The Bank Fraud Resource Page

Ross Anderson


Cards get cloned; online bank accounts get phished; bank staff embezzle money; banks rip off their customers. Both cardholders and merchants rip off banks. Bank fraud is a multibillion dollar industry, and getting more complex all the time. Most of the bad things that happen on the Internet end up with money vanishing from someone's account.

Colleagues and I have been researching bank fraud for a couple of decades. In this web page we've pulled together links to a lot of relevant research and other resources. If you are a banker, a policeman, or a customer, this page is for you. (If you're a fraudster, you may well know it all already.)

This page provides links to a number of key papers, home pages of active researchers, and other resources. Complementary pages include our security economics resource page and our security psychology resource page. There is also an interview I did with Marc Tobias of security.org.

Key Papers

Community - Home Pages of People with Relevant Interests

Resources for Victims in the UK

If you are the victim of fraud against your online bank account, your bank will often tell you that you are liable because of the terms and conditions on the account. Most banks' contracts state that you are liable for any debits made using your password, regardless of whether or not you made them (see survey here).

It's even worse if you are the victim of a fraud against an EMV (‘chip-and-PIN’) card; banks will routinely claim that as their system is secure, you must be mistaken or lying. They will suggest that you complain to the Financial Ombudsman Service; but the ombudsman routinely finds against cardholders, regardless of the law and the evidence (see here).

If you complain to the police, they will tell you to report it to the bank first. This is designed to shrink the fraud statistics. But if the bank refuses to refund your money, then you are the victim not the bank, and you're entitled to have the crime recorded under section 53C of the Home Office Counting Rules For Recorded Crime April 2008 (see also here). The police unit dealing with card fraud is funded largely by the banks, a practice frowned on elsewhere.

The history of victims who've sued banks is not good; in the Alain Job case, for example, Alain failed to recover £2000 and was ordered to pay £15,000 of the bank's costs; in another case I know, a complainant retained a solicitor to recover £10,000, and the solicitor charged her another £10,000 without making any useful progress, leading her to abandon the case. On the other hand, where banks have accused customers of defrauding them, the customer often wins: see the Badger case, for example. If you get wrongfully prosecuted over a card transaction, or if you're thinking of suing to get your money back, best read this submission to the Treasury select committee. Keep any solicitor on a tight rein: ‘Your budget to get the case to stage X is £Y’. If you're well-organised and articulate, you might manage to bring a small claims case in person, but for that you'd need to know your facts, research the law, and be careful not to end up liable for the bank's costs. (The bank will apply to have your case moved from the small claims track, where each side pays its own costs, to the fast track, where the loser pays the winner's costs. If the judge agrees, walk away!) You should also study the papers in the Eve Russell case to see up close how banks and the ombudsman work. Finally, there is a very useful paper on evidence in chip and PIN cases which you should read closely if you're bringing a case yourself, and get your lawyer to read if you hire one.

In short, we have a regulatory failure in Britain. Many more people suffer frauds such as card cloning, phishing and dodgy online auctions than suffer traditional acquisitive crimes such as burglary and car theft. However, the police don't want to know and the banks get away with dumping most of the fraud risk on cardholders and merchants. As a victim, you'll have a hard time getting your money back unless you can get your story in the press, or you can threaten to take away enough business from your banker that he cares. Britain is not honouring its obligation under Chapter 5 of the EU Payment Services Directive. We need a change in the law.

Other Resources

Here are some suggestions for further reading: