Forgot your password?
typodupeerror

Can Banks Shift Phishing Losses to Customers? 425

Posted by Zonk
from the gee-that'd-be-great dept.
1sockchuck writes to mention a Netcraft article wondering who should bear the brunt of phishing costs. A group of customers with the Bank of Ireland recently had $202,000 drained from their accounts by phishers. The bank initially resisted the request to refund their money, but allowed it after a suit was threatened. From the article: "The Bank of Ireland incident is one of the first public cases of a bank seeking to force phishing victims to accept financial responsibility for their losses, but it likely won't be the last. Phishing scams continue to proliferate, as Netcraft has blocked more than 100,000 URLs already in 2006, up from 41,000 in all of 2005. Financial institutions continue to cover most customer losses from unauthorized withdrawals. But after several years of intensive customer education efforts, the details of phishing cases are coming under closer scrutiny, and the effectiveness of anti-phishing efforts taken by both the customer and the bank are likely to become an issue in a larger number of cases." So, should a bank be forced to pay back a customer who has lost money to phishers? Or is it ultimately the customer's responsibility to make educated use of technology?
This discussion has been archived. No new comments can be posted.

Can Banks Shift Phishing Losses to Customers?

Comments Filter:
  • by plover (150551) * on Friday September 15, 2006 @06:18PM (#16117326) Homepage Journal
    Whenever I receive a phishing email, I immediately capture what I can of it (including headers,) then head to the legitimate site and look for a place to report it. I do this even though I am not a customer of the bank in question. Some banks like Barclay's have easy-to-find "Report fraudulent e-mail here" links, while others seem to go far out of their way to hide any contact information at all.

    The banks with the helpful "report here" links also typically have helpful auto-responders, and their sites and form letters at least make it seem like they care about security. The banks who make it hard to hear from their customers usually don't reply at all. If I were shopping for a new bank, I'd definitely stay away from those that don't have an easy-to-find contact point near the front of their site. I get the impression they do not take security or phishing threats seriously at all. They'll probably be the ones that would fight their victims.

    • Re: (Score:3, Interesting)

      Whenever I receive a phishing email, I immediately capture what I can of it (including headers,) then head to the legitimate site and look for a place to report it.

      I used to do that about spam......in 1992. Seriously, where do you find the time?
      • Re: (Score:2, Insightful)

        by plover (150551) *
        I get maybe one phish every two weeks or so, it takes me about two or three minutes to report it. No skin off my nose, really. Do you like phishers, or getting their bait in your email? Do you think it's OK for them to scam people, just because you don't know the victims in advance?

        The faster anybody responds, the faster the phishing web host can be taken down, and the fewer people can be scammed. Fewer victims == fewer profits for the phishers.

        They annoy me. A lot. The least I can do is annoy the

    • by jdigriz (676802)
      Same here John. Phuk the phishers, I say.
    • by winkydink (650484) * <sv.dude@gmail.com> on Friday September 15, 2006 @07:08PM (#16117643) Homepage Journal
      Many of them now say something to the effect of the customer having take "reasonable care" to protect themselves from identity theft / being hacked. If you don't, then no money back for you.

      • by Jack Pallance (998237) on Friday September 15, 2006 @08:48PM (#16118115) Homepage Journal
        Funny story, I opened a checking account a couple of years ago and I was wondering if there was any possiblity of protecting my account by requiring all withdrawals be made at the bank or by check (No EFTs from websites, etc). Of course, this isn't possible because of the way the banking system works (banks don't send actual checks to each other, they just send the information electronicly, the same as an EFT).

        The funny part is, when I asked the branch manager what could be done, he tole me, "Just don't give your account number to anyone." Basicly, he told me to never use any checks from my account, because ALL OF THEM HAVE MY ACCOUNT NUMBER! If I write a check to someone, he can then take the check, go onto the Internets, and sign up for pron using CCBill and the account number at the bottom of my check.

        Thanks Mr. Manager!!

    • Same here (Score:3, Insightful)

      by p51d007 (656414)
      ANY suspicious mail that falls into my hotmail box (usually paypal, or ebay) I immediately go to the official sites and send them as much as I can. Usually, within an hour or so, the site in question has been taken down. If more people like us (hard core computer users) would take the lead in reporting phishers as quickly as possible, instead of deleting the junk mail, maybe it would help cut down on phishers. It only takes a minute or two to report them. Also, if we could do what we can with our relativ
  • by Anonymous Crowhead (577505) on Friday September 15, 2006 @06:19PM (#16117329)
    A little tough love. Hit 'em where it hurts and maybe they'll learn. If I got scammed on the web, I'd feel like such a fool I probably wouldn't bother seeking a refund.
    • Re: (Score:3, Insightful)

      by soft_guy (534437)
      It isn't clear to me that you have to do anything wrong to be the victim of fraud. The banks need to come up with a method to combat financial fraud, or they need to absorb losses as the cost of doing business. Bankrupting individuals isn't the answer.
      • Re: (Score:3, Insightful)

        by secolactico (519805)
        It isn't clear to me that you have to do anything wrong to be the victim of fraud.

        You haven't done anything wrong, neither has the bank. How are phishing emails different than, say, somebody calling you on the phone pretending to be from your bank's credit card department? If you fall for it, who should be responsible? The customer for not being more careful? The bank for not making it more difficult for people to impersonate customers (and at the same time making it more difficult for honest people to
        • by plover (150551) * on Friday September 15, 2006 @06:44PM (#16117495) Homepage Journal
          Actually, I think the pressure to improve security will eventually come from insurance and lawsuits.

          Given a few large lawsuits, banks will probably have to sign up for fraud insurance. But if their insurers set their rates based on an assesors' estimate of their security, it'll be in their best interests to improve security to get the cheapest policy possible.

          It's how the civil court system and capitalism are supposed to work, anyway. It may just take time (and no freakin' governmental interference by passing "tort reform" limiting the banks' liability, otherwise there will be no financial incentive at all.)

          • by vijayiyer (728590)
            And, as usual, the informed people will end up subsidizing the ignorant. This is not a security issue, so the banks can't improve it. The banks will have to pay, either directly, or through insurance premiums. This gets passed on to the consumer. Why in the world should the banks be liable for someone impersonating them? Should you get sued for a scam artist impersonating you?
            • by LordKronos (470910) on Friday September 15, 2006 @07:27PM (#16117729) Homepage
              This is not a security issue, so the banks can't improve it.

              Of course it's a security issue. All I need to do to is get your account number and the banks routing number and I can initial an ACH electronic funds transfer against your account. There is no sort of security in place where you can whitelist banks/accounts for initiating an ACH against your account.

              Now you might say it's the customers job to better protect their info. Well guess what. You're in line at the grocery store writing out your check. See me behind you in line talking on the cell phone? Guess what...I'm not actually on the phone. I just used my camera phone to snap a photo of your check, which contains ALL of the information I'd need to get the bank to do an ACH transfer out of your account.

              Now tell me...does that still not sound like a security issue?

              • Re: (Score:3, Insightful)

                by vijayiyer (728590)
                Agreed, but this article is in the context of phishing scams. I would argue that there's a difference between someone impersonating an individual to the bank (like the example you gave), and impersonating the bank to the individual (phishing). In the case of you describe, the individual, is being impersonated, and the bank is the one involved in the transaction. I would agree that they need superior authentication systems in that case. In the case of phishing, however, the bank, through no fault of theirs,
                • Re: (Score:3, Informative)

                  by d2ksla (89385)
                  the individual, rather than the bank, should be held accountable in this scenario.

                  I don't agree.

                  The online banking security is too weak if it is based just on a piece of information (username+password). There's already been cases of viruses that do keylogging to gather online banking information for criminals.

                  The security needs to be based on a combination of something that you know (username+password), plus something you have (e.g. ATM card). No virus can steal your ATM card, and if your wallet gets stol

          • Re: (Score:3, Interesting)

            by ElleyKitten (715519)

            Given a few large lawsuits, banks will probably have to sign up for fraud insurance. But if their insurers set their rates based on an assesors' estimate of their security, it'll be in their best interests to improve security to get the cheapest policy possible.

            I think you're not understanding the concept of phishing. Phishing is where scammers pretend to be a bank or whatever so someone will give them their bank account information. It has nothing whatsoever to do with the bank's security. It doesn't

            • by terrymr (316118) * <terrymr&gmail,com> on Friday September 15, 2006 @07:46PM (#16117850)
              Huh ?

              Should it really be possible to drain somebody's account using only their account number & routing number ? Both of those pieces of information are available to anybody you give a check to for a start. Now tell me this isn't a security issue.

              • Re: (Score:3, Insightful)

                by mike2R (721965)
                TFA isn't talking about an all or nothing situation though - it's talking about banks trying to refuse to cover losses where the customer has definately been negligent.

                Take an extreme example. If I posted my online banking details here, and someone used them to drain my account, should I really be able to turn round to the bank and tell them they should refund me since it's a cost of doing business?

                Obvioulsy real cases are much more of a grey area, and to be honest I'm not to sure where I stand or wher
        • Re: (Score:3, Insightful)

          by iamacat (583406)
          How are phishing emails different than, say, somebody calling you on the phone pretending to be from your bank's credit card department? If you fall for it, who should be responsible?

          Not much. When a bank calls, Caller ID should show bank's name rather than "Private Caller" from some call center in India. When a bank sends an e-mail it should be digitally signed. My credit card should generate (say, with a keypad and LCD) one time use authorization numbers based on the charge amount. As long as the bank doe
        • Re: (Score:3, Insightful)

          by kilgortrout (674919)
          The bank has done plenty wrong - they've allowed an unauthorized party to access your account and withdraw funds. They've cultivated a business model where financial transactions can be conducted over and insecure network without adequate identity verification and they've done so knowing full well that the network is rife with phishing scams which capitalize on those weaknesses. If they can now shift any loses back to the customer, there will be no incentive for the banks to improve security.
    • Re: (Score:3, Funny)

      I probably wouldn't bother seeking a refund.

      Won't seek a refund for $200k loss???

      Bill, is that you?

  • by Skyshadow (508) * on Friday September 15, 2006 @06:20PM (#16117335) Homepage
    Hacking? Yes.
    ID theft? Yes.
    Fraud? Yes.

    Phishing? Man, I dunno -- seems to me that if you get suckered into giving someone your account information, that's kind of your own problem. It's not Paypal's fault if you actually believed that the poorly-worded email you got was actually from them because it had their logo someplace on it.

    On the other hand, this sort of thing could also seriously undermine the confidence that people have in online transactions and the like, so I can't help but wonder if maybe it isn't shortsighted not to just take the hit.
    • by whoever57 (658626)

      Phishing? Man, I dunno -- seems to me that if you get suckered into giving someone your account information, that's kind of your own problem. It's not Paypal's fault if you actually believed that the poorly-worded email you got was actually from them because it had their logo someplace on it.

      I think the issue is actually rather gray. The questions one has to ask are: what does a genuine email fromm the bank look like? Can it be easily distinguished from a phishing email? Does the bank embed links to login

      • by Skyshadow (508) *
        It's a simple sophistication issue.

        Most people (with the obvious exception of Grampa Simpson) know not to give out their credit card number to someone who calls them on the phone and asks for it, regardless of where they say they're calling from. The lesson that needs to be imparted here is along those same lines -- never click on a link embedded in an email that takes you to a web site that asks for personal information, no matter where that site seems to be.
        • by pluther (647209)

          Most people ... know not to give out their credit card number to someone who calls them on the phone and asks for it, regardless of where they say they're calling from.

          Well, you know that, and I know that, but I don't believe that most people know that.

          Several years back, while working as a data-entry temp, I spent about three months on a project fixing bad orders in one company's database. This mostly involved calling the person who'd placed the order (often after hunting down a phone number for them)

      • by plover (150551) * on Friday September 15, 2006 @06:38PM (#16117462) Homepage Journal
        a bank could perhaps continuously move the URLs for images on the bank's site

        I like that idea a lot! Use a sessionID-named folder for any URLs that have bank logos, and any requests for logos that use an expired session ID would return an image of a stopsign with the text: "STOP - ERASE ANY PERSONAL INFORMATION FROM THIS PAGE - THIS IS A FRAUDULENT WEBSITE!!! SOMEONE IS TRYING TO STEAL YOUR MONEY!!!"

        • by Gnavpot (708731)

          > a bank could perhaps continuously move the URLs for images on the bank's site

          I like that idea a lot! Use a sessionID-named folder for any URLs that have bank logos, and any requests for logos that use an expired session ID would return an image of a stopsign with the text: "STOP - ERASE ANY PERSONAL INFORMATION FROM THIS PAGE - THIS IS A FRAUDULENT WEBSITE!!! SOMEONE IS TRYING TO STEAL YOUR MONEY!!!"

          Visiting your bank through a proxy could be a really scary experience then, depending on the config

        • by cowtamer (311087)
          Microsoft Internet Explorer 7 already does this if you turn on the right option. It uses some sort of blacklist in combination with something similar to the approach you suggest. I believe gmail already has this for the e-mails it can identify...
        • by DarkProphet (114727) <chadwick_nofx&hotmail,com> on Friday September 15, 2006 @07:22PM (#16117701)
          Though the parent is funny, I am not sure why it got +4 Funny instead of +4 Insightful. This is EXACTLY what financial institutions should be doing!! It would work like gangbusters.

          Another approach that I think would work well for financial institutions is to make it unequivocally clear that they will never never ever in a million years contact their customers by any method besides snail mail. The customer should be required to sign a sheet saying they understand this before they are allowed to open an account, and it should be the responsibility of the financial institution to make sure that the customer is TOLD this, not just handed a piece of fine print to sign. I have been using online banking at 3 different institutions for approximately 5 years, and I am absolutely sure that in that time I have never recieved any e-mail from them for any reason. Paypal on the other hand... I've gotten both legitimate email and phishers.... so I just blacklist anything with paypal in the subject or content. Sure, it means they have no way to get ahold of me besides snail mail, but they shouldn't need to.

          But, perhaps I am a little too idealistic... /me sighs
          • Re: (Score:3, Informative)

            by mrbooze (49713)
            Just the opposite, banks have been pushing for *more* online contact and less snail mail. I still get paper statements mailed from Wells Fargo and every time I check my account online I get a big ad page urging me to switch to paperless online statements.

            Email alerts from banks can be very useful as well. Such as alerts of low balance or overdraft, or even unusual activity. If someone pulled a bunch of money out of my account and I don't hear about it till I get a letter in the mail days letter, by that
      • by Nurseman (161297)
        what does a genuine email fromm the bank look like?

        Simple. My bank N E V E R sends an email that requires a logon. Most banks are the same.
        DONT CLICK that link and you will be fine

    • by TXG1112 (456055)
      How do you prove that you didn't give up your account info? What if the banks security is compromised and they claim it was through phishing?

      Banks need to make their systems more secure. The fact that it is so easy to commit fraud through phishing is a problem.
    • by HiThere (15173) *
      I can see that argument with last years phish. Unfortunately, I've heard a few stories indicating that there are some phish of a new species arriving...and that they can fool "the very elect". Something about a trick where they hijack the ISP's DSN reference for the bank. So you can type http://mylocal.bank.com/ [bank.com] into your browser...and end up at a site that looks just like your bank's site, and can do man-in=the-middle interfacing with your bank account, so it can act properly.

      Personally, I avoid doing A
      • by tbo (35008)
        Something about a trick where they hijack the ISP's DSN reference for the bank. So you can type http://mylocal.bank.com/ [bank.com] into your browser...and end up at a site that looks just like your bank's site, and can do man-in=the-middle interfacing with your bank account, so it can act properly.

        That's why you type https://www.mybank.com into the browser window--the "s" means use SSL, and you'll see a dialog about bad certificates or whatever if somebody tries a man-in-the-middle attack. Now, some banks don't use
    • by Tackhead (54550)
      > On the other hand, this sort of thing could also seriously undermine the confidence that people have in online transactions and the like, so I can't help but wonder if maybe it isn't shortsighted not to just take the hit.

      Exactly. I exercise a lot more due diligence than most customers do: Hardware firewall (ingress/egress), software firewall (egress), Firefox (instead of IE) Javashit disabled (in Firefox and IE), autorun and other "conveniences" in Windows disabled, following security news, and pa

    • ETrade offers little RSA dongles and you append the everchanging 6 digit number to your passord. Might be helpful if banks offered this for regular online customers. Well, maybe if emails are delayed by the timeframe the 6 digits are valid.

      An option to restrict online access to an IP or subnet would be nice too.
    • by mrsam (12205)
      if you get suckered into giving someone your account information, that's kind of your own problem.

      I presume, then, you've never written a single check, and you do not use credit cards. Your account number is printed right there on every check you write, and your credit card account number -- which is just another kind of a bank account -- is printed right there on the face of your credit card.

      Or, perhaps, you ran a background check on every company and individual that handles your checks and credit charges
    • by aiken_d (127097)

      Man, I dunno -- seems to me that if you get suckered into giving someone your account information, that's kind of your own problem.

      I'm with you, in principle. However, how about when someone at the bank leaks your info? Hardly fair to make the customer pay in the case, and the difficulty lies in *proving* how the information was compromised. If we are going to move to a system where customers are responsible for losses due to stupidly giving out their information, the burden of proof had damned well bett

  • I don't know if I can stand to hear about countless back and forth lawsuits that are coming. Why put it off. I'll just give up the rest of my money now.
    • Re: (Score:3, Insightful)

      by CrazyJim1 (809850)
      As much as America funds other governments, I don't think Uncle Sam should pay for Ireland's banking debts. Maybe the banks in the FDIC...
      • by Telvin_3d (855514)

        As much as America funds other governments, I don't think Uncle Sam should pay for Ireland's banking debts. Maybe the banks in the FDIC...

        Considering that he US national debt is currently eight and a half trillion dollars (no, not a typo or exaggeration), I would say you have more of a case for other governments funding the US.

        If you want to see the current US national debt, check this out http://www.publicdebt.treas.gov/opd/opdpenny.htm [treas.gov]

  • by Anonymous Coward
    Phishing is no different than other scams out there. One in my area has two men dressed as workers from the water department who enter the home to "check the water pressure." While one sets to work inside the other takes the victim outside to check the faucets leaving the first to go looking for the jewlery box.

    Does the water department have to cover the cost of the missing rings? No. Then why must financial institutions?
  • No (Score:3, Interesting)

    by 4D6963 (933028) on Friday September 15, 2006 @06:23PM (#16117365)

    No

    If they did so, then all you'd have to do would be to set up a phishing site, be a victim of your own phishing and then be payed back by your bank.

    That, and also, blah blah people blah blah stupid blah blah genetic pool blah.

  • by Maxwell'sSilverLART (596756) on Friday September 15, 2006 @06:24PM (#16117369) Homepage

    "Can Banks Shift Phishing Losses to Customers?" asks the headline.

    Of course. The customers are going to pay for all losses; the correct question is, will banks make the individual who made a foolish decision pay for his mistake, or will they make all of the customers (like me) pay, in the form of reduced interest payouts, higher lender rates, increased fees, etc.?

    You don't really think the bank is going to create money to pay for the losses, do you? Make no mistake about it--banks, like every other convenient, abstract legal fiction--don't pay for anything. Individuals pay for things.

    • You don't really think the bank is going to create money to pay for the losses, do you? Make no mistake about it--banks, like every other convenient, abstract legal fiction--don't pay for anything. Individuals pay for things.

      Exactly true in the short-term, but not true in the long-term because customers can chose which bank to do business with. Banks still compete and the ones that can levy the lowest fees because they have the lowest phishing related losses will get the most business. The interesting
    • They should lower the interest they pay out to customers. They then should create free insurance up to $50k in damages to any person who loses their money through phishing. Although the crooks win until caught, this provides a safety net. Although smart people don't get all the interest they earn, everyone, smart or ignorant, will be ensured that they will never be so devastatingly hurt.
    • by Gnavpot (708731)

      f course. The customers are going to pay for all losses; the correct question is, will banks make the individual who made a foolish decision pay for his mistake, or will they make all of the customers (like me) pay, in the form of reduced interest payouts, higher lender rates, increased fees, etc.?

      I am so tired of hearing this "Company X lost Y millions. But they will just raise their prices so the customers will pay the bill".

      Ask yourself one simple question:
      If the company could earn an extra Y millions

    • Re: (Score:3, Informative)

      by jay2003 (668095)
      Clearly, you've never any taken any economics classes or you learned nothing. Your statement is only true in market segments approaching perfect competition, and there are very few of those outside farming. In market segements where sellers or services providers have market power, which banks do evidenced by their enormous profits, it's simply false to claim that all costs are passed on to customers. Often the factor that dominates prices is the marginal revenue lost by reducing prices rather the level
  • Knowing my clients (Score:3, Interesting)

    by bigattichouse (527527) on Friday September 15, 2006 @06:25PM (#16117375) Homepage
    Knowing my clients, I smell a new "insurance product" ... a general "electronic age" insurance product to cover online fraud (buyer/seller problems), identity theft and now phishing. "e-Policy" or something.
  • by Guppy06 (410832) on Friday September 15, 2006 @06:26PM (#16117384)
    1. It seems that the task of finding and catching phishers should be put to those best able to pursue them: the banks. If the customer is responsible for the loss, be prepared to see silly little class actions against phishers, with the only real victors being the lawyers.
    2. If a bank doesn't want to be held responsible for what happens to my money, I'll do the responsible thing and move my money elsewhere.
    • Re: (Score:3, Insightful)

      by pla (258480)
      If a bank doesn't want to be held responsible for what happens to my money, I'll do the responsible thing and move my money elsewhere

      Damn - Here goes a wasted mod point, but I consider this point so insightful, I must reply.

      I know people who, even in the current environment where banks bear the vast majority of the pain for most financial fraud, refuse to keep their money in the bank. They currently fall in the minority, but do exist. And not just fogies and Luddites - I know a 26YO EE who has no cre
  • Banks. (Score:5, Insightful)

    by m0rph3us0 (549631) on Friday September 15, 2006 @06:26PM (#16117386)
    The problem is that the banks aren't taking appropriate steps to identify the customer before handing over the customer's money. Banks are legislated/insured to only release money to the authorized account holder. When the customer takes reasonable steps to protect their information and follows the banks security procedures they are not responsible for loss.

    By putting in place technology that doesn't sufficiently protect the reasonable person from fraud the banks bring the liabilty to themselves. The reason you put money into the bank and pay fees is to prevent unauthorized persons from accessing your money and to provide insurance against such a loss. It is the banks job to put in-place controls and cover the losses that arise from insufficient controls. It is a balancing act between what the consumer wants to put up with in security and what they want to pay for service. It is the banks job to find the equilibrium between the cost of increased controls and the cost of fraud. After all it is the bank not the consumer who is offering the service of withdrawl over the internet.

    A good step in the right direction might be two factor authentication.
    • Re: (Score:3, Interesting)

      Remember, there are only so many blocks you can put in between an idiot and his money before he gets pissed off and takes it else where.

      Personally, Im all for banks charging phishing victims for the losses - many dont cover fraud resulting from the customer failing to take appropriate measures to protect their card details, how is failing to protect their login details any different?
  • Wouldn't it be nice if customers and banks alike used secure email? [blogspot.com]
  • by unborracho (108756)
    People that give up their info that easily deserve to have their money taken away.
  • If you send all your bank account details to some Nigerian "widow" based on the contents of an email written all in block capitals, then that's hardly the bank's problem, is it? At the other end of the scale if you visit your bank's actual website only to have your account details obtained by some cracker that managed to compromise the webserver then that is very much the bank's problem. In practice though, the vast majority of fraud is going to fall somewhere in between those two extremes, so really this
  • incentives (Score:3, Insightful)

    by brre (596949) on Friday September 15, 2006 @06:31PM (#16117411)
    If you want the party that has the most control of the security system to have the incentive to fix the problem, the bank should pay.

    If you want to take away the incentive to fix the problem from the party that has the most control of the security system, the customer should pay.

  • by sweetnjguy29 (880256) on Friday September 15, 2006 @06:32PM (#16117420) Journal
    The reason why phishing attacks work is that people are fooled into giving credit card information to what appears to be a legitimate website. This could have been avoided if the customer was more careful, but then again, we all get tricked from time to time.

    Now, why aren't flags raised when $30,000 is taken out of a bank account electronically from an unusual location? A phone call to the account holder would be nice.

    By analogy, if someone forges a check, and signs my name, and the bank cashes that check, the bank is on the hook for the cash. Also, if someone lies about their identity, and the bank doesn't verify their identity, they are also on the hook for the check. The same should be true with online transactions.

    If European banks and governments wont protect customers from fraud, online purchases will be doomed.
    • Now, why aren't flags raised when $30,000 is taken out of a bank account electronically from an unusual location? A phone call to the account holder would be nice.

      I actually know someone who fell for a phishing email. The bank called him up the next day, and asked if he had authorized two $700.00 transfers to out-of-country accounts. He said "no." and they dutifully marked it as fraud. So apparently (some) banks do monitor transactions and flag anything that looks strange.

      Similarly I've often had my
  • by vertinox (846076) on Friday September 15, 2006 @06:33PM (#16117423)
    FTFA: 1sockchuck writes to mention a Netcraft article wondering who should bear the brunt of phishing costs.

    The rational answer should be that law enforcement should persue the criminals and put a freeze on their accounts and seek retribution in monetary and jailtime punishments.

    Seriously, if we can find and freeze "terrorist" accounts, how hard is it to track where this money goes?

    I mean Phishers have to get it from a bank or ATM somewhere.

    Why don't the bank simply reverse the process and force other banks to freeze the accounts? What is preventing them?
    • You underestimate the problem. Phishing is actually a two-pronged attack -- or at least this is my experience in Australia. (Not that I've fallen victim, but I've conversed quite a bit with those that have.) The first prong of the attack is the fake bank message and website that we all know and loathe. The second prong doesn't even look remotely related: it's usually an employment scam, like the Norway Consulting Employment Scam [wa.gov.au] which is arriving in my inbox with tedious regularity.

      This is how it works. Ph

  • I have this to say about that.

    It's the TYPE of phishing that should be investigated and judged. If I verify my contact info with the bank after an elaborate security hole makes it LOOK like the bank even after typing in the bank's direct web address, yes I think I should be protected under some umbrella of some insurance policy somewhere. (BTMK, in canada, our accounts are insured up to a certain limit, separate from the banks insurance)

    If I GIVE authorization for someone to take the money, no, the respons
  • First you need to prove where the money was lost from in the first place. You can't instantly assume that it was a user falling for a phishing scam. Particularly after so many companies have been losing backup takes, customer records through social engineering, and the list goes on.

    I'm all for the victim of phishing being responsible for their own finances. After all, it was their inability to take BASIC security precautions that we have been preaching for DECADES people...not a few years, DECADES!

    Howeve
  • My online terms and conditions state that if I give out my online account and password I am responsible for their use. So if I give a phisher the information I lose. If my information is gained without my consent ot knowledge, it is their loss. So it would depend on the phishing scam. If my browser is hooked and I go directly to the real bank website I should trust the technology (sorry LOL) that I should be secure in trusting that transmitting the data of my account, password, etc. is secure. I should not
  • Banks have no way to stop foolish customers from falling into phishing traps. They could try to recover the money, but ultimately it's the customer's fault. The bank is not at fault, apart from some not using SSL on their login page to prove their identity, which customers never bother to verify anyways, and there's very little the bank can do to remedy it, unless the FDIC is willing to foot the bill.
  • justice must have a compassionate edge. because if justice is as brutal and swift as crime itself, it is no longer justice

    so yes, the people who fall for phishing schemes are stupid. but no: they do not deserve what happened to them. the punishment they receive (losing all of their funds) is not commensurate with the mistake they made. if i get in the car with a drunk driver, i am stupid. but do i deserve to get paralyzed for life in the accident that happens for my mistake? no. so do you laugh and call me a moron or grieve at my infirmity?

    whether you laugh or grieve at me is more revelatory about your own immaturity. because god forbid you ever make a little mistake in your life and suffer drastically for the consequences, right? that can never happen to you, right? yes: stupid mistakes have negative consequences. but if the negative consequences are way out of proportion to the error, you should not be so dismissive, you should demonstrate some compassion, or justice really isn't your motivation. if drastic punishment from a simple mistake happens to you, you're just going to suck it up and move on without complaining one bit, right?

    well... experience teaches me that those laughing hardest at those horribly punished for simple mistakes are also those who whine the loudest when they become victimized the same way. so yes, banks should pay for phishing schemes, and everyone here shouting "you get what you deserve" are not speaking from a position of concern for justice. they are speaking from just sort of a smug hypocritical contempt for simple human fallibility. which they apparently imagine themselves immune from, out of simple ignorance at how cruel crime can be, and how fickle fate can be
  • Maybe some others with merchant experience can back me up on this, but most of the fraud is actually assumed by the merchant.

    The abuse the banks dole out to retailers is so bad Walmart is setting up their own bank just to get a piece of the scam. http://www.fdic.gov/regulations/laws/walmart/index .html [fdic.gov] They had to drag the banks to court just to get them to stop abusing them on transaction fees.

    In the end, the merchant will pay dearly for the priviledge of accepting a payment made with phished cards. That
  • by cfulmer (3166) on Friday September 15, 2006 @06:50PM (#16117533) Homepage Journal
    The basic way money is stolen is this:

    (1) Somebody gets your account information. (Possibly through phishing, possibly just by rummaging through your mail).
    (2) They wire money out of your account.
    (3) They move the money someplace where it cannot be retrieved.

    The problem is in step 2. The banks make absolutely no verification that a transfer is authorized. When I walk into a branch, I can't just pull money out of my account without first verifying who I am. When I write a check, the bank (at least in theory) is supposed to verify that the signature on the check matches the one they have on file. But, there is no similar verification when my account is electronically drafted.

    The banks are basically betting that they'll lose less money through fraud than it would cost them to implement security on the back end. It's a calculated risk on their end. If their customers had to pay for the fraud, there would be NO incentive for them to improve security.

    Incidently, the comment that "the customers pay for it anyway" is only partially right -- customers pay for part of it through reduced interest rates and so on, but some of it also comes out of the bank's profits. Banks are generally in a competitive market and as long as there are alternatives for savings (e.g. brokerage houses), the market dictates the interest rates paid by the bank.


  • There is no cure for impersonation if you provide a con man all of the details required to impersonate you. If you fall for a phishing scam you did as much as dressed up a con man to look just like you and gave him your photo ID cards.

    In the pre-Internet days, a con man would have to work harder. You had to withdraw the money for him (like using the old Pideon Drop scam, http://en.wikipedia.org/wiki/Pigeon_drop [wikipedia.org] ).

    The bank could use things like a PIN for account access, but if you gave out our PIN, how i
  • the money is responsible beyond a certain point. Obviously the theifs are ultimately responsible but to blame the business? I don't think so. They could advertise indemnity or something to gain customers but that's an optional feature IMO.

    The business site must have some ability to validate a customer and attempt to prevent phishing site copies.

    LoB
  • So, if we put pressure on banks by making them pay, maybe they'll do things to make phishing attacks harder to carry out. Sounds good... but

    If we put pressure on customers by making them pay, maybe they'll do things that make phishing attacks harder to carry out.

    In the end, I as a customer to my own bank can entirely prevent phishing attacks on my account, through very little cost to myself. Therefore, I would like to be held responsible for phishing rather than my bank, otherwise I'll be paying for other c
  • by GekkePrutser (548776) on Friday September 15, 2006 @06:54PM (#16117559)
    I'm an account holder with Bank of Ireland, and have had several accounts with Dutch banks. ALL Dutch banks use two-factor authentication when making payments, either with a digital "calculator" device or a list of passwords, where for every payment a different password is requested, and the list renewed when it has been used up.

    Bank of Ireland, on the other hand, uses just a lame 6-digit password, your contact phone number and a 6-digit account number. Very lousy security there. I definitely don't feel safe using their internet banking facilities. Even 8 years ago my Dutch bank modem service already used 2-factor auth.

    So, yes, I feel that in this case BOI is completely to blame for this.

  • Advertising (Score:3, Funny)

    by HTH NE1 (675604) on Friday September 15, 2006 @06:54PM (#16117561)
    Phishing seems to be good advertising for banks. I'd never heard of Fifth Third Bank [53.com] until I was suddenly getting 5 phishing e-mails a day for it.
  • Historicly, if you get conned, that's your problem.

    If the bank sold phishing insurance, it would invite people to get in cahoots with the phishers.

    The simple rule for ALL online banking is this:

    All online banking transactions should be initiated by YOU. If someone who looks like the bank contacts you with something, even if it looks perfectly innocent, never trust them. Instead, hit the bank's web site as you ordinarily would, not by clicking on a link in an e-mail, but by going to their main site a

  • by jay2003 (668095) on Friday September 15, 2006 @07:00PM (#16117597)

    If someone forged your driver's license and went to the bank to withdraw your money in person, it's the bank's fault for giving it to them. Same principle should hold for online transactions. If the bank gives the wrong person your money, it's not your problem.

    If the liability moves to customers, the banks won't have any incentive to improve security. Worse, the bank will start blaming you for breeches that are completely their fault. The bank will claim you didn't protect your password when their systems are comprised and your account is drained.

  • by DaveJay (133437) on Friday September 15, 2006 @07:01PM (#16117601)
    The bank has motivation and resources to implement a solution, whereas individual customers do not. This is because banks control the technologies that phishers emulate in order to con their targets.

    For example, the company I work for is concerned about phishers stealing user accounts, by emailing links to pages that look like our corporate signin page (used for many properties in many locations, so commonly encountered on various sites by our employees.) As individual users, it was extremely difficult to tell whether the page being logged into was legitimate or not; so, the company now uses a cookie to identify you as an employee, and embed your picture (from the company's internal records) into the login page. If there's no picture of you, it's not legitimate.

    Is that foolproof? No, because other employees could get your photo and fake the login page. It certainly narrows it down to internal employees and contractors, however, and it's a step that individual employees could never have taken on their own.

    Similarly, imagine if ATM cards didn't have PINs, and possession of the card was enough to withdraw money from remote locations. Individual users couldn't do much about this, other than hold onto their card for dear life, but the banks could easily implement PIN codes so that theft of the card did not automatically enable theft of account monies.

    Again, is that foolproof? No, because some people write their PINs on their cards (duh) and some people manage to set up "fake" ATMs to collect card swipes and PINs. However, banks now use the unique identifier on the card to access the customer's name and display it before the PIN is punched -- no name means you probably shouldn't use the machine. Again, another step (still not foolproof) that individual users couldn't enact on their own.

    If a bank makes a service available, they are the ones in good position to improve the security of that service, and at some point the bank actually hands over the money based on their own assurance that the person using the service is who they say they are, using whatever method the bank provides. All of this is up to the bank, not the user, and so they should carry the liability -- if not, they can always opt to avoid providing those services that they cannot successfully protect.

    Does this absolve the users of all responsibility? No, but there are still lots of stupid things users can do -- and shouldn't -- that cause them to lose money that the bank doesn't -- and shouldn't -- have to reimburse.

    I guess you can think of it like this: if a bank's machine gives out money to the wrong person, it's the bank's fault -- and if the bank's machine gives out money to the right person, who is then mugged within half a second of the transaction, it's the user's fault.
  • Lets rephrase the question

    I run a business where I hold money for people to keep it safe from thieves.

    I give their money to a thief.

    Who is at fault ?

    Sounds like the bank is trying to skirt their responsibility, and developed an insecure method of keeping their customers money safe from theives.
  • by cycle003 (980723) on Friday September 15, 2006 @07:15PM (#16117675)

    Financial institutions have the responsibility to protect us from unauthorized access to our accounts. It should then be the burden of the institution to show that the account holder was at fault.

    However, We ALL have to take responsibility

    As a consumer,
    1) never enter personal information in response to e-mail initiated requests, etc. 2) report suspicious emails, websites, etc. 3) Use common sense (nevermind, that'll never work)

    As for the banks,
    1) Provide security measures to reduce chances of phising losses; while authentication is not perfect, it's a decent start (althoug I find it pretty annoying) 2) Educate their customers 3) Need to offer an easy, user-friendly way to report phishing (PayPal does a good job of this) 4) Make their policies clear; if they won't cover losses due to phishing attacks, we should know before putting our money in their hands 5) If they can't sustain the losses, then they need a new business model; what do banks do with those $30 fees that they love to ambush everyone with

    Now the Government,
    1) NEEDS TO PROSECUTE OFFENDERS by enforcing existing laws; it's amazing how apathetic the authorities are towards identity theft, etc. 2) Ensure laws are adequate for protecting consumers and prosecuting offenders 3) Educate the people

  • In Mexico, bankers may make fraud your problem [sptimes.com]
    by DAVID ADAMS and GINA MANFREDO
    St. Petersburg (Florida) Times, June 17, 2006

    MEXICO CITY -- One morning last July Alejandro Sanchez got a worried phone call from the branch manager at his bank.

    There had been some unusual activity on his account.

    "She asked if I had made some transfers," said Sanchez, 46. "She told me not to worry and she would call me back."

    A few hours later somber bank officials showed up at his office to advise him that his company accounts, to
  • by cutecub (136606) on Friday September 15, 2006 @07:29PM (#16117736)

    In a Wired article from last year [wired.com], Bruce Schneier said some very sensible things on this subject:

    Push the responsibility -- all of it -- for identity theft onto the financial institutions, and phishing will go away. This fraud will go away not because people will suddenly get smart and quit responding to phishing e-mails, because California has new criminal penalties for phishing, or because ISPs will recognize and delete the e-mails. It will go away because the information a criminal can get from a phishing attack won't be enough for him to commit fraud -- because the companies won't stand for all those losses.

    I think this is absolutely right. Faced with the financial losses of phishing, banks will simply institute procedures, technologies and processes to protect against fraudulent financial TRANSACTIONS. Doubtless, banks will gripe and complain about their new liability. But it was exactly this same liability that made personal credit cards viable - and gave birth to a multi-billion dollar industry.


    -Sean
    • As someone who does work in the systems of a top-10 US card issuer, I can tell you we lose over 3 million USD to fraud every MONTH. And the company I work for is nowhere close to being the biggest! (The top couple of banks are separated by a decimal place worth of volume from the rest)

      As most of you probably know, banks make money by earning a small amount of money on each of a lot of transactions. $3 million worth of loss takes a LOT of transactions.

      Every time some fraud scheme comes up on Slashdot, eve

Anything free is worth what you pay for it.

Working...