merseymouth wrote:[...] Every step the banks takes makes it worse for the likes of me! I'm a KISS kind of bloke, Keep It Simple Stupid, as suffering from numerical dyslexia I go into meltdown over the vast majority of everyday numbers.
Having made it virtually impossible to trade using cheques, even in High Street shops, we have to suffer embarrassment with my Chip & Signature Card, as all too often staff training has not covered such areas?
I'm not helped by having been actually hit by fraudsters a number of times, all re-immursed by our bank, but confidence is not good now.
Yes, Chip & Signature is too open to fraud. If you had a smartphone which supported contactless payments, it could be set to use a fingerprint instead of a PIN code and avoid any numeric problems, but then why should you have to pay to buy a more expensive phone that you don't really want anyway? And no, staff training is not all it should be, especially around both accessibility and security, let alone the combination/interaction of the two!
What troubles me most of all is the fact that internet criminals appear to be able to operate freely, even to the point of H.M. Revenue & Customs being used for fraud. Amazon, Pay Pal, Netflix et al, from such I get many e:mails over the security of my account? As I don't have any such accounts they're easy to bin, but why should they be able to continue in such crimes? Doesn't fill me with confidence.
HMRC and so on aren't being used for fraud. It's as trivial to send out an email faked to be from someone else as it is to fake their letterhead and return address. Most encryption tools come with authentication tools, but few of the authentication tools are used because:
1. the mailserver ones are a bit of a pig to set up. In short, as well as actually the sending mailservers using it and everyone installing some fiddly software, you'd need every postmaster (mailserver manager) to load the verification certificate not just for HMRC but for every other sender to be verified, which would probably be millions at least just for the UK, so you automate it and then you've just moved the problem around because then the scammers just find a way to fake the verification, plus now if HMRC start using a new mailserver but are slow in updating their certificates then loads of valid emails are rejected and people complain far more bitterly than if fake emails get through. And even once you've got all that working, scammers will simply do the current popular thing of sending from a similar address (like Amazoƞ.com not Amazon.com) which they have got verified (because they control it) and hoping some recipients don't look closely enough.
2. the message authentication tools work better (because there are fewer senders per person you want to verify than there are sending servers per postmaster) but approximately 0% of email recipients have the software set up so where's the incentive for any sender to be the first to adopt it and have to deal with "what is this signature attachment and what do I do with it?" questions from approximately 100% of potential users, as well as a few angry people whose misconfigured mailservers rejected the email?
In an ideal world, our MPs (and equivalents) would step in and act for the common good by ordering government departments to use standardised strong encryption and authentication on both servers and messages and have the public bear the cost of being an early adopter - but they don't because there would be some public backlash (see this payment security directive, which is a pretty minimal step...) and also many governments are ambivalent about strong encryption (because it would make it harder for spies to see what you type) so attempts to promote it get perverted into trying to push some sort of backdoored weaker system which is generally non-standard (because international standards bodies correctly reject it as insecure and favouring a few governments over others) and eventually gets killed off somehow.
On top of that, almost no law enforcement agencies seem interested in this sort of e-crime. We can report this stuff but it's rather like shouting into a well in that you almost never see any effect. It takes a lot of time (and so money) to report it and customers don't want to pay for stuff that makes no measurable difference.
Sorry for the long rants, but this is part of my day job and it is rather annoying that these problems are so difficult to see ways out of. I suspect part of the solution, yet again, is probably to stop low tax promises winning elections so often because low taxes do really seem to mean low service levels, especially on not-immediately-visible stuff like police investigating things like small-but-wide-reaching international fraud.
. The non-techno customer is at great risk, with each bank trying a one size fits all policy. Every step the banks takes makes it worse for the likes of me! I'm a KISS kind of bloke, Keep It Simple Stupid, as suffering from numerical dyslexia I go into meltdown over the vast majority of everyday numbers. 
MM
. Maybe we should change banks, oh no, I forgot our bank has changed names etc without our consent over the last 48 years? But why should such a long standing customer have to move just because they won't listen!