Can Banks Shift Phishing Losses to Customers?

Posted by Zonk
from the gee-that'd-be-great dept.
1sockchuck writes to mention a Netcraft article wondering who should bear the brunt of phishing costs. A group of customers with the Bank of Ireland recently had $202,000 drained from their accounts by phishers. The bank initially resisted the request to refund their money, but allowed it after a suit was threatened. From the article: "The Bank of Ireland incident is one of the first public cases of a bank seeking to force phishing victims to accept financial responsibility for their losses, but it likely won't be the last. Phishing scams continue to proliferate, as Netcraft has blocked more than 100,000 URLs already in 2006, up from 41,000 in all of 2005. Financial institutions continue to cover most customer losses from unauthorized withdrawals. But after several years of intensive customer education efforts, the details of phishing cases are coming under closer scrutiny, and the effectiveness of anti-phishing efforts taken by both the customer and the bank are likely to become an issue in a larger number of cases." So, should a bank be forced to pay back a customer who has lost money to phishers? Or is it ultimately the customer's responsibility to make educated use of technology?

  • by GekkePrutser (548776) on Friday September 15, 2006 @06:54PM (#16117559)
    I'm an account holder with Bank of Ireland, and have had several accounts with Dutch banks. ALL Dutch banks use two-factor authentication when making payments, either with a digital "calculator" device or a list of passwords, where for every payment a different password is requested, and the list renewed when it has been used up.

    Bank of Ireland, on the other hand, uses just a lame 6-digit password, your contact phone number and a 6-digit account number. Very lousy security there. I definitely don't feel safe using their internet banking facilities. Even 8 years ago my Dutch bank modem service already used 2-factor auth.

    So, yes, I feel that in this case BOI is completely to blame for this.

  • by istartedi (132515) on Friday September 15, 2006 @06:58PM (#16117589) Journal

    Historically, if you get conned, that's your problem.

    If the bank sold phishing insurance, it would invite people to get in cahoots with the phishers.

    The simple rule for ALL online banking is this:

    All online banking transactions should be initiated by YOU. If someone who looks like the bank contacts you with something, even if it looks perfectly innocent, never trust them. Instead, hit the bank's web site as you ordinarily would, not by clicking on a link in an e-mail, but by going to their main site and logging in as usual. This constitutes a transaction initiated by YOU. Once logged in, you will, under many online banking systems, find something in your "message center". If it matches up with what you received via e-mail, then it really was from the bank.

    It really is that simple.

    Sadly, some legitimate financial institutions do put links in e-mails. Forbidding this practice would make phishing virtually impossible, so I would advocate forbidding banks to send anything containing a link in an e-mail, not even as a copy-paste. If the bank sends you a message telling you it's time to update your password, and there are no links, then you MUST initiate the transaction by their legitimate URL, and you cannot be phished unless the bank has been hacked.

    If the bank is hacked, then yes, the bank is liable. This is more likely to be insurable; especially under a well-regulated banking system.

    Convenient? No. But then neither is having a lock on your door.

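The "never follow the link" rule in the comment above can be turned into a mechanical check on the mail itself: does every link actually lead to the bank, and does the visible text agree with the real destination? The following is an added example, not code from the thread or from any bank; the bank domain `example-bank.ie` and both e-mail bodies are constructed for illustration.

```python
"""Flag links in a bank-branded e-mail whose real destination is not the bank.

Added example for this thread, not code from the thread or any bank.
BANK_DOMAIN and the two e-mail bodies below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

BANK_DOMAIN = "example-bank.ie"  # assumed: the domain the customer would type by hand


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Host the browser would actually connect to (handles user@host tricks), or ''."""
    return (urlsplit(url.strip()).hostname or "").lower()


def displayed_host(text):
    """Host a reader would infer from the visible link text, or '' if it isn't URL-like."""
    t = text.strip()
    if not t or " " in t or "." not in t:
        return ""
    return host_of(t if "://" in t else "//" + t)


def belongs_to(host, domain):
    return host == domain or host.endswith("." + domain)


def suspicious_links(html):
    """Return [(href, reason)] for every link that does not lead to BANK_DOMAIN."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        shown = displayed_host(text)
        reasons = []
        if not host:
            reasons.append("no host (javascript:, mailto: or relative link)")
        elif not belongs_to(host, BANK_DOMAIN):
            # Catches lookalikes such as example-bank.ie.evil.net and bank@attacker tricks
            reasons.append(f"host {host!r} is not under {BANK_DOMAIN}")
        if shown and belongs_to(shown, BANK_DOMAIN) and shown != host:
            reasons.append(f"text shows {shown!r} but the link goes to {host!r}")
        if reasons:
            findings.append((href, "; ".join(reasons)))
    return findings


# Constructed sample messages (not real mail from any bank).
LEGIT_EMAIL = (
    '<p>You have a new message. Log in at '
    '<a href="https://www.example-bank.ie/messages">your message centre</a>.</p>'
)
PHISH_EMAIL = (
    '<p>Your account is locked. Verify now: '
    '<a href="http://example-bank.ie.login-verify.net/">https://www.example-bank.ie/login</a> '
    'or <a href="https://www.example-bank.ie@203.0.113.9/update">here</a>.</p>'
)

if __name__ == "__main__":
    for name, body in (("legit", LEGIT_EMAIL), ("phish", PHISH_EMAIL)):
        for href, reason in suspicious_links(body):
            print(f"{name}: {href} -> {reason}")
```

The two tricks in the constructed phishing mail are the ones that make "it looked like the bank's address" an unreliable defence: a bank-named subdomain of an attacker's domain, and a `user@host` URL where everything before the `@` is decoration. Comparing the resolved host against the bank's registrable domain catches both; comparing it against the visible text catches the mismatch a reader would never see.
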
  • by jay2003 (668095) on Friday September 15, 2006 @07:11PM (#16117660)
    Clearly, you've never taken any economics classes or you learned nothing. Your statement is only true in market segments approaching perfect competition, and there are very few of those outside farming. In market segments where sellers or service providers have market power, which banks do, evidenced by their enormous profits, it's simply false to claim that all costs are passed on to customers. Often the factor that dominates prices is the marginal revenue lost by reducing prices rather than the level of marginal cost per unit.
  • Oh Dear (Score:2, Informative)

    by mbrett (751233) on Friday September 15, 2006 @07:35PM (#16117768)
    If you go to the Bank of Ireland's "Security and Online Fraud" page, you'll find no instructions on how to report phishing/scamming attempts to them. Instead they suggest forwarding the mail to the local Gardai/Police, or, with no smiley faces even, the abuse address of the remitter's ISP (abuse@hotmail.com, etc).

    So the Bank of Ireland hasn't a clue about forged From: addresses, encourages customers to involve innocent ISPs' abuse departments, and takes no interest in pursuing malicious emails involving its own name. It suggests the police might care more about the Bank's security than the bank itself.

    IMHO the BOI has no business berating its own customers for not having a clue/care, especially when they demonstrate so little themselves.

  • by mrbooze (49713) on Friday September 15, 2006 @07:42PM (#16117823)
    Just the opposite, banks have been pushing for *more* online contact and less snail mail. I still get paper statements mailed from Wells Fargo and every time I check my account online I get a big ad page urging me to switch to paperless online statements.

    Email alerts from banks can be very useful as well. Such as alerts of low balance or overdraft, or even unusual activity. If someone pulled a bunch of money out of my account and I don't hear about it till I get a letter in the mail days later, by that time I'd be lucky to have anything left, and probably several days of bounced payments to go along with it.
  • by d2ksla (89385) <krister AT kmlager DOT com> on Saturday September 16, 2006 @05:55AM (#16119523) Homepage
    the individual, rather than the bank, should be held accountable in this scenario.

    I don't agree.

    The online banking security is too weak if it is based just on a piece of information (username+password). There's already been cases of viruses that do keylogging to gather online banking information for criminals.

    The security needs to be based on a combination of something that you know (username+password), plus something you have (e.g. ATM card). No virus can steal your ATM card, and if your wallet gets stolen your PIN code is hopefully unknown to the thief.

    I've used online banking both in Sweden and in the US.

    In the US, the online bank security seems to be about par with Slashdot's. Once someone has your username+password, they can get your money.

    In Sweden most (all?) banks don't let you transfer money from your online account with just a username+password. You also need a one-time code for each transfer. These are either generated by a small device [tinyurl.com], or sent out on credit-card sized cards with ~100 codes. This is a little bit more cumbersome, but it sure feels more safe, especially when using public terminals that may have keyloggers on them.

    I mean, seriously, how useful/safe is online banking if you can only use it on your own computer (because of possible keyloggers on public terminals), and even at home you have to make damn sure that you didn't get a keylogging virus through the latest security exploit???

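The one-time codes that GekkePrutser and d2ksla describe come in two strengths, and the difference matters for the keylogger and phishing cases raised in the comments above. A printed list of single-use codes stops a captured code from being replayed, but a code that has not yet been used works just as well for a phisher who asks for it. A "calculator" device whose code is computed over the transfer details as well as a bank-issued challenge additionally stops malware from rewriting the amount or destination after the customer has approved it. The following is an added example, not code from the thread or from any bank. It assumes 6-digit codes, HMAC-SHA256 as the device function, and the bank displaying a counter as the challenge; the shared secret and the IBANs are sample values.

```python
"""Single-use TAN list vs. a transaction-bound challenge-response code.

Added example for this thread, not code from the thread or any bank.
Assumptions: 6-digit codes, HMAC-SHA256 as the 'calculator' function, the bank
showing a counter as the challenge. Secret and IBANs below are sample values.
"""
import hashlib
import hmac
import secrets


class TanList:
    """Paper list of one-time codes: each position may be used exactly once."""

    def __init__(self, size=100):
        self.codes = [f"{secrets.randbelow(10**6):06d}" for _ in range(size)]
        self.used = set()

    def authorize(self, index, code):
        """Bank side: accept the code printed at `index` if it is still unused."""
        if index >= len(self.codes) or index in self.used:
            return False
        if not hmac.compare_digest(self.codes[index], code):
            return False
        self.used.add(index)
        return True


def bound_code(secret, counter, amount_cents, dest_iban):
    """What the device computes: a code over the challenge AND the transfer details."""
    msg = f"{counter}|{amount_cents}|{dest_iban}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**6:06d}"


class BankWithDevice:
    """Bank side of the challenge-response scheme; shares `secret` with the device."""

    def __init__(self, secret):
        self.secret = secret
        self.counter = 0  # the challenge shown on screen; advances on success only

    def transfer(self, amount_cents, dest_iban, code):
        expected = bound_code(self.secret, self.counter, amount_cents, dest_iban)
        if not hmac.compare_digest(expected, code):
            return False
        self.counter += 1
        return True


def demo():
    """Run the keylogger, phishing and man-in-the-browser cases; return the outcomes."""
    r = {}
    tans = TanList()
    r["tan_first_use"] = tans.authorize(0, tans.codes[0])          # honest customer
    r["tan_keylogged_replay"] = tans.authorize(0, tans.codes[0])   # captured code is spent
    # Caveat: an unused code typed into a phishing page works for the phisher too.
    r["tan_phished_unused"] = tans.authorize(1, tans.codes[1])

    secret = b"demo-shared-secret-not-for-real-use"  # sample value, not a real key
    bank = BankWithDevice(secret)
    honest_dest = "NL91ABNA0417164300"                # sample IBAN
    code = bound_code(secret, bank.counter, 100_00, honest_dest)
    r["bound_honest"] = bank.transfer(100_00, honest_dest, code)

    # Customer computes a code for the next challenge; malware in the browser
    # then rewrites the destination or the amount before submitting it.
    code = bound_code(secret, bank.counter, 100_00, honest_dest)
    r["bound_tampered_dest"] = bank.transfer(100_00, "DE89370400440532013000", code)
    r["bound_tampered_amount"] = bank.transfer(5000_00, honest_dest, code)
    # The rejected attempts did not consume the challenge, so the honest submit still works
    r["bound_retry"] = bank.transfer(100_00, honest_dest, code)
    # ... and a keylogged copy of that code is now dead, because the counter moved on
    r["bound_replay"] = bank.transfer(100_00, honest_dest, code)
    return r


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24s} {'accepted' if ok else 'rejected'}")
```

The first half shows why a TAN list defeats the keylogger replay that d2ksla worries about but not a phishing page that simply asks for the next unused code; the second half shows that only a code bound to the transfer details stops malware from changing where the money goes. Even that depends on the customer checking that the amount and destination shown on the device are the ones they meant, which is the piece no bank can do for them.
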
  • Re:Checks? Here? (Score:3, Informative)

    by LordKronos (470910) on Saturday September 16, 2006 @09:38AM (#16119938) Homepage
    You're in line at the grocery store writing out your check[sic].

    In this case, 'sic' must stand for "spelling is correct". From Merriam-Webster:

    Main Entry: 1check
    Pronunciation: 'chek
    Function: noun .....
    7 : a written order directing a bank to pay money as instructed : DRAFT

    Main Entry: cheque
    Pronunciation: 'chek
    chiefly British variant of 1CHECK 7
