Thursday, 22 February 2018

Direct Debit fraud

We had an interesting case this week where someone set up a Direct Debit on one of our accounts for Hastings Insurance.

Obviously I spotted it, and the bank have refunded the payment (they were oddly less argumentative this time, which is good).

What is interesting is someone on twitter thinks they know the cause of this, apparently someone is paying commission on new signups so a fraudster is signing up loads of bogus new insurance accounts to get commission.

This seems odd - it clearly cannot last as the insurance companies will get Direct Debit reclaims from the bank, and soon realise it is happened. If they don't already have a means to claw back their commission, they soon will, and ultimately it is going to be easy enough to "follow the money" and for the fraudster to be caught.

So really this explanation makes no sense. The person on twitter seemed to have a lot of these as regular monthly payments and says it has been going on for years. Even so, he simply gets a refund for all of them from the bank and is not out of pocket as a result.

I would not be surprised to find someone, somewhere, is confused about their own bank account number, or mixes up numbers, and so has simply set up DDs on the wrong account a few times. Clearly the guy on twitter does not notice for many months at least from the transaction he posted. Easy mistake, and not necessarily fraud.

What was interesting is that he then went on about how Direct Debits are a huge security hole as the bank just accept them with no checking.

Do banks just accepts Direct Debits with no checks?

Basically, yes - there is not really anything they can check. All they get is sort code, and account number (both of which they can check for validity), and a name. However, the chance of names matching is slim to none as people simply don't know their exact 18 character bank account name, so adding a check there would not help. Even if added, that is just one more bit of data a fraudster needs, it does not stop fraud.

So are Direct Debits hugely insecure?

Basically, no. The key security comes from the fact that they can simply be reversed, with no time limit, and guaranteed by the bank (not the originator).

However, how is this security really - do lots of people "not notice" and hence a fraudster not get noticed? Well, not really - refunding a DD is flagged up, and the sponsoring bank do notice them.

At the end of the day, the end user that has had money taken can simply get it back, so not really losing out, just hassle. The fact the end user cannot lose out makes it just a nuisance.

However, what really makes the system more secure if that this means a fraudster cannot gain from it. This is what stops Direct Debits being widely abused. Fraud is rare for this reason, as there is simply no point in doing DDs fraudulently.

The real hassle, and loss, comes for the merchant, who, on the basis of bogus bank details, has supplied services or goods and may struggle to get them back. This makes a good incentive for merchants to be very careful about how they use Direct Debits.

Can anything be improved?

Definitely. Merchants can try and do more checks, but that is just as hard as the banks to be honest. Clearly if someone is paying commission on sign ups they need to allow enough time to ensure the signup is valid and DDs are not being refunded.

One thing I did not realise is that my bank, for example, can mark an account not to accept Direct Debit instructions. This is important if you have a "paying in" account, like we do, and never set up DDs on it.

Obviously banks with more interactive phone apps and the like help massively, alerting when a new DD is set up before money is even taken, and making it easy to cancel and get a refund.

1 comment:

  1. Could it be someone getting insurance for their not so legal car to avoid the police pulling them over? Police nowdays use ANPR to scan for cars with no insurance and seize them. The criminal underworld may have found a new way to make their pool cars more undetectable by getting genuine insurance but defrauding the payment side?