Slashdot Mirror
Can Banks Shift Phishing Losses to Customers?
1sockchuck writes to mention a Netcraft article wondering who should bear the brunt of phishing costs. A group of customers with the Bank of Ireland recently had $202,000 drained from their accounts by phishers. The bank initially resisted the request to refund their money, but allowed it after a suit was threatened. From the article: "The Bank of Ireland incident is one of the first public cases of a bank seeking to force phishing victims to accept financial responsibility for their losses, but it likely won't be the last. Phishing scams continue to proliferate, as Netcraft has blocked more than 100,000 URLs already in 2006, up from 41,000 in all of 2005. Financial institutions continue to cover most customer losses from unauthorized withdrawals. But after several years of intensive customer education efforts, the details of phishing cases are coming under closer scrutiny, and the effectiveness of anti-phishing efforts taken by both the customer and the bank are likely to become an issue in a larger number of cases." So, should a bank be forced to pay back a customer who has lost money to phishers? Or is it ultimately the customer's responsibility to make educated use of technology?
A little tough love. Hit 'em where it hurts and maybe they'll learn. If I got scammed on the web, I'd feel like such a fool I probably wouldn't bother seeking a refund.
"Can Banks Shift Phishing Losses to Customers?" asks the headline.
Of course. The customers are going to pay for all losses; the correct question is, will banks make the individual who made a foolish decision pay for his mistake, or will they make all of the customers (like me) pay, in the form of reduced interest payouts, higher lender rates, increased fees, etc.?
You don't really think the bank is going to create money to pay for the losses, do you? Make no mistake about it--banks, like every other convenient, abstract legal fiction--don't pay for anything. Individuals pay for things.
Moderate drunk! It's more fun that way!
The problem is that the banks aren't taking appropriate steps to identify the customer before handing over the customer's money. Banks are legislated/insured to only release money to the authorized account holder. When the customer takes reasonable steps to protect their information and follows the banks security procedures they are not responsible for loss.
By putting in place technology that doesn't sufficiently protect the reasonable person from fraud the banks bring the liabilty to themselves. The reason you put money into the bank and pay fees is to prevent unauthorized persons from accessing your money and to provide insurance against such a loss. It is the banks job to put in-place controls and cover the losses that arise from insufficient controls. It is a balancing act between what the consumer wants to put up with in security and what they want to pay for service. It is the banks job to find the equilibrium between the cost of increased controls and the cost of fraud. After all it is the bank not the consumer who is offering the service of withdrawl over the internet.
A good step in the right direction might be two factor authentication.
FTFA: 1sockchuck writes to mention a Netcraft article wondering who should bear the brunt of phishing costs.
The rational answer should be that law enforcement should persue the criminals and put a freeze on their accounts and seek retribution in monetary and jailtime punishments.
Seriously, if we can find and freeze "terrorist" accounts, how hard is it to track where this money goes?
I mean Phishers have to get it from a bank or ATM somewhere.
Why don't the bank simply reverse the process and force other banks to freeze the accounts? What is preventing them?
"I am the king of the Romans, and am superior to rules of grammar!"
-Sigismund, Holy Roman Emperor (1368-1437)
I like that idea a lot! Use a sessionID-named folder for any URLs that have bank logos, and any requests for logos that use an expired session ID would return an image of a stopsign with the text: "STOP - ERASE ANY PERSONAL INFORMATION FROM THIS PAGE - THIS IS A FRAUDULENT WEBSITE!!! SOMEONE IS TRYING TO STEAL YOUR MONEY!!!"
John
justice must have a compassionate edge. because if justice is as brutal and swift as crime itself, it is no longer justice
so yes, the people who fall for phishing schemes are stupid. but no: they do not deserve what happened to them. the punishment they receive (losing all of their funds) is not commensurate with the mistake they made. if i get in the car with a drunk driver, i am stupid. but do i deserve to get paralyzed for life in the accident that happens for my mistake? no. so do you laugh and call me a moron or grieve at my infirmity?
whether you laugh or grieve at me is more revelatory about your own immaturity. because god forbid you ever make a little mistake in your life and suffer drastically for the consequences, right? that can never happen to you, right? yes: stupid mistakes have negative consequences. but if the negative consequences are way out of proportion to the error, you should not be so dismissive, you should demonstrate some compassion, or justice really isn't your motivation. if drastic punishment from a simple mistake happens to you, you're just going to suck it up and move on without complaining one bit, right?
well... experience teaches me that those laughing hardest at those horribly punished for simple mistakes are also those who whine the loudest when they become victimized the same way. so yes, banks should pay for phishing schemes, and everyone here shouting "you get what you deserve" are not speaking from a position of concern for justice. they are speaking from just sort of a smug hypocritical contempt for simple human fallibility. which they apparently imagine themselves immune from, out of simple ignorance at how cruel crime can be, and how fickle fate can be
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Given a few large lawsuits, banks will probably have to sign up for fraud insurance. But if their insurers set their rates based on an assesors' estimate of their security, it'll be in their best interests to improve security to get the cheapest policy possible.
It's how the civil court system and capitalism are supposed to work, anyway. It may just take time (and no freakin' governmental interference by passing "tort reform" limiting the banks' liability, otherwise there will be no financial incentive at all.)
John
The basic way money is stolen is this:
(1) Somebody gets your account information. (Possibly through phishing, possibly just by rummaging through your mail).
(2) They wire money out of your account.
(3) They move the money someplace where it cannot be retrieved.
The problem is in step 2. The banks make absolutely no verification that a transfer is authorized. When I walk into a branch, I can't just pull money out of my account without first verifying who I am. When I write a check, the bank (at least in theory) is supposed to verify that the signature on the check matches the one they have on file. But, there is no similar verification when my account is electronically drafted.
The banks are basically betting that they'll lose less money through fraud than it would cost them to implement security on the back end. It's a calculated risk on their end. If their customers had to pay for the fraud, there would be NO incentive for them to improve security.
Incidently, the comment that "the customers pay for it anyway" is only partially right -- customers pay for part of it through reduced interest rates and so on, but some of it also comes out of the bank's profits. Banks are generally in a competitive market and as long as there are alternatives for savings (e.g. brokerage houses), the market dictates the interest rates paid by the bank.
The bank has motivation and resources to implement a solution, whereas individual customers do not. This is because banks control the technologies that phishers emulate in order to con their targets.
For example, the company I work for is concerned about phishers stealing user accounts, by emailing links to pages that look like our corporate signin page (used for many properties in many locations, so commonly encountered on various sites by our employees.) As individual users, it was extremely difficult to tell whether the page being logged into was legitimate or not; so, the company now uses a cookie to identify you as an employee, and embed your picture (from the company's internal records) into the login page. If there's no picture of you, it's not legitimate.
Is that foolproof? No, because other employees could get your photo and fake the login page. It certainly narrows it down to internal employees and contractors, however, and it's a step that individual employees could never have taken on their own.
Similarly, imagine if ATM cards didn't have PINs, and possession of the card was enough to withdraw money from remote locations. Individual users couldn't do much about this, other than hold onto their card for dear life, but the banks could easily implement PIN codes so that theft of the card did not automatically enable theft of account monies.
Again, is that foolproof? No, because some people write their PINs on their cards (duh) and some people manage to set up "fake" ATMs to collect card swipes and PINs. However, banks now use the unique identifier on the card to access the customer's name and display it before the PIN is punched -- no name means you probably shouldn't use the machine. Again, another step (still not foolproof) that individual users couldn't enact on their own.
If a bank makes a service available, they are the ones in good position to improve the security of that service, and at some point the bank actually hands over the money based on their own assurance that the person using the service is who they say they are, using whatever method the bank provides. All of this is up to the bank, not the user, and so they should carry the liability -- if not, they can always opt to avoid providing those services that they cannot successfully protect.
Does this absolve the users of all responsibility? No, but there are still lots of stupid things users can do -- and shouldn't -- that cause them to lose money that the bank doesn't -- and shouldn't -- have to reimburse.
I guess you can think of it like this: if a bank's machine gives out money to the wrong person, it's the bank's fault -- and if the bank's machine gives out money to the right person, who is then mugged within half a second of the transaction, it's the user's fault.
Well, I can think of some. For example, a friend of mine got his debit card copied. He couldn't have prevented it, Arco got their computer systems compromised and all the debit-card numbers and PINs used at their at-the-pump readers stolen, and he happened to have used his card at an affected Arco station. But the bank could've easily stopped his account from being emptied. He'd made a card-present, ID-presented, signature-obtained transaction in San Jose, CA. 4 hours later, his card was used at an ATM in Thailand and his account emptied in $100-200 increments, it took quite a few transactions to completely drain his account. Now, any basic security profiling should've raised red flags: he's never used his card outside the US, these are cash withdrawals in a country that's known as a source of financial fraud, and it's physically not possible for a person to have gotten from San Jose to Thailand in 4 hours. All the bank would've had to do is refuse that first ATM withdrawal with a message to contact his bank and that would've been the end of the theft before it began. But they allowed all those transactions without questioning them. That's definitely not reasonable care on the part of the bank.
Though the parent is funny, I am not sure why it got +4 Funny instead of +4 Insightful. This is EXACTLY what financial institutions should be doing!! It would work like gangbusters.
/me sighs
Another approach that I think would work well for financial institutions is to make it unequivocally clear that they will never never ever in a million years contact their customers by any method besides snail mail. The customer should be required to sign a sheet saying they understand this before they are allowed to open an account, and it should be the responsibility of the financial institution to make sure that the customer is TOLD this, not just handed a piece of fine print to sign. I have been using online banking at 3 different institutions for approximately 5 years, and I am absolutely sure that in that time I have never recieved any e-mail from them for any reason. Paypal on the other hand... I've gotten both legitimate email and phishers.... so I just blacklist anything with paypal in the subject or content. Sure, it means they have no way to get ahold of me besides snail mail, but they shouldn't need to.
But, perhaps I am a little too idealistic...
What could possibly hurt the security of the American people more than giving our own government the ability to hide its
This is not a security issue, so the banks can't improve it.
Of course it's a security issue. All I need to do to is get your account number and the banks routing number and I can initial an ACH electronic funds transfer against your account. There is no sort of security in place where you can whitelist banks/accounts for initiating an ACH against your account.
Now you might say it's the customers job to better protect their info. Well guess what. You're in line at the grocery store writing out your check. See me behind you in line talking on the cell phone? Guess what...I'm not actually on the phone. I just used my camera phone to snap a photo of your check, which contains ALL of the information I'd need to get the bank to do an ACH transfer out of your account.
Now tell me...does that still not sound like a security issue?
In a Wired article from last year, Bruce Schneier said some very sensible things on this subject:
I think this is absolutely right. Faced with the financial losses of phishing, banks will simply institute procedures, technologies and processes to protect against fraudulent financial TRANSACTIONS. Doubtless, banks will gripe and complain about their new liability. But it was exactly this same liability that made personal credit cards viable - and gave birth to a multi-billion dollar industry.
-Sean
At the same time, however, these fraudulent transactions were in fact made without permission of the account holder, and banks claim to guarantee protection against that.
Otherwise, I could print a book of checks for your account and write checks, and it'd be your fault for giving me the info to make that possible (even though a check is sufficient info).
The bank promises that only transactions actually authorized by you will be applied. The fact that someone has figured out how to trick the bank in to thinking they're talking to you does not imply that you authorized the transactions, although what you did might be exceptionally stupid.
Huh ?
Should it really be possible to drain somebody's account using only their account number & routing number ? Both of those pieces of information are available to anybody you give a check to for a start. Now tell me this isn't a security issue.
The funny part is, when I asked the branch manager what could be done, he tole me, "Just don't give your account number to anyone." Basicly, he told me to never use any checks from my account, because ALL OF THEM HAVE MY ACCOUNT NUMBER! If I write a check to someone, he can then take the check, go onto the Internets, and sign up for pron using CCBill and the account number at the bottom of my check.
Thanks Mr. Manager!!