The BBC report, here, said that the Association for Payment Clearing Services (APACS) is warning that online customers defrauded by phishing scams could find themselves on their own. UK banks have refunded £4.5 million to 2,000 victims of online phishing, said APACS, quoted by the BBC.
Phishing is a technique by which users are deceived into believing that emails purporting to come from banks and other organisations are legitimate requests for additional security information. When someone clicks on the link in such an email, they are taken to a spoof site, where they are enticed into handing over their user name, password and other details.
A "safety net" protecting customers from such online frauds could be withdrawn if customers don't take sufficient care, an APACS spokesperson is quoted as saying.
However, reliable sources close to bank systems here in the UK say that the responsibility for losing this staggering amount of money is actually down to the banks themselves.
If the UK banks got their security right, they'd be able to prevent the scourge of phishing completely. Banks could easily use SPF (Sender Policy Framework) to prevent such frauds, with major email services such as Hotmail and AOL checking the records on incoming mail.
SPF allows the receiving mail service to check whether the sending IP address is authorised to send mail on behalf of the domain, but senior staff at some banks don't want any mail blocked, in case they lose business.
SPF only requires the bank to publish one DNS record, which would protect both AOL and Hotmail users straight away, and the other ISPs could easily roll out the same checking to protect their users and the banks.
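The check described above, as an added illustration that is not part of the original report: the bank publishes a single SPF record in DNS, and the receiving mail service evaluates the connecting IP against it. The record, domain and addresses below are constructed (RFC 5737/3849 documentation ranges), and only the `ip4`, `ip6` and `all` mechanisms are evaluated, since `a`, `mx` and `include` need live DNS lookups.

```python
import ipaddress

# Constructed SPF record, as the bank would publish it in a TXT record at its
# domain. The ranges are documentation addresses, not any real bank's servers.
BANK_SPF_RECORD = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:ba4c::/48 -all"

# SPF qualifier prefix -> result the receiver acts on
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record: str, sending_ip: str) -> str:
    """Evaluate an SPF record against the IP that connected to deliver the mail,
    as a receiving mail service would. Returns pass, fail, softfail, neutral,
    or none (no usable SPF record). Simplification for this offline example:
    mechanisms needing DNS (a, mx, include, exists) are skipped rather than
    resolved, so a record relying only on those evaluates to neutral."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sending_ip)
    for term in terms[1:]:
        qualifier = "+"                      # no prefix means "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":                    # catch-all: decides the result
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(arg, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
    return "neutral"                         # nothing matched and no "all" term


def should_reject(record: str, sending_ip: str) -> bool:
    """Receiver policy: reject mail that hard-fails the sender's published SPF.
    A softfail would typically be marked or quarantined rather than bounced."""
    return check_spf(record, sending_ip) == "fail"
```

With the `-all` record above, a message from any address outside the bank's published ranges hard-fails and can be rejected before it reaches the customer's inbox.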