UNCORRECTED TRANSCRIPT OF ORAL EVIDENCE
To be published as HC 618-vi

HOUSE OF COMMONS

ORAL EVIDENCE

TAKEN BEFORE THE

Home Affairs Committee

E-Crime

Tuesday 16 April 2013

David Livingstone, Professor Sadie Creese and Dr Ian Brown

Anthony Browne, Matthew Allen and Katy Worobec

Evidence heard in Public Questions 221 - 308

USE OF THE TRANSCRIPT

1. This is an uncorrected transcript of evidence taken in public and reported to the House. The transcript has been placed on the internet on the authority of the Committee, and copies have been made available by the Vote Office for the use of Members and others.

2. Any public use of, or reference to, the contents should make clear that neither witnesses nor Members have had the opportunity to correct the record. The transcript is not yet an approved formal record of these proceedings.

3. Members who receive this for the purpose of correcting questions addressed by them to witnesses are asked to send corrections to the Committee Assistant.

4. Prospective witnesses may receive this in preparation for any written or oral evidence they may in due course give to the Committee.

Oral Evidence

Taken before the Home Affairs Committee

on Tuesday 16 April 2013

Members present:

Keith Vaz (Chair)

Mr James Clappison

Michael Ellis

Dr Julian Huppert

Steve McCabe

Mark Reckless

Chris Ruane

Mr David Winnick

________________

Examination of Witnesses

Witnesses: David Livingstone, Associate Fellow, International Security Research Directorate, Chatham House, Professor Sadie Creese, Professor of Cyber Security at the University of Oxford and Director of Oxford University’s Cyber Security Centre, and Dr Ian Brown, Associate Director of Oxford University’s Cyber Security Centre and Senior Research Fellow at the Oxford Internet Institute, gave evidence.

Q221 Chair: I call the Committee to order and ask our witnesses to excuse us if there is a Division in the middle of your evidence session. We think that is likely because there are a number of pieces of legislation going through today. What will happen is that I will adjourn the Committee for a certain period of time. However, we will come back, so don’t feel that you are being abandoned.

Can I welcome everyone here to the Committee’s continuing inquiry into e-crime, and could I ask Members to state if they have any interests that go beyond the Register of Members’ Interests? I will start with a question to all our three witnesses concerning the statement made to this Committee by the head of the City of London Police, Adrian Leppard, on 11 December. He told the Committee that he felt that the war against internet crime was being lost. Mr Livingstone, do you agree with that?

David Livingstone: The first point is about defining "the war" in that context. This is obviously going to be an ongoing issue the more that the internet becomes integral to our lives. Whether it is being lost – and therefore what is the definition of a victory or a loss – I would call into question. There are certainly issues with the amount of crime that is being committed, and whether it is increasing proportionately or whether we are now on a track where we can start taking positive steps –

Q222 Chair: You pose a lot of questions back at the Committee, but you are not giving us any answers. What do you think? Do you think that it is being lost?

David Livingstone: It is serious. It is getting worse, but I think with the strategies that this Government are putting in place, there is a possibility of closing that gap, especially if we can work with pace and agility to match how the bad guys operate inside the internet.

Q223 Chair: Thank you. Professor Creese?

Professor Creese: With the issues of definition aside, I suspect it is not currently being lost. If it were currently being lost then we would see people withdrawing from cyberspace in many areas, and we are not. However, we are continuing to witness losses and we are continuing to witness concerns. Personally, I think that the losses and the level of threat are going to increase dramatically, as we continue to expand our dependency on cyberspace, and that we are in this operational environment where we will continue to have to fight that war on an ongoing sense. So there will be times when we are ahead and times when we are behind. We are never going to win it.

Q224 Chair: Dr Brown?

Dr Brown: I would agree with my two colleagues’ comments and say that all crime is a continuing arms race between the perpetrators and the defenders. Trying to win this war needs a broad spectrum response from a number of areas of government. I think the UK Government are on the right lines in developing law enforcement, so the UK is going in the right direction. Persuading other countries to take some of the same kind of actions will be important, as the UK Government are trying to do.

Q225 Chair: The other point that he made to us – in very powerful evidence to this Committee – was that Britain was being targeted by gangs, specifically from countries such as Russia and eastern Europe, in the cyber-wars. Do you agree with that?

David Livingstone: That probably reflects the fact that we have quite a mature digital economy and the fact that we use the internet for many things. The amount of valuable and attractive goods and items that can be found on UK-based IT systems is probably a relatively rich hunting ground for organised criminal gangs, so they are attracted here.

Chair: I am going to stop you there because the bells indicate a vote. I am going to adjourn the Committee until we are quorate, which I hope will be at three o’clock. Thank you.

Sitting suspended for Divisions in the House.

Q226 Chair: We are quorate, so we will resume our proceedings.

Mr Livingstone, I had asked you about the evidence given by Adrian Leppard, namely that gangs have been targeting the United Kingdom, especially from Russia and eastern Europe. Is there evidence of that, Dr Brown?

Dr Brown: I think we have seen quite a bit of evidence that organised criminal gangs have moved into cybercrime and are specialising in the different aspects, whether that is writing the software that will target systems, transferring the money or paying the money mules to take the cash out of the system. I agree with my colleague’s comment that, of course, the UK is targeted because it is a rich country where there are a lot of resources worth targeting. I would not go so far as to say we have crystal clear evidence that the UK is top of the list, but I think in general, yes, it is a target.

Q227 Chair: Professor Creese, what is a better way of ensuring co-operation between different countries in dealing with internet crime? One of the aspects of this whole issue that interests the Committee is that countries seem to be doing things on their own and not necessarily seeking to share information. Are organisations such as Europol and Interpol an effective vehicle to bring together the good guys in dealing with those who are seeking to break into systems?

Professor Creese: They are a vehicle – one of many. In fact, there are already numerous initiatives on the international stage seeking to increase knowledge, so the UN, UNESCO and ITU. There are lots of international organisations working in this space. Also, if you look at some of the single organisations and bodies, they are working more closely together within their own communities. One of the key issues, as we see the levels of cybercrime rising – which they will inevitably even as they ebb and fall – is how we scale up our response. You will have seen in the various written evidence submissions that you have received that we are certainly making a huge investment in the UK to do that, but in truth we are probably going to have to invest more over the next 10 to 20 years.

Q228 Chair: Because it is the framework, isn’t it? I visited Interpol last week. It recognises the fact that we are in a new game dealing with the power of the internet, but it seemed that countries were not willing to share that information.

Professor Creese: It will be variable from country to country. The challenge that we have is that the special relationships you can establish between any two countries will be unique and will require their own processes. What we need to do is to generalise these processes, standardise them and speed them, so that when we need to seek evidence in the face of crime we can do so at speed. The challenge we have at the moment is we are limited in our ability to do that.

Q229 Dr Huppert: It is good to see you all and, Professor Creese, we had some interesting discussions in another context before. I would like to ask about some of the issues involving consumer use of technology, so the prevalence now of social media, Facebook, Twitter and so forth – I am guilty in that respect myself – but also the widespread use of Google and things like that. People are sharing far more information. How effective do you think these various tech bodies are at trying to manage both the safety of the information and privacy, which is a related issue? I am happy for any of you to start.

Dr Brown: The two companies you have mentioned have absolutely invested a lot in protecting their own infrastructure, especially –

Q230 Dr Huppert: I think I mentioned more than two. Which two were you referring to?

Dr Brown: Sorry, I was thinking of Google and Facebook in particular. They certainly have invested a lot in protecting their own infrastructure. Clearly they are targets themselves. We have seen that especially with Google. Some of the initiatives it has taken with things like two-factor authentication, where Google will now increasingly send a passcode to your mobile phone, for example, if you log on from somewhere new, are exactly the kind of things we need. On the privacy side, as the Home Office said in evidence to you, looking at things like privacy by design, which the European Commission has proposed in the European framework, is very important. If we are going to see systems that will potentially have gigantic amounts of information about individuals, make sure that only relevant and pertinent information is collected in the first place, and is kept only for the amount of time it is needed, rather than just taking the approach of throwing everything into the pot. No matter how good your information security is, even companies like Google – real-world experts in doing it – are not going to be able to defend against every attack, as we saw with allegations of Chinese hackers breaking into its system.

Q231 Dr Huppert: You are focusing on the defences against attack but, as I understand it, with Google+ the account settings are set to "public". Facebook allows a whole range of third-party apps with very little safeguard. People may not be able to attack through some routes, but it seems to me there is a whole series of holes there that do allow a lot of information that could perhaps be used for other purposes to make attacks on other systems easier.

Dr Brown: I think those default settings are absolutely critical. That is the other part of what the European Commission is doing – talking about privacy by design and by default – so that the settings are protective and if people choose to open up, that is fine as long as they are aware of the consequences.

Q232 Dr Huppert: Very quickly, just to finish on that. If all that the European Commission is doing in this space and these areas happened, would that solve the problem?

Dr Brown: I think it will take us a long way. I don’t think it will solve it.

Professor Creese: Thank you for the brilliant comments. I will address another issue – the related issue that you were just getting on to – which is: if people choose to put it out there, that is their business. One of the challenges that we face is that, in general, people do not have a good understanding of the risk. There is something very unique about cyberspace and the data you put into it, in that it is persistent: it does not get forgotten; it can be mined. Often people find years later that they have forgotten about data they have put out there. Yet in the meantime, people are able to aggregate and mine that data, and very often learn stuff about you and the choices you are likely to make, which you are probably not even conscious of yourself. That is perhaps the issue. Focusing on the privacy risks associated with big data, social networking and the like is the question of how we enable people to make good and safe decisions so that, in effect, they are managing the risks.

Some of the research we have been involved in has been looking very specifically at the bleed between domestic lives and work lives. If people are engaged in these kinds of technologies in their domestic lives, could that be used to introduce vulnerability into the enterprise through more enhanced targeting? In truth, probably, yes, we are in a situation where that could be the case.

Chair: We will explore that further with Mr Winnick when he comes to ask his questions.

David Livingstone: I think there are a couple of other questions here. Where does the data end up? Under what legislative arrangements is that retained? For example, much of the data that users in the UK put on Facebook may end up in California, where privacy laws are quite liberal. The data accumulated by Facebook on many individuals from a lot of countries may be shared quite freely – more freely than it would be if it was UK-based data. The other thing is that there are 1 billion users now on Facebook. This is a very, very big organisation with a lot of data held. I am not sure if we know the figures about how many times it has been hacked successfully – perhaps they do not even know themselves – and I do not think we know too much about how its security arrangements work, so there is that risk that more data are leaking away than one would want. That is not just Facebook; that is any large social networking organisation.

I agree with Ian and Sadie here that people are putting data on there that in the long term they might regret. As part of Chatham House’s research in the last paper we were writing with directors of a major UK high street bank, the comment was, "People are giving away information on social networks quite freely, and giving away information that we want them to keep private," such as dates of birth and all those kinds of things that are there to establish identity for financial safety.

Q233 Dr Huppert: That is exactly what I was getting on to, because Andy Smith from the Cabinet Office recently advised at a publishers’ internet conference, just around the corner from here, that people should use fake names and fake dates of birth wherever possible. This caused a bit of a storm, but is it something that you would all endorse? I see nods – just for the record, which does not always capture nods very well. Professor Creese?

Professor Creese: Yes, although in truth some of that data are obtainable through other routes. Not putting it on Facebook does not necessarily remove it from the hands of those you would prefer to remove it from. If I may just extend this debate into something that we all –

Chair: Can I just say not too wide, because we have a lot of questions.

Professor Creese: Not too far, but it is important not to see this just through the lens of social networking. You will all be carrying smartphones, no doubt, and you will all be downloading apps from unknown creators, and the location-based services and functions that almost all of us engage with day to day – and will increasingly do so – are enabling a whole range of data to be collected and shared. That is not managed in the same way as you might do in a social networking environment, and that too poses an element of risk. One of the things I would like to see happen is a much more enriched understanding of how we manage consents around the sharing of personal data, and to encourage people to see that as a lifecycle and not a one-off blanket "I accept these terms and conditions", when five years later I have forgotten what I accepted. That is very important to maturing our society in this space as we move forward in the 21st century.

Q234 Mr Winnick: I am afraid that modern technology has had no effect on our going up and down the stairs and voting, but that is part of parliamentary life I think.

Can I follow up, Professor Creese, and your two colleagues? To a large extent, you have dealt with or touched on the question of public awareness. I don’t know if you would share it, but I get the feeling that ordinary members of the public – including ourselves around the table, for that matter – do not realise, to the extent that they should, the dangers involved in e-crime and the illegal practices of gangsters in the various gangs. Do you feel the Government or some public authority, or a new public authority for that matter, could do more? Who wishes to answer – as the Chair would say, briefly?

Dr Brown: I think the Get Safe Online programme that the UK runs is a good example of how you can get information out to people, but I don’t think it goes far enough. As you say, it is not something that the broader population is as aware of as it should be. To some extent that needs some social learning. Unfortunately, it takes people to know someone who has suffered a loss really to understand the potential, in-depth. Just reading about it or seeing it on TV is not perhaps getting through to people quite strongly enough yet.

Q235 Mr Winnick: You have answered the question. May I ask another question that your two colleagues could answer? What about an advertising campaign? The advertising people claim that they do all kinds of wonders. Perhaps I have missed it, but I have not seen any sort of advertising campaign warning people about what could likely happen. Do you think any purpose would be served, Mr Livingstone?

David Livingstone: I think there are many routes that you could take to make the public more aware of the vulnerabilities of cyberspace and how to use it with less risk. There are a few points I would like to make. One is the amount of money being spent at the moment by central Government on cyber-security public awareness. The NAO’s recent report put that at £4 million out of the £260 million that has been spent so far out of the national –

Q236 Mr Winnick: But £4 million is a drop in the ocean, isn’t it?

David Livingstone: That £4 million represents 2% compared with some other figures that were quoted in that report. So, for the high-end threats, it is £157 million. We have a dissonance here with the director of GCHQ saying that 80% of the problems could be fixed just by getting the basics right. However, generally it may be said that the population do not know what those basics might be, for example automatic patching, making proper use of anti-virus and knowing where the risky parts are on the internet. Perhaps there is a little bit of an imbalance there about the resources being deployed to create better public awareness. Although, then, it is not an easy issue. You have all sorts of segments of society: you have old and young; you have business and private; and you have communities and so on.

Then there is the method – not only the messages, but how you get the messages across. There are some interesting things that one could take from best practice in other areas, such as the messaging from the Department of Health on health matters that is focused on individual groups to send out very different messages – perhaps sexual health for 16 to 25-year-olds.

Q237 Mr Winnick: What about smoking?

David Livingstone: Also for flu jabs, to focus more on the elderly population. The modes of delivery and what you say on all those are vastly different, and perhaps some of those mechanics of communication can be taken forward into the cyber world.

At the moment, I am helping the Scottish Government with their cyber-security statute, which is in the context of the devolved Administration. We are putting the public communications responsibility for developing that strategy as not a Government thing, but a business, commerce and law enforcement thing, where they are developing the means of communicating about cyber-security risk rather than the central Government. They are almost appealing on behalf of the people that they are –

Q238 Mr Winnick: You are doing this at the moment with the Scottish Government?

David Livingstone: Yes, we are.

Q239 Mr Winnick: How long have you been doing this?

David Livingstone: About a year.

Q240 Mr Winnick: Thank you. Any comments, Professor Creese?

Professor Creese: You have had lots of excellent input. I completely concur that different demographics require different messaging, some of them primetime telly and some of them viral YouTube videos or music videos, no doubt. A point worth making is that Get Safe Online and other Government initiatives have been fantastic, and I would imagine that, historically, what we have done is under-resourced in the communication element. We have the expertise; we understand the messages that we need to transmit. The 10 steps for board members that was launched last September is another good example. I know that 10 steps for SMEs is being looked at. Yes, I agree that we need to invest in getting the message out there and that it will require diversity in delivery, and I believe that is already on the agenda.

Q241 Mr Winnick: I like what your colleague has just said about the way in which the Health Department has spotlighted, be it on sexual health, smoking or indeed excessive drinking.

Professor Creese: Public health campaigns are an excellent example. You can have a look at some of the successes that they have had, using fun but scientific programming around public health and body awareness among the younger population. Embarrassing Bodies was one series, and there was a hugely successful campaign on the internet alongside that programming. There are experts out there and I know these kinds of things are already on the agenda, certainly with the e-Crime Reduction Partnership that the Government set up. I feel positive that people are embracing this.

Mr Winnick: I am sure the Committee will take that very much into account. Thank you.

Q242 Steve McCabe: I think the Government have arrived at a statistic that says that cybercrime is costing the UK £27 billion per year. I notice you laugh. How accurate do you think that figure is, and do you have any suggestions on how we could get an accurate measure on this?

Professor Creese: I have not seen the working out that arrived at the £27 billion number, so I can’t critique it from a scientific viewpoint. The fact that we have not seen good evidence behind it would say that perhaps we can’t give too much weight to it as a particular number.

Dr Brown: I have a very good paper here that critiques it – I am sure you have seen it – that Ross Anderson and colleagues wrote. I think, as he says, that there is not good evidence for the £20 billion component of that £27 billion that Detica had attributed to business costs. Ross and colleagues produced much more detailed evidence. Some of it is on the much smaller side, so hundreds of millions of dollars, looking at things particularly like patent-infringing pharmaceuticals, for which they estimated $40 million in loss. Some is potentially very significant in the longer term, like the welfare and tax fraud that they thought could cost many billions as those systems move online, as the Government are doing to save costs. As Sadie said, showing the working out and having peer-reviewed scientific papers that can be looked at year after year, which Parliament can look at and which other scientific experts can comment on, and keeping those figures up to date, is the way to do that.

David Livingstone: Trying to put a figure on it holds you hostage to fortune, but I think we can easily say that the losses are very large. Of course there may be losses that we do not know about because we have not yet detected the intrusion into servers that, for example, might hold critical and very valuable intellectual property. However, it is interesting to note that it has been a long time since the Government have actually mentioned £27 billion as this figure. Indeed, I note that when Mr Maude was launching the Cyber Security Information Sharing Partnership just a short while ago, he quoted "numbers of billions". So I think he has veered away from trying to put a precise figure on the scale of loss or harm to a more generic figure, which I think is probably appropriate.

Q243 Steve McCabe: Dr Brown, if I could ask you something in particular. I think this report you have been working on with the UN said that two thirds of the states involved did not think their own crime reporting systems were adequate to deal with this problem. Do you have any suggestions about how people could develop more adequate crime reporting systems?

Dr Brown: The least controversial recommendation that the UN made in the report you are referring to was that there are many countries – not just in the developing world – that need a lot of help on capacity building, with advice from states that have more experience in Europe and North America. Obviously, there is a wealth of expertise in industry and academia to help them to do that. The recommendations that became more geopolitically controversial were how far states should be treaty making and taking things like the Budapest convention, and trying to broaden that out to cover some of these states so that they weren’t just improving the evidence, but updating their legal framework and making it possible to co-operate with law enforcement agencies from the UK and elsewhere in dealing with these crimes.

Q244 Chris Ruane: Turning to the role of the police in combatting digital crime, given that digital evidence is now a factor in so many crimes, what strategy do you think the police need to adopt to increase their capacity to process it? Do you think there would be any merit in outsourcing digital forensics?

Professor Creese: We have seen written evidence to this Committee on strategies that have already been taken, which from a personal stance I think are very good. In terms of the outsourcing of the gathering of forensics, I think one needs to understand that in the context of how you would maintain quality. There are always costs associated with how you regulate the sectors that are going to be working on your behalf, and what kind of standards you will require them to comply with in terms of their behaviours, how they train their staff and the processes they engage in, so that you can be sure that this evidence maintains an adequate standard. Of course we are lucky enough in the UK that we understand these things very well, but I would encourage you to look very hard at those kinds of costs in the round. We obviously need to scale up. I can see why we might well consider outsourcing simply to reach the scale, but we would need to think very hard about how one ensured that we maintained quality in the face of that.

David Livingstone: There is an issue here about calling on capabilities that already exist – for example within the financial services industry, where they do a lot of network analysis of where the current attacks are coming from – to establish almost the public and private partnership relationship with law enforcement laying down criteria, which would then make useful evidence. The thing that I think is most important is how quickly this information, intelligence or evidence can be made available to law enforcement as well, without the necessary use of production orders and so on, which can take quite a long time before evidence can be made available for a criminal pursuit. Forensic analysis is very expensive indeed, and one has to be very careful before you commit to doing it in house. There is a compelling case that some element of the forensic pursuit of criminals needs to be performed outside the law enforcement estate. How those relationships are actually developed I think we will have to see over time. The speed at which this information can be made available, without going through cumbersome processes of production orders and so on, I think is a key point here.

Q245 Chris Ruane: How do you rate the current digital forensic capabilities across the UK police forces?

David Livingstone: I would probably say that they are starved of resource. They are very good, but they can’t cope with the volume of crime that is occurring.

Professor Creese: That is going to be true for any type of crime, not just cybercrime. From my personal experience, I have always been very impressed by the professionalism, but clearly they could always benefit from more resource.

Just to reflect on your question on outsourcing, I wonder if in part that might ease the international dimension of gathering of evidence. At the moment it is very challenging to gather evidence across national boundaries, but if we were outsourcing internationally, that might help to overcome some of the latency in that system.

Dr Brown: At the same time, some of the reasons why production orders can take some time is that you have to make sure that you are being proportionate in the information you are asking for. We don’t want to wave a wand and say, "We will just hand over all this data and completely trust the law enforcement intelligence agencies," in a way that we have not in traditional justice systems.

Chair: Thank you very much. This is fascinating stuff. We may well write to you with further information and to ask for further facts about this area. We are most grateful. Apologies again for having to interrupt your evidence for the votes, but I am afraid democracy has to march on even for the Home Affairs Committee.

Mr Winnick: They helped to educate us about this.

Chair: Indeed. Thank you very much. We are most grateful.

Examination of Witnesses

Witnesses: Anthony Browne, Chief Executive, British Bankers’ Association, Matthew Allen, Director, Financial Crime, British Bankers’ Association, and Katy Worobec, Head of Fraud, Financial Fraud Action UK, gave evidence.

Q246 Chair: Mr Browne, Ms Worobec and Mr Allen, thank you for coming. We are coming to the end of our inquiry into e-crime and we are most grateful to you for coming here. Apologies for keeping you waiting beyond the time listed on the Order Paper.

Can I start with you, Mr Browne? What kind of figure do you put on the cost to the banking sector of online fraud every year?

Anthony Browne: It is actually the FSA that is responsible for collecting the figures, but in 2012 they are £475.3 million for online banking, plastic cards, cheque and telephone banking fraud, which was in fact less than 1% of total fraud in the UK. That is against a sector that is about 8% of GDP. So it is about 8% of GDP and 1% of fraud. Specifically online banking fraud – against people’s online accounts and so on – was £39 million, which is down about 25%.

Q247 Chair: It sounds like a large amount that is being taken from people’s accounts.

Anthony Browne: It is. One pound of fraud is –

Q248 Chair: You said it is going down. Is it on the increase in fact overall?

Anthony Browne: Again, it is quoting from FSA figures.

Chair: This is not individual. It is not The X Factor, so feel free to chip in whenever you want to.

Anthony Browne: It is still at a high level. The general story is going down over the last 10 years, although it has tipped up a bit in the last year. You say it is a lot of money. Clearly it is, although as a whole the banking sector has a good story to tell, given the size of the sector and 26 million online accounts. That is a result of the amazing amount of work that the industry puts into this. It does take it very, very seriously. It puts huge amounts of resources and technology into combatting it and the FSA is the front line of that co-ordinating industry response.

Q249 Chair: In terms of those figures, are there any other figures that you think the Committee might be interested in, Ms Worobec?

Katy Worobec: Yes. To drill down a little bit to the online fraud, in the figures that we collect, there are two aspects I think you will be particularly interested in. One is online banking itself, which is the figure that Anthony mentioned of £39.6 million in 2012. The other aspect is online card fraud, which cost the industry £140.2 million in 2012. If I look back, we saw peaks in both those types of fraud. The peak for e-commerce fraud on cards reached just over £181 million in 2008, so we have seen it drop around 23% since then. At the same time, we have seen online card spending increase from £41 billion in 2008 to £68 billion in 2012.

Q250 Chair: So what does that tell us?

Katy Worobec: I think it says that we have been reasonably successful in reducing online fraud in that space, at the same time as spending in that channel has been increasing rapidly. In a similar vein, if I look at the online banking figures, the peak of the losses that we have been recording saw it reach just over £59 million in 2009. As we said, it dropped to £39.6 million last year. At the same time, users of online banking have increased from 22.4 million in 2009 to 26.8 million in 2011, which are the most recent figures that we have in that space. Again, users have gone up 20% while we have been able to see the fraud dropping over that period.

Q251 Chair: Mr Allen, is this done by organised groups? Are there people in a room somewhere in Europe, or even in the United Kingdom, who are saying, "We are going to use our skills. We are going to pool our skills in order to break into people’s bank accounts and steal money"? Is this organised, or is it just-

Matthew Allen: Yes. Feedback from our members, as well as evidence from Europol and other international bodies, demonstrates there is an international element to cyber-offending and that there is a degree of organisation within the crime networks that operate in this area. I think it is important not to generalise. There are different aspects of cyber-offending that will be perpetrated by different groups and in different ways. Generally speaking, our assessment and that of international bodies is that there is an international and organised element to this.

Q252 Chair: Would you have a league table of the countries where this is coming from or groups of people, or is this just impossible to pinpoint in the way that I suggest?

Matthew Allen: No, we don’t have a league table within the British Bankers’ Association. We have contributed to a number of Government exercises to provide our expertise of the nature of some of these threats. I would also add that the international nature of the threat is not solely a cyber element-fraud, money laundering, and other types of financial crime often have an international element as well.

Q253 Chair: Do you think we ever get to find out who is responsible, or is it just a case of satisfying the customer? I give the example of my PayPal account that was hacked into. Attempts to get to PayPal to find out whether it had caught the people responsible were impossible. Once you had pressed all the numbers and listened to all the music and got to customer service, nobody would ever tell you who was responsible. It satisfied me because it put the money back into my account, but is there a feeling that people are just satisfied in that way and there is no attempt to get to the bottom of who is responsible?

Matthew Allen: In the United Kingdom, the National Fraud Intelligence Bureau has been established and housed within the City of London Police. That provides a central body to bring together intelligence from a range of sectors.

Q254 Chair: Yes, but give us your intelligence. You must know about these things. For example, how many people were prosecuted last year?

Matthew Allen: I don’t have the figures to hand.

Q255 Chair: Does the prosecution system work? Are you pleased with it? Do you think they get to the end of the tunnel, or is it just a case of people getting the money back into their account, so everyone is happy-the bank is happy; the customer is happy-but we never get to really find the criminals?

Anthony Browne: Anyone who breaks the law should face the full force of the law and we want-

Q256 Chair: Yes. Do you have figures for us, Mr Browne, of how many prosecutions?

Anthony Browne: We don’t collect those figures. It would be a question for the police or the Crown Prosecution Service.

Q257 Chair: Do you have those figures?

Katy Worobec: Not the prosecution figures, no. However, as part of this context, I think it is worth noting that under the FFA UK we receive intelligence from all the banks in relation to the fraud that they are seeing. That is passed through our fraud intelligence sharing system to the National Fraud Intelligence Bureau. I think that is the best way in which it can then look at the whole picture and try to identify organised criminal networks and try to work through that. Unfortunately, the nature of this type of fraud tends to be high volume and low value. It can be very difficult to investigate every single case and be able to get a resolution, but what the National Fraud Intelligence Bureau can do is to look at the intelligence that comes in from our sector and from others, match it together and see what that shows in terms of organised criminal networks. I think that then gives the police at least some fighting chance of being able to go out and hit them where it hurts.

Q258 Mr Clappison: I am very interested in the question that the Chairman has just raised with you. In a way, you are the victim and the customer of the bank is a victim. Although the customer may be compensated or repaid, he or she will go through some anxiety, no doubt, and you do not like to see your systems being compromised. The figure you have given us for penetration of online accounts was £39 million. Is that right?

Katy Worobec: £39.6 million, yes.

Q259 Mr Clappison: I am curious that you seem to have so little knowledge of what happens to the people who have been carrying out this crime, because you are a victim. Has anybody been prosecuted to your knowledge?

Katy Worobec: Yes, certainly. It is worth mentioning also we have our own dedicated cheque and plastic crime unit, which is sponsored by the banking industry. Although e-crime is not its particular specialism, it is dealing all the time with these types of frauds, so it is constantly bringing-

Q260 Mr Clappison: On the penetration of people’s online accounts-many people obviously have online banking accounts-are you aware of anybody at all who has been prosecuted for that offence in this country?

Katy Worobec: Yes, there have been prosecutions. What we don’t have is a set of figures that I can give you. For example, the PC crime unit has done a sterling job in terms of dealing with this type of fraud.

Q261 Mr Clappison: Were the people who were prosecuted in this country or somewhere else?

Katy Worobec: A mixture, I think it would be fair to say.

Q262 Chris Ruane: My question leads directly on from that. Could we have the statistics on the balance of cybercrimes committed from within the UK and outside the UK?

Chair: Who would give us those figures?

Katy Worobec: I can tell you approximately how much fraud we see on UK cards. For example, if I look at the split for e-commerce-so fraud on UK cards spent online-it is about 70% in the UK and 30% overseas. That is where we see the spend going.

Q263 Chris Ruane: For that 30% overseas, we heard of Russia and eastern Europe before. Is that the case or is it just not the case?

Katy Worobec: Just to be clear, this is where the card details are used fraudulently. So the card details may be compromised in any number of ways and then used to purchase goods from overseas. For example, airline tickets is a fairly standard area where card fraud is spent overseas.

Q264 Chris Ruane: If it is eastern Europe and Russia or wherever, is there co-operation, or is there a league table of co-operation from those authorities? Do those Governments view it as serious, or do they think that it is just happening in the UK so it is not a concern of theirs? How much concern and co-operation is there abroad?

Katy Worobec: From the work that we do with law enforcement-we work very closely with our own police unit and other forces and the emerging National Crime Agency-I think it is fair to say it is patchy.

Q265 Chris Ruane: Patchy where?

Katy Worobec: In other words, there isn’t a consistent approach in terms of response from other countries in dealing with fraud. Our own DCPCU has just set up, with funding from the EU, a joint team with authorities in Romania, because there have been some specific concerns around fraud in that area. It is trying to build some good relations with that country, as an example, but it does seem to be rather hit and miss in terms of the co-operation that you get from other countries in Europe and beyond.

Anthony Browne: One of the things we said in our submission to you is that we would like the highest international co-operation possible on this issue because it is an international issue, both at the EU level and globally.

Q266 Chair: Your main international organisation is Europol, is it?

Anthony Browne: That we deal with.

Katy Worobec: Yes, from the law enforcement perspective, but we look at it also from our perspective through the international card schemes-so Visa and MasterCard-because they obviously have an international footprint.

Q267 Chair: Of course. However, with the main policing unit, would you have a direct link to Rob Wainwright or his colleagues in Europol, or do you go through the Metropolitan Police and they then go through Europol?

Katy Worobec: I think we have to go through the Serious Organised Crime Agency at the moment.

Q268 Chair: So you go through what will become the National Crime Agency.

Katy Worobec: Indeed.

Q269 Chair: Are those structures okay? Is it working, or could it be a little bit more streamlined?

Katy Worobec: I think it could be more streamlined. What I mean by that is that I think we should look at ways in which intelligence can be better shared between law enforcement and the private sector-the banking industry. If we can get two-way information sharing-I think someone spoke earlier about trying to get better data sharing between countries-I think we could improve the situation a lot.

Q270 Chair: On a practical basis, if this happens at 5 pm on a Friday and you have uncovered some great fraud being committed and you pick up a phone, is there somebody there or have they gone home? Is this a 24/7 operation that you can deal with?

Katy Worobec: In terms of the banking industry, we would find that most banks often have footprints in other countries anyway.

Q271 Chair: No, not the banks. I am talking about the policing.

Katy Worobec: Right, okay. In terms of our own police unit, obviously we have a link into that. As far as more general policing is concerned, we would tend to go through our DCPC unit.

Q272 Chair: No, I understand that. Is it 24/7 or at 5 pm on a Friday does it all close down? Your system obviously carries on.

Katy Worobec: Are you talking about the banking side?

Chair: Not the banking side. When you ring up the police, or whoever you ring up, and you say, "Somebody is now emptying all these bank accounts," or, "This card has been fraudulently used and we want to stop it," is there somebody at the other end of the phone at 5.05 pm on a Friday?

Katy Worobec: There certainly would be in the DCPCU, yes.

Q273 Chair: What does DCPCU mean, for the purposes of the record?

Katy Worobec: Dedicated cheque and plastic crime unit.

Q274 Chair: Where is it based?

Katy Worobec: It is based in London. It is fully sponsored by the banking industry. It is a mix of City and Met officers working with banking industry investigators and support officers.

Q275 Chair: Good. We had not heard of that before, I think, so it is always nice to hear about new organisations. So they are there at 5.05 pm on a Friday?

Katy Worobec: They certainly are.

Q276 Chair: What about 10.00 am on a Sunday?

Katy Worobec: There will certainly be somebody available at 10.00 am on a Sunday, or me on my mobile, so yes.

Q277 Mr Winnick: That is reassuring.

Ms Worobec, you sent a letter to us, I think in February this year, and you cited a customer survey by Which? as demonstrating that the vast majority of customers are refunded quickly-within one week. However, it does appear to be the case that 29% of customers surveyed had to wait longer, in some instances as long as six months. What is your comment on that?

Katy Worobec: Our statistics show that 98% of fraud claims are refunded. We have done some work since that Which? survey-talking to our members-and 96% to 98% are actually refunded either the same day or the following day.

Q278 Mr Winnick: Sorry, I am getting confused. Which? says that 29% of customers had to wait longer, some up to six months. Are you disputing this? Leave aside the 2% for the moment.

Katy Worobec: Yes. Our members are telling us that between 96% and 98% are actually refunded the same day or the following day.

Q279 Mr Winnick: Who is telling you?

Katy Worobec: These are our members, which will be the retail banks and card issuers in the UK.

Q280 Mr Winnick: Should we have more confidence in them or in Which?

Katy Worobec: You have to look at the fact that Which? has done a survey asking people who have experienced fraud over the last five years what their experience is. There could be all sorts of reasons behind the apparent delays, and it would be interesting to understand a bit more about what the details behind the survey show us. I am not convinced that it necessarily conveys the accuracy of the situation, whereas our members have told us that these are the figures that they are seeing.

Q281 Mr Winnick: For the sake of argument, say the situation has changed or Which? could have been wrong in the beginning, what percentage of customers would you say have to wait if not for six months, certainly, then beyond three months? Do you want to give a figure?

Katy Worobec: I think it is a very small number. It is in between 4% and 2% really and I think it will be at the lower end of the scale, so most will be resolved in a few weeks. Where lengthy and complex investigations are required, it may take some more time to get that sorted. However, they are few and far between, quite honestly.

Q282 Mr Winnick: I have great hesitation in challenging any witness, and I do not have any evidence to do so. Without in any way questioning your integrity, do you think it is possible to send some documentation-if the Chair agrees-to back up what you have just said?

Katy Worobec: I am happy to put these figures in writing to you, certainly.

Q283 Mr Winnick: With some evidence of what they are based on.

Katy Worobec: Yes.

Q284 Mr Winnick: It said that 98%-in fact you have just mentioned it-of those surveyed had their claims repaid in the end. Let us consider these 2%. On the basis that it is said that 94% of the UK adult population now own a credit or debit card, if the maths are right, this works out at somewhere in the region of 380,000 people a year. It is quite a large number of people, isn’t it, that 2%?

Katy Worobec: I am not disputing your maths at all. I think it is worth bearing in mind that 9.9 billion card transactions take place every year, so we should look at this in the context of that. There will always be a small number of cases where things need further investigation. These cases can be quite complex and do take some time to resolve and, frankly, there are fraudulent claims made as well. So first-party fraud does play into the mix of the 2% that are not refunded as well. We must remember that.

Q285 Mr Winnick: Recognising that fraud needs to be investigated, we would be very simplistic and naive not to recognise that there are people who are not genuine, to say the least. Nevertheless, you would accept that people who have genuinely been the subject of such fraud should not be in a position where they lose out.

Katy Worobec: Absolutely. There will always be cases when unfortunately things are perhaps not handled as well as they should be. I am not saying there is 100% success in that space, but I do think the figures stand for themselves in terms of the overall approach to that particular issue of refunds.

Q286 Mr Winnick: Yes, and you are going to send us the documentation. Mr Browne, of course, you are the chief executive of the British Bankers’ Association. Is the status of bankers high?

Anthony Browne: No. One of the joys of this job is I get sent all the information when the pollsters ask the public what they think about banks, and it is-

Q287 Mr Winnick: Are they lower than MPs and estate agents?

Anthony Browne: I don’t know quite where they stand compared with MPs or estate agents, but they are about as low as you can get.

Q288 Mr Winnick: Before I ask you anything else, I come from a generation in which, despite my politics, and whatever may have happened in some other countries-certainly in the 1930s banks collapsed very rapidly in the United States, and there was depression and all the rest of it, not confined to the United States-in the main, in the immediate post-war period, one did have a feeling that nothing could be safer than to have your money in the bank. I am referring to British banks. That feeling of security and confidence has changed, hasn’t it?

Anthony Browne: I can provide you with third-party polling data on this. If you look at the confidence that people have in the banking system, it certainly took a big hit after 2007-this might be slightly different from the angle you are taking-after the run on Northern Rock, but that confidence has largely returned. People do believe now that their banks are safe. I know this is not the subject of this session, but there have been a huge number of reforms in place to make sure that banks do not fail again.

Q289 Mr Winnick: So why the feeling that the surveys show, as you readily admit-

Anthony Browne: They are not generally to do with the safety of banks; it is the disquiet that the public have. In fact YouGov has a very big poll about this out tomorrow, which I think will be in tomorrow’s papers. It is not the safety of banks that people are worried about. It is more concerns about mis-selling, the behaviour of bankers and remuneration-all the things that you debate regularly in Parliament.

In the polling evidence-and I urge you to look at this YouGov thing-concern about being victims of fraud really does not register in terms of people’s concerns about banks. There are a lot of other issues that-

Q290 Mr Winnick: There is a lot for the banks to worry about.

Anthony Browne: There is, but actually fraud is not one of them. As you have been saying, 98% of people who are defrauded get refunded. I didn’t quite understand the maths you set out earlier, but certainly the number of people who don’t get a refund is going to be comparatively small.

Q291 Mr Winnick: Mr Browne, in this survey of Which? to which I referred, Halifax and Barclays were found to have the worst performances, with 34% and 39% of customers experiencing delays. Do you have any comments on that?

Anthony Browne: Unfortunately, I can’t talk about individual members. One of the problems banks have had, and one of the reasons why the opinion of the banks is low, is because, in the words of Stephen Hester, they lost sight of the customer. The banks are determined to make sure that customers are treated properly, and fraud is an example of that. They have spent a huge amount of time and effort making sure that customers are treated well. Any complaint and any dissatisfaction is a complaint too many, but the overwhelming majority of people do get their money back promptly. That is not being complacent. They clearly need to raise their game when there is dissatisfaction.

Q292 Mr Winnick: In your role as chief executive of the British Bankers’ Association, do you take these matters up with individual banks? Which? obviously has high standing.

Anthony Browne: It does. I have a great regard for Which? and it does a lot of very good work representing the views of customers. In fact, one of the things I have done at the BBA is to set up a consumer panel to make sure we get full input from consumer groups into our policy-making work to make sure we can properly address their concerns. To answer your direct question, I have taken up individual matters of concern with individual banks.

Q293 Mr Winnick: Of course this is related to the direct inquiry we are having into e-crime. If people who feel that they have been the subject of fraud have sufficient confidence in the banks they are dealing with, it certainly helps the customer to have the feeling that the matter will be dealt with pretty swiftly and in a competent manner.

Anthony Browne: The banks are obliged to deal with it quickly. Under the payment services regulations, they have to give an immediate refund when there is an unauthorised transaction. There is a lot of detailed FSA guidance about exactly what that means, which we can talk about if you want. That is certainly the standard to which the banks work. If people are not satisfied, they can take their complaint to the Financial Services Ombudsman. I know you had a previous witness who gave evidence about this, and there are something like 70 complaints a week.

Q294 Chair: Mr Winnick has rightly raised this point and he has rightly raised the Which? report. There is a big difference, is there not, Mr Browne, between a bank like First Direct, where 83% of customers were reimbursed immediately, and Halifax which has a figure of 64%, and Barclays where only 59% were reimbursed? You have seen this survey, presumably.

Anthony Browne: I have, yes.

Q295 Chair: How do you account for the difference between this? It is a very large figure, isn’t it? I should declare my interest: First Direct is my bank.

Anthony Browne: It has a good reputation. Exactly what the banks should do, as I say, is set down in legislation and there is guidance behind it.

Q296 Chair: Yes, but they are not doing it, are they?

Anthony Browne: The point is then that each individual bank has different protocols about how they precisely deal with it. Katy would be far closer to the detail of that than I am.

Q297 Chair: What do we do about this huge difference that Mr Winnick has highlighted: 83% for First Direct; 59% for Barclays?

Katy Worobec: I think the difficulty is with the survey that Which? has run. It is looking at people who have been claiming fraud refunds over the last five years, and the impact of the payment services regulations has really bitten in the last few years. It may be that some of these have perhaps experienced a fraud in the first part of that. So we may have seen an improvement in performance, and I think we probably would do in the recent past. As I say, I think it is very difficult if I experienced fraud five years ago to remember exactly what time scale it took to get my money back. There is an element of not really being able to get behind the figures and see exactly how the questions were asked and so forth. For example, it may be that some of the respondents did not confirm the fraud immediately it happened on their account. It may have started as an unauthorised transaction or a dispute, and then been confirmed as fraud later. That may have been part of the delay, for example. So I think there are lots of reasons behind that.

Q298 Chris Ruane: What are banks and card providers proactively doing to raise customer awareness about keeping their financial details secure online?

Katy Worobec: At Financial Fraud Action UK, we have done a fair bit of work in the last 12 months in this space. It is something that we are very much concerned with. We have been working with the National Fraud Authority as well. In the earlier panel you were talking about targeted customer education and focusing on particular at-risk groups. We have been working with the National Fraud Authority, and I can give several examples. One was a campaign called "The Devil’s in your Details" that had two aspects to it. One was targeting young people, and it did make use of a viral campaign on YouTube to get the messages through to that section of the public about looking after their details and how important it was. A second aspect of the campaign was targeted at middle-aged ladies using the internet.

At the other end of the scale, we have also done some work with elderly and vulnerable people in Durham-as a pilot initially-where we went out and interacted with their network. So, going to coffee mornings, citizens advice bureaux and libraries-those sorts of things-and getting information out in a face-to-face way, which resonates with that particular group of people. There was a range of different activities. "The Devil’s in your Details" campaign that we ran was a collaboration between the National Fraud Authority, the banking industry and the telecoms industry, so it was getting a joint and consistent message out about protecting personal information, jointly funded by those three sectors.

Q299 Dr Huppert: A question for Katy Worobec. There has been an interesting exchange of letters. I think you know of my constituents, Steven Murdoch and Ross Anderson, who have done some very interesting work on how chip and PIN cards can be compromised without actually knowing the PIN.

Mr Winnick: A bit of name calling.

Dr Huppert: There have been some fairly strong words. Professor Anderson has given evidence to this Committee, which I think led to your letters. First, do you accept that it is possible for somebody to have their chip and PIN used, and it looks like there was a PIN even though they did not divulge that PIN?

Katy Worobec: We are aware of Ross Anderson’s research and Ross and his team do a lot of good work in that space. On the demonstration that they made in terms of that particular vulnerability in chip and PIN, we are not saying it is not possible to do that. What we are asserting is that it is quite a complex and difficult way of committing fraud, and we are aware that there are much easier ways, unfortunately, for the fraudster to commit fraud. The type of attack that Professor Anderson was talking about relies on the fact that you need to have a physical card from the cardholder. If the cardholder reports that card lost or stolen, the fraud is blocked. That is quite different, for example, from the skimming of mag stripes, which is the problem that we have countered by introducing chip and PIN, where they would have been able to copy the magnetic stripe of a card and then create a large number of cards that cloned that original card without even taking it away from the cardholder. So that had much more potential for the fraudster being able to commit fraud on an industrial scale. As I say, we are not saying chip and PIN is 100% secure, but it does offer a much more secure platform on which to work than the old magnetic stripe cards did.

Q300 Dr Huppert: Nonetheless, it means that there is a possibility that people who claim that money was taken from them fraudulently-they claim they did not divulge their PIN, yet the suggestion is made that they must have done so-are right. Indeed, in 2012, there were 64,000 complaints to the Financial Ombudsman Service about banking and credit, and 54% of those for credit cards were found against the bank. There are various similar figures. Do you think that the number of disputed chip and PIN cases that have been referred to the Ombudsman suggest that there may well be genuine cases where it is falsely suggested that people may have colluded or been insufficiently secure with their PIN?

Katy Worobec: I really don’t believe that the cases where the use of a PIN is cited are down to the sorts of attack that Professor Anderson was talking about in his research. I think there are easier ways to defraud the system, as I have said. I would assert that it is unlikely, in fact, that the bank will simply reject a claim for a refund just because the legitimate PIN was used. They will look at a number of factors and criteria before making a decision about whether a claim is refunded or not.

Q301 Dr Huppert: Professor Anderson has given some specific examples, but if you say it is not really likely to be used because there are easier ways of fraud, why did you ask Computer Labs to remove the paper that it published from the internet?

Katy Worobec: We were concerned that some of the information there might be giving information away to potential fraudsters. By describing it in the level of detail that they did in the paper, it might have encouraged people to try doing that. So we were concerned that it was not a particularly good way of talking about that particular type of fraud. What we would have preferred is for Professor Anderson to come and talk to us about it and then we could have seen whether there are things that need to be done. However, to publish a lot of detail on the internet does tend to encourage people to try that type of fraud.

Q302 Dr Huppert: It was circulated among a number of the banking community and he highlighted it well before it was published. Surely the correct thing to do is try to fix the problem rather than asking people not to reveal the fact that it exists. A question for Mr Allen: what work is being done to try to fix the chip and PIN technology problem? From reading the paper, it is clear that it is entirely fixable. You could update the protocol so that this particular hole does not exist any more.

Anthony Browne: Can I highlight some points here? One, and it comes back to several of the questions here, is that the banks have immense financial interest to reduce fraud. With 98% of fraud victims being refunded, it is a direct cost to their bottom line, which is why they spend a huge amount of money on combatting fraud and on various publicity campaigns-

Q303 Dr Huppert: Unless you can insist that it is the cardholder’s fault, in which case you do not have to reimburse them.

Anthony Browne: There are a lot of new technologies coming in the whole time, and Katy has a lot of the details, which have been very successful in reducing the amount of fraud. The reason why fraud went down to a 10-year low, despite a massive increase in cyber online accounts and everything else, is because of all these new technological investments that have made it far more difficult to commit fraud. Obviously it is not perfect. It is questionable whether any system is ever capable of being perfect, but the banks are spending huge amounts of effort to combat it. Sorry, you asked a question of Matt and I interrupted.

Matthew Allen: In response to the question, banks are constantly updating their systems and controls, and this is a constant challenge. We outlined in our submission to the Committee that this is a highly mobile threat. It is rapidly evolving, so banks are very vigilant.

I would also add that there is significant action at the firm level. At the industry level, we are constantly working with our members-both at the BBA and in partnership with FFA UK-to make sure that we can provide the best possible service to our members in terms of highlighting new emerging trends. I can give some examples of the work we have done in this area. You mentioned Europol earlier. We have been engaging with Europol. I took a delegation of five banks to Europol in October. Europol has recently visited the BBA. That is entirely to try to find ways to promote a stronger dialogue between law enforcement, at the international level, with the banking sector. We have knowledge in the banking sector of emerging crime techniques and so do law enforcement, so we are certainly very keen to promote that dialogue. There is significant work by individual firms, but there is also quite a lot of work at the industry level as well.

Q304 Steve McCabe: I think my question follows on from this. I do not think anyone disputes that there is a huge effort and a significant amount of investment in trying to counter online fraud. Despite that, it does seem to be on the rise and there is a huge amount of money being stolen each year. Is that because this is the sort of crime where the number of criminals and victims are just expanding, or is it because some of the security systems are pretty poor and inefficient?

Anthony Browne: Can I just come back to the point, Mr McCabe, that there is a huge amount of money and any fraud is too much fraud? However, banking is 8% of GDP and it is 1% of fraud in the UK, so it has a far better record than the rest of the economy. That is not to be complacent but there is -

Q305 Steve McCabe: Most people would regard this as a relatively new form of crime, so we may still be in the early stages.

Anthony Browne: Yes.

Katy Worobec: I would like to talk about something that we have seen recently. In terms of the types of attacks that we are seeing from fraudsters, it does tend to be focusing on the customer and trying to dupe them into giving away personal details and security details. There is a particular type of insidious fraud that we have been seeing in the last year. We refer to it as "courier fraud". Essentially, particularly elderly and vulnerable customers are targeted by someone who phones up claiming to be from their bank or from the police and says, "There has been fraud on your account. We need your PIN number, we need your card, and we need evidence of what you bought. Please give it to the person who comes to the door," and they give their details away.

In a similar vein, there is a constant attack from fraudsters to try to get people to give their personal details away. That seems to be where the attacks are coming from at the moment. In a way, it is less about the security of the systems, particularly the online banking system - it is robust - and what it is is that, unfortunately, the customer is being duped into giving their details away.

Q306 Steve McCabe: Banks do phone customers and invite them to give personal details over the phone. That is not unusual, is it?

Katy Worobec: The sorts of details that you would be asked as part of the "know your customer" details. Banks are required to identify a customer when they phone them up for whatever reason. Unfortunately, they are asking what look like personal details, but they are very limited. We are talking about a situation where people are being asked to give their PINs and their cards away.

Q307 Steve McCabe: I do not want to interrupt you, but if the message to the elderly person or the vulnerable person is, "You should not be duped and you shouldn’t give over this personal information to these people who are fishing for your details," the very fact that the bank itself asks for personal details is likely to lead to a degree of confusion in the mind of that person, surely.

Katy Worobec: I do understand what you are saying. Unfortunately, the bank is required to do that in order to identify the customer. It is one of these vicious circles. What we do say in terms of advice to customers is if they are at all concerned about who they think they are speaking to, they should put the phone down and dial the phone number that is on the statement or on the website and speak to somebody. So they go back into the system if they are at all concerned about anybody they are speaking to, which I think is the best piece of advice that we can give.

Anthony Browne: It is obviously different if you are phoning a bank, in terms of telephone banking, and they ask you to prove your identity when you are phoning them, as opposed to the bank phoning individuals, which is far rarer.

Q308 Steve McCabe: Should I deduce from what you said that you are satisfied that these security systems you have are adequate and that no criticism can be made against them, or would that be a wrong assumption? I just wondered, because you dealt with only the second part.

Katy Worobec: I wanted to give an example because I think it demonstrates in a way that the bank systems are robust. That is what is forcing the criminals to target the consumer as the weakest point, and that is really where I was coming from.

Chair: Excellent. Thank you very much for your evidence. It has been most helpful and we will be no doubt writing to you. I know you have promised us some documentation. We would be most grateful if it could be sent as soon as possible, because we are about to conclude our report.

Prepared 23rd April 2013