September 2019 ~ ‘Strong Customer Authentication’ ~ move to reduce credit card fraud . . . but not quite yet!
Banks and larger retail outlets will be asking customers to input a one-time passcode in order to complete online transactions. This is all part of a strategy introduced by lenders and credit card companies in a move to reduce card fraud. Due to the hike in payment card fraud across the continent, extra forms of verification, known as Strong Customer Authentication (SCA), will be required. The EU directive comes into force on 14 September, when the law will officially change.
Under SCA, online payments of around £28 will require extra verification; perhaps a one-time password texted from the bank to a mobile phone. Alternatives could include a thumbprint on a smartphone or voice recognition. And in shops, PIN numbers will need to be added to contactless payment.
Yet despite an estimated £671m lost to fraud on UK payment cards in 2018, [a 19% increase on the previous year], the Financial Conduct Authority has delayed it, bowing to pressure from banks and retailers who were not ready for the measures. The FCA will not enforce the law until March 2021.
August 2019 ~ UK fraud . . . is it any wonder?
The rise in fraud in the UK continues at an alarming rate and cannot fail to be linked to the lack of priority afforded by law enforcement. In the year up to March 2019, 3.8m fraud incidents were reported in England and Wales, according to the latest official figures published by Crime Survey. That’s up 17% over the year; but still accounts for only those crimes reported. It is an accepted fact that the public has so little faith in ‘Action Fraud’, which has recently received such a slating in the media, that most fraud incidents go unreported.
Meanwhile, UK Finance reported 2.8m cases of fraud involving UK-issued payment cards, remote banking and cheques – up 39% from the previous year.
July 2019 ~ ‘Authorised Push Payment’ fraud . . . . when your bank says ‘no’ . . . keep fighting!
Recent UK figures suggest that £145m was lost to APP fraud during the first six months of 2018 and the phenomenon continues to grow at an alarming rate. ‘Authorised Push Payment’ fraud occurs where the victim is tricked into transferring money from their own accounts into those accounts controlled by the scammers.
Such has been the concern of the FCA, that this year they introduced a voluntary code which should demonstrate a desire by these institutions to help tackle the problem. ‘Payment providers’, (banks, building societies etc), ought now to be giving consumers stronger redress with the recipient bank used by the scammers.
However, when Mrs R was tricked out of £17,000 . . . using a variation on the ‘TV Licensing Authority’ scam . . . her High Street bank’s response was to ignore this voluntary code. She was told that the recipient bank was not a mainstream one, but one which operated a ‘prepay’ facility; ideal for this type of fraud, and as she had transferred the funds herself, they accepted no responsibility. Naturally, the police did not want to know . . . they are no longer equipped to deal with fraud.
Her bank account had clearly been hacked as someone had transferred all the money from her savings account into her current account without her authorisation. This convinced her that the ‘nice man from the bank’ who was helping her on the phone get through this trauma was genuine; not least as he was also able to quote the details of her latest two transactions.
Mrs R came to IPFGB and we produced a forensic analysis of her phone and laptop which proved her version of events. Threatening the bank with litigation based on this report, plus interest from the Daily Mail and her MP, eventually persuaded the bank to repatriate her funds, despite their insistence that they were in no way culpable.
The full article is published on the ABI website.
July 2019 ~ GDPR and WHOIS . . . . “Told you so!”
On this very blog, (see February 2018), we warned that the introduction of the imminent and draconian GDPR laws would benefit two schools . . . the Treasury and the scammers. The ICO was employing extra staff to help enforce massive fines for breaches, whilst the withdrawal of the public database of domain names, such as WHOIS, would be a godsend to crooks who produce false websites.
It should not be a surprise then that an additional beneficiary has been terrorism, according to Gregory Mounier, head of Outreach and Internet Governance at Europol’s Cybercrime Centre. “The internet has become less safe because of an overly conservative interpretation of the GDPR by the ICANN community,” he said (source: Bloomberg).
Not long ago, US, European and Canadian law enforcement officials claimed success in eradicating the militant group Islamic State’s online propaganda network, partly by the use of public domain names databases; cracking down on websites, blogs, and Twitter accounts relaying IS propaganda whenever there was an attack. 400 such IS supporting domains were identified and arrests made. Because both technical and personal data of registrants have been redacted, this type of work is now much more difficult. Mounier admitted that “More and more investigations are just dropped or severely delayed because we can’t have direct access to WHOIS registration data information.”
July 2019 ~ “The entire system is broken!” . . . a lawyer speaks out
Addressing a gathering of private investigators in Bristol, a respected criminal defence lawyer admitted that these days, hardly anyone was being prosecuted unless it involved domestic violence or a sex offence, or literally being caught in the act either on CCTV or in person. “Even when there are prosecutions, the clearly deliberate undercharging by CPS neither serves the alleged victim, nor the defendant who seeks a jury trial,” he added. “There are insufficient police and insufficient CPS staff. The courts are similarly understaffed now; everything is automated, and it is impossible to speak to a real person. The entire system is broken! Respected defence lawyers are slowly being replaced by rookies, employed by the bigger firms who need to rely on turnover; so there goes another layer of conviction safety. I won’t miss it at all when I can afford to retire!” he concluded.
More often than not, commercial businesses will turn to the civil courts to pursue a larcenous employee or fraudulent entity; either by bringing the case to a specialist law-firm or by calling in a competent private investigator to collect and analyse the evidence. On this theme, Dick Smith of IPFGB added, “Crimes involving theft or fraud are amongst those which have been de-prioritised to the point of blank refusal to act. We continue to witness, particularly in the case of companies, finding themselves victims of dishonesty, now viewing contact with the police to be an unnecessary distraction; or even a detrimental move. It is sad to report that officers in general have been de-skilled, whilst their social media-conscious decision-makers, seemingly driven by a desire to take action only on what looks politically ‘on-message’, will find every excuse imaginable to de-crime a crime.”
July 2019 ~ US and Europe suffering the Chinese counterfeiters
In the same month as Europol and the EU Intellectual Property Office confirmed China’s continued dominance of the counterfeit product market, the US has issued a stark warning on state-sponsored IP theft from American research institutes.
Europol reported that second in the league was Hong Kong (still measured separately), followed by Turkey and Vietnam. Typical transit countries* were Albania, Morocco and Ukraine. Social media markets make life much simpler for advertising, selling and distributing pirated goods. Nearly every product sector imaginable is being counterfeited. “Most of the distribution is linked to organised crime,” the report concluded “and the only option to counter is by police operations.” Sadly, we rarely see that occurring in the UK.
In the US, Senator Mark Warner, (the Vice-Chair of the Senate Intelligence Committee), whilst addressing the Council on Foreign Relations on homeland security and counterterrorism, made his comments in respect of Chinese students in the US, “If your son or daughter does not come back with intellectual property, your family will be put in jeopardy.”
By now we should all be aware of China’s Thousand Talents programme and how their citizens are rewarded if they return to China with intellectual property stolen from the West. Warner continued, “There are 360,000 Chinese students in America, many in cutting-edge research. Each is a revenue source that universities have become addicted to. But US companies are losing $400-500 billion worth of intellectual property each year; [a figure which continues to rise]. The overwhelming majority of counter-intelligence cases in our country right now involves Chinese nationals.”
It used to be that the majority of foreign students in the US, (and for that matter the UK), arrived in the country with an intention to stay on after completing their studies. That has changed in respect of the Chinese; whose home economy has boomed. It was here that Warner remarked, “The Chinese spy services are literally threatening Chinese families to say: If your son or daughter does not come back, and come back with intellectual property, your family will be put in jeopardy.”
The US is addressing the problem; by getting their research colleges to remove some of the ‘Confucius Institutes’ that are nothing but agents of Chinese services, holding their students accountable.
*In respect of transit countries for counterfeit product, IPFGB has had first-hand experience of the UK’s borders being considered the weak access area into Europe. “Assisting City of London Police in a raid on a prolific UK counterfeit distributor,” says Dick Smith, “we encountered counterfeit product destined for Germany addressed initially to the UK; the senders in China calculating there would be more chance of the regular shipments getting through. They were right. What they had not realised was that the European hub for the courier they used was actually in Munich and the massive consignments were first sent there. Police there picked up on the operation and alerted their counterparts in the UK.
“In a further demonstration of ineffective UK borders, in another case, which on this occasion UK law-enforcement failed to bring to book, thousands of counterfeit software DVDs, described on the manifest as ‘frisbees’, were actually intercepted by UK Border Force. However, having been held up for four weeks, the consignment was inexplicably released for onward transmission. It was purely the vigilance of the shipping hub staff which picked up on the case and alerted us. Had the consignment been genuine, the product was valued in hundreds of thousands of pounds and our thorough investigation, in cooperation with the courier, provided evidence of an ongoing criminal operation running into millions. A valiant attempt by Trading Standards to bring the crooks to justice eventually failed due to ‘lack of resources.’ The delay in delivery, created by Border Force, had effectively tipped off the gang, which naturally switched to another method of despatch.”
June 2019 ~ Acknowledgement in latest best-seller
At the Association of British Investigators (ABI) AGM in Anglesey, Dick Smith handed over the Presidency to Ron Harrison, a friend and former Met Police detective whose business also centres on intellectual property fraud. Best-selling crime author and ABI patron, Peter James, was unable to attend the accompanying banquet due to a heavy schedule surrounding the launch of his latest blockbuster, “Dead at First Sight”. The novel was written at the behest of Sussex Police; a stark warning about victims of ‘romance fraud’, a crime costing UK victims millions of pounds per year. Dick was invited to the official book-launch on Brighton Pier, where he was pictured with Peter. Dick has written a review of the book, in which he received an acknowledgement of help; the full published article may be found on the ABI website: https://www.theabi.org.uk/news/not-everyone-is-looking-for-love
June 2019 ~ ICO admits breach of GDPR
May 2019 ~ Police fail to protect Process Servers
“Under US Federal Law there is a specific offence to cater for assaults on Process Servers. I have come to the conclusion that in England and Wales, an assault on a Process Server is considered by Police to be a crime unworthy of prosecuting. Is it because training is so poor that police officers in general have no understanding of the occupation?”
Dick Smith is shortly to complete his tenure as President of the Association of British Investigators, but will continue his role as the Law Enforcement Liaison Officer. And it is in this capacity that he has made a study of a series of recent assaults on fellow-members who carry out this very necessary occupation without which, civil court procedure would grind to a halt.
In every case of which the ABI has been notified, the attack has been reported to the Police. Not once, however, has there been action taken against the assailant! What is witheringly worse, the boys in blue have treated the victim as the cause of the incident; threatening or actually arresting the Process Server.
“It is vital that the matter is addressed . . . and quickly. Police training should include a basic knowledge of the purpose of serving process. Perhaps they would then realise that it is not in the interests of a Process Server to create a combative situation. My objective is to get the results of my research read in the right circles.”
Read this article . . . you will be both horrified and vastly disappointed.
May 2019 ~ “Still in business . . . despite GDPR!”
“A year into GDPR; yet the private investigation industry still exists.” Addressing the Association of British Investigators AGM in Anglesey on completion of his year as President, Dick Smith scorned the doom-and-gloom merchants who had forecast the demise of lawful professional investigation following the introduction of strict data protection legislation. “Yet one reason that ABI members ought particularly to be compliant with the new Act is that the necessary legal requirements have all been meticulously yet simply explained to us. Preparations by the ABI began the moment GDPR was announced in 2016. Careful study of the proposed legislation, coupled with consultation with various interested bodies, enabled the Association to provide a sensible and stress-free approach through one-day GDPR courses, of which a substantial number of members took advantage. Clients can be sure, therefore, that the legal obligations required in processing personal data will be a prime consideration at each stage of every investigation.”
April 2019 ~ “Police fighting losing battle against fraud” HMIC
Which? magazine has highlighted the HM Inspectorate of Constabulary confession that the police have too few resources to adequately investigate fraud. One force was found to ignore the overwhelming majority of cases without further investigation. With cybercrime now ten times more common than burglary, we at IPFGB are regularly contacted by victims who have lost life-changing sums of money. They have been left to feel abandoned and confused as ‘investigations’ stall. “We are in the midst of a fraud epidemic and the need to tackle it is urgent,” quotes Which? “The government, police and banking industry must establish a more coordinated approach and make fraud a top priority,” the magazine concludes.
March 2019 ~ “Rob, replicate, replace” ~ the Chinese philosophy!
The pattern continues! Following last month’s reports of Chinese state-sponsored IP theft from western firms, Coca-Cola now admits that it is one of two companies which suffered trade-secrets thefts amounting to $120m. According to US prosecutors, an employee stole technology, including the composition of the inside coating of drinks cans, which she sold to a state-backed company in China which also rewarded her with part-ownership of the firm. Sending a message to the Chinese, Assistant Attorney General John Demers said, “The conduct alleged in today’s indictment exemplifies the rob, replicate and replace approach to technological development.” He continued by saying that the Chinese Government “solicits and rewards such theft.”
February 2019 ~ ‘When will they ever learn?’
. . . sang Pete Seeger. Following on from last month’s blog about a UK case of valuable IP being spirited away to China, Apple has just admitted that an employee has breached their autonomous vehicle self-drive system which is under development amid ‘top-security’. He was arrested by the FBI as he planned to board a flight to China, on the very same day that the US Government accused the Chinese tech-giant, Huawei, of stealing trade secrets.
The Huawei warning came as a belated response to the 2017 National Intelligence Law passed in China that dictates organisations must “support, co-operate and collaborate with” the country’s spy agencies.
Based in Shenzhen, the ‘counterfeit capital of the world’, the ever-expanding Huawei was founded by a former military officer. His daughter, the chief financial officer, was recently arrested in the West when it was alleged that she lied to US banks about the company’s sanction-breaking links with Iran. Despite the head of MI6 admitting that Huawei’s forthcoming 5G networks will make monitoring security more difficult, the UK has failed to fall into line with the US, Australia and New Zealand, who have all blocked local firms from using the tech-giant to provide the technology for their 5G networks.
Returning to the Apple story, this is the second major case in the past six months relating to a Chinese employee waltzing off with their secrets. This time it involves a new-recruit to the electrical engineering team. According to the criminal complaint filed by the FBI, he had full access to a subset of the databases related to his job function on the project and was seemingly allowed to take his personal mobile phone into the restricted area. He had duly attended the in-house induction secrecy-training course last June, yet within a week, a photo of an assembly drawing was on his phone. It came to light just last month, when another employee spotted him taking photos. The drawing was subsequently found to be one of 100 taken in the restricted area. The photos were deleted in his presence . . . . and the phone returned to him!
A fuller investigation, however, revealed that the employee had downloaded over 2000 files containing “confidential and proprietary Apple material, including manuals, schematics, and diagrams.” All had been backed up to his personal hard-drive. Prosecutors have also revealed that the employee failed to tell Apple he had applied for a job with a China-based autonomous vehicle company.
Every company which values its IP is most at threat from within . . . from the employee who, for whatever reason, wants to steal vital trade secrets. But the best monitoring audit system (MAS) in the world won’t detect the worker who has been allowed to take a phone-camera or similar onto a restricted site. So where have all the secrets gone? When will they ever learn?
January 2019 ~ Justice . . . if you can afford it!
If you are the victim of fraud in the UK, the probability is that Law Enforcement will find every excuse under the sun to do nothing. If you are a UK hedge fund company that has a “Zero Tolerance” approach to the theft of its IP, coupled with the funds to take out a private prosecution, then justice is achievable. Here’s a tale where the police did, at least, try to help.
In 2012, a maths prodigy is employed by the UK hedge fund. It seems that two years later, being dissatisfied with his £400k bonus, he chooses to move on, but not without allegedly leaving with some of his employers’ trade secrets by way of documents and electronic devices. The employers act fast, immediately getting a court order demanding the return of their property. The court orders the miscreant to return his passport; however, he is already on a flight to Hong Kong. A Hong Kong court bans his travel, but he goes to the Chinese border and hands over a desktop computer and three laptops to his wife’s parents. Investigators find him at his wife’s law firm in Hong Kong, but he denies having any devices except his iPhone. Meantime, back in London, the employer files a complaint with UK police who search the absconder’s flat, but find nothing. Nevertheless, they notify the Hong Kong authorities and the man is arrested. Extradition is requested and the man returns to face the courts. A judge orders the man to give up the confidential information and to reveal to whom the information was passed. He refuses and is sentenced to 13 months imprisonment. It’s as far as the authorities will go, so the “private prosecution” option kicks in.
If the Crown chooses not to devote public resources to a case, the victim can ‘Privately Prosecute’ the case. With the help of private investigators, lawyers, and IT specialists, the employers put the case together and, a month prior to release, the man is charged with five counts relating to the stolen data. In remote testimony from China, the parents claim they have dumped the hardware in a river. Unbeknown to them, they have been under surveillance by the investigators for 11 months. The mother’s evidence is discredited and the man is convicted on two counts of failing to disclose where the trade secrets have gone. He is sentenced to 18 months.
This is not the end of the tale. Towards the end of the prison sentence, the employer starts further legal action against the man for breaching his confidentiality agreement, filing an action requiring him to stay in the UK. Lawyers make the additional argument that his continued failure to reveal what he’s done with the trade secrets is a contempt. He is sentenced to a further 13 months in prison. He is still there!
The message is clear . . . the resolve of this victim company was matched with their ability to bear the expense of a thorough private investigation and resultant litigation.