Can Banks Shift Phishing Losses to Customers?
1sockchuck writes to mention a Netcraft article wondering who should bear the brunt of phishing costs. A group of customers with the Bank of Ireland recently had $202,000 drained from their accounts by phishers. The bank initially resisted the request to refund their money, but allowed it after a suit was threatened. From the article: "The Bank of Ireland incident is one of the first public cases of a bank seeking to force phishing victims to accept financial responsibility for their losses, but it likely won't be the last. Phishing scams continue to proliferate, as Netcraft has blocked more than 100,000 URLs already in 2006, up from 41,000 in all of 2005. Financial institutions continue to cover most customer losses from unauthorized withdrawals. But after several years of intensive customer education efforts, the details of phishing cases are coming under closer scrutiny, and the effectiveness of anti-phishing efforts taken by both the customer and the bank are likely to become an issue in a larger number of cases." So, should a bank be forced to pay back a customer who has lost money to phishers? Or is it ultimately the customer's responsibility to make educated use of technology?
Bank of Ireland has extremely bad security! (Score:3, Informative)
Bank of Ireland, on the other hand, uses just a lame 6-digit password, your contact phone number and a 6-digit account number. Very lousy security there. I definitely don't feel safe using their internet banking facilities. Even 8 years ago my Dutch bank modem service already used 2-factor auth.
So, yes, I feel that in this case BOI is completely to blame for this.
I have to side with the bank on this one (Score:2, Informative)
Historically, if you get conned, that's your problem.
If the bank sold phishing insurance, it would invite people to get in cahoots with the phishers.
The simple rule for ALL online banking is this:
All online banking transactions should be initiated by YOU. If someone who looks like the bank contacts you with something, even if it looks perfectly innocent, never trust them. Instead, hit the bank's web site as you ordinarily would, not by clicking on a link in an e-mail, but by going to their main site and logging in as usual. This constitutes a transaction initiated by YOU. Once logged in, you will, under many online banking systems, find something in your "message center". If it matches up with what you received via e-mail, then it really was from the bank.
It really is that simple.
Sadly, some legitimate financial institutions do put links in e-mails. Forbidding this practice would make phishing virtually impossible, so I would advocate forbidding banks to send anything containing a link in an e-mail, not even as a copy-paste. If the bank sends you a message telling you it's time to update your password, and there are no links, then you MUST initiate the transaction by their legitimate URL, and you cannot be phished unless the bank has been hacked.
If the bank is hacked, then yes, the bank is liable. This is more likely to be insurable; especially under a well-regulated banking system.
Convenient? No. But then neither is having a lock on your door.
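The rule in the comment above ("a bank message should contain no links") can be mechanised on the receiving side. The following is an added example written for this page, not code from the commenter or from any bank: it pulls every anchor out of an HTML message, reports each one, and additionally flags links whose visible text looks like a URL on a different host than the real destination, and links that point outside the bank's own domain. The message body, the bank name and the domain `examplebank.example` are constructed sample data.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a message that claims to come from a bank but carries a
# link whose visible text and real destination disagree (example data only).
SAMPLE_BANK_MAIL = """
<p>Dear customer, please confirm your details at
<a href="http://198.51.100.7/login">https://www.examplebank.example/secure</a>
within 24 hours.</p>
<p>Regards, Example Bank (hypothetical name)</p>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def host_of(url_or_text):
    """Return the hostname of a URL-looking string (scheme optional)."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return urlparse(s).hostname


# Loose test for "this visible text looks like a URL or a domain name".
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}", re.I)


def audit_bank_mail(html, bank_domain):
    """Report every link in a bank-branded message.

    Under the commenter's rule any link at all is a policy violation, so every
    anchor is returned.  Two extra flags help triage:
      disguised  - visible text is a URL on a different host than the href
      off_domain - href does not resolve to the bank's own domain
    """
    findings = []
    for href, text in extract_links(html):
        real = host_of(href)
        shown = host_of(text) if URL_LIKE.match(text) else None
        disguised = shown is not None and shown != real
        off_domain = real is None or not (
            real == bank_domain or real.endswith("." + bank_domain)
        )
        findings.append(
            {"href": href, "text": text, "disguised": disguised, "off_domain": off_domain}
        )
    return findings


if __name__ == "__main__":
    for f in audit_bank_mail(SAMPLE_BANK_MAIL, "examplebank.example"):
        print(f)
```

Run against the constructed sample, the single link is reported with both `disguised` and `off_domain` set; a message with no anchors yields an empty list, which is the state the commenter argues every bank e-mail should be in.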
Re:"Can Banks Shift Phishing Losses to Customers?" (Score:3, Informative)
Oh Dear (Score:2, Informative)
So the Bank of Ireland hasn't a clue about forged From: addresses, encourages customers to involve innocent ISPs' abuse departments, and takes no interest in pursuing malicious emails involving its own name. It suggests the police might care more about the Bank's security than the bank itself.
IMHO the BOI has no business berating its own customers for not having a clue/care, especially when they demonstrate so little themselves.
Re:Fools and their Money 2.0 (Score:3, Informative)
Email alerts from banks can be very useful as well. Such as alerts of low balance or overdraft, or even unusual activity. If someone pulled a bunch of money out of my account and I don't hear about it till I get a letter in the mail days later, by that time I'd be lucky to have anything left, and probably several days of bounced payments to go along with it.
Re:I say, "Yes. Yes they should." (Score:3, Informative)
I don't agree.
The online banking security is too weak if it is based just on a piece of information (username+password). There have already been cases of viruses that do keylogging to gather online banking information for criminals.
The security needs to be based on a combination of something that you know (username+password), plus something you have (e.g. ATM card). No virus can steal your ATM card, and if your wallet gets stolen your PIN code is hopefully unknown to the thief.
I've used online banking both in Sweden and in the US.
In the US, the online bank security seems to be about par with Slashdot's. Once someone has your username+password, they can get your money.
In Sweden most (all?) banks don't let you transfer money from your online account with just a username+password. You also need a one-time code for each transfer. These are either generated by a small device [tinyurl.com], or sent out on credit-card sized cards with ~100 codes. This is a little bit more cumbersome, but it sure feels more safe, especially when using public terminals that may have keyloggers on them.
I mean, seriously, how useful/safe is online banking if you can only use it on your own computer (because of possible keyloggers on public terminals), and even at home you have to make damn sure that you didn't get a keylogging virus through the latest security exploit???
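The two-factor scheme the comment above describes (password plus a single-use code per transfer, from either a small device or a printed code card) can be sketched from the bank's side. The following is an added example for this page, not code from the commenter or from any bank: `hotp()` is the RFC 4226 HOTP algorithm (HMAC-SHA1 over a counter, dynamically truncated), standing in for the "small device"; the code card is a set of printed one-time codes; `TransferAuthorizer` is a hypothetical server-side class that accepts a transfer only when both factors check out and never lets a code be spent twice. The password, token secret and card codes are constructed values.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a decimal code of the requested length."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


class TransferAuthorizer:
    """Hypothetical bank-side check for one account.

    Factor one: the password (something you know).
    Factor two: a single-use code from a counter-based token or from a printed
    code card (something you have).  A keylogged password alone is useless
    without a fresh code, and a captured code is useless once it has been spent.
    """

    def __init__(self, password: str, token_secret: bytes, card_codes, look_ahead: int = 5):
        # A real deployment would store a salted, slow password hash; a plain
        # SHA-256 keeps this example self-contained.
        self._pw_hash = hashlib.sha256(password.encode()).digest()
        self._token_secret = token_secret
        self._next_counter = 0          # next HOTP counter the bank expects
        self._look_ahead = look_ahead   # tolerate a few codes skipped on the device
        self._unused_card_codes = set(card_codes)

    def _password_ok(self, password: str) -> bool:
        return hmac.compare_digest(
            self._pw_hash, hashlib.sha256(password.encode()).digest()
        )

    def _consume_code(self, code: str) -> bool:
        """Accept the code once: either the next HOTP value within the
        look-ahead window (advancing the counter past it) or an unspent card
        code (removing it from the card)."""
        for c in range(self._next_counter, self._next_counter + self._look_ahead):
            if hmac.compare_digest(hotp(self._token_secret, c), code):
                self._next_counter = c + 1
                return True
        if code in self._unused_card_codes:
            self._unused_card_codes.remove(code)
            return True
        return False

    def authorize_transfer(self, password: str, code: str, amount: int):
        """Return (accepted, reason).  The code is only consumed after the
        password has been verified, so a failed first factor does not burn
        the customer's next code."""
        if not self._password_ok(password):
            return False, "password rejected"
        if not self._consume_code(code):
            return False, "one-time code missing, wrong or already used"
        return True, f"transfer of {amount} authorized"


if __name__ == "__main__":
    # Constructed account: password, token secret (the RFC 4226 test key) and a
    # short code card.
    auth = TransferAuthorizer("correct horse", b"12345678901234567890", ["4711", "0815"])
    print(auth.authorize_transfer("correct horse", "", 100))        # password alone
    print(auth.authorize_transfer("correct horse", "755224", 100))  # token code 0
    print(auth.authorize_transfer("correct horse", "755224", 100))  # replay
    print(auth.authorize_transfer("correct horse", "4711", 100))    # card code
    print(auth.authorize_transfer("correct horse", "4711", 100))    # card replay
```

The `main` block walks the scenario the commenter has in mind: a password captured by a keylogger on a public terminal gets nothing past the first line, and a code observed on the wire is rejected the moment it is replayed, whether it came from the device or the card.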
Re:Checks? Here? (Score:3, Informative)
In this case, 'sic' must stand for "spelling is correct". From Merriam-Webster:
Main Entry: 1check
Pronunciation: 'chek
Function: noun
7 : a written order directing a bank to pay money as instructed : DRAFT
Main Entry: cheque
Pronunciation: 'chek
chiefly British variant of 1CHECK 7