‘No more cybertheft compensation’
NCB’s inhouse fraud specialist, Dane Nicholson, wants banks and financial houses to get tough on customers as a teaching moment for those who carelessly fall into the trap of cybercriminals. He is also urging companies to end their love affair with QR codes, saying the technology is highly vulnerable to hackers.
At the latest anti-fraud seminar staged annually by bankers, Nicholson said it was time to stop reimbursing customers who fall victim to smishing and phishing “because we have been advising them for years not to click on links, yet, on average, every week, at least 15 people fall victim,” he said.
Smishing uses fake mobile text messages to trick persons into downloading malware, sharing sensitive information with cybercriminals or sending funds to them. Phishing uses fake websites to trick persons into revealing bank and credit card information and passwords in order to access and siphon money or for identity theft.
As for the proliferation of QR codes, Nicholson referred to the technology as a hotbed for malware and its use as a “recipe for disaster” that should be discontinued.
Nicholson, who is both the manager of special investigations in the Fraud Prevention Unit, National Commercial Bank Jamaica, and head of the anti-fraud committee of the Jamaica Bankers Association, said annually, $60 million is lost to clicking on illicit weblinks and that the responsibility to reduce fraud belonged both to the financial institutions and customers.
“They should not be reimbursed,” he asserted.
“All financial institutions should follow NCB, which has a ‘no click-no link’ policy … cyber criminals will infect links with malware. I staunchly recommend that if you have an appetite for cybersecurity, move into the direction of the no click-no link policy,” he urged financial participants in the annual JBA/JIFS Anti-Fraud Seminar on Thursday.
“QR codes are, technically, links. It is not recommended that any financial institution use it. It is a recipe for disaster, embedding information. It is just like juice jacking. You may also collect malware,” the fraud expert said.
Juice jacking, he explained, is a process in which cellphones are infected with malware to capture names and passwords.
Jamaica’s Data Protection Act, DPA, which is expected to come into force by year end, will require financial and other companies to better handle customer data, but it “will not solve or eliminate fraud”, he said. “In Europe, their data-protection act is much more far-reaching than ours, and fraud is still very pervasive.” The EU law is known as GDPR – the General Data Protection Regulation – which was implemented five years ago.
The Jamaican law is likely to solve the issue of dumpster diving and getting information from supermarkets and other retail establishments, but the DPA requires all businesses to take certain actions when they fall victim to cybertheft and other fraud.
But Nicholson also noted that long before the act, banks were already taking steps to notify regulators and cardholders whenever a breach occurred.
So while there might be some mitigation as it relates to fraudsters accessing bank customers’ information, the law covers areas in which banks are already regulated, the fraud specialist said.
He added that mobile wallets and digital banking would likely mitigate against SIM-card swapping as the wallets generally tokenise credit cards, which limits the ability of cybertheives to hack the card.
As a consumer guide, Nicholson said individuals should not conduct sensitive transactions on public Wi-Fi or use ABMs that do not protect use of their PIN codes. They should desist from submitting information for a raffle at retail establishments, and should not post their location on social media.
Nicholson said that at a personal level, he has stopped composing passwords and now uses phrases instead, which he finds less likely to be duplicated.
Fraudsters create false social media accounts in order to replicate genuine pages, the sole purpose of which is to capture information before conducting fraudulent activity, he advised. As such, customers should never communicate with financial institutions over social media, he said.
He also reaffirmed the longstanding advice for consumers to use separate passwords for different accounts and applications.