Can Banks Shift Phishing Losses to Customers?

1sockchuck writes to mention a Netcraft article wondering who should bear the brunt of phishing costs. A group of customers with the Bank of Ireland recently had $202,000 drained from their accounts by phishers. The bank initially resisted the request to refund their money, but allowed it after a suit was threatened. From the article: "The Bank of Ireland incident is one of the first public cases of a bank seeking to force phishing victims to accept financial responsibility for their losses, but it likely won't be the last. Phishing scams continue to proliferate, as Netcraft has blocked more than 100,000 URLs already in 2006, up from 41,000 in all of 2005. Financial institutions continue to cover most customer losses from unauthorized withdrawals. But after several years of intensive customer education efforts, the details of phishing cases are coming under closer scrutiny, and the effectiveness of anti-phishing efforts taken by both the customer and the bank are likely to become an issue in a larger number of cases." So, should a bank be forced to pay back a customer who has lost money to phishers? Or is it ultimately the customer's responsibility to make educated use of technology?

I say, "Yes. Yes they should."

[Anonymous Crowhead]

A little tough love. Hit 'em where it hurts and maybe they'll learn. If I got scammed on the web, I'd feel like such a fool I probably wouldn't bother seeking a refund.

Fools and their Money 2.0

[Skyshadow]

Hacking? Yes.
ID theft? Yes.
Fraud? Yes.

Phishing? Man, I dunno -- seems to me that if you get suckered into giving someone your account information, that's kind of your own problem. It's not Paypal's fault if you actually believed that the poorly-worded email you got was actually from them because it had their logo someplace on it.

On the other hand, this sort of thing could also seriously undermine the confidence that people have in online transactions and the like, so I can't help but wonder if maybe it isn't shortsighted not to just take the hit.

Re:Let Uncle Sam pay

[CrazyJim1]

As much as America funds other governments, I don't think Uncle Sam should pay for Ireland's banking debts. Maybe the banks in the FDIC...

They have to learn sometime

[Anonymous Coward]

Phishing is no different than other scams out there. One in my area has two men dressed as workers from the water department who enter the home to "check the water pressure." While one sets to work inside the other takes the victim outside to check the faucets leaving the first to go looking for the jewlery box.

Does the water department have to cover the cost of the missing rings? No. Then why must financial institutions?

"Can Banks Shift Phishing Losses to Customers?"

[Maxwell'sSilverLART]

"Can Banks Shift Phishing Losses to Customers?" asks the headline.

Of course. The customers are going to pay for all losses; the correct question is, will banks make the individual who made a foolish decision pay for his mistake, or will they make all of the customers (like me) pay, in the form of reduced interest payouts, higher lender rates, increased fees, etc.?

You don't really think the bank is going to create money to pay for the losses, do you? Make no mistake about it--banks, like every other convenient, abstract legal fiction--don't pay for anything. Individuals pay for things.

Re:I say, "Yes. Yes they should."

[soft_guy]

It isn't clear to me that you have to do anything wrong to be the victim of fraud. The banks need to come up with a method to combat financial fraud, or they need to absorb losses as the cost of doing business. Bankrupting individuals isn't the answer.

Banks.

[m0rph3us0]

The problem is that the banks aren't taking appropriate steps to identify the customer before handing over the customer's money. Banks are legislated/insured to only release money to the authorized account holder. When the customer takes reasonable steps to protect their information and follows the banks security procedures they are not responsible for loss.

By putting in place technology that doesn't sufficiently protect the reasonable person from fraud the banks bring the liabilty to themselves. The reason you put money into the bank and pay fees is to prevent unauthorized persons from accessing your money and to provide insurance against such a loss. It is the banks job to put in-place controls and cover the losses that arise from insufficient controls. It is a balancing act between what the consumer wants to put up with in security and what they want to pay for service. It is the banks job to find the equilibrium between the cost of increased controls and the cost of fraud. After all it is the bank not the consumer who is offering the service of withdrawl over the internet.

A good step in the right direction might be two factor authentication.

x.509 certificates . . .

[rbannon]

Wouldn't it be nice if customers and banks alike used secure email? [blogspot.com]

Re:I do what I can to the phishers

[plover]

I get maybe one phish every two weeks or so, it takes me about two or three minutes to report it. No skin off my nose, really. Do you like phishers, or getting their bait in your email? Do you think it's OK for them to scam people, just because you don't know the victims in advance?

The faster anybody responds, the faster the phishing web host can be taken down, and the fewer people can be scammed. Fewer victims == fewer profits for the phishers.

They annoy me. A lot. The least I can do is annoy them back by keeping their take as low as possible.

incentives

[brre]

If you want the party that has the most control of the security system to have the incentive to fix the problem, the bank should pay.

If you want to take away the incentive to fix the problem from the party that has the most control of the security system, the customer should pay.

Bands & Customers should exercise due diligenc

[sweetnjguy29]

The reason why phishing attacks work is that people are fooled into giving credit card information to what appears to be a legitimate website. This could have been avoided if the customer was more careful, but then again, we all get tricked from time to time.

Now, why aren't flags raised when $30,000 is taken out of a bank account electronically from an unusual location? A phone call to the account holder would be nice.

By analogy, if someone forges a check, and signs my name, and the bank cashes that check, the bank is on the hook for the cash. Also, if someone lies about their identity, and the bank doesn't verify their identity, they are also on the hook for the check. The same should be true with online transactions.

If European banks and governments wont protect customers from fraud, online purchases will be doomed.

Its the Phisers who should pay!

[vertinox]

FTFA: 1sockchuck writes to mention a Netcraft article wondering who should bear the brunt of phishing costs.

The rational answer should be that law enforcement should persue the criminals and put a freeze on their accounts and seek retribution in monetary and jailtime punishments.

Seriously, if we can find and freeze "terrorist" accounts, how hard is it to track where this money goes?

I mean Phishers have to get it from a bank or ATM somewhere.

Why don't the bank simply reverse the process and force other banks to freeze the accounts? What is preventing them?

Re:I say, "Yes. Yes they should."

[secolactico]

It isn't clear to me that you have to do anything wrong to be the victim of fraud.

You haven't done anything wrong, neither has the bank. How are phishing emails different than, say, somebody calling you on the phone pretending to be from your bank's credit card department? If you fall for it, who should be responsible? The customer for not being more careful? The bank for not making it more difficult for people to impersonate customers (and at the same time making it more difficult for honest people to conduct their business from afar). Insurance? (fat chance)

not true: "morons get what they deserve"

[circletimessquare]

justice must have a compassionate edge. because if justice is as brutal and swift as crime itself, it is no longer justice

so yes, the people who fall for phishing schemes are stupid. but no: they do not deserve what happened to them. the punishment they receive (losing all of their funds) is not commensurate with the mistake they made. if i get in the car with a drunk driver, i am stupid. but do i deserve to get paralyzed for life in the accident that happens for my mistake? no. so do you laugh and call me a moron or grieve at my infirmity?

whether you laugh or grieve at me is more revelatory about your own immaturity. because god forbid you ever make a little mistake in your life and suffer drastically for the consequences, right? that can never happen to you, right? yes: stupid mistakes have negative consequences. but if the negative consequences are way out of proportion to the error, you should not be so dismissive, you should demonstrate some compassion, or justice really isn't your motivation. if drastic punishment from a simple mistake happens to you, you're just going to suck it up and move on without complaining one bit, right?

well... experience teaches me that those laughing hardest at those horribly punished for simple mistakes are also those who whine the loudest when they become victimized the same way. so yes, banks should pay for phishing schemes, and everyone here shouting "you get what you deserve" are not speaking from a position of concern for justice. they are speaking from just sort of a smug hypocritical contempt for simple human fallibility. which they apparently imagine themselves immune from, out of simple ignorance at how cruel crime can be, and how fickle fate can be

Re:I say, "Yes. Yes they should."

[plover]

Actually, I think the pressure to improve security will eventually come from insurance and lawsuits.

Given a few large lawsuits, banks will probably have to sign up for fraud insurance. But if their insurers set their rates based on an assesors' estimate of their security, it'll be in their best interests to improve security to get the cheapest policy possible.

It's how the civil court system and capitalism are supposed to work, anyway. It may just take time (and no freakin' governmental interference by passing "tort reform" limiting the banks' liability, otherwise there will be no financial incentive at all.)

Of COURSE the banks should make good

[cfulmer]

The basic way money is stolen is this:

(1) Somebody gets your account information. (Possibly through phishing, possibly just by rummaging through your mail).
(2) They wire money out of your account.
(3) They move the money someplace where it cannot be retrieved.

The problem is in step 2. The banks make absolutely no verification that a transfer is authorized. When I walk into a branch, I can't just pull money out of my account without first verifying who I am. When I write a check, the bank (at least in theory) is supposed to verify that the signature on the check matches the one they have on file. But, there is no similar verification when my account is electronically drafted.

The banks are basically betting that they'll lose less money through fraud than it would cost them to implement security on the back end. It's a calculated risk on their end. If their customers had to pay for the fraud, there would be NO incentive for them to improve security.

Incidently, the comment that "the customers pay for it anyway" is only partially right -- customers pay for part of it through reduced interest rates and so on, but some of it also comes out of the bank's profits. Banks are generally in a competitive market and as long as there are alternatives for savings (e.g. brokerage houses), the market dictates the interest rates paid by the bank.

Re:My $0.02 (no pun intended)

[pla]

If a bank doesn't want to be held responsible for what happens to my money, I'll do the responsible thing and move my money elsewhere

Damn - Here goes a wasted mod point, but I consider this point so insightful, I must reply.

I know people who, even in the current environment where banks bear the vast majority of the pain for most financial fraud, refuse to keep their money in the bank. They currently fall in the minority, but do exist. And not just fogies and Luddites - I know a 26YO EE who has no credit cards, no bank account, and buys EVERYTHING with cash or money-orders.

If banks start telling people "Aww, gee, someone emptied your account using seemingly-legit info, tough luck; I guess you'll use a bit more care next time, eh?", you can expect to see the world's economies collapse overnight as people move their life saving to their mattresses.



So no, banks will stoically take the hit, as they have always done. Not just for fear of losing customers, but for fear of losing public confidence in the the ONE thing they actually "sell" - The legal fiction of fungibility of food/goods for paper, and more recently, paper for bits. If they lose that quite literally delusional association of "value" most people have for their magical green paper, game over - They go from running the world, to owning a lot of nonmagical green paper.

yes, it's the bank's problem

[jay2003]

If someone forged your driver's license and went to the bank to withdraw your money in person, it's the bank's fault for giving it to them. Same principle should hold for online transactions. If the bank gives the wrong person your money, it's not your problem.

If the liability moves to customers, the banks won't have any incentive to improve security. Worse, the bank will start blaming you for breeches that are completely their fault. The bank will claim you didn't protect your password when their systems are comprised and your account is drained.

The bank is in a better position to do something

[DaveJay]

The bank has motivation and resources to implement a solution, whereas individual customers do not. This is because banks control the technologies that phishers emulate in order to con their targets.

For example, the company I work for is concerned about phishers stealing user accounts, by emailing links to pages that look like our corporate signin page (used for many properties in many locations, so commonly encountered on various sites by our employees.) As individual users, it was extremely difficult to tell whether the page being logged into was legitimate or not; so, the company now uses a cookie to identify you as an employee, and embed your picture (from the company's internal records) into the login page. If there's no picture of you, it's not legitimate.

Is that foolproof? No, because other employees could get your photo and fake the login page. It certainly narrows it down to internal employees and contractors, however, and it's a step that individual employees could never have taken on their own.

Similarly, imagine if ATM cards didn't have PINs, and possession of the card was enough to withdraw money from remote locations. Individual users couldn't do much about this, other than hold onto their card for dear life, but the banks could easily implement PIN codes so that theft of the card did not automatically enable theft of account monies.

Again, is that foolproof? No, because some people write their PINs on their cards (duh) and some people manage to set up "fake" ATMs to collect card swipes and PINs. However, banks now use the unique identifier on the card to access the customer's name and display it before the PIN is punched -- no name means you probably shouldn't use the machine. Again, another step (still not foolproof) that individual users couldn't enact on their own.

If a bank makes a service available, they are the ones in good position to improve the security of that service, and at some point the bank actually hands over the money based on their own assurance that the person using the service is who they say they are, using whatever method the bank provides. All of this is up to the bank, not the user, and so they should carry the liability -- if not, they can always opt to avoid providing those services that they cannot successfully protect.

Does this absolve the users of all responsibility? No, but there are still lots of stupid things users can do -- and shouldn't -- that cause them to lose money that the bank doesn't -- and shouldn't -- have to reimburse.

I guess you can think of it like this: if a bank's machine gives out money to the wrong person, it's the bank's fault -- and if the bank's machine gives out money to the right person, who is then mugged within half a second of the transaction, it's the user's fault.

Re:I say, "Yes. Yes they should."

[iamacat]

How are phishing emails different than, say, somebody calling you on the phone pretending to be from your bank's credit card department? If you fall for it, who should be responsible?

Not much. When a bank calls, Caller ID should show bank's name rather than "Private Caller" from some call center in India. When a bank sends an e-mail it should be digitally signed. My credit card should generate (say, with a keypad and LCD) one time use authorization numbers based on the charge amount. As long as the bank doesn't give users a way to distinguish between legitimate and fraudulent communication, they should be responsible for the results.

Re:I say, "Yes. Yes they should."

[kilgortrout]

The bank has done plenty wrong - they've allowed an unauthorized party to access your account and withdraw funds. They've cultivated a business model where financial transactions can be conducted over and insecure network without adequate identity verification and they've done so knowing full well that the network is rife with phishing scams which capitalize on those weaknesses. If they can now shift any loses back to the customer, there will be no incentive for the banks to improve security.

Re:I say, "Yes. Yes they should."

[LordKronos]

This is not a security issue, so the banks can't improve it.

Of course it's a security issue. All I need to do to is get your account number and the banks routing number and I can initial an ACH electronic funds transfer against your account. There is no sort of security in place where you can whitelist banks/accounts for initiating an ACH against your account.

Now you might say it's the customers job to better protect their info. Well guess what. You're in line at the grocery store writing out your check. See me behind you in line talking on the cell phone? Guess what...I'm not actually on the phone. I just used my camera phone to snap a photo of your check, which contains ALL of the information I'd need to get the bank to do an ACH transfer out of your account.

Now tell me...does that still not sound like a security issue?

Bruce Schneier gets it right again...

[cutecub]

In a Wired article from last year [wired.com], Bruce Schneier said some very sensible things on this subject:

Push the responsibility -- all of it -- for identity theft onto the financial institutions, and phishing will go away. This fraud will go away not because people will suddenly get smart and quit responding to phishing e-mails, because California has new criminal penalties for phishing, or because ISPs will recognize and delete the e-mails. It will go away because the information a criminal can get from a phishing attack won't be enough for him to commit fraud -- because the companies won't stand for all those losses.

I think this is absolutely right. Faced with the financial losses of phishing, banks will simply institute procedures, technologies and processes to protect against fraudulent financial TRANSACTIONS. Doubtless, banks will gripe and complain about their new liability. But it was exactly this same liability that made personal credit cards viable - and gave birth to a multi-billion dollar industry.

-Sean

Re:I do what I can to the phishers

[Fareq]

At the same time, however, these fraudulent transactions were in fact made without permission of the account holder, and banks claim to guarantee protection against that.

Otherwise, I could print a book of checks for your account and write checks, and it'd be your fault for giving me the info to make that possible (even though a check is sufficient info).

The bank promises that only transactions actually authorized by you will be applied. The fact that someone has figured out how to trick the bank in to thinking they're talking to you does not imply that you authorized the transactions, although what you did might be exceptionally stupid.

Re:I say, "Yes. Yes they should."

[Anonymous Coward]

When a bank calls, Caller ID should show bank's name rather than "Private Caller" from some call center in India.

Ummm, you do know that Caller ID is easy to spoof, right?

Re:I say, "Yes. Yes they should."

[terrymr]

Huh ?

Should it really be possible to drain somebody's account using only their account number & routing number ? Both of those pieces of information are available to anybody you give a check to for a start. Now tell me this isn't a security issue.

Re:I say, "Yes. Yes they should."

[vijayiyer]

Agreed, but this article is in the context of phishing scams. I would argue that there's a difference between someone impersonating an individual to the bank (like the example you gave), and impersonating the bank to the individual (phishing). In the case of you describe, the individual, is being impersonated, and the bank is the one involved in the transaction. I would agree that they need superior authentication systems in that case. In the case of phishing, however, the bank, through no fault of theirs, is being impersonated. A gullible individual will likely provide any information required for a bank transfer, including the information to change the whitelist. The same gullible individual would likely not even set up such a whitelist. Since the bank isn't a party to any of this communication, I think that the individual, rather than the bank, should be held accountable in this scenario.

Can Banks Shift Phishing Losses to Customers?

[iminplaya]

I'm sure they would love to. But we must not let them. We put our money in banks because it's supposed to be more secure than keeping it under the mattress. If they don't secure our money, then we have no reason to let them keep and profit from it. Phishing is a problem because the banks are too loose, lazy, cheap, etc. etc. etc. And it's way too easy for them to simply write off the losses. And we accept anything they tell us too easily. We presently have the same problem with the government. If they shift the problem to the customer, then it will get much worse. Make it their problem, and don't allow undue inconvenience to the customer, and it will decrease dramatically. Put your money back under the mattress until they fix it. For a really quick fix, burn your credit cards.

By now, I'm sure this is all very redundant, but it doesn't make it any less important. You have the power to change things. Use it or lose it.

Re:I say, "Yes. Yes they should."

[FLEB]

There's ways involving using VOIP gateways, and also a few that just involve routing your call through so many third parties that an operator just comes on and asks "What's your number?". Also, I believe anyone with a PBX (PBX? Is that correct? I should know this.) can set their CID to whatever they want. There's another level of identification-- ANI-- that's much more difficult to spoof, but you generally have to be on the recieving end of a toll-free number to be get that info.

Same here

[p51d007]

ANY suspicious mail that falls into my hotmail box (usually paypal, or ebay) I immediately go to the official sites and send them as much as I can. Usually, within an hour or so, the site in question has been taken down. If more people like us (hard core computer users) would take the lead in reporting phishers as quickly as possible, instead of deleting the junk mail, maybe it would help cut down on phishers. It only takes a minute or two to report them. Also, if we could do what we can with our relatives (we all know they call US when something goes haywire), to explain and show them what not to do, maybe it would go away. My dad has gotten in the habit of calling me on the phone before clicking on a linked website if he isn't sure. He even called me one time when he was going to buy something online, and he didn't see "the padlock" or the https in firefox. If we can get others in the habit of what to look for, phishing could be reduced. I'd much rather take a call from a friend or family member asking if a site is legit, then have them get scammed, or their computer hosed.

Re:I do what I can to the phishers

[Static.Reality]

Otherwise, I could print a book of checks for your account and write checks, and it'd be your fault for giving me the info to make that possible (even though a check is sufficient info).

This analogy would be better if you said that you printed a book of checks and then fooled the customer to sign them all. If you sign the check, you are liable. When you give a phisher your ssn, user name, password, ect. you are essentially signing the check. No one went through your mail, found you account number and forged your signature. You were conned into giving the criminal a signed, blank check. While I feel sorry for everyone that has been through this ordeal (and I worked for a bank for five years and saw plenty of them), I don't think that the bank should be liable.

Re:I do what I can to the phishers

[2nd Post!]

Call it empathy, call it preparation, call it karma. One day you will be that idiot that got fooled by a flawless scam because you didn't help strengthen the system when you had the opportunity.

That, and every dollar the banks lose, ultimately if it isn't paid for by the scammed, it is paid for by EVERYONE ELSE, in the form of fees, insurance, taxes, and service charges.

So if you don't help stop the problem, you will pay for it in one way or another.

Bruce Schneier obviously isn't in financial IT.

[daemonenwind]

As someone who does work in the systems of a top-10 US card issuer, I can tell you we lose over 3 million USD to fraud every MONTH. And the company I work for is nowhere close to being the biggest! (The top couple of banks are separated by a decimal place worth of volume from the rest)

As most of you probably know, banks make money by earning a small amount of money on each of a lot of transactions. $3 million worth of loss takes a LOT of transactions.

Every time some fraud scheme comes up on Slashdot, everyone bitches that the banks don't do enough.
Do you really, truly think that banks aren't interested in plugging a $3 million/month leak?

The problem is that, a lot like hackers vs. DRM - or spammers vs. every geek on Earth - the people looking to break the system are always one step ahead.

Phishing will die off on the same day we geeks manage to stop the last spammer. They have similar tactics, and do at some points overlap. And, since we are much better equipped than banks to fight that battle, and we have yet to win, you can assume that day is far off.

Remember, banks are in the business of making transactions, not software. Keep in mind what you're asking them to be good at is in no way how they make money. Find/invent a solution yourself and sell it to them. I guarantee they'll be interested, so long as your answer costs less than $3 million USD/year.

Re:I do what I can to the phishers

[Pig Hogger]

If you leave your ATM card in the ATM machine with the pin in, ready to withdraw cash, would you expect your bank to reimburse you?

Darn right they should! They programmed the ATM with very poor ergonomics. My bank will not give you the cash until you pull out the card from the reader.

Re:not true: "morons get what they deserve"

[Detritus]

Many drunk drivers are not "obviously drunk". They can behave normally, even though their reflexes and judgement are substantially impaired. Are you going to give your friends a roadside sobriety test every time you get in their car?

Re:I say, "Yes. Yes they should."

[mike2R]

TFA isn't talking about an all or nothing situation though - it's talking about banks trying to refuse to cover losses where the customer has definately been negligent.

Take an extreme example. If I posted my online banking details here, and someone used them to drain my account, should I really be able to turn round to the bank and tell them they should refund me since it's a cost of doing business?

Obvioulsy real cases are much more of a grey area, and to be honest I'm not to sure where I stand or where I'd draw the line, but I do think there is at least a hypothetical level of idiocy which the banks shouldn't be obliged to compensate.