the "your money is in danger, please put it in this account (of mine)" scam. Banks could insist on either two days’ notice or a personal phone call before any transaction which either largely empties an account, or exceeds a certain threshold. Notice could be provided via the banking application to cut down on administration. For most users, most of the time, this would be no problem, and it would require that any more significant transaction is either planned, or has a "cooling off" period in which fraud checks could be carried out. "Instant access" would still be possible, but only after a phone call or bank visit in which you could be asked "has someone told you to do this?".
Credit card companies do this all the time – mine insisted on an exchange of texts and a call to OK a payment of £5 to Entropay. Yet I know someone who emptied three accounts under a scammer’s instructions before a bank manager asked the key questions. There’s a bit of a mismatch there.
We all need to play our part in fraud prevention, but that goes double for the banks, and a few simple service enhancements along the lines above would make financial life much more secure for all.