Provable Cyber Resilience - Cybersecurity Expert

20 February 2010

Chip & PIN Weakness a Smoke Screen for Real UK Card Fraud

The Chip & PIN man-in-the-middle weakness highlighted by the Cambridge academics last week is important to raise and to have addressed, but I'm afraid to say this weakness in Chip & PIN is nothing new; the vulnerability has been known about for years. The Cambridge boffins are right that Chip & PIN isn't as secure as it should be. However, no system ever gives 100% security; the aim of the game is reducing risk. Even with this vulnerability, Chip & PIN reduces card fraud risk significantly when compared to other non-cash payment methods, such as signature-only payments and payments by cheque. The fact is Chip & PIN drastically cut cardholder-present fraud in the UK when it was introduced in 2005.
The really important thing to understand here is that for the Cambridge Chip & PIN attack to work, the fraudster needs possession of the original debit or credit card (one that has not yet been cancelled), and seemingly a laptop: the attack wedges a device between the stolen card and the terminal so that the terminal is told the PIN was verified while the card is told signature verification was used, which is why any PIN typed in is accepted.

Now I have researched card fraudsters for years, and I can tell you they always tend to go with the simplest method of committing card fraud that poses the least risk of being caught; as any security professional knows, bad guys always tend to go for the lowest-hanging fruit.

So here's my main point: why would a card fraudster who is in possession of a stolen card bother with the sophisticated technique highlighted by the Cambridge boffins, when it is far easier and less risky to just damage the chip on the card, forcing a magnetic-swipe and signature payment, perhaps with a bit of social engineering against the cashier if needed? Easier and less risky still, the card fraudster could use the stolen card for online transactions, or even get away with small contactless payments, neither of which requires any knowledge of the PIN.

Secondly, I find card fraudsters tend to use stolen card details where the actual cardholder has no awareness that their card details have been compromised. When the physical card is stolen, it tends to be reported by the cardholder and is quickly cancelled, preventing transactions from working on it. Remember the Cambridge attack is all about physical possession of the stolen plastic card, not stolen payment card details, which is where the bulk of card fraud occurs.

Just to prove how easy it is to get around Chip & PIN without having a PhD, I performed a demonstration yesterday at a "birthday card" retailer in a UK city. I used one of my own credit cards as opposed to a stolen credit card; the credit card I used just happened to have a damaged chip.

To be crystal clear, I did nothing illegal or unethical, and I certainly didn't perform any social engineering or anything dodgy like that. All I did was place my credit card in the card reader as instructed by the cashier; the card reader displayed "invalid", and the cashier said this happens now and again, took my credit card out, swiped it through a magnetic reader, then asked me to sign. I followed the cashier's instructions, so completing a transaction without using a PIN.

Here's the receipt; note the "Date" and the transaction type "Swiped" and "Signature Verified".
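The two receipt fields pointed out above, how the card was read and how the cardholder was verified, are exactly what an issuer's risk engine can key on to spot the fallback path. The following is an added example, not code from the original post or from any card scheme or bank: a small Python screen over a batch of transaction records. The record format, the sample records and the contactless limit are constructed for illustration.

```python
"""Issuer-side screen for chip-fallback and no-PIN card transactions.

Added example; the record format, the sample records and the contactless
limit are constructed for illustration and are not any card scheme's real
message format or rules.
"""
import re
from dataclasses import dataclass

# Assumed no-CVM contactless floor limit in GBP (the UK limit in early 2010 was £10).
CONTACTLESS_NO_CVM_LIMIT = 10.00

# KEY=value pairs; a value runs until the next " KEY=" or end of line,
# so multi-word values such as "Signature Verified" are kept whole.
FIELD = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


@dataclass(frozen=True)
class Transaction:
    date: str
    card: str        # masked PAN
    chip_card: bool  # card was issued with an EMV chip
    entry: str       # chip, swiped, contactless, keyed or ecommerce
    cvm: str         # cardholder verification: pin, signature or none
    amount: float    # GBP


def parse_record(line):
    """Turn one constructed terminal/acquirer record into a Transaction."""
    date, rest = line.strip().split(" ", 1)
    f = dict(FIELD.findall(rest))
    return Transaction(
        date=date,
        card=f["CARD"],
        chip_card=f["CHIP"] == "Y",
        entry=f["ENTRY"].lower(),
        cvm=f["CVM"].split()[0].lower(),   # "Signature Verified" -> "signature"
        amount=float(f["AMOUNT"]),
    )


def risk_flags(tx):
    """Why an issuer's risk engine should look twice at this transaction."""
    flags = []
    if tx.chip_card and tx.entry == "swiped":
        # A chip card read by magstripe: the chip failed, or was deliberately
        # damaged to force the weaker swipe-and-signature path.
        flags.append("TECHNICAL_FALLBACK")
    if tx.entry in ("swiped", "keyed") and tx.cvm != "pin":
        flags.append("NO_PIN")
    if tx.entry == "ecommerce":
        flags.append("CARD_NOT_PRESENT")
    if tx.entry == "contactless" and tx.cvm == "none" and tx.amount > CONTACTLESS_NO_CVM_LIMIT:
        flags.append("CONTACTLESS_OVER_LIMIT")
    return flags


def screen(records):
    """Flag every record, then add REPEAT_FALLBACK for a card with more than
    one technical fallback in the batch: one broken chip is plausible, a
    card that keeps 'failing' at different tills is not."""
    txs = [parse_record(l) for l in records.splitlines() if l.strip()]
    per_tx = [(tx, risk_flags(tx)) for tx in txs]
    fallback_count = {}
    for tx, flags in per_tx:
        if "TECHNICAL_FALLBACK" in flags:
            fallback_count[tx.card] = fallback_count.get(tx.card, 0) + 1
    out = []
    for tx, flags in per_tx:
        if "TECHNICAL_FALLBACK" in flags and fallback_count[tx.card] > 1:
            flags = flags + ["REPEAT_FALLBACK"]
        out.append((tx, flags))
    return out


# Constructed sample batch: the first line mirrors the receipt in the post
# (chip card, swiped, signature); card ****5555 shows a repeated fallback.
SAMPLE_RECORDS = """\
2010-02-19 CARD=****1234 CHIP=Y ENTRY=Swiped CVM=Signature Verified AMOUNT=3.49
2010-02-19 CARD=****1234 CHIP=Y ENTRY=Chip CVM=PIN Verified AMOUNT=42.00
2010-02-19 CARD=****9876 CHIP=N ENTRY=Swiped CVM=Signature Verified AMOUNT=12.00
2010-02-19 CARD=****1234 CHIP=Y ENTRY=Contactless CVM=None AMOUNT=9.99
2010-02-19 CARD=****5555 CHIP=Y ENTRY=Swiped CVM=Signature Verified AMOUNT=120.00
2010-02-19 CARD=****5555 CHIP=Y ENTRY=Swiped CVM=Signature Verified AMOUNT=180.00
2010-02-19 CARD=****1234 CHIP=Y ENTRY=Ecommerce CVM=None AMOUNT=250.00
"""

if __name__ == "__main__":
    for tx, flags in screen(SAMPLE_RECORDS):
        print(f"{tx.card} {tx.entry:<12} {tx.cvm:<10} {tx.amount:>7.2f}  {', '.join(flags) or 'ok'}")
```

The same rules can run in real time at authorisation rather than over a batch; the practical choice for a chip-issued card that arrives swiped is to decline, to step up verification, or to approve and alert the cardholder, and the magstripe-only card (****9876 above) shows why the chip-issued flag has to come from the issuer's own records rather than from the terminal.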

My final point is that the majority of payment card fraud committed in the UK is card-not-present transactions, such as payments made over the Internet or by phone. This type of fraud does not require the fraudster to have physical possession of the plastic card. Often payment card details, not the physical plastic card, are stolen, often en masse from a poorly secured retailer. These stolen card details are then brokered and sold online to individual fraudsters, who go on to commit the actual fraudulent transactions against them. Typically fraudulent transactions with UK cards are made against websites which don't use 3-D Secure (the extra online password step); at the moment these tend to be online gambling websites, which are an easy way for an international card fraudster to cash out against a stolen UK card.

I personally reckon at least £1 billion is stolen on British payment cards every year, and from my knowledge of how UK card fraudsters operate, I would say the Cambridge Chip & PIN attack could be responsible for just a few percent of that fraud spend at present. I have not come across any fraudsters, nor have I heard of any fraudulent incidents, using this technique; however you can never rule out that the bad guys are taking advantage of a known vulnerability (a golden rule in security). But I am very confident the vast majority of payment card fraud in the UK is not being made against this particular vulnerability at present, and I don't see that changing in the future, as there are still far easier methods of committing fraud against UK payment cards.

If the payment card industry were serious about preventing payment card fraud, they should be looking into the types of things I mentioned in this earlier blog posting:
http://blog.itsecurityexpert.co.uk/2009/10/how-payment-card-industry-could-stop.html

02 February 2010

A Cyberwarfare Warning: Greater Manchester Police & Conficker

In the information age our police forces increasingly rely on their IT systems to help them perform their duties, and these IT systems hold citizens' most sensitive personal information. Given the nature of "police business" you would think Her Majesty's finest would be pretty good at IT security, but apparently not. One of the largest police forces in the UK, Greater Manchester Police (GMP), was forced to disconnect its IT systems from the national police systems after they were discovered to be riddled with the Conficker worm. This nasty piece of malware has been around since 2008; however, all the anti-virus systems I know of have been protecting IT systems against it since shortly after Conficker's release.

From schoolchildren to silver surfers, most people realise and understand the importance of having anti-virus software installed on their PCs, and the importance of keeping it up to date. Installing anti-virus protection onto all Windows-based operating systems and keeping it up to date is a very basic best practice. Clearly this was not being achieved by GMP: it was reported that much of their IT estate was infected with Conficker on Friday 29 January 2010, to such an extent that they had to disconnect all their systems from the national police systems for several days, rendering GMP less effective. For instance, GMP officers had to request checks on names and vehicles from neighbouring police forces. Conficker spreads through a Windows vulnerability that Microsoft patched in October 2008 (MS08-067), as well as via removable media and weak administrator passwords, so up-to-date patching alone would have blocked much of the outbreak.

What I find particularly concerning about this successful attack, aside from the possible breach of highly sensitive information, which is a real risk with Conficker, is just how simple it is to take out key IT systems and directly impact a cornerstone of our society's infrastructure.
Previously Conficker also hit IT systems at the Houses of Parliament and hospitals in Sheffield, and cost Manchester City Council £1.5 million, although some might say preventing Manchester City Council from issuing hundreds of motoring penalty notices in time, due to Conficker knocking out its IT systems, was a bit of a blessing.

In this day and age we tend to take for granted our increasing reliance on IT systems. Cyber attacks against our national infrastructure are a very real and increasing risk, and there have already been several examples of international cyber attacks. This latest Conficker outbreak at GMP should serve as a real warning to the UK Government. Whether it's our national power grid, banking infrastructure, telecoms, air traffic control, or even key online servers and websites, cyber attacks can really hurt us and our economy.

It is more than feasible that cyber terrorists could make the next "Conficker"-type worm to specifically target key infrastructure IT systems. The damage could be done before anti-virus and OS vendors can respond with a solution. At the end of the day anti-virus is reactive, a "sticking plaster" approach to security, while thousands of new vulnerabilities are found in operating systems and applications every year. This rising vulnerability trend will continue despite the usual vendor hype of "this is our most secure platform ever". We saw this just two weeks ago with the actively exploited vulnerability in the latest version of Internet Explorer, which took several days to be patched, or is that plastered.
The UK Government is responsible for protecting the country's key infrastructure; however, I'm afraid to say the UK Government is doing very little to address this threat at present, unlike across the pond, where Barack Obama recently appointed Howard Schmidt as their cyber tsar to help tackle these types of risks. Just a few months ago I was speaking with Howard about this very subject; he didn't disagree with me when I stated that I believe it's just a matter of time before we see a cyber 9/11.

31 January 2010

Secret Government Security Standards: Heard of CoCo & IL3?

In the UK, much of the sensitive digital and personal information entrusted to UK government departments and their commercial partners is supposedly protected by sets of unpublished information security standards. These non-public standards, such as the Government Code of Connection (CoCo) and the security controls required around the various "Impact Level" classifications (IL2, IL3 etc.), have only been made available to a select few bodies, some of which decide whether organisations comply with these standards or not, all out of the public eye.
Why the Secrecy?
Why aren't these important security standards, concerning the protection of UK citizens' sensitive information, made public? What exactly are the specific requirements against which UK government departments and their commercial partners are seemingly vetted? Are these requirements up to date and strong enough to ensure the breach risk to our information is adequately low? Why can't the public find out which organisations are currently complying with these standards, and which organisations that handle our information are not complying with these imperative security standards?

I certainly don't have the answers to these questions; I'm afraid this is a rare blog posting of questions rather than my usual solutions and ideas. But I do believe these security standards and their specific requirements must be opened up to the public. Not only that, but the process of their creation and their review process, to ensure they are kept up to date in the fast-paced infosec threat world, and the process for enforcing these standards must be completely transparent. As a result of their currently shadowy nature, I think the public will only conclude these standards' requirements are a sham, that they aren't strong enough and are out of date, or that they are not being properly followed across the board.

Anyone should be able to Google the names of these security standards, find the standard's specific requirements in black and white, understand how organisations are independently assessed in meeting those requirements, and then find out which organisations are currently compliant with them.

Other commercially driven security standards, such as the Payment Card Industry Data Security Standard (PCI DSS), are published, and have become stronger standards as a result. The PCI DSS assessment process for companies handling payment cards is controversial to some, but it is at least visible, and the largest PCI-compliant companies are publicly listed as being compliant with the standard.

The only way to ensure any security standard and its specific requirements are fit for purpose is for it to be publicly scrutinised. I would have thought it is a general principle for government to be open and transparent with its citizens. Another benefit of public scrutiny is that it places pressure on organisations to actually meet the standard. In an information security "minimum spend required" world, there must be motivation for organisations to make the investment in meeting security standards, and there is no greater motivator than public and media criticism.

11 December 2009

Facebook Privacy Settings Change Swindle

I logged onto Facebook today and to my utter horror I was automatically forced to a page to accept changes to my privacy settings. These privacy settings had defaulted to new settings, replacing my existing "secure" settings, which are configured to protect my personal information from strangers.

Now I wasn't caught out by this cheap stunt, but I fear many people who had previously made the effort to configure their Facebook accounts to only share their private information with friends they know may have been tricked.

I only blogged about how to configure Facebook securely a couple of weeks ago: http://blog.itsecurityexpert.co.uk/2009/11/child-facebook-safety.html My blog posting was aimed at protecting children using Facebook, and I fear this forced privacy settings change will have caught out many children, as I find children tend to have a "just click and don't read properly" approach when using the Internet. Facebook is forcing this privacy change screen on all its users; a user cannot use any element of Facebook until they click the "Save Settings" button.

I just think this is an utter disgrace and a crime against privacy. It's about time social networking sites were regulated to ensure they understand their responsibility to protect their customers' personal information, rather than profiteering as much as they can out of it. The simple reason Facebook wants its users to share their private information more widely is to generate more traffic to the site, which in turn leads to more advertising revenue. Facebook should be doing the complete opposite and suggesting default privacy settings that share only with friends.

Make no mistake, the "Friends of Friends" setting means strangers will be accessing your personal information and your family photos, so make sure you are not deceived by Facebook's downright reckless approach to protecting your personal information.

30 November 2009

Child Facebook Safety

Recently I was invited to participate in a Radio Five Live debate on children's use of social networking sites, and specifically child bullying within Facebook. Various parents were calling the radio programme and saying their children had suffered from issues like cyber bullying and the receipt of obscene messages from perverts. Several individuals thought the answer was to prevent their children using social networking websites, and some even suggested banning children from using the Internet altogether.


The main point I made was that banning children from using social networking sites like Facebook, Bebo and MySpace will just not work. For one, banning illegal activities like underage smoking and drinking doesn't work; sooner or later children will find a way to access social networking websites anyway, which isn't illegal by the way. Furthermore, preventing a child from using the home PC is a reckless approach in the information age and a pretty pointless exercise, as children can access the Internet and social networking from their mobile phones, on school computers, perhaps on a friend's laptop; crikey, they can even access social networking sites through a games console!

The clear answer I gave to this problem was cyber education. Not the usual optional Internet awareness classes given out of hours in secondary school, but mandatory classes on how to use the Internet safely in the later years of primary school. For me this type of Information and Communication Technology (ICT) education should not just be akin to the "don't talk to strangers" and "crossing the road safely" type of education, but needs to be as essential as Maths and English. School ICT lessons simply should not just be about doing a bit of desktop publishing and putting together PowerPoint presentations, but about the essential "life" skills of how to keep safe and secure when online.

While talking on Five Live about my thoughts on this subject, I went on to give an example of five things our primary school children should be taught about social networking, and indeed what parents should be aware of too: apart from cyber bullying, social networking is the favourite tool of identity thieves. These five pieces of advice were:

1. USE GOOD FRIENDS MANAGEMENT

Child Advice: The first golden rule is to only accept friend requests from people you know, and by know I mean have actually met face-to-face. Secondly, only accept friend requests from people you actually like. Just because you know someone does not necessarily mean you like them. If you don't get on with someone, don't accept them as a friend, as usually this leads to no good. Remember a social networking site is not supposed to be about collecting as many friends as you can. If you have hundreds of friends on your friends list, you are just asking for trouble, as no doubt most of these "friends" will be strangers, amongst whom there will always be some bad apples.

Parent Advice: If your child has more than 10 to 15 friends on their social networking friends list, you should be concerned; ask your child to go through their friends list and confirm who they are. Also understand that most social networking sites use all sorts of "rewards" to encourage their users to amass friends, and some sites, like Twitter, are built on it; in the case of Twitter see points 2 and 3.

2. CHECK YOUR PRIVACY SETTINGS

Child Advice: Make sure your privacy settings are fully on; in particular ensure you are only sharing your personal postings and pictures with "Friends only". The "Friends of Friends" setting is not good, while "Public" is just asking for trouble.
Parent Advice: Periodically double-check your child's social networking privacy settings as per the child advice above. Some social networking sites default new accounts with privacy fully on, but not all; for example Twitter's privacy settings are off by default. However, many applications within social networking sites tend to fool children (and adults) into switching these settings off. Leaving privacy settings off allows the world (strangers) to see your child's comments and pictures.

3. WHAT GOES ONLINE, STAYS ONLINE!

Child Advice: Before posting a comment or picture, stop and think before you hit confirm. Remember once a comment or picture is posted it stays forever; just because you delete it seconds later does not mean it is gone from the Internet. For instance, most social networking sites send out email updates containing your post, and can even post to other social networking sites, for instance through Twitter's integration with Facebook, so be very careful what you post. If you need to have a private and sensitive conversation with your friends, it is always best to stick to verbal communication, as you never know who could pick up on your posting.

Parent Advice: Periodically check your child's postings to ensure your child is posting sensibly. The best way to do this is to add yourself as a friend of your child.

4. NEVER GIVE YOUR PASSWORD OUT

Child Advice: No one ever needs to know your password, except your parents. Emails from Facebook, Bebo, Twitter etc., and from social networking applications, asking for your password are always fake. Do not share your account with anyone and never give your password out to any of your friends.

Parent Advice: Cyber bullies, and worse, often try to fool social networking users into providing their password; once they have it, they can get up to all sorts of nasty tricks. Ensure your child uses a strong password and remind them never to share it with anyone except yourself.

5. ENSURE ANTI-VIRUS & PATCHING IS UP-TO-DATE


Child and Parent Advice: Make sure your PC's anti-virus is operating and kept up to date, ensure your PC's firewall is enabled, and apply the latest operating system patches on a regular basis. This will help prevent malicious software covertly installing onto your PC; such software can steal your social networking passwords and send them on to the bad guys without your knowledge.

Social Networking, like most things in life, can be fun, an extremely useful tool, and ultimately safe if used responsibly.

There are several useful website resources for this below:

Kidscape (Cyber bullying Awareness for Children)
http://www.kidscape.org.uk/cyberbullying/cyberbullyingchildrenyoungpeople.shtml

DirectGov (Cyber bullying Awareness for Adults)
http://www.nidirect.gov.uk/index/parents/your-childs-health-and-safety/internet-safety/cyberbullying-1.htm

A Guide to Facebook Security and Privacy
http://www.thetechherald.com/article.php/200938/4434?page=1

If anyone else would like to recommend further websites, please post them in the comments, thanks.

28 November 2009

Gary McKinnon Extradition

Gary McKinnon is in the news again after the Home Secretary, Alan Johnson, refused to block his intended extradition to the United States. I was invited to comment on Radio Five Live on Friday morning, to raise points on the security and technical specifics of the case.
It is clear Gary has plenty of public support in the UK from people who believe he shouldn't be extradited to the United States, mainly on human rights grounds. Gary's lawyers stated he is happy to plead guilty to the crimes in a UK court, so he appears to be guilty of these crimes, but his lawyers feel justice just won't be served if he is sent to a US court.

I have actually met Gary a couple of years back; however, my comments on Radio Five Live were made from a totally impartial, information security expert's point of view. Here is a summary of what I said.

The main point to understand is: what was the motivation for Gary McKinnon's "hacking" attack? It clearly wasn't fraud, as he wasn't trying to steal any financial information, and there appears to be no accusation of Gary stealing information to sell on for profit. This is the first point to understand, as people who are motivated to hack systems to steal for personal profit do need the book throwing at them.

The next question: did Gary set out to damage systems maliciously? Well, if you listen to his lawyers, they will tell you Gary's motive wasn't to break and damage systems but to acquire knowledge, mainly about UFOs and their power source. However, the US authorities say Gary's intention was to break and damage their systems, and point to messages left on their systems, such as the one below, which I understand his lawyers have verified was left by Gary.

“US foreign policy is akin to government-sponsored terrorism these days? It was not a mistake that there was a huge security stand-down on September 11 last year...I am SOLO. I will continue to disrupt at the highest levels.”

For me these are all important questions to ask and answers to understand, as there is a big difference between a fraudster using hacking techniques to steal financial information, a malicious hacker deliberately out to deface and break systems, and a curious hacker trying to satisfy a "what if". Confusingly, Gary is portrayed as the latter, but he also tends to be branded and tarred with the same brush as these other types of hackers. I feel this is because the general media and the public do not understand the significance of the different types of hacking which are occurring today.

I believe there is negligence on the US system owners' part. For example, if I were to park a shiny new BMW in an undesirable part of town, left the car unlocked with the keys in the ignition, wouldn't I be negligent and at fault if the car was stolen? Would an insurance company pay out? In the same way, everyone knows the Internet is a dangerous place, and for any organisation to place "sensitive" servers directly on the Internet without even the basic IT security best practice of the day, and then have those servers hacked, in my view that organisation has only itself to blame. If Gary didn't get there first, someone else, or perhaps even a malicious application, would have breached these systems eventually. The majority of information security professionals I know tend to share this point of view; however, a lawyer wouldn't, and perhaps the people who didn't properly secure their systems in the first place won't exactly be blaming themselves either. But I'm definitely with the insurance company on this point.

Gary is summarised by most media as being some sort of super hacker. Actually, from my experience and knowledge of the actual "hacking" which is alleged to have occurred in this case, I have to say Gary is far from being a super hacker or even an accomplished hacker. It looks like Gary didn't really have to work very hard to access these systems, such was the alleged lack of basic security on them, and at the end of the day he got caught. Even an average-grade hacker knows how to be anonymous on the Internet and how to cover their tracks properly; only the inexperienced and the not-so-clever hackers actually get caught. So in my view Gary is far from being a "super hacker".

My final point on the radio, which will not be popular with pro-Gary campaigners, is a word of caution. We need to give some thought to the legal precedents which could be set here. There is a problem in bringing real, serious cyber criminals to justice, because hackers tend to operate across international borders. I know our US extradition treaty isn't the best as it currently stands, but if this extradition were to be blocked, I fear the next time we arrest a credit card fraudster operating out of the UK (which has happened recently), the fraudster's legal team would use this case to prevent extradition. Similar legal precedents have been used to stop the extradition of foreign nationals back to their country of origin, despite them committing all sorts of heinous crimes that are far more serious than breaking a few servers.

There is much more I could have said on this subject, such as looking at the way the US authorities appear to have put in place over-the-top sentencing for this crime, which doesn't appear to reflect the actual crime. It is ridiculous that this particular type of offence seems to carry a greater punishment than murder in terms of prison sentence time. I understand Gary's hacking at worst caused a 24-hour outage, with no member of the public (or military) harmed as a result, and as I said it could be argued the system owners were partially to blame as well. I don't believe any information of value was stolen; only system "software" damage is alleged to have occurred, which is estimated at around $700,000 by the US authorities, which many would say is kind of high for rebooting and restoring fewer than 100 systems. The punishment for the actual offence must fit the crime, and if it did then extradition of Gary to face justice in a US court might not be the problem it currently is.

01 November 2009

How Secure is your UK Online Banking?

The UK may still be in the midst of a recession, but these times are proving anything but a recession for cybercriminals, as UK online banking fraud is skyrocketing at the moment. Financial Fraud Action figures show a 55% increase for the first half of 2009, while UK Payments Administration figures report a 44% year-on-year rise. Through my own research and underground monitoring of UK cybercriminal activity, I am seeing increasing numbers of stolen UK online bank account access details being put up for sale, and increasing numbers of keylogger malware being deployed which specifically target the covert theft of UK online banking credentials.
Despite these increases in criminal activity and years of warnings, UK banks still aren't doing enough to protect their customers from the dangers of the Internet. Many UK banks have yet to provide their customers with security best practice two-factor authentication for access to their online banking, so are making it all too easy for cybercriminals to steal UK bank account access details. Two-factor authentication involves each online account holder possessing an individual hardware token. This hardware token displays a constantly changing number on an LCD screen (see picture below), which is typed in alongside the customer's identity (name) and password to gain access to the online bank account. Using a hardware token such as this would prevent the majority of online banking theft today, as without physical possession of the second-factor hardware token you cannot gain access to the online bank account. The one caveat is that the bank must accept each displayed code only once and only within its short validity window; otherwise a code phished or relayed in real time can be used by the fraudster before it expires.
Many UK banks still resort to dated "knowledge-based" authentication alongside a person's password. "Knowledge-based" authentication is about asking the account holder a question to which only that individual is likely to know the answer. Typical knowledge-based questions are: What is your mother's first name? What is the first school you attended? What is the name of your favourite pet? The problem is this type of personal information is no longer private in the information age, and can be found in all manner of places on the Internet, both legitimately and illegitimately. So fraudsters who steal bank account details often do a bit of simple research to build up a knowledge profile of their target, so they can get past the knowledge-based questions as well. This information gathering can be done in just minutes from a computer keyboard anywhere in the world; a wealth of personal details on a target can be quickly found using websites such as Google, Facebook and various public record websites like the electoral roll directory 192.com. I have seen UK cyber-fraudsters selling complete profiles of UK individuals along with their online bank account username and password, including one which stated the victim's favourite pet's name!

Two-factor authentication will not completely solve online banking fraud, but if deployed by UK banks it would go some distance in bringing down the number of UK online bank accounts being compromised. My own research shows the majority of UK bank theft is actually carried out by criminals based abroad, who generally regard the UK as easy pickings and a soft target. The slow take-up of two-factor authentication by UK banks just reinforces the UK's perception as a soft target by cybercriminals around the world.
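The token described above works by sharing a secret between the token and the bank and deriving a short code from that secret and the current 30-second time step, the scheme standardised as TOTP (RFC 6238) on top of HOTP (RFC 4226). What follows is an added example using only the Python standard library; it is not the post's code or any bank's implementation. It shows both sides of the exchange and the two checks a verifier needs: a small window for clock drift, and a record of the last code redeemed so that a phished code cannot be replayed. The secret used is the RFC test seed so the output can be checked against the published vectors; a real token carries a per-customer random secret.

```python
"""Time-based one-time passwords (RFC 6238), the mechanism behind LCD tokens
like the one described in the post. Added example, standard library only;
not any bank's implementation. SECRET is the RFC 4226/6238 reference seed
so outputs match the published test vectors; a real token holds a
per-customer random secret."""
import hashlib
import hmac
import struct
import time

SECRET = b"12345678901234567890"
STEP = 30      # seconds each displayed code is valid for
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """HMAC-based OTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian
    counter, 'dynamic truncation' to a 31-bit integer, reduced mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, at=None, step=STEP, digits=DIGITS):
    """The number the token displays at Unix time `at` (now if None)."""
    t = int(time.time() if at is None else at)
    return hotp(secret, t // step, digits)


class TotpVerifier:
    """Bank-side check for one customer's token."""

    def __init__(self, secret, step=STEP, digits=DIGITS, window=1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window      # time steps of clock drift tolerated either side
        self.last_counter = -1    # highest time step already redeemed

    def verify(self, code, at=None):
        t = int(time.time() if at is None else at)
        current = t // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue  # already redeemed, or older: a phished code cannot be replayed
            expected = hotp(self.secret, counter, self.digits)
            # constant-time comparison, so a wrong guess leaks nothing about the digits
            if hmac.compare_digest(expected.encode(), str(code).encode()):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    shown = totp(SECRET, now)
    bank = TotpVerifier(SECRET)
    print("token shows :", shown)
    print("first login :", bank.verify(shown, now))   # accepted
    print("replayed    :", bank.verify(shown, now))   # rejected: same step already used
```

The replay record is what closes the gap noted above: a fraudster who phishes a code still has to use it before the customer does and within the window, and can never use it twice. Note that the verifier keys everything on the time step rather than the code string, so even a code that happens to repeat across steps is handled correctly.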

Why don't all UK banks deploy two-factor authentication?
Their excuse is cost. Although the actual cost of deploying two-factor authentication is relatively small (£3 to £6 per customer), UK banks do not want to spend in the current climate and are more than happy taking the hit on cyber fraud, which is regarded as a more acceptable cost than shelling out on security prevention, no matter the inconvenience and stress this type of fraud places on its victims. Here is a thought: given the choice, customers would be happy to pay a one-off £5 fee for their hardware token in return for the security benefits it provides.

Seriously, why do UK banks continue to shoot themselves in the foot by not providing two-factor authentication to their customers?
OK, here is the real food for thought on the cost argument. Most UK banks actually want their customers to use online banking for reviewing bank statements, rather than sending paper statements to their customers in the post. Surely the cost of having a customer use online banking, and being provided with a hardware token for security, is much cheaper than posting 12 statements a year. I say this as I know people who are put off using online banking because they don't feel confident in the security; personally I think using a hardware token would give them that security assurance. Providing a two-factor token could actually turn out to be a real cost saving! And let's not forget the carbon saving from not printing those paper bank statements and shipping them around the country too.
What can you do to protect your online bank account?
IT Security Expert advice
1. If your bank does not provide two-factor authentication (token/key), consider switching to a bank which does.

2. Password Protection
a. Ensure your bank account password is unique to you. Using the same password on other websites such as social networking websites, message boards, webmail and job recruitment websites must be avoided at all costs. The bad guys hack these types of websites specifically to lift individual usernames and passwords for the purpose of trying them against online banking websites.
b. Change your password at least once a year; once a quarter is what I personally recommend.
c. Ensure your password is strong. By strong I mean use upper and lower case letters, at least one number, but most of all include at least one "special character". By "special characters" I mean @, ", $, %. However, I know of one recently taken-over Yorkshire-based bank which actually prevents you from using special characters in your password!

3. Email Security
a. We all know about phishing emails now, but they are still a major problem and a favourite attack deployed by cybercriminals to harvest online banking details. Phishing emails are becoming more realistic and more specifically targeted. Unfortunately this attack still works; people are still suckered in by these emails. So no matter how genuine an email looks, never click on the links; a bank will (should) never request your account details or ask you to log in for any reason via an email. Remember a phishing email always preys on the emotion of greed (you have won something) or fear (your account has been compromised, change your details).
b. Never send your bank details by email, no matter what legitimate company or person requests it; be strong and always resist, just say no!

4. Ensure your operating system is patched up to date, and that you have anti-virus and anti-spyware applications running at all times and kept up to date. The bad guys like to deploy key-logging malware onto unsuspecting users' PCs; the users then have no idea their keystrokes are being recorded and sent on to fraudsters, keystrokes including those bank account access details, namely the username and password.

5. Check your bank statements regularly. UK banks are getting better at detecting bank fraud but it’s far from perfect. Therefore it’s important you take responsibility and check through your statements regularly looking for fraudulent transactions. Pay particular attention to internet transactions and transfers out.