Can Banks Shift Phishing Losses to Customers?
1sockchuck writes to mention a Netcraft article wondering who should bear the brunt of phishing costs. A group of customers with the Bank of Ireland recently had $202,000 drained from their accounts by phishers. The bank initially resisted the request to refund their money, but allowed it after a suit was threatened. From the article: "The Bank of Ireland incident is one of the first public cases of a bank seeking to force phishing victims to accept financial responsibility for their losses, but it likely won't be the last. Phishing scams continue to proliferate, as Netcraft has blocked more than 100,000 URLs already in 2006, up from 41,000 in all of 2005. Financial institutions continue to cover most customer losses from unauthorized withdrawals. But after several years of intensive customer education efforts, the details of phishing cases are coming under closer scrutiny, and the effectiveness of anti-phishing efforts taken by both the customer and the bank are likely to become an issue in a larger number of cases." So, should a bank be forced to pay back a customer who has lost money to phishers? Or is it ultimately the customer's responsibility to make educated use of technology?
The banks with the helpful "report here" links also typically have helpful auto-responders, and their sites and form letters at least make it seem like they care about security. The banks who make it hard to hear from their customers usually don't reply at all. If I were shopping for a new bank, I'd definitely stay away from those that don't have an easy-to-find contact point near the front of their site. I get the impression they do not take security or phishing threats seriously at all. They'll probably be the ones that would fight their victims.
John
I like that idea a lot! Use a sessionID-named folder for any URLs that have bank logos, and any requests for logos that use an expired session ID would return an image of a stopsign with the text: "STOP - ERASE ANY PERSONAL INFORMATION FROM THIS PAGE - THIS IS A FRAUDULENT WEBSITE!!! SOMEONE IS TRYING TO STEAL YOUR MONEY!!!"
John
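An added example of the session-bound logo idea described above (not code from the original thread): logo requests carry the visitor's session ID in the URL path, a live session gets the real logo, and an expired or unknown session gets an SVG warning image instead. The `SessionStore`, `serve_logo` and `render_login_page` names, the 15-minute TTL and the placeholder logo bytes are all assumptions made for this illustration.

```python
import re
import secrets
from datetime import datetime, timedelta

# Constructed stand-in for the bank's real logo (only the PNG magic bytes are real).
LOGO_PNG = b"\x89PNG\r\n\x1a\n" + b"<constructed placeholder logo payload>"

# Assumed session lifetime; a real site would reuse its login-session expiry.
SESSION_TTL = timedelta(minutes=15)

# Only accept paths of the form /img/<session-id>/logo.png with a URL-safe token.
LOGO_PATH = re.compile(r"^/img/(?P<sid>[A-Za-z0-9_-]{16,64})/logo\.png$")

# Warning image served in place of the logo when the session is not live.
WARNING_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" width="400" height="120">'
    '<rect width="400" height="120" fill="red"/>'
    '<text x="10" y="40" fill="white" font-size="18">STOP - THIS IS A FRAUDULENT WEBSITE</text>'
    '<text x="10" y="70" fill="white" font-size="14">ERASE ANY PERSONAL INFORMATION FROM THIS PAGE</text>'
    '<text x="10" y="100" fill="white" font-size="14">SOMEONE IS TRYING TO STEAL YOUR MONEY</text>'
    "</svg>"
)


class SessionStore:
    """Minimal in-memory session table: session id -> expiry time."""

    def __init__(self):
        self._expiry = {}

    def create(self, now: datetime) -> str:
        # 24 random bytes -> 32 URL-safe characters, unguessable by a phisher.
        sid = secrets.token_urlsafe(24)
        self._expiry[sid] = now + SESSION_TTL
        return sid

    def is_active(self, sid: str, now: datetime) -> bool:
        exp = self._expiry.get(sid)
        return exp is not None and now < exp


def render_login_page(sid: str) -> str:
    """The bank's own page embeds the logo under the session-bound path."""
    return f'<img src="/img/{sid}/logo.png" alt="bank logo">'


def serve_logo(path: str, store: SessionStore, now: datetime):
    """Return (status, content_type, headers, body) for a logo request."""
    # no-store keeps the warning from being cached and replayed as the logo.
    headers = {"Cache-Control": "no-store"}
    m = LOGO_PATH.match(path)
    if m is None:
        return 404, "text/plain", headers, b"not found"
    if store.is_active(m["sid"], now):
        return 200, "image/png", headers, LOGO_PNG
    # Expired or unknown session: a copied page hotlinking this URL shows the warning.
    return 200, "image/svg+xml", headers, WARNING_SVG.encode()


if __name__ == "__main__":
    store = SessionStore()
    t0 = datetime(2006, 6, 1, 12, 0)
    sid = store.create(t0)
    print(render_login_page(sid))
    print(serve_logo(f"/img/{sid}/logo.png", store, t0)[:2])
    print(serve_logo(f"/img/{sid}/logo.png", store, t0 + SESSION_TTL)[:2])
```

The caveat a defender should keep in mind: this only catches phishing pages that hotlink the bank's logo URL; a phisher who saves a copy of the image is unaffected, so it is one layer among several, not a complete defense.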
Well, I can think of some. For example, a friend of mine got his debit card copied. He couldn't have prevented it, Arco got their computer systems compromised and all the debit-card numbers and PINs used at their at-the-pump readers stolen, and he happened to have used his card at an affected Arco station. But the bank could've easily stopped his account from being emptied. He'd made a card-present, ID-presented, signature-obtained transaction in San Jose, CA. 4 hours later, his card was used at an ATM in Thailand and his account emptied in $100-200 increments; it took quite a few transactions to completely drain his account. Now, any basic security profiling should've raised red flags: he's never used his card outside the US, these are cash withdrawals in a country that's known as a source of financial fraud, and it's physically not possible for a person to have gotten from San Jose to Thailand in 4 hours. All the bank would've had to do is refuse that first ATM withdrawal with a message to contact his bank and that would've been the end of the theft before it began. But they allowed all those transactions without questioning them. That's definitely not reasonable care on the part of the bank.
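The "basic security profiling" the comment above describes, written out as an added example (not code from the thread or from any bank): each transaction is compared against the account's approved history for impossible travel, first-ever foreign use and foreign cash withdrawals, and the first declined transaction is kept out of the history so every later one is still judged against the last genuine purchase. The coordinates, the 1000 km/h plausibility threshold and the sample transactions are constructed for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import atan2, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Assumed threshold: no commercial flight sustains this, so a faster implied
# trip between two card uses means one of them was not made by the cardholder.
MAX_PLAUSIBLE_SPEED_KMH = 1000.0

# Constructed approximate coordinates for the two cities in the story.
SAN_JOSE = (37.34, -121.89)
BANGKOK = (13.76, 100.50)


@dataclass(frozen=True)
class Transaction:
    ts: datetime
    lat: float
    lon: float
    country: str
    kind: str      # "pos" = card present at a merchant, "atm_cash" = cash withdrawal
    amount: float


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * atan2(sqrt(a), sqrt(1 - a))


def implied_speed_kmh(prev: Transaction, cur: Transaction) -> float:
    """Speed the cardholder would have needed to travel between the two uses."""
    hours = (cur.ts - prev.ts).total_seconds() / 3600.0
    distance = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    if hours <= 0:
        return float("inf") if distance > 0 else 0.0
    return distance / hours


def flag_transaction(history, cur: Transaction, home_country="US"):
    """Return the list of reasons to decline `cur` given the approved history."""
    reasons = []
    if history:
        speed = implied_speed_kmh(history[-1], cur)
        if speed > MAX_PLAUSIBLE_SPEED_KMH:
            reasons.append(f"impossible travel: {speed:.0f} km/h since last approved use")
    if cur.country != home_country and all(t.country == home_country for t in history):
        reasons.append(f"first-ever use outside {home_country}")
    if cur.kind == "atm_cash" and cur.country != home_country:
        reasons.append("cash withdrawal abroad")
    return reasons


def screen(transactions):
    """Process transactions in order; declined ones never enter the history."""
    approved, decisions = [], []
    for tx in transactions:
        reasons = flag_transaction(approved, tx)
        if reasons:
            decisions.append(("DECLINE", tx, reasons))
        else:
            decisions.append(("APPROVE", tx, []))
            approved.append(tx)
    return decisions


# Constructed sample: two genuine purchases in San Jose, then the cloned card
# withdrawing cash in Thailand four hours after the last genuine use.
SAMPLE_TRANSACTIONS = [
    Transaction(datetime(2006, 6, 1, 9, 0), *SAN_JOSE, "US", "pos", 42.50),
    Transaction(datetime(2006, 6, 1, 10, 0), *SAN_JOSE, "US", "pos", 18.00),
    Transaction(datetime(2006, 6, 1, 14, 0), *BANGKOK, "TH", "atm_cash", 200.00),
    Transaction(datetime(2006, 6, 1, 14, 5), *BANGKOK, "TH", "atm_cash", 200.00),
    Transaction(datetime(2006, 6, 1, 14, 10), *BANGKOK, "TH", "atm_cash", 100.00),
]

if __name__ == "__main__":
    for verdict, tx, reasons in screen(SAMPLE_TRANSACTIONS):
        print(verdict, tx.ts, tx.country, tx.kind, tx.amount, reasons)
```

Because a declined withdrawal is not added to the history, the second and third Thai withdrawals are still measured against the San Jose purchase and declined too, which is the "end of the theft before it began" outcome the comment asks for.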
Many of them now say something to the effect of the customer having to take "reasonable care" to protect themselves from identity theft / being hacked. If you don't, then no money back for you.
Financial institutions have the responsibility to protect us from unauthorized access to our accounts. It should then be the burden of the institution to show that the account holder was at fault.
However, we ALL have to take responsibility.
As a consumer,
1) Never enter personal information in response to e-mail initiated requests, etc.
2) Report suspicious emails, websites, etc.
3) Use common sense (never mind, that'll never work)
As for the banks,
1) Provide security measures to reduce chances of phishing losses; while authentication is not perfect, it's a decent start (although I find it pretty annoying)
2) Educate their customers
3) Need to offer an easy, user-friendly way to report phishing (PayPal does a good job of this)
4) Make their policies clear; if they won't cover losses due to phishing attacks, we should know before putting our money in their hands
5) If they can't sustain the losses, then they need a new business model; what do banks do with those $30 fees that they love to ambush everyone with?
Now the Government,
1) NEEDS TO PROSECUTE OFFENDERS by enforcing existing laws; it's amazing how apathetic the authorities are towards identity theft, etc.
2) Ensure laws are adequate for protecting consumers and prosecuting offenders
3) Educate the people
Though the parent is funny, I am not sure why it got +4 Funny instead of +4 Insightful. This is EXACTLY what financial institutions should be doing!! It would work like gangbusters.
/me sighs
Another approach that I think would work well for financial institutions is to make it unequivocally clear that they will never never ever in a million years contact their customers by any method besides snail mail. The customer should be required to sign a sheet saying they understand this before they are allowed to open an account, and it should be the responsibility of the financial institution to make sure that the customer is TOLD this, not just handed a piece of fine print to sign. I have been using online banking at 3 different institutions for approximately 5 years, and I am absolutely sure that in that time I have never received any e-mail from them for any reason. Paypal on the other hand... I've gotten both legitimate email and phishers.... so I just blacklist anything with paypal in the subject or content. Sure, it means they have no way to get ahold of me besides snail mail, but they shouldn't need to.
But, perhaps I am a little too idealistic...
Two factor would make phishing harder, but what we really need is better built-in browser support for two factor auth as an extension to the HTTPS protocol.
In an ideal world, the browser supports two factor auth for access to the website via http auth, but would put up a warning that says "WARNING: Your password is being sent insecurely. (Send Anyway) ((Cancel))" if the connection is not encrypted with a properly signed cert. This authentication should require you to key in your account name, pin number, and password in separate fields and should be displayed by the browser, not as a web page that can be faked. By so doing, you basically eliminate the possibility of a phishing attack using an unencrypted channel that looks like the encrypted channel enough to fool someone into giving up the needed information.
With that single change, you have a solution that will dramatically reduce phishing attacks, as it requires the phishers to have a legitimate signed SSL cert, which means there is (in theory) a solid paper trail leading back to them. Phishing expeditions that involve SSL are very, very rare by comparison to the unsecured versions, require a much greater financial investment, are much more likely to result in a successful arrest and prosecution (because of the paper trail from obtaining the cert and the requirement that such certs are tied to a valid domain name, both of which make it harder to use hijacked machines as servers).
Unfortunately, it's a chicken and egg problem. The browser vendors probably won't add such authentication mechanisms into the browsers unless sites want it, and banking sites aren't willing to spend money on two-factor devices unless they provide a tangible benefit (and without such browser support, they really don't).