German Court Rules That Clients Responsible For Phishing Losses
benfrog writes "A German court has ruled that clients, not banks, are responsible for losses in phishing scams. The German Federal Court of Justice (the country's highest civil court) ruled in the case of a German retiree who lost €5,000 ($6,608) in a bank transfer fraudulently sent to Greece. According to The Local, a German news site, the man entered 10 transaction codes into a site designed to look like his bank's web site and his bank is not liable as it specifically warned against such phishing attacks."
Let's just hope that it doesn't become European law. Actually I hope the judge loses a million
These sorts of cases are really hurting the customer; banks have no reason to invest in a serious authentication scheme for online banking. It's a joke, my bank uses a password and some random question about me. At the very least they need to offer a true two-factor solution, preferably token or certificate based.
I do kind of agree with this; beyond a certain point of security measures, information campaigns and automated fraud-protection mechanisms it starts getting unreasonable to expect the banks to take financial responsibility for their customers' stupidity.
Now I agree that the bar should be set very high, but at some point you have to accept that there are very stupid people out there who will do everything in their power to circumvent the things you put in place to protect them from themselves and it's not really fair that the rest of us should have to pay to bail them out (which is essentially what happens, the banks inevitably pass on the costs of fraud to their customers).
Why did this need a court decision? It seems pretty logical to me. Banks should be praised for providing free information about phishing attacks.
Even though I agree with Zappa's plan to get rid of suckers...
All it would take is for the lawyer to ask one bank member to do one transaction. Most banks would require 2 keys.
One for login, another to complete the transaction.
Both with messages that the bank only asks one per session.
Phishing, as we all know (at least those of us who frequent sites like /.) is a scam, and we also know that we should be responsible for our own actions, however stupid they might turn out to be.
But there are people who will never want to be responsible for any of their own actions, and they will tell you that it's all the fault of that "1%", including those "banksters" and those "judges".
Many thanks, Señor Edward Snowden!
... for which the bank still is liable. In this case, the customer grossly exceeded that level IMO.
However, what I am wondering is why the Greek bank (that could not identify where the money had gone to) is not liable. That is the real problem I see here. AFAIK, a bank has to be able to cancel a transfer up to 6 weeks after the transfer at the sending bank's request. So either the customer not only gave away 10 TANs despite being warned, he also failed to notice the transfer for quite some time, or something else is amiss here that the news story does not tell.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Seriously, I don't entirely disagree with this ruling. Why should the bank pay for losses from these phishing scams? It is not like there was a breach of their systems. The breach was entirely on the client side. Am I missing something here?
I expect my bank will do what it can to protect me from scams, but they can't protect me from every stupid way I might be duped.
Since no one here seems to bother to actually find out what was going on:
German banks do use a two-factor authentication scheme:
- to log in you need your account number and a five-digit PIN
- to authorize a transaction after logging in, you need one out of 100 one-time-use 4-digit PINs; the bank issues you 100 of those at a time, and then chooses one of them randomly when you enter a transaction ("Please enter PIN number 17").
In this particular case the victim had:
- fallen for a phishing website / trojan / keylogger, even after all the warnings in the German IT press (how else would the crooks get his account number and super-PIN)
- entered at least ten different PINs on one page, which the banks specifically tell customers to NEVER do. All the bank pages have a big fat "We NEVER ask you for more than one PIN" warning label.
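The indexed one-time-code scheme described in the comment above, as an added example in Python (not code from the original thread or from any bank): the bank holds a 100-entry list per customer, challenges a random unused index per transaction, and accepts a code only if it matches that index and has never been used. The class and function names are my own; the TAN list is constructed in the demo, not issued by anyone.

```python
import secrets
from dataclasses import dataclass, field

TAN_LIST_SIZE = 100  # 100 indexed one-time codes, as in the scheme described above


@dataclass
class TanList:
    """Constructed model of the indexed code list issued to one customer."""
    tans: list                                  # tans[i] is the 4-digit code at position i + 1
    used: set = field(default_factory=set)      # positions that have already authorised something


def issue_tan_list(size: int = TAN_LIST_SIZE) -> TanList:
    """Bank side: generate a fresh list of random 4-digit codes (hypothetical issuance)."""
    return TanList(tans=[f"{secrets.randbelow(10_000):04d}" for _ in range(size)])


class Bank:
    """Hypothetical bank back end: one challenge per transaction, bound to one list position."""

    def __init__(self, tan_list: TanList):
        self.tan_list = tan_list
        self.pending = {}   # transaction id -> index the customer was asked for

    def start_transaction(self, txn_id: str) -> int:
        """The 'Please enter PIN number 17' step: pick a random position not yet consumed."""
        unused = [i for i in range(1, len(self.tan_list.tans) + 1)
                  if i not in self.tan_list.used]
        idx = secrets.choice(unused)
        self.pending[txn_id] = idx
        return idx

    def confirm_transaction(self, txn_id: str, tan: str) -> bool:
        """Accept only the code at the challenged index, and only once."""
        idx = self.pending.pop(txn_id, None)
        if idx is None:
            return False                        # nothing was challenged for this transaction
        expected = self.tan_list.tans[idx - 1]
        if idx in self.tan_list.used or not secrets.compare_digest(tan, expected):
            return False                        # wrong position, or that position already spent
        self.tan_list.used.add(idx)
        return True


if __name__ == "__main__":
    tan_list = issue_tan_list()
    bank = Bank(tan_list)
    idx = bank.start_transaction("transfer-1")
    print("bank asks for position", idx)
    print("correct code accepted:", bank.confirm_transaction("transfer-1", tan_list.tans[idx - 1]))
    idx2 = bank.start_transaction("transfer-2")
    print("replaying the spent code at a new challenge:",
          bank.confirm_transaction("transfer-2", tan_list.tans[idx - 1]))
```

The index binding is what the "never enter more than one PIN" warning protects: a single captured code is useless unless the bank happens to challenge that position, so a page asking for ten positions at once is collecting exactly the set that defeats the random challenge.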
In other news: man drank nitroglycerine then went to jump around on a trampoline, widow sues maker of nitroglycerine.
It has irked me for quite a while how lacking internet banking is in terms of security. That is not to say that the measures they have implemented are ineffective, but rather that they miss out on entire classes of security. It's as though they stick a bunch of locks on the front door, but leave the bathroom window wide open.
The most obvious one: bi-directional authentication. Banks require you to prove you are who you say you are. This is done by a variety of methods from passwords to hardware card reading gizmos which spew out a limited time code. What they neglect to do is prove that they are who they say they are.
If the first step in authenticating your identity was one which authenticated the bank's then it would be a lot harder for phishers to pretend to be your bank.
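What a "bank proves itself first" step could look like, as an added example in Python (not code from the original thread or from any bank's protocol): the client sends a nonce and refuses to send any credential until the peer answers with an HMAC that only the holder of the shared per-customer secret can compute. The `Bank`, `Phisher` and `client_login` names, the role labels and the shared-secret assumption are mine.

```python
import hashlib
import hmac
import secrets


def prove(secret: bytes, role: bytes, nonce: bytes) -> bytes:
    """HMAC over a role label and the peer's nonce. The label stops a proof made
    for one direction from being replayed as a proof for the other."""
    return hmac.new(secret, role + b":" + nonce, hashlib.sha256).digest()


class Bank:
    """The genuine bank: holds the per-customer shared secret (hypothetical)."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.nonce = None

    def answer_challenge(self, client_nonce: bytes) -> bytes:
        return prove(self.secret, b"server", client_nonce)

    def challenge(self) -> bytes:
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    def check_client(self, client_proof: bytes) -> bool:
        return hmac.compare_digest(prove(self.secret, b"client", self.nonce), client_proof)


class Phisher:
    """A look-alike site without the secret: it can only guess the proof."""

    def answer_challenge(self, client_nonce: bytes) -> bytes:
        return secrets.token_bytes(32)

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def check_client(self, client_proof: bytes) -> bool:
        return True     # would accept anything, but a careful client never gets this far


def client_login(secret: bytes, peer) -> tuple:
    """Bank-first authentication. Returns (peer_verified, client_accepted).
    The client's own proof is only released after the peer has proven itself."""
    client_nonce = secrets.token_bytes(16)
    expected = prove(secret, b"server", client_nonce)
    if not hmac.compare_digest(expected, peer.answer_challenge(client_nonce)):
        return (False, False)                   # not the bank: send nothing
    server_nonce = peer.challenge()
    return (True, peer.check_client(prove(secret, b"client", server_nonce)))


if __name__ == "__main__":
    secret = secrets.token_bytes(32)            # constructed per-customer secret
    print("real bank:", client_login(secret, Bank(secret)))
    print("phishing site:", client_login(secret, Phisher()))
```

Two caveats a practitioner should keep in mind. First, this is the same property TLS server authentication already provides when the browser checks the certificate; the value of an application-level step is that it fails loudly before a password is typed, which is the behaviour the comment asks for. Second, a live relaying site can forward the client nonce to the real bank and hand back the genuine proof, so on its own this does not defeat a real-time proxy; that needs the proof bound to the TLS channel or the transaction itself.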
#1: This happened in 2008. Since October 2009, there is new legislation in place that shifts liability to the bank (except in cases of gross negligence on the side of the customer). It's the banks that save money by offering online banking instead of traditional counters, so they are responsible for making that process secure.
#2: There is not a single bank anymore that uses plain one-time transaction codes.
#3: A few months ago another German court ruled that it's enough for a customer to have up-to-date virus software for due diligence. That's all a bank can expect from customers with typical, average computer knowledge.
#4: On the other hand (and that's the actual rationale behind this story), a bank can expect customers to understand and remember security advice along the lines of "We will never ask you for more than one transaction code in a row and we will never ask you for a transaction code at all unless you want to make a transaction in the first place".
So there is not much relevance to this story.
bickerdyke
The German judicial branch's approach is often a fascinating contrast to that of US state and federal courts. Germany has specialized highest courts for specific subject matters: tax, admin, labor, social, constitutional... and the high court in TFA.
As an example: the Bundesverfassungsgericht (the highest German conlaw court, not the highest "ordinary" court in TFA) decreed it unconstitutional to publicly print (or run big news stories about) the names of notorious, convicted criminals, once the criminals have completed their sentences and have been released. The idea is that imprisonment is supposed to be such a thing that, once a person is released, they have actually been rehabilitated to the point where they can once again function in society without posing a threat to the well-being of others.
Given the depth of the cultural grab of the US first amendment --freedom of speech, baby!-- the thought that one shouldn't be able to print the names of convicted criminals in news media probably sets off all sorts of knee-jerk 1st amendment concerns. But given the realities of prison, enforcing that the prison goals of rehabilitation and public safety over raw punishment seems to me a wise approach that I wish the US would adopt. But over here, such a concept probably sounds like something that would be characterized as deplorable, pollyannish weak liberal democrat thinking.
I've read a handful of English translations of the decisions of the Constitutional Court/Bundesverfassungsgericht (the German conlaw court, not the "ordinary" court in TFA). Last time I checked, most of the text of the most useful read I found is here: http://goo.gl/dlwi9
A bank is not required to be able to cancel money transfers, not for 6 weeks, not even for one day. That requirement only applies to debit transactions.
In fact, creating an "incentive not to be stupid" is an incredibly stupid reason that almost no court would adopt.
In this case, the bank has already taken all measures the court felt "reasonable". Ain't possible to reverse international bank transfers like one reverses credit card transfers though.
It isn't that the customer was stupid, but that the customer has exhausted the bank's serious attempt at securing their money. And trust me, German banks foist much more security upon their customers than American banks.
The Christian religion has been and still is the principal enemy of moral progress in the world. -- Bertrand Russell
My bank authenticates itself in two ways:
1) Using an Extended Validation certificate, so it shows up in green in the browser (instead of blue) and lists the full name of the bank.
2) By showing me an image and phrase I chose on the login page.
I can't really think of how they can do more to prove it is them, without really getting annoying. They also allow me to use two factor authentication (which I have elected to use) and require it when any change is being made to the account like adding a payee or the like.
Is it perfect? No but I'm not seeing a whole lot more they can do and still keep things easy.
Is it really that fucking inconvenient to do your banking *in person* and not set up online banking access at all?
For generations before internet banking took off, it was how things were done. And it worked. And still does.
It ain't hard.
From some of the comments I've read, the banks are responsible for the stupidity of individuals? Am I reading that correctly?
That it falls to a court to decide that in fact the opposite is true, and that just maybe for one tiny moment common sense kicks in and the court says "Actually, you did a dumb thing, despite the warnings all over your account literature, newspapers and broadcast media, now eat the consequences of your ill-considered actions", and the bandwagon collapses under the weight of people who bleat as one "But it's all the banks' fault! They can eat the losses!" Maybe they can, but then if one pensioner does it, and the bank eats it, how many more before it becomes too many and "too big to fail" actually... fails?
Unbefuckinglievable.
I'm with the court on this one. Idiot did idiot thing, idiot can reap the consequences.
Operation Guillotine is in effect.
Banks could also require people to show up in person at a designated branch, present five different forms of identification, sign fifteen release forms, and swear a blood oath to Odin before agreeing to any transaction whatsoever.
That's a passable description of the Medallion signature guarantee process http://www.sec.gov/answers/sigguar.htm and unsurprisingly many banks require you to go through that to transfer your IRA out of their bank but never require it when you transfer your IRA in.
IOW, only when it benefits the banks do they require high security.
How do you cancel a cash withdrawal?
What happens a lot is that financial criminals seek out greedy adolescents/young adults and ask them to "borrow" their bank account under some sort of pretext, for a small reward. On this bank account a deposit is made (usually the result of some scam, like this one), and that deposit is withdrawn in cash straight away, normally via an ATM. The debit card is then handed back to the unsuspecting (naive) owner of the bank account. Two weeks later the police knock on the door. But by then the true criminals have gone, leaving only a dead-end trail behind.
Despite you being an AC, I will answer that: This is a European case, the laws are different here.
They are as I described them. I am German.
Despite you being an AC, I will answer that:
Cash withdrawals that exceed the booked balance (i.e. plus 6 weeks in the case of a bank transfer) plus the credit limit are not possible, or are at the risk of the bank. Remember though that this is Europe; in the States this is likely very much different. I admit that my knowledge of this is a few years old. It is possible that they have changed some things.
As to your scenario: That is easy. The idiot that gave away their bank card gets full liability. Same as for "finance agents" who pass bank transfers onwards via Western Union and the like. The funky thing in this case is that the Greek bank seems to have been unable to identify who the money was paid to.
(I just lost a longer response because I followed the Options link from the preview, not knowing that if I change my options it will nuke my comment.)
First you should keep in mind that the banks love internet banking because it saves them a lot of money. And from a purely formal point of view the fraud started with the bank transferring money abroad in the mistaken belief that their customer asked them to do that. As he didn't, he can ask for his money back *unless* they can prove it was really his fault.
If you look at it with the logic of fairness and efficiency, rather than the logic of individualism, then the situation is as follows:
To minimise the fraud, the damage must be shouldered by whoever is in the best position to prevent it. (If the ultimate victim can't do anything to prevent the fraud, and those who are in a position to increase security have no incentive to prevent it, then we have a problem.) If the fraud is possible due to the customer's recklessness, then the customer should pay. If it could have happened to almost every customer, then it's outside the customer's control and the banks should pay. In borderline cases it is more efficient if the banks pay as well: If they are losing too much money to fraud they can improve security to reduce it, or they can raise their fees, acting in effect as a very cheap and efficient insurance company for their customers if you believe that the customers should be liable.
That's why the considerations in the decision were somewhat analogous to those in an insurance case.
European banks will let you withdraw your balance to zero (even if you had a bad credit rating) the minute the cash hits the account. The canceling of valid (technically) transfers is definitely not available to private individuals either, so the 6 week limit, if it exists, might just as well not exist at all (I suppose they might use it in cases of botched DB run transfers etc., which do happen; some people got their tax refunds in Finland twice last fall, for example).
No doubt emptying was done at the Greek end, or the money was sent as some sort of redeemable-to-cash transfer instead of one that hit some pensioner's shill account first.
world was created 5 seconds before this post as it is.
"German Court Rules That Clients Responsible For Phishing Losses Caused By Their Own Gross Negligence"
For the benefit of the hapless customer, here are a few tips:
1) Your bank has a very good reason for repeatedly warning you never to enter a string of TAN codes on a site that asks for them.
2) There is no such thing as the "wallet inspector". Even if such a position existed, the tracksuit clad kid who took your wallet earlier today must surely have seemed an odd choice for such an important position.
3) No, it is not normal for your wife to be spending so many weekends traveling with the orchestra. Wouldn't you think it odd that she has no interest in music, and doesn't play a single instrument?
4) The bridge you bought is in fact the property of New York City. Didn't you think it odd that the wallet inspector from the park yesterday was the same guy going door to door last week selling prominent American landmarks?
I remember a (computer) system whereby the "secret" key changed after each usage, i.e. it expired immediately after its use. This was a long time ago.
I'm appalled that 4-digit PINs are still the norm. I have never done on-line banking for this reason. Most people don't realize that banks are not responsible if an electronic transfer takes place, even if it used forged credentials. It's a matter of their grace that a compromised account is credited, but there is no requirement for them to do so. Remember, on-line banking is primarily for the banks, not so much for the consumer.
Well, it's good to see that Germany is finally sending money to Greece.
when it makes a mistake. Why the bank could not cancel a transaction when it is a fraudulent transaction. Transaction cancelling is not exceptional because bank employees are human. The only explanation of the fact that bank refuse to cancel fraudulent transaction is that they earn a lot with fraud. Or maybe someone knows better than me. My main source is my wife that tells me about the huge mistakes she discovers and fixes.
Mostly because they would have seen this 5k transfer, it would raise some flags in my account, they would stop the charge and call me.
This has happened several times when I've lent money to a few of my friends.
What do I know, I'm just an idiot, right?
Phishing insurance.
---- Booth was a patriot ----
nslookup of SPARDA.DE. shows no SPF record for the German bank's domain. They probably haven't implemented DKIM either.
I'd say the bank is liable. Any bank should have a security IT professional telling them that a combination of SPF and DKIM is a necessity for any bank with customers prone to phishing. It's not enough to tell customers to "watch out for phishing". If the bank acknowledges phishing, then it needs to do something to prevent it. This usually means a strict SPF setting to filter out spam, plus a DKIM/DomainKeys infrastructure to distinguish false positives.
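To make the SPF point concrete, an added example in Python (not code from the original thread, and not a lookup against any real bank's DNS): a small evaluator for the `ip4:`, `ip6:` and `all` mechanisms, run over constructed TXT records that stand in for DNS answers. It shows the difference between a domain with no record at all (the situation the comment reports, where a receiving mail server can say nothing) and one with a strict `-all` policy. The `include:`, `a`, `mx` and `redirect=` mechanisms are deliberately not modelled; the domain names and addresses are reserved documentation values I constructed.

```python
import ipaddress

# Constructed stand-in for DNS TXT answers. None of these are real domains or records.
FAKE_DNS_TXT = {
    "strict-bank.test": ["v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"],
    "softfail.test":    ["v=spf1 ip4:198.51.100.10 ~all"],
    "no-spf.test":      ["just some unrelated TXT record"],
    "two-records.test": ["v=spf1 -all", "v=spf1 +all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def get_spf_record(domain: str, txt_lookup=FAKE_DNS_TXT.get):
    """Return the single v=spf1 TXT record for a domain, or None.
    Zero records means no policy; more than one is treated as unusable too."""
    records = [r for r in (txt_lookup(domain) or []) if r.lower().startswith("v=spf1")]
    return records[0] if len(records) == 1 else None


def evaluate_spf(domain: str, sender_ip: str, txt_lookup=FAKE_DNS_TXT.get) -> str:
    """Evaluate the sending IP against the domain's SPF policy.
    Returns 'none', 'pass', 'fail', 'softfail' or 'neutral'."""
    record = get_spf_record(domain, txt_lookup)
    if record is None:
        return "none"                   # receiver learns nothing: exactly the gap the comment describes
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:     # skip the 'v=spf1' version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith(("ip4:", "ip6:")):
            network = ipaddress.ip_network(term[4:], strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        # other mechanisms (include:, a, mx, redirect=) are not modelled here
    return "neutral"                    # record exhausted without a match and without an 'all'


if __name__ == "__main__":
    for domain, ip in [("strict-bank.test", "192.0.2.7"),
                       ("strict-bank.test", "203.0.113.5"),
                       ("no-spf.test", "203.0.113.5")]:
        print(f"{domain:18} {ip:14} -> {evaluate_spf(domain, ip)}")
```

A mail server evaluating the `strict-bank.test` policy can reject a message claiming to be from that domain but arriving from an unlisted address; for `no-spf.test` it has no basis to reject, which is why a missing record matters more than a weak one.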
I recently switched to the Conexus Credit Union here in Regina, Canada.
I've used online banking for years, but Conexus is the first bank to require a cookie that they set into my browser. Setting the cookie is a special registration process that asks you to answer one of the "secret questions" that you set up when you enable the online banking services for your account.
The net result is that you can't even try to log in with a computer or device that hasn't been "registered" by answering such a question. It may not be full two-factor authentication, but it's a heck of a lot better than the account number/password combination that every other bank I've ever dealt with uses.
It's the next-best thing to real two-factor authentication with a hardware dongle or id-code sheet such as used by the German banks described in the article.
As to bank liability: I agree with the German courts. No matter how many times you warn people, no matter how clearly you explain the risks, there will always be a few people who don't read the warnings, ignore the warnings, or otherwise compromise their own security. As long as the bank has not been leaving an insecure protocol or technology in place that they knew (or should have known) could be breached, it's the consumer's own damned fault.
What's next? A cell phone wielding driver suing the cell phone maker for damages because they got in a car accident despite it being illegal to use a cell phone while driving in their jurisdiction?
I do not fail; I succeed at finding out what does not work.
when the Bank makes an error and deposits 50000000 credits into my account, the bank is responsible, right?
I had thieves cut my convertible top in 3 places; it took three tries for them to get a hole they could reach the lock from, they were that stupid. So it is perhaps unsurprising that they only made off with a couple of very old used cassette tapes (with Christian rock on them, so maybe they needed them more than me). Since that time, I do not routinely lock the doors, and with the convertible, I have gone so far as to leave the top down when parking in San Francisco tourist areas. Nothing ever got molested. The seagulls worried me more.
I've only ever lost stuff from locked cars.
If the bank had proper security procedures in place to prevent phishing, they should not be held liable.
IMHO, many institutions don't have proper security in place. It's tricky, and would require them to do some inconvenient things.
For example, Progressive Insurance has called me in the past asking for updates--via robocall. Now that's offensive enough, but how do I even know if it's Progressive? I don't. Certainly not before morning coffee.
The simple rule is this: ONLY CLIENTS CONTACT SERVERS. Note, a "server" is any company that provides a service, not just a box with blinky lights.
As an exception, if the server needs info, it is allowed to send one and only one request: I AM FOO COMPANY SERVER. PLEASE LOG IN.
Note that this exception is carefully crafted not so much for what it says, but what it doesn't say. It doesn't say, "call Foo company at xxx-xxx-xxxx". The number could be bogus. It certainly doesn't say "click this link". It should obviously be illegal for any bank to send HTML mail with clickable links or text fields into which data may be entered.
Since few institutions are behaving in this manner, we have to guard ourselves by treating all conversations initiated by companies as requests to visit their site or call into their main trunk line, and nothing more. It really is the only way to guard against this.
Now, if the bank were following this procedure and the guy got scammed it's his fault. Based on my experience, at least with US institutions, the bank bears some blame.
I think this type of thing needs to be decided on a case-by-case basis, taking multiple factors into account.
Blaming it all on the customer is often unfair, but banks shouldn't be left footing the bill for truly stupid people after they have been warned either.
My bank has one of those OTP tokens, but if you think about it, that doesn't really protect you from phishing sites either, as they could just pass through the code and log into the real site at the same time you log into their fake site. If the bank makes a good effort to warn the user "Don't send your password by mail to anyone, anywhere, for any reason, ever, including us.", and then they go emailing it around when the "bank" (hacker) asks them for it, they aren't too bright.
The same thing: if the bank says "Always type in the URL, never click a link in an email", and then the user clicks the link in a specific email and proceeds to log in even though the SSL cert is showing bright red on the screen (or the fake site isn't even SSL at all)...
There needs to be some sharing of responsibility.
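The pass-through weakness described two comments up, and the earlier remark that no German bank still uses plain one-time transaction codes, both come down to what the code is bound to. As an added example in Python (not code from the original thread or from any bank's scheme), the block below contrasts an unbound one-time code, which a relaying site can forward unchanged to authorise a different transfer, with a code computed over the recipient and amount, which the real bank rejects as soon as the relaying site substitutes its own recipient. The key, account labels, amounts and class names are constructed for the demo.

```python
import hashlib
import hmac


def _six_digits(digest: bytes) -> str:
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def plain_otp(key: bytes, counter: int) -> str:
    """Unbound one-time code: proves the token was present, says nothing about the transfer."""
    return _six_digits(hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest())


def transaction_code(key: bytes, recipient: str, amount_cents: int, counter: int) -> str:
    """Transaction-bound code: the generator hashes WHAT is being authorised into the code."""
    message = f"{recipient}|{amount_cents}|{counter}".encode()
    return _six_digits(hmac.new(key, message, hashlib.sha256).digest())


class BankServer:
    """Hypothetical bank back end; `bound` selects which kind of code it expects."""

    def __init__(self, key: bytes, bound: bool):
        self.key, self.bound, self.used = key, bound, set()

    def submit_transfer(self, recipient: str, amount_cents: int, counter: int, code: str) -> bool:
        if counter in self.used:
            return False                            # each counter value authorises one transfer only
        if self.bound:
            expected = transaction_code(self.key, recipient, amount_cents, counter)
        else:
            expected = plain_otp(self.key, counter)
        if not hmac.compare_digest(expected, code):
            return False
        self.used.add(counter)
        return True


def relay_scenario(bound: bool) -> bool:
    """The customer authorises a transfer to `legit` on a look-alike site, which
    forwards the customer's code to the real bank with `mule` as recipient.
    Returns True if the bank accepted the swapped transfer."""
    key = b"constructed-per-customer-key"           # shared between customer's generator and bank
    bank = BankServer(key, bound)
    legit, mule, amount, counter = "account-of-real-payee", "account-of-attacker", 500_000, 1
    code = transaction_code(key, legit, amount, counter) if bound else plain_otp(key, counter)
    return bank.submit_transfer(mule, amount, counter, code)


if __name__ == "__main__":
    print("plain OTP, relayed with swapped recipient accepted:", relay_scenario(False))
    print("transaction-bound code, same relay accepted:", relay_scenario(True))
```

The user experience of the bound variant is that the generator shows the recipient and amount it is signing, so the customer gets a second chance to notice that the details differ from what was typed; the server side cost is only that the verifier must recompute the code from the submitted transaction fields rather than from a counter alone.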