
Can Banks Shift Phishing Losses to Customers?

Posted by Zonk
from the gee-that'd-be-great dept.
1sockchuck writes to mention a Netcraft article wondering who should bear the brunt of phishing costs. A group of customers with the Bank of Ireland recently had $202,000 drained from their accounts by phishers. The bank initially resisted the request to refund their money, but allowed it after a suit was threatened. From the article: "The Bank of Ireland incident is one of the first public cases of a bank seeking to force phishing victims to accept financial responsibility for their losses, but it likely won't be the last. Phishing scams continue to proliferate, as Netcraft has blocked more than 100,000 URLs already in 2006, up from 41,000 in all of 2005. Financial institutions continue to cover most customer losses from unauthorized withdrawals. But after several years of intensive customer education efforts, the details of phishing cases are coming under closer scrutiny, and the effectiveness of anti-phishing efforts taken by both the customer and the bank are likely to become an issue in a larger number of cases." So, should a bank be forced to pay back a customer who has lost money to phishers? Or is it ultimately the customer's responsibility to make educated use of technology?
  • by plover (150551) * on Friday September 15, 2006 @06:18PM (#16117326) Homepage Journal
    Whenever I receive a phishing email, I immediately capture what I can of it (including headers), then head to the legitimate site and look for a place to report it. I do this even though I am not a customer of the bank in question. Some banks like Barclay's have easy-to-find "Report fraudulent e-mail here" links, while others seem to go far out of their way to hide any contact information at all.

    The banks with the helpful "report here" links also typically have helpful auto-responders, and their sites and form letters at least make it seem like they care about security. The banks who make it hard to hear from their customers usually don't reply at all. If I were shopping for a new bank, I'd definitely stay away from those that don't have an easy-to-find contact point near the front of their site. I get the impression they do not take security or phishing threats seriously at all. They'll probably be the ones that would fight their victims.

  • by Anonymous Crowhead (577505) on Friday September 15, 2006 @06:22PM (#16117361)
    Whenever I receive a phishing email, I immediately capture what I can of it (including headers), then head to the legitimate site and look for a place to report it.

    I used to do that about spam... in 1992. Seriously, where do you find the time?
  • No (Score:3, Interesting)

    by 4D6963 (933028) on Friday September 15, 2006 @06:23PM (#16117365)

    No

    If they did so, then all you'd have to do would be to set up a phishing site, be a victim of your own phishing and then be paid back by your bank.

    That, and also, blah blah people blah blah stupid blah blah genetic pool blah.

  • Knowing my clients (Score:3, Interesting)

    by bigattichouse (527527) on Friday September 15, 2006 @06:25PM (#16117375) Homepage
    Knowing my clients, I smell a new "insurance product" ... a general "electronic age" insurance product to cover online fraud (buyer/seller problems), identity theft and now phishing. "e-Policy" or something.
  • by Guppy06 (410832) on Friday September 15, 2006 @06:26PM (#16117384)
    1. It seems that the task of finding and catching phishers should be put to those best able to pursue them: the banks. If the customer is responsible for the loss, be prepared to see silly little class actions against phishers, with the only real victors being the lawyers.
    2. If a bank doesn't want to be held responsible for what happens to my money, I'll do the responsible thing and move my money elsewhere.
  • Re:Banks. (Score:3, Interesting)

    by Richard_at_work (517087) <richardprice.gmail@com> on Friday September 15, 2006 @06:31PM (#16117408)
    Remember, there are only so many blocks you can put in between an idiot and his money before he gets pissed off and takes it elsewhere.

    Personally, I'm all for banks charging phishing victims for the losses - many don't cover fraud resulting from the customer failing to take appropriate measures to protect their card details, so how is failing to protect their login details any different?
  • by plover (150551) * on Friday September 15, 2006 @06:38PM (#16117462) Homepage Journal
    a bank could perhaps continuously move the URLs for images on the bank's site

    I like that idea a lot! Use a sessionID-named folder for any URLs that have bank logos, and any requests for logos that use an expired session ID would return an image of a stopsign with the text: "STOP - ERASE ANY PERSONAL INFORMATION FROM THIS PAGE - THIS IS A FRAUDULENT WEBSITE!!! SOMEONE IS TRYING TO STEAL YOUR MONEY!!!"

  • by noidentity (188756) on Friday September 15, 2006 @06:53PM (#16117554)
    So, if we put pressure on banks by making them pay, maybe they'll do things to make phishing attacks harder to carry out. Sounds good... but

    If we put pressure on customers by making them pay, maybe they'll do things that make phishing attacks harder to carry out.

    In the end, I as a customer to my own bank can entirely prevent phishing attacks on my account, through very little cost to myself. Therefore, I would like to be held responsible for phishing rather than my bank, otherwise I'll be paying for other customers' negligence.
  • Re:Maybe... (Score:5, Interesting)

    by Todd Knarr (15451) on Friday September 15, 2006 @07:01PM (#16117605) Homepage

    Well, I can think of some. For example, a friend of mine got his debit card copied. He couldn't have prevented it: Arco got their computer systems compromised and all the debit-card numbers and PINs used at their at-the-pump readers stolen, and he happened to have used his card at an affected Arco station. But the bank could've easily stopped his account from being emptied. He'd made a card-present, ID-presented, signature-obtained transaction in San Jose, CA. 4 hours later, his card was used at an ATM in Thailand and his account emptied in $100-200 increments; it took quite a few transactions to completely drain his account. Now, any basic security profiling should've raised red flags: he's never used his card outside the US, these are cash withdrawals in a country that's known as a source of financial fraud, and it's physically not possible for a person to have gotten from San Jose to Thailand in 4 hours. All the bank would've had to do is refuse that first ATM withdrawal with a message to contact his bank and that would've been the end of the theft before it began. But they allowed all those transactions without questioning them. That's definitely not reasonable care on the part of the bank.
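The "basic security profiling" described in that comment can be written down as a handful of checks run over a card's transaction stream. The following is an added example, not code from the thread or from any bank; the coordinates, timestamps and the 1000 km/h ceiling are constructed assumptions, and a real issuer would tune thresholds from its own data. It flags a transaction when the cardholder could not physically have travelled from the location of their last approved transaction, when a country is seen for the first time, and when cash is withdrawn abroad, and it declines with a "contact your bank" outcome rather than silently approving.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Fastest plausible speed at which a cardholder could move between two
# in-person transactions (km/h). Assumption chosen for this example.
MAX_PLAUSIBLE_SPEED_KMH = 1000.0


@dataclass
class CardTx:
    when: datetime
    country: str          # ISO country code of the terminal
    lat: float
    lon: float
    kind: str             # "purchase" or "atm_withdrawal"
    amount: float
    card_present: bool


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on Earth, in km."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def risk_flags(prev, cur, home_country, seen_countries):
    """Flags raised by transaction 'cur', given the last approved one 'prev'."""
    flags = []
    if prev is not None:
        hours = (cur.when - prev.when).total_seconds() / 3600.0
        dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
        # Distance the cardholder could not have covered since the last
        # transaction they demonstrably made in person.
        if dist > 0 and (hours <= 0 or dist / hours > MAX_PLAUSIBLE_SPEED_KMH):
            flags.append("impossible_travel")
    if cur.country != home_country and cur.country not in seen_countries:
        flags.append("first_use_in_country")
    if cur.kind == "atm_withdrawal" and cur.country != home_country:
        flags.append("foreign_cash_withdrawal")
    return flags


def screen(transactions, home_country):
    """Screen a card's transactions in time order.

    Returns a list of (tx, decision, flags). Only approved transactions
    update the card's known location, so once a withdrawal is declined as
    impossible travel, the follow-on withdrawals at the same ATM are still
    measured against the cardholder's last genuine location.
    """
    seen = {home_country}
    prev = None
    results = []
    for tx in sorted(transactions, key=lambda t: t.when):
        flags = risk_flags(prev, tx, home_country, seen)
        decision = "approve" if not flags else "decline_contact_customer"
        results.append((tx, decision, flags))
        if decision == "approve":
            seen.add(tx.country)
            prev = tx
    return results


# Constructed sample modelled on the story above: a card-present purchase in
# San Jose, then ATM withdrawals in Thailand starting four hours later.
T0 = datetime(2006, 9, 15, 12, 0)
SAMPLE = [
    CardTx(T0, "US", 37.34, -121.89, "purchase", 42.50, True),
    CardTx(T0 + timedelta(hours=4), "TH", 13.75, 100.50, "atm_withdrawal", 200.0, True),
    CardTx(T0 + timedelta(hours=4, minutes=3), "TH", 13.75, 100.50, "atm_withdrawal", 200.0, True),
    CardTx(T0 + timedelta(hours=4, minutes=6), "TH", 13.75, 100.50, "atm_withdrawal", 100.0, True),
]

if __name__ == "__main__":
    for tx, decision, flags in screen(SAMPLE, "US"):
        print(f"{tx.when:%H:%M} {tx.country} {tx.kind:15} {tx.amount:7.2f}  {decision}  {flags}")
```

Run as-is, the first purchase is approved and every Thai withdrawal is declined; the San Jose to Bangkok leg comes out at roughly 12,800 km, far beyond what four hours allow. The design point is the last-approved-location rule: an engine that updated the cardholder's location from the first fraudulent withdrawal would judge the next one as a short local hop and wave it through.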

  • by winkydink (650484) * <sv.dude@gmail.com> on Friday September 15, 2006 @07:08PM (#16117643) Homepage Journal
    Many of them now say something to the effect of the customer having to take "reasonable care" to protect themselves from identity theft / being hacked. If you don't, then no money back for you.

  • by cycle003 (980723) on Friday September 15, 2006 @07:15PM (#16117675)

    Financial institutions have the responsibility to protect us from unauthorized access to our accounts. It should then be the burden of the institution to show that the account holder was at fault.

    However, we ALL have to take responsibility

    As a consumer,
    1) Never enter personal information in response to e-mail initiated requests, etc.
    2) Report suspicious emails, websites, etc.
    3) Use common sense (never mind, that'll never work)

    As for the banks,
    1) Provide security measures to reduce chances of phishing losses; while authentication is not perfect, it's a decent start (although I find it pretty annoying)
    2) Educate their customers
    3) Need to offer an easy, user-friendly way to report phishing (PayPal does a good job of this)
    4) Make their policies clear; if they won't cover losses due to phishing attacks, we should know before putting our money in their hands
    5) If they can't sustain the losses, then they need a new business model; what do banks do with those $30 fees that they love to ambush everyone with?

    Now the Government,
    1) NEEDS TO PROSECUTE OFFENDERS by enforcing existing laws; it's amazing how apathetic the authorities are towards identity theft, etc.
    2) Ensure laws are adequate for protecting consumers and prosecuting offenders
    3) Educate the people

  • by DarkProphet (114727) <chadwick_nofx&hotmail,com> on Friday September 15, 2006 @07:22PM (#16117701)
    Though the parent is funny, I am not sure why it got +4 Funny instead of +4 Insightful. This is EXACTLY what financial institutions should be doing!! It would work like gangbusters.

    Another approach that I think would work well for financial institutions is to make it unequivocally clear that they will never never ever in a million years contact their customers by any method besides snail mail. The customer should be required to sign a sheet saying they understand this before they are allowed to open an account, and it should be the responsibility of the financial institution to make sure that the customer is TOLD this, not just handed a piece of fine print to sign. I have been using online banking at 3 different institutions for approximately 5 years, and I am absolutely sure that in that time I have never received any e-mail from them for any reason. PayPal on the other hand... I've gotten both legitimate email and phishers.... so I just blacklist anything with paypal in the subject or content. Sure, it means they have no way to get ahold of me besides snail mail, but they shouldn't need to.

    But, perhaps I am a little too idealistic... /me sighs
  • by ElleyKitten (715519) <kittensunrise@@@gmail...com> on Friday September 15, 2006 @07:27PM (#16117731) Journal
    Given a few large lawsuits, banks will probably have to sign up for fraud insurance. But if their insurers set their rates based on an assessors' estimate of their security, it'll be in their best interests to improve security to get the cheapest policy possible.
    I think you're not understanding the concept of phishing. Phishing is where scammers pretend to be a bank or whatever so someone will give them their bank account information. It has nothing whatsoever to do with the bank's security. It doesn't involve the bank's website, the bank's databases, or anything else the bank can control. It involves a fake email and a fake website and a confused person. In fact, I'm sure if a bank totally stopped doing online transactions altogether they'd still have a few customers fall victim to phishing. There just isn't much banks can do to stop it.

    It's unfortunate, but unless the phishers can be found (which is pretty much never) the customer has to be the one to bear responsibility. They need to keep track of who they give their information to, and while they don't deserve to lose all their money, others who didn't make the mistake shouldn't have to take responsibility for it. It sucks, but that's life.
  • by dgatwood (11270) on Friday September 15, 2006 @07:33PM (#16117755) Journal

    Two factor would make phishing harder, but what we really need is better built-in browser support for two factor auth as an extension to the HTTPS protocol.

    In an ideal world, the browser supports two factor auth for access to the website via http auth, but would put up a warning that says "WARNING: Your password is being sent insecurely. (Send Anyway) ((Cancel))" if the connection is not encrypted with a properly signed cert. This authentication should require you to key in your account name, pin number, and password in separate fields and should be displayed by the browser, not as a web page that can be faked. By so doing, you basically eliminate the possibility of a phishing attack using an unencrypted channel that looks like the encrypted channel enough to fool someone into giving up the needed information.

    With that single change, you have a solution that will dramatically reduce phishing attacks, as it requires the phishers to have a legitimate signed SSL cert, which means there is (in theory) a solid paper trail leading back to them. Phishing expeditions that involve SSL are very, very rare by comparison to the unsecured versions, require a much greater financial investment, are much more likely to result in a successful arrest and prosecution (because of the paper trail from obtaining the cert and the requirement that such certs are tied to a valid domain name, both of which make it harder to use hijacked machines as servers).

    Unfortunately, it's a chicken and egg problem. The browser vendors probably won't add such authentication mechanisms into the browsers unless sites want it, and banking sites aren't willing to spend money on two-factor devices unless they provide a tangible benefit (and without such browser support, they really don't).

  • by CuriHP (741480) on Friday September 15, 2006 @08:39PM (#16118085)
    Funny you should mention the ATM example. I, embarrassingly, did exactly that. And you know what? My bank did reimburse it. Bank of America, if you're interested. In the long run, they'll end up making a lot more from me and my money than the $200 the incident cost them. It just makes sense for them to do it.
  • by kebes (861706) on Friday September 15, 2006 @09:01PM (#16118167) Journal
    Now, why aren't flags raised when $30,000 is taken out of a bank account electronically from an unusual location? A phone call to the account holder would be nice.

    I actually know someone who fell for a phishing email. The bank called him up the next day, and asked if he had authorized two $700.00 transfers to out-of-country accounts. He said "no." and they dutifully marked it as fraud. So apparently (some) banks do monitor transactions and flag anything that looks strange.

    Similarly I've often had my credit card company call me to confirm transactions that appeared dubious. Often within hours of making an unusual purchase, they'll respond. The response time makes me suspect that they have computers watching transactions using heuristics to pick out unusual transactions.

    So at least anecdotally, some banks are proactive enough to prevent phishing from generating losses for customers or themselves.
  • No. (Score:1, Interesting)

    by Anonymous Coward on Friday September 15, 2006 @09:46PM (#16118358)
    No. Absolutely should the user take some of the blame. The bank is POWERLESS to keep all these phishing incidents from happening. Some, sure, but never all.

    If there's one thing we know, phishers sure are clever. However, short of a full blown DNA test and firstborn in a cage as collateral, some bad guy somewhere is going to figure out how to collect stuff from careless users who then get their accounts cleared out.

    Just to be clear, I work with (not for) bankers, and I have developed a strong hatred for them, and fear for my money every day with some of the shit I see them doing. (Stops to check anonymous checkbox.) However, the users are stupid stupid stupid.

    It would be relatively easy for a banker to add an auditing guideline (which they have lots of already) that checks off a list of due diligence stuff they could do:

    - HTTP-Referer analysis on online banking sites to catch images being used
    - Image remote linking blockage (makes the phisher rehost them, and completely blocks some scripts and emails that phishers use)
    - NEVER, I mean FUCKING NEVER emailing a user for anything but "come log in for your e-statement" in plain text. I see this all the time, stupid HTML shit emails with links all over coming FROM THE BANK's inept marketing department. Then the same damn email two days later from a phisher.
    - Force users to use SSL for every part of the web site, every time for all pages.
    - General education, etc.
    - A FREAKING RESPONSE PLAN. I get calls "what do I do" to which I say "I dunno, you are the security officer, I just sold you the hard drive, you figure it out." If the guy is linking to your page for images, CHANGE THE IMAGE, PUT GOATSE or something out there!

    All of this, and users STILL get halfway or all the way through the "what's your dog's name and SSN" forms before figuring out it's bad.

    90% of the time, the user has missed some obvious clue that should send alarm bells off in their heads. Sure, the banks need to get way more educated than they are (small banks have _no_ expertise on this stuff, and big banks have the IT ivory tower that never gets in the trenches with the marketing department, the tellers, and the phone answerers to teach them).

    So the bankers need to get on the ball and have a list of things they have done, and some simple training and a response plan. They can't force people to learn how to prevent this. So they shouldn't be held responsible if they do basic steps.

    Too bad it means more stuff for the ignorant "auditors" to do (outside Government) and some arbitrary plan that can get done by some consultant that splits as soon as it is done. But come on, users need to figure some of this out.
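Two of the items in that list, Referer analysis and blocking remote linking of images, are the same idea plover floated earlier in the thread (session-ID-named image folders that return a stop sign once the session is gone). The following added example, which is neither code from this thread nor any bank's, shows both halves together: a gate that decides whether an image request gets the real logo or the stop sign, and an access-log scan that counts image hits per foreign Referer host. The host names, session ids, log lines and the 15-minute session lifetime are constructed for the example.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Hosts that may legitimately embed the bank's images (constructed names).
OWN_HOSTS = {"www.example-bank.test", "example-bank.test"}
SESSION_TTL = timedelta(minutes=15)
# Image URLs carry the session id in the path, e.g. /img/s/<session>/logo.png
SESSION_PATH = re.compile(r"^/img/s/([A-Za-z0-9]+)/")
# Combined log format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$'
)


def referer_host(referer):
    """Hostname from a Referer value, or None when the browser sent none."""
    if not referer or referer == "-":
        return None
    return urlparse(referer).hostname


def image_decision(path, referer, sessions, now):
    """Return 'serve' or 'stop_sign' for a request to one of the bank's images.

    sessions maps session id -> datetime the session was last seen.
    """
    host = referer_host(referer)
    if host is not None and host not in OWN_HOSTS:
        return "stop_sign"       # a page on a foreign host is embedding our image
    m = SESSION_PATH.match(path)
    if m is None:
        return "stop_sign"       # unkeyed image URL copied from an old page
    last_seen = sessions.get(m.group(1))
    if last_seen is None or now - last_seen > SESSION_TTL:
        return "stop_sign"       # session unknown or expired
    return "serve"


def parse_line(line):
    """Parse one combined-format access log line into a dict (None if malformed)."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ip, ts, method, path, status, referer = m.groups()
    return {
        "ip": ip,
        "when": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
        "method": method,
        "path": path,
        "status": int(status),
        "referer": referer,
    }


def hotlink_report(lines):
    """Count image hits per foreign Referer host (the Referer analysis step)."""
    counts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith("/img/"):
            continue
        host = referer_host(rec["referer"])
        if host is not None and host not in OWN_HOSTS:
            counts[host] = counts.get(host, 0) + 1
    return counts


# Constructed log lines: two genuine hits, two from a look-alike page on a
# foreign host, and one with no Referer at all.
SAMPLE_LOG = [
    '10.0.0.1 - - [15/Sep/2006:18:00:01 +0000] "GET /img/s/k3j5h2/logo.png HTTP/1.1" 200 812 "http://www.example-bank.test/login" "Mozilla/5.0"',
    '10.0.0.1 - - [15/Sep/2006:18:00:02 +0000] "GET /img/s/k3j5h2/lock.png HTTP/1.1" 200 300 "http://www.example-bank.test/login" "Mozilla/5.0"',
    '10.0.0.9 - - [15/Sep/2006:18:05:10 +0000] "GET /img/logo.png HTTP/1.1" 200 812 "http://account-verify.example/index.php" "Mozilla/5.0"',
    '10.0.0.9 - - [15/Sep/2006:18:05:11 +0000] "GET /img/lock.png HTTP/1.1" 200 300 "http://account-verify.example/index.php" "Mozilla/5.0"',
    '10.0.0.7 - - [15/Sep/2006:18:06:00 +0000] "GET /img/logo.png HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
]


def demo_decisions():
    """Gate decisions for a live session, a foreign embed, an unkeyed URL and an expired session."""
    now = datetime(2006, 9, 15, 18, 10)
    sessions = {"k3j5h2": now - timedelta(minutes=2), "old999": now - timedelta(minutes=30)}
    return (
        image_decision("/img/s/k3j5h2/logo.png", "http://www.example-bank.test/login", sessions, now),
        image_decision("/img/s/k3j5h2/logo.png", "http://account-verify.example/index.php", sessions, now),
        image_decision("/img/logo.png", "-", sessions, now),
        image_decision("/img/s/old999/logo.png", "-", sessions, now),
    )


if __name__ == "__main__":
    print(hotlink_report(SAMPLE_LOG))
    print(demo_decisions())
```

A missing Referer is deliberately not treated as hostile, since some browsers and proxies strip it, which is why the session-keyed path carries the decision in that case. Neither check helps once the images have been copied to the fake site's own host; as the comment says, the point is to force that rehosting and to make the foreign-Referer counts a cheap early-warning signal for the response plan.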
  • by eggoeater (704775) on Friday September 15, 2006 @09:50PM (#16118375) Journal
    The fact that someone has figured out how to trick the bank in to thinking they're talking to you does not imply that you authorized the transactions
    Trick????

    I'm a call center engineer for a large financial institution. Guess what they do to verify you are who you say you are? They ask questions. They ask for the same information people enter into the phishing sites.

    They require 3 pieces of information. (Mother's maiden, DOB, SSN, etc). Once the caller answers those questions, they HAVE TO treat the caller as the account owner and do whatever they ask. It's not a trick.
    The phishers are the ones playing the trick and deserve to be punished.
  • How Phishing Works (Score:3, Interesting)

    by The Famous Brett Wat (12688) on Friday September 15, 2006 @10:59PM (#16118586) Homepage Journal

    You underestimate the problem. Phishing is actually a two-pronged attack -- or at least this is my experience in Australia. (Not that I've fallen victim, but I've conversed quite a bit with those that have.) The first prong of the attack is the fake bank message and website that we all know and loathe. The second prong doesn't even look remotely related: it's usually an employment scam, like the Norway Consulting Employment Scam [wa.gov.au] which is arriving in my inbox with tedious regularity.

    This is how it works. Phisher P (probably located in Russia, or nearby) obtains access to the online bank account of victim V. At the same time, P also runs a job scam like the "Norway Consulting" job scam and ropes in "employee" E, who happens to have an account at the same bank. E is told that their job involves accepting payments from customers and forwarding the money via Western Union or Money Gram. (The exact pretext may change, but the money transfer part remains steadfastly constant.) So P then transfers funds from V to E, then contacts E and has him quickly withdraw the money and go make a Western Union transfer. By the time anyone realises that they've been had, P has his money and has vanished. The remaining question is whether the loss is to be borne by V for being a sucker, E for being a dupe, or all the bank's customers generally.
