There is a report in the London Times that says UK banks are likely to start getting tough on customers who fall for phishing attacks. New rules to the Banking Code (these cover how banks must treat their customers) that came into effect last month state that “victims of online fraud must have up-to-date antivirus and antispyware software installed, plus a personal firewall, to claim redress from their banks,” the Times story says.
If a person fails to have the required safeguards in place, the banks can refuse any claim for a refund.
The onus is on the individual to prove that they have these safeguards in place at the time of the hack. I see a small boon to an enterprising company that develops a software program to keep a log of the total state of the security profile of a person's computer. The company could even suggest, for a small additional fee, to keep the log on its central system to prove to the banks that the profile wasn't tampered with in any way.
There is a problem, of course, in that a person's personal information may have been hacked months before it was used in an attack, but that is another story.
At least one of my banks has a similar "redress" policy. This bank makes it very clear every time you sign on that protection of the information that allows access to my accounts through its website is my responsibility, and that the bank will not be liable in any way if that information is used by an unauthorized third party due to my negligence.
How I can prove that some future unauthorized access wasn’t due to my negligence is not spelled out in any way (What, do I have to get the hackers to tell the bank where and how they got my information?), so I have started to stay away accessing my bank account information through this bank’s website. I suspect some bank customers in the UK faced with a similar dilemma may decide to do the same.
UK banks, like those in the US, want their customers to do more on-line banking to reduce their personnel and other overhead costs - I am going to be interested in seeing what happens if the banks start refusing to pay refund claims from hacked (off) customers.
Comments (10)
Thankfully, the U.S. Federal Reserve has Regulation E, which requires banks to refund all disputed transactions unless they can prove fraud by the customer. [12 CFR 205.6]
Posted by William | May 6, 2008 2:55 PM
Posted on May 6, 2008 14:55
British banking continues to put as much burden on the customer as possible. These banks have had little or no incentive to implement any protection of the customer, because they could just say, "Tough luck!" or since they're Brits, "Hard cheese, old chap!" and walk away with no liability regardless of the lack of security in their practices. These new regulations sound like the same old approach disguised as something new.
Posted by Bill Courtney | May 8, 2008 5:32 PM
Posted on May 8, 2008 17:32
I would hope it would be sufficient to show that you are running Linux or Mac OS X.
Posted by Martin | May 8, 2008 8:30 PM
Posted on May 8, 2008 20:30
I believe the banks are right in expecting the user to use the services in a legitimate manner. You might want to change your browsing habits, not just to protect your bank accounts, but also to protect your PC from other attacks. Even non Internet issues such as "not sharing your passwords with anybody" is important. People will have to be aware of knowledge on digital certificates, SSL connections, and be wary of suspicious emails.
People lose money in phishing attacks because of their own carelessness, not because of banks.
Posted by RD | May 9, 2008 2:43 AM
Posted on May 9, 2008 02:43
Having a requirement of high safety measures taken by the customers is understandable on the bank's part, however, at times any service provider has to somewhere compromise these requirements to believe in customers and to gain the customer's trust in things like redresals.
Posted by Rohit Pandharkar | May 9, 2008 3:37 AM
Posted on May 9, 2008 03:37
Well how does one provide evidence for this when using a linux desktop? There are little standardized commercial tools to show that appropriate measures were taken.
Posted by Konstantin Agouros | May 9, 2008 9:14 AM
Posted on May 9, 2008 09:14
The only cure for this problem is to require that the banks provide a special software program for communications with their web site to handle all encryption and take total control of the computer in question. The software would have to run without using the resident operating system in such as way that all other programs (such as spyware, keyloggers, etc) are prevented from running when the bank's program is in use.
It is absurd for the banks to push easy access, without taking responsibility for the cost of easy fraud.
Posted by Terry Walker | May 9, 2008 11:53 AM
Posted on May 9, 2008 11:53
Konstantin Agouros has the right answer to this problem in my opinion. Why don't the banks invest in producing a standardized CD/DVD-based secure web browser that boots from the CD into a known high security configuration that doesn't interact with the underlying O/S or attached storage devices and, therefore, can't be tampered with or changed in any way? The secure browser could also be URL constrained so that it could not be used to browse to any website other than those banks that belong to the secure browser program, and it could surf to a bank website with high encryption on at all times. When a transaction was completed, the user would simply eject the CD and reboot their computer. (As an added feature, each CD could be optionally encoded with a unique identifying ID that each bank could associate with a particular banking customer and utilize to verify identity via an email, instant message and/or callback for large or questionable financial transactions.) Now that would raise the bar on online financial transaction security!
Posted by Alan McRae | May 11, 2008 12:11 PM
Posted on May 11, 2008 12:11
Opps! I should have credited Terry Walker with the best security solution, not Konstantin Agouros. Great idea Terry!
Posted by Alan McRae | May 11, 2008 12:14 PM
Posted on May 11, 2008 12:14
I like Terry's idea too. But it can get messy from the user's perspective.
You download a live cd iso image from the bank's website or you pick up the media directly from the bank agency, or they send it to you through the mail. That's not automatic for most people who can handle a computer, but it looks practical, except for sometimes it gets hard to configure your connection from a linux live-cd (specially if it's wireless access).
The problem is, what if the crooks lead you into downloading a corrupted version of the live cd image (at least the victim will have a few minutes to figure it out if it's a slow connection)? It seems to me that phishing will always find security breaches when it comes to the user behaviour. This live CD would need constant upgrade to keep it protected from hackers, meaning the bank would have to send new medias regularly. And if the users were allowed to download an image instead, that looks like a tempting hook for phishing.
I already have to carry a card with several passwords for safe online banking. Replacing it with a live cd the size of a business card wouldn't make such a big difference. Someone must have thought of it before, has this ever been done?
Posted by lustosa | May 12, 2008 4:00 PM
Posted on May 12, 2008 16:00