A plea to our banks to step up security

Not only did police finally arrest a prolific money mule in Whanganui this month, but politicians have seen the light on consumer protection.

They agreed we need account name and number matching (Confirmation of Payee), so customers don’t get tricked into paying the wrong people. They’d also like banks to start reimbursing victims of authorised push payment fraud, in a system like the UK’s Contingent Reimbursement Model.

In the meantime, there’s an elephant in the safe. How long will it take? I’d be loath to bet on next Christmas. Plenty of time for all those offshore criminals and their Kiwi money mules to keep plying their trade in large-haul investment scams and many new deceptions.

There are security weaknesses all over our payment system and I believe it’s no longer fit for purpose. Here’s a plea to ANZ, ASB, BNZ, Kiwibank and Westpac.

This is what needs immediate attention:

When we enter your online banking or mobile app, reassure us it’s not cloned:

Get us to set up a unique greeting on the home screen above the PIN or biometric entry. A fake app or website won’t know this information, so its absence is the tell. It is one layer, not a guarantee: a phishing site that relays our username to the real bank in real time can fetch the greeting too, so it belongs alongside in-app authentication rather than in place of it. I’m not inventing this stuff by the way. UK banking giant Barclays explained it when I set up a Māori greeting with a nickname on the front of their app.

When we select “payment” from the menu, warn us about scams:

The first screen could say: “Bill, invoice or tax. Could this be a scam?”. Again, an idea stolen from Barclays, who continue in quite a wordy fashion to warn me of malware intercepts, invoice scams, phone number changes on bills, and the hey-mum WhatsApp scam. I see it on repeat.

Once we’ve set up our payment, warn us about the flaw in the system:

“We are unable to check that the account number you are paying matches the name you have entered. If this is a first-time payment, or you believe you are making an investment, there is a higher risk of fraud. You should stop and call the payee bank to ensure the name and number match”.

Not warning us is currently misleading. You ask us to input an account name and that gives us a false sense of security.
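For readers who want to see what the missing check actually involves, here is a Confirmation of Payee style name-to-account check as an added example. It is not the author’s, the UK scheme’s or any NZ bank’s code; the three-way outcome (match, close match, no match) mirrors the UK scheme, while the similarity threshold, the noise-word list and the account register are constructed for the example.

```python
# Added example, not the author's, the UK scheme's or any NZ bank's code: a
# Confirmation of Payee style check of the name the payer typed against the
# name the payee bank holds for that account number. The three-way outcome
# (match / close match / no match) mirrors the UK scheme; the threshold and
# the account register below are constructed for the example.

import re
import unicodedata
from difflib import SequenceMatcher
from typing import Dict, Optional, Tuple

# Constructed register of the name held for each account. Account numbers are
# made-up placeholders in the NZ bank-branch-account-suffix layout.
ACCOUNT_REGISTER: Dict[str, str] = {
    "01-0123-0456789-00": "Example Bank New Zealand Limited",
    "12-3456-0789012-01": "Hemi Te Rangi",
    "38-9012-0345678-00": "Aroha Parata",
}

# Tokens with no identifying value (legal form, titles) dropped before comparing.
NOISE = {"ltd", "limited", "the", "nz", "new", "zealand", "mr", "mrs", "ms", "dr"}

def normalise(name: str) -> str:
    """Lower-case, strip macrons and accents, punctuation and noise tokens."""
    folded = unicodedata.normalize("NFKD", name)
    plain = "".join(c for c in folded if not unicodedata.combining(c))
    tokens = re.sub(r"[^a-z0-9 ]", " ", plain.lower()).split()
    return " ".join(t for t in tokens if t not in NOISE)

def confirm_payee(account_number: str, typed_name: str,
                  close_threshold: float = 0.8) -> Tuple[str, Optional[str]]:
    """Return (result, name_to_show). The real holder name is revealed only on
    a close match, so the payer can confirm it; on no match nothing is returned,
    which stops the check being used to enumerate who owns which account."""
    holder = ACCOUNT_REGISTER.get(account_number)
    if holder is None:
        return "ACCOUNT_NOT_FOUND", None
    typed, held = normalise(typed_name), normalise(holder)
    if typed == held:
        return "MATCH", None
    similarity = SequenceMatcher(None, typed, held).ratio()
    if similarity >= close_threshold:
        return "CLOSE_MATCH", holder
    return "NO_MATCH", None

if __name__ == "__main__":
    checks = [
        ("01-0123-0456789-00", "EXAMPLE BANK NZ LTD"),  # same entity, different spelling
        ("12-3456-0789012-01", "Hemi Rangi"),           # middle name omitted
        ("38-9012-0345678-00", "Citi Bonds"),           # scam: name and account disagree
        ("99-9999-9999999-99", "Anyone"),               # account does not exist
    ]
    for acct, typed in checks:
        print(f"{acct} {typed!r:22} -> {confirm_payee(acct, typed)}")
```

The design point is the asymmetry in what is revealed: a close match shows the payer the real name so they can decide, while a no match gives nothing back, otherwise the service becomes a tool for confirming which account belongs to whom.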

Fudge it with a manual check:

In the gap between now and automated matching, all banks need to set up a Confirmation of Payee phone line in their call centre for non-customers.

Currently it’s not easy to carry out your own check. Without a customer number you get a Ferris wheel ride on the phone menu to reach a human. I confessed to BNZ I wasn’t a customer, but this left them perplexed. Should they be giving me the name of the account holder? They pondered and delayed several times, seeking authority. Eventually I succeeded, but it was me who felt like the dodgy party.

Change your culture on human friction, skill and care:

The most startling fact revealed by fraud victims is bank staff have a culture of actively avoiding intervention or help. I’m convinced this can only come from a deliberate corporate instruction to avoid liability. Injecting friction is internationally recognised as one of the most powerful layers in scam prevention.

At branch level, knowledge of the fraud schemes notified by your own regulator appears to be missing, along with reasonable professional skills. In the fake term deposit scam the defence was mounted that a staff member can’t be expected to know which banks are retail deposit takers in New Zealand. It’s flabbergasting.

When we make online purchases divert us back to your app:

Two-factor authentication (2FA) by text message is increasingly defeated by fraud. Criminals install malware on the phone to intercept the code, take over the phone number, or simply talk us into reading the code out.

We need you to start authenticating payments in-app. Monzo bank in the UK makes me open the app, adding another security layer. I approve the online purchase and go back to the retailer’s website where it’s confirmed.

Scan for cloned websites of all financial providers:

Implement software that scans the web for clones of all financial services providers. Don’t just scan for your own brand, widen the net. The comparison websites that defrauded Kiwis of millions of dollars contained images of your brands.

If your staff are being impersonated, do something:

I’ve personally asked Citibank (a shareholder in payments New Zealand) to get one of their staff to put a warning on his LinkedIn account or temporarily take it down. I gave proof he was impersonated and was being used to lure investors. Have they co-operated? No.

Scan the payment reference fields:

Recovery of funds would be vastly different if you looked for fraud in the payment reference fields customers populate, screening them daily against the details of notified frauds. I know ANZ are not doing this. One of the fake term deposit victims wrote “Citi Bonds” in the reference field. Imagine how different her life would be today, if ANZ used available in-house data to keep the payment system safe.
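To show what such a daily screen looks like in practice, here is an added example that is not ANZ’s or any other bank’s code. It normalises the free-text reference of each outgoing payment, looks for phrases lifted from notified frauds, and holds a hit for human review when the customer has never paid that account before. The payments, the payee history and the notified-fraud phrase list are all constructed for the example.

```python
# Added example, not ANZ's or any other bank's code: screening the free-text
# reference and particulars fields of outgoing payments against phrases taken
# from notified frauds, before the payment is released. Every record and
# phrase below is constructed sample data.

import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

@dataclass
class Payment:
    payment_id: str
    payer: str
    payee_account: str
    amount: float
    reference: str          # what the customer typed in the reference fields

# Constructed notified-fraud list: (phrase seen in victims' references, case id).
NOTIFIED_FRAUD_TERMS: List[Tuple[str, str]] = [
    ("Citi Bonds", "FAKE-TD-001"),
    ("term deposit bond", "FAKE-TD-002"),
]

def squash(text: str) -> str:
    """Lower-case and drop everything but letters and digits, so that
    'CITI-BONDS', 'Citi Bonds' and 'citibonds' all compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def screen_payments(payments: List[Payment],
                    known_payees: Dict[str, Set[str]],
                    terms=NOTIFIED_FRAUD_TERMS) -> List[Tuple[str, str, str, str]]:
    """Return (payment_id, matched_phrase, case_id, action) for every payment
    whose reference contains a notified phrase. A hit to a payee the customer
    has never paid before is held for a human; a hit to an established payee
    is only alerted, since the customer's own history vouches for it."""
    needles = [(squash(p), p, case) for p, case in terms]
    hits = []
    for pay in payments:
        ref = squash(pay.reference)
        for needle, phrase, case in needles:
            if needle and needle in ref:
                first_time = pay.payee_account not in known_payees.get(pay.payer, set())
                action = "HOLD_FOR_REVIEW" if first_time else "ALERT"
                hits.append((pay.payment_id, phrase, case, action))
                break          # one hit per payment is enough to act on
    return hits

# Constructed batch of one day's outgoing payments.
SAMPLE_PAYMENTS = [
    Payment("P1", "CUST-1", "38-9012-0345678-00", 85000.00, "Citi Bonds 12m"),
    Payment("P2", "CUST-2", "38-9012-0345678-00", 40000.00, "CITI-BONDS"),
    Payment("P3", "CUST-3", "12-3456-0789012-01",   650.00, "Rent March"),
    Payment("P4", "CUST-4", "01-0123-0456789-00", 25000.00, "term deposit bond rollover"),
]
# Constructed history: CUST-4 has paid this account before; the others have not.
SAMPLE_KNOWN_PAYEES: Dict[str, Set[str]] = {"CUST-4": {"01-0123-0456789-00"}}

if __name__ == "__main__":
    for hit in screen_payments(SAMPLE_PAYMENTS, SAMPLE_KNOWN_PAYEES):
        print(hit)
```

Squashing spaces and punctuation catches the spelling variations scammers and victims produce, at the cost of occasional matches across word boundaries, which is why a hit goes to a reviewer rather than straight to a block. The phrase list grows with every notified case, so the screen has to be re-run daily, not once.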

Get some urgency into a live reporting system:

Recovery of funds is low because interbank communication appears to be a tortoise delivering a note down Lambton Quay. We need you to upgrade the algorithms that spot money-mule transaction patterns: money arriving from several unconnected payers and leaving again within hours, often to the same destination. ASB, ANZ and Kiwibank have all been receiving banks in the fake term deposit cases and don’t yet acknowledge their failure. If the British system is adopted, they’ll carry 50% of the liability, alongside the payer bank.
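As an added example of the receiving-bank detection this asks for (not any bank’s code), here is a fan-in/fan-out check over a constructed ledger: it counts distinct senders into an account and how much of what arrived was sent on again within a holding window. The thresholds, the window and every transaction are assumptions made for the example.

```python
# Added example, not any bank's code: spotting the money-mule pattern at the
# receiving bank, where funds arrive from several unconnected payers and are
# forwarded again within hours. Thresholds and all transactions are constructed.

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass
class Txn:
    when: datetime
    account: str        # the customer account at this bank
    direction: str      # "in" (credit received) or "out" (payment sent)
    counterparty: str   # who sent it / who it went to
    amount: float

def analyse_account(txns: List[Txn], account: str,
                    hold: timedelta = timedelta(hours=24),
                    min_senders: int = 3,
                    min_pass_through: float = 0.8) -> Optional[dict]:
    """Summarise one account's fan-in/fan-out behaviour. 'forwarded' counts
    outbound money that left within `hold` of some inbound credit, so ordinary
    salary-then-rent timing does not score as pass-through."""
    mine = sorted((t for t in txns if t.account == account), key=lambda t: t.when)
    inbound = [t for t in mine if t.direction == "in"]
    outbound = [t for t in mine if t.direction == "out"]
    if not inbound:
        return None
    received = sum(t.amount for t in inbound)
    forwarded = sum(
        o.amount for o in outbound
        if any(timedelta(0) <= o.when - i.when <= hold for i in inbound)
    )
    pass_through = min(1.0, forwarded / received)
    senders = {t.counterparty for t in inbound}
    destinations = {t.counterparty for t in outbound}
    report = {
        "account": account,
        "received": received,
        "forwarded_within_hold": forwarded,
        "pass_through": pass_through,
        "distinct_senders": len(senders),
        "distinct_destinations": len(destinations),
    }
    report["flagged"] = (len(senders) >= min_senders
                         and pass_through >= min_pass_through)
    return report

def flag_mule_accounts(txns: List[Txn]) -> List[str]:
    """Accounts whose report trips the thresholds, for a daily review queue."""
    accounts = sorted({t.account for t in txns})
    return [a for a in accounts
            if (r := analyse_account(txns, a)) is not None and r["flagged"]]

# Constructed ledger: M1 behaves like a mule, N1 like an ordinary wage account.
SAMPLE_LEDGER = [
    Txn(datetime(2024, 3, 1, 9, 0),   "M1", "in",  "PAYER-A",    20000.0),
    Txn(datetime(2024, 3, 1, 11, 30), "M1", "out", "OFFSHORE-X", 19500.0),
    Txn(datetime(2024, 3, 2, 10, 0),  "M1", "in",  "PAYER-B",    45000.0),
    Txn(datetime(2024, 3, 2, 12, 15), "M1", "out", "OFFSHORE-X", 44000.0),
    Txn(datetime(2024, 3, 3, 9, 30),  "M1", "in",  "PAYER-C",    15000.0),
    Txn(datetime(2024, 3, 3, 14, 0),  "M1", "out", "OFFSHORE-X", 14500.0),
    Txn(datetime(2024, 3, 1, 0, 5),   "N1", "in",  "EMPLOYER",    4200.0),
    Txn(datetime(2024, 3, 4, 9, 0),   "N1", "out", "LANDLORD",     650.0),
    Txn(datetime(2024, 3, 5, 9, 0),   "N1", "out", "POWERCO",      180.0),
]

if __name__ == "__main__":
    for acct in ("M1", "N1"):
        print(analyse_account(SAMPLE_LEDGER, acct))
    print("review queue:", flag_mule_accounts(SAMPLE_LEDGER))
```

The two numbers that separate the mule from the wage account are the sender count and the pass-through ratio within the holding window; on its own neither is conclusive, which is why both thresholds have to trip before the account lands in the review queue.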
