The Dutch Banking Association (NVB) in the Netherlands provides numbers of internet banking fraud, I think twice a year (see also my last post on this). Yesterday the announced new numbers, together with a new awareness campaign for the public. The numbers they announced yesterday about the first half of 2011: amount of incidents is 2400 and the damage is €11.2M.
I extrapolated these numbers for the whole of 2011 by simply multiplying them by two (which is probably optimistic) and compared them to the 2009 and 2010 numbers. The bottom-line is is that internet banking fraud still increases a lot with more than twice the damage in 2011 than in 2010. The relative increase is however less dramatic than from 2009 to 2010, when it increased with a factor of five. The amount of incidents increased with a factor of about 3.5, and thus there is also good news: the amount of damage per incident decreased (to an average of ~€4.500 per incident). I guess this is because the Dutch banks improved their detection of internet fraud, and are more effective in quickly stopping money mules.
Non-technical countermeasures such as continuing awareness campaigns and the Electronic Crimes Taskforce (which hunts cybercrimes) are needed, but really preventing internet banking fraud also depends on better authentication means and other more technical measures. What I found somewhat remarkable is that the NVB press release and also e.g. the article in the Volkskrant (a Dutch national newspaper) talked about ‘old fashioned’ phishing emails a being a big part of the problem, while I’m personally more worried about malware on the consumers devices (laptop, smartphone, tablet etc). An anecdote is a colleague of mine that was very recently the subject of an attack involving advanced malware that infected his PC irrespective of up-to-date patches and virus scanners. The malware then waited till my colleague made a transfer, and added a transfer to empty his acoount to a money mule in Portugal. Such malware is undetectable for ‘normal people’, including the browser indicating a valid website certificate. He however noticed this right after the transfer because the browser was acting strangely, and was able to stop the transfer by calling his bank. I’, however sure that for someone less ‘nerdy’ the browser’s strange behavior would have been too suble to notice.
The below graphs show the fraud numbers for 2009, 2010 and (extrapolated for) 2011.