Online shopping is set to break all records this Christmas as more and more of us opt to surf stores from the comfort of our sofa rather than face the heaving crowds of the high street. However, protecting yourself from online fraud is even more important as recent crackdowns are proving so successful that fraudsters are increasingly moving online instead.

Riten Gohil, APACS' online shopping fraud prevention expert and Richard Martin, their online banking expert, join us live online at www.webchats.tv on Tuesday 15th November at 1300hrs with their top ten tips for how you can fight online fraud this Christmas season.

For more information visit www.cardwatch.org.uk or www.banksafeonline.org.uk

Host: Murray Norton (MN)

Guests: Riten Gohil (RG) Richard Martin (RM)

MN: Hello and welcome to Webchats. Now, you remember this stuff, it's called money, and this Christmas we'll be spending quite a lot of it. However, a lot of us won't be using it, we'll be using credit cards, debit cards, we'll be shopping online, we'll be banking online. Just how safe is it? I'm delighted to say we have joining us to tell us a little bit more, from APACS shopping online fraud prevention expert, Riten Gohil, thank you very much Richard for coming along. And for banking online we have Richard Martin, thank you for coming in. We're getting lots of questions already from people who are concerned about banking online.

MN: John Davis has a question for both of you here, and that is, just how big a problem is online fraud?

RG: I think the important thing to put out in the context of this is that generally the level of fraud is very low compared to the actual level of business that takes place online, but if you look at online fraud using plastic cards, we actually saw in the last six months £58m committed on that particular channel, so that's actually quite a problem for us.

MN: That's quite a lot of money by anybody's standards. But you're battling against it and you're fighting against these fraudsters.

RG: Indeed, and as we go through this session we'll talk about some of the initiatives that we're using to try and combat fraud in this environment.

MN: As far as online banking is concerned, people are being asking more and more to bank online, I suspect by the banks, because it's easier and cheaper for them and it's more convenient for the customer as well, so it's a good thing. But there's also that worry that you're not dealing with a person, you might be banking in the middle of the night, which is great for you but what happens to your money and who else has got access to it?

RM: Sure. As you rightly say online banking has become a very popular activity, we've got 15 million people banking online which is about one in two of every internet user in the UK so clearly it's an important way that banks have to communicate and do business with their customers. Banks will do everything in their power to make sure the banking websites are as secure as possible, so from that point of view banks are quite confident of the security, but the problem is, as we see it, that the fraudsters are not trying to hack in to the banks own websites directly but trying to fool you and me as customers into giving up our usernames and passwords, and that's something we'll be talking about a bit later as well.

MN: So John, in answer to your question, yes it is a problem, a problem that gentlemen like these and many more like them are trying to solve and reduce. The good news is that chip and pin has been very good, hasn't it, I know it's not directly relevant but that's a success you'd like to emulate isn't it?

RG: Indeed, and if you look at how fraud using plastic cards historically a lot of it has been through counterfeiting, lost and stolen cards, skimming at point of sale, which chip and pin is designed to counter. The information we've put out in the last week or so shows that chip and pin has reduced the amount of fraud and that's very encouraging. But criminals are now looking at different means and the internet seems to be very inviting and it's place they're comfortable with. Hopefully now we can apply some of the strategies we've adopted in the chip and pin environment to look at how we can reduce fraud online as well.

MN: Generic question for both of you, with regard to the fraudsters obviously if we knew where they are we'd go and get them but the stories that I hear and the rumour mill you read in the tabloids say it's the Russian mafia or it's the Red Brigade, organised crime, so is it happening in far away in other countries?

RG: I think there's a bit of a mix of everything, and I think Richard would agree, we have a good understanding that a lot of it does come from other parts of the world and some of the things you've mentioned are typical in that understanding. Law enforcement is trying to assess this information on a regular basis, but we still have a lot of people in this country who are behind committing this type of fraud.

RM: That's right, and in terms of the online banking fraud it is definitely organised crime, which is behind a lot of what goes on, let's not underestimate that. This is a serious issue for law enforcement and modern governments throughout the world really, but most of the fraud we are seeing seems to arise from overseas although they'd need accomplices within the UK in order to carry out their crimes in the first place. It's distributed crime as it were.

RG: And adding to that, the internet has enabled the opportunity for committing fraud remotely, you could be located in one part of the world and commit crime in another part of the world and this is the dynamics of the issue we're dealing with and this is why all the different strategies coming together need to work in order to reduce fraud in this environment.

MN: Spencer in Edinburgh says, 'There are a lot of scare stories around the internet about scams and internet security, so is it getting worse?'

RG: I think what we're doing at this moment in time, and this is aligned with the work that is done with our organisation and other agencies, is raising the profile and the awareness to individuals about internet security generally. So in that context we're raising the awareness levels and people are becoming more aware that these issues exist and the general level of activities in the environment, as we've seen in the figures before, do dictate that this environment is becoming quite a popular way for criminals to commit their activities.

MN: Helen's got a question, she's in Manchester, she wants to know how should she protect herself when she's shopping online, when's she's banking online, because it's there on the screen, you take you're credit card out or you do your banking and you don't know who else might be watching you or noting down all you numbers at the time, so how do you protect yourself?

RG: Indeed, there are a number of ways you can do this and I think the most important thing to do is to refer to the Cardwatch website which carries our top ten tips on what consumers should be doing, but these primarily include things like making sure you know who you're dealing with, make sure you are shopping with a bona fide website, and one that you feel you can trust. Certainly the international card schemes for Visa and MasterCard have developed solutions verified by Visa and MasterCard secure code which are designed to add additional security to online transactions and there are a number of websites which offer this solution, and it's important consumers try to get more up to date with how these solutions work. They can visit their banks' websites for example to learn more about those particular solutions.

MN: On those secure code websites, in terms of how they work for the consumer, how easy are they to operate?

RG: It is very straightforward. It requires a consumer to register for the service with their card issuer, the bank which holds their credit or debit card. They can go to the bank's website and register for the service and they would assign a password which they would use when they go to a participating website. Sometimes they could be asked for this password at a website which is part of this scheme, and the customer will be asked during their normal shopping process to verify themselves with a few basic security questions and then again that password. When they go back to that website they will only need the password.

MN: It's what they call CNP, Card Not Present purchases which are the ones that we're talking a great deal about today. That's one way of doing it, by the secure code. As far as online banking is concerned, I've noticed that there are lots of different security hoops depending on which bank you're with, as to how many passwords you have and how many times you get asked it as well, but obviously banks are tightening upon this.

RM: Yes they are. It's mainly in response to the sort of threats which banks have been seeing coming up over the last couple of years or so and making sure they are ahead of the curve and trying to combat what the criminals are able to throw at them. So what you'll typically find now if you go to an online banking site, instead of just being asked to put in your user name and a password which may be guessable, you may be asked to put in a few letters or numbers from you password plus some other memorable information too which may be more difficult for fraudsters to guess. These are the sorts of solutions the banks are putting in now, obviously there are all sorts of other features which banks are putting under the skin in terms of trying to detect who it is who's logging into an online bank account and is trying to set up a transaction perhaps, so there's a lot happening which is not visible to the customer too. There are things that banks are doing to try and make online banking secure.

MN: Very interesting you say that actually because I used the card one day where I live, at home, and then the next happened to go on a holiday six thousand miles away and two days later I'm buying something and I got a phone call from the bank to say, are you really in Mexico and you just think obviously they are checking where you're using too, because alarm bells are ringing, and that's great too.

RG: Yes, and that goes back to Richard's point about the work going on behind the scenes. There's a lot of investment by banks to reduce fraud, a lot of sophistication to go into predicting unusual patterns and things of that nature as well. So yes, the banks are taking that sort of activity very seriously.

MN: The website you mentioned, www.cardwatch.org.uk can help and we'll give a few more out later on. Sarah has the next question, she was going to do a lot of her shopping online at Christmas, which seems like a perfectly reasonable thing to do, she's not so sure now, how can she protect herself and what precautions should she take?

RG: Again we would strongly encourage Sarah to continue with shopping online during Christmas, what we do find in the figures is that consumers who do shop online are still attracted by that particular channel and this will continue this Christmas as well and consumers will benefit from the interest and the availability of products. The important thing is to follow the steps that we mentioned before, those top ten tips, make sure you know who you are buying for, buy from reputable sites and if possible join schemes verified by Visa and MasterCard.

MN: Can I ask a question which is to do with a padlock I've seen? Because that must have some bearing. It says a secure site but what does that mean and how does that make us feel better?

RM: Well basically the padlock means that the connection between your computer and the website at the other end has been encrypted so that a hacker or a fraudster or someone who is sitting on a network somewhere observing the traffic between your computer and whatever website you're on, isn't able to read the information which is being passed back and forth, so that provides quite a good level of protection in that case, but it's important to understand that the padlock is not the be all and end all in terms of security because if you can read something on a screen then chances are that a hacker who has hacked into your machine may be able to do the same. So it's important to make sure that your computer is fully protected as well, by using fully up to date anti-virus software, if possible anti-spyware software as well, and certainly these days if you are using broadband it has to be said, a Firewall, and there are plenty of free ones available if your ISP hasn't provided you with one. Most of the people watching today will be using Microsoft products, Windows or Internet Explorer, so it's important to make sure those systems are being kept fully up to date and Microsoft have made it as easy as they can. It's a fully automated process so all you have to do is go to your Windows Update tool and set that to automatic and hopefully that will give you a much better level of protection against viruses and other threats that may look to infect your machine.

MN: The bottom line is that you're saying it's a shared responsibility really. The consumers have a responsibility to protect themselves as much as possible with what's available, and the banks and the credit card companies are doing the rest.

Indeed, and it goes back to how the consumer would like to be protected in the real world. You wouldn't leave your door open so someone could come in and take all your goods, and the same applies to when you are online, you want to look at all the defences possible.

MN: Peter wants to know if there are any other telltale signs that prove a site is a secure site?

RG: Websites that have the https in the address bar which indicates it's an encrypted session, so any personal information that is transacted is encrypted, especially credit card numbers.

RM: The "https" appears in the web browser address bar at the front of the website address. That will always be matched up with the padlock symbol. If you click on that padlock it will give you additional information which should match the website that you're on. If it doesn't, then there may be cause for concern. Those are the two main ways to find out if a website is a genuine one. Let's not miss the fact that the name of the website itself which appears in the address bar, that should match the understanding of the site you visited. Think back with your bank and think what the website address that they communicated to you is, and make sure the address that appears on there is the same as you remember.

RG: One other important step to look for is to try and shop on website where you can see some idea of a physical presence. Look for a telephone number, an address where you could direct any further queries to if you had any problems.

MN: So if it says Dodgy Dave at Lloyds TSB you might not be at the right site! Anthony wants to know, 'Am I at risk when shopping on such sites as EBay or Amazon?' They're popular sites, people use those a great deal.

RG: Indeed and probably your own comment on specific websites and whether one is more secure than another, I think the customer might be asking questions about auction sites generally and both those sites do have some sort of auction site facility. The important thing to add on to this is that there are a lot of implications for the buyer and the seller in auction sites and these are very clearly stipulated in the security zones for those respective sites. So it's important that when consumers engage in those auctions that they are aware of what their liabilities are and what protection they have.

MN: There are insurance covers on certain purchases with credit cards anyway aren't there?

RG: Not necessarily with transactions which are at auction sites. There are a lot of consumer protection rules for certain types of card payment, and each one would be dealt with the bank individually. So before engaging in auction type transactions with another person you should be sure who you are dealing with and that is what the security zones of those websites enable you to do.

MN: Tom wants to know, the sites you were talking about, Visa and MasterCard, secure code, does it cost anything to register with these sites?

RG: No, they're entirely free. Both those services are provided by international card schemes. It's the banks, which the cardholder has the relationship with that would have those services. So there is no cost to the consumer.

MN: Alan has a question; will verification by Visa and MasterCard become mandated on all transactions? Is that the hope?

RG: There are no plans to do that at the moment. Over time as we are developing this groundswell of activity with the Verified by Visa & MasterCard secure code solution, there may be a point of time in the future where this becomes a common way of transacting online, but we think we are still a few years away from that sort of process at the moment. It's still something that consumers should get themselves more comfortable with when they can.

MN: It's certainly a good idea though.

RG: It is, it is. It adds an additional layer for the consumer and a very simple, clear and visible way for consumers to transact.

MN: Sarah Smith wants to know, 'What would happen to my authentication credentials if they were captured via phishing or a Trojan horse?'

RM: There's a difference between the authentication credentials, which are something you would just use for logging onto your online bank or perhaps your MasterCard Secure code or verified by Visa password, and if those were ever compromised then the consumer has to get in touch with their bank as soon as possible and make sure that the details are changed to something new and secure. The bank can then look further into your case and your account to make sure that nothing untoward has happened in the mean time. Obviously there's a wider problem because there's a lot of personal information out there on the internet, not just for banking or shopping online but things people tend to put out about themselves online and that creates new opportunities for criminals in terms of what is called identity theft, which can be used to support other types of crime and Riten has done a lot of work in that area.

RG: Identity theft is a huge problem and affects the victim in a terrible way. To have your details compromised is quite a harrowing experience and we speak to victims quite a lot. Just be on top of all your financial transactions, make sure you regularly check your bank statements to make sure there aren't any activities that you don't recognise and regularly get a copy of your credit file. Your credit file will reveal quite a lot of information about whether any organisation that you don't deal with has accessed your details.

MN: We'll talk about getting hold of that in just a second. Jenny says, 'Your survey revealed that women and teenagers don't know what phishing is, I'm afraid to say I'm one of them, what on earth is it?'

RM: Phishing is an unusual term in itself; it is quite straightforward in terms of what is happening. A fraudster is casting out a fishing net into a pool of people on the internet and seeing what he can grab back. What he's trying to catch in these circumstances is usernames and passwords and other types of sensitive information like that. It's developed into something quite sinister in the last few years. It's spam email which is sent out in hundreds and thousands pretending to be from your bank or another bank, sent out entirely at random, no targeting. If you were to happen to bank with anybank.com then you are just as likely to receive a phishing e-mail email from another bank, but the message is exactly the same. This is an email pretending to be from your bank, it may have bank branding and bank logos and look very official but it's asking you to do something which a genuine bank never would, and that is to say that they have a problem with your online account and they've lost your security details, please click on this link to log on and supply them with your security information. A bank would never ask you to do that, certainly not in an unsolicited email which is headed, 'Dear customer' or 'Dear valued client' and not 'Dear Mr. Martin' for example. So at that sort of level it's an email which is trying to convince you to click on a link which will take you to a website which will look remarkably like your bank's own website login page. There will be some curious differences between that and your bank's genuine login page, for example if you look at the address bar it'll look strange, it's usually just a string of numbers. It won't be a protected site, it won't have https, and it will ask you things you never expect to be asked by your bank. For example of you're bank always asks you for two or three numbers or letters of your password and this website is asking for your entire password plus a number of other pieces of information such as your mother's maiden name or your address, just don't' do it.

MN: It seems very easy to say here, but probably quite easy to be fooled at the time, especially if you are quite busy at the time and you've got hundreds of emails. The general message is don't do it! Next question, is it safe to check your bank account if you are in an internet café?

RM: If it's a reputable café, then these days they should clear down information between clients, so any information you've viewed or any files you've downloaded from the internet should hopefully have been deleted by the time the next customer comes along. Try and use internet cafes that you know have a good security policy. It's always worth checking up on these things and asking at the reception desk. So long as the PC is reasonably secure there is no significant difference between using that and using the one at home, but because you are using it in a public place it's always worth asking yourself, 'Is it something I really need to do now and take the additional risk of someone looking over my shoulder, or can I wait until I get home and do it then?' Or perhaps you could phone your bank and try to do your banking that way.

MN: Gabby has a question here, she shops online, she's never noticed money disappearing out of her account, she'd notice it missing in it's hundreds but she doesn't check her statements and in terms of the odd £50 or maybe even £20 coming off she wouldn't notice. So could they be taking little amounts off lots of people instead of a large amount from one person?

RG: Indeed, and the evidence that we come across suggests that criminals have access to lots of different card numbers and making these smaller transactions on a large scale is one of the ways they do commit this type of crime, so it is important to regularly check your bank statement for any transactions that you don't recognise, because the problem could continue if it's not stopped.

MN: We should say don't have nightmares at this point I think! Alex has a question, he's convinced his parents that they should be shopping online but they've heard all these fraud stories, what should he do to reassure them?

RG: Well the important thing is that the level of online fraud is up, but the level of online business is growing at the same time too and many UK businesses based online are flourishing at this moment. The important thing is to be vigilant, the steps mentioned in the Cardwatch website are important too. It's also important to remember that in most cases consumers are protected in the event of fraud, so if fraud does exist on their particular card online most banks would refund the money so they wouldn't lose out.

MN: Richard in Bolton wants to know where he can get more information. There are a few websites, aren't there, and they are:

RG: The Cardwatch website which we mentioned before is an important one, www.cardwatch.org.uk; there's also a general advice site on identity theft, which is www.identitytheft.org.uk which is a collaboration between the private sector and the Home Office.

RM: For online banking we've set up a website online and it's just been re-launched, it's at www.banksafeonline.org.uk which will give you general advice about banking safely online and there's also an allied site which we also contribute to which is called Get Safe Online which is at www.getsafeonline.org

MN: Some great, useful sites that will point you in the right direction if you are concerned. We hope today that we have allayed some of your fears rather than increase them, but certainly highlighted some of the problems that there are with online shopping and online banking in order for you to be a little bit wiser to them. We'll be back with more Webchats next week but from Riten, Richard and myself, thank you very much for joining us and goodbye.

Still got a question or comment?

Name

Your question Question

Enter code