German Court Rules That Clients Responsible For Phishing Losses

benfrog writes "A German court has ruled that clients, not banks, are responsible for losses in phishing scams. The German Federal Court of Justice (the country's highest civil court) ruled in the case of a German retiree who lost €5,000 ($6,608) in a bank transfer fraudulently sent to Greece. According to The Local, a German news site, the man entered 10 transaction codes into a site designed to look like his bank's web site and his bank is not liable as it specifically warned against such phishing attacks."

Lets just hope

[Chrisq]

Lets just hope that it doesn't become European law. Actually I hope the judge loses a million

Re:Lets just hope

[Sique]

Why? How should a bank discover the fraud, if everything is authenticated correctly?
Is a bank also responsible for your losses if a guy comes to your front door, poses as a bank clerk and you cut him a cheque?

Re:Lets just hope

What? Read the article. The person who committed the act of stupidity is the person paying for it. This is the way it has to be.

If the banks payed for the stupidity of this man there'd be no incentive not to be stupid.

Re:Lets just hope

Why ?

The judge is right, there's no real viable way the bank can protect against this, even more modern protection schemes involving SMS messages still involve the enduser, and if he happily provides the received code to www.illtakeyourmoneythanks.ru despite numerous warnings from the bank (I have a similar bank, they clearly try to educate their users but as always most users are rather lazy than informed.) well, then there's really no way you can still blame the bank.

I know a large amount of users here are from the US and used to credit payments (as opposed to debit, which is the case here). Credit cards generally involve some (at first glance) better customer protection by laying all the risk at the seller, but debit cards almost never do this (and there's no need really).

I wouldnt go so far as to call the victim in this case an idiot, i don't know the guy, and it sounds like something that 1 in every 5 people who operate a computer would fall for at some point or another. But not following safety instructions from your bank, when they're clearly displayed EVERYWHERE, and get send to you in both real letters and as regular email updates, well i'd say the bank tried. My bank even gives free financial and online security seminars for people who aren't sure they understand what all the fuss is about.

Re:Lets just hope

The problem with this ruling is that the customer hardly had a chance. The bank offers an authentication protocol that is vulnerable to a widespread and difficult to defend against type of attack. The bank knew that the protocol isn't secure and even warned about the vulnerability. All this despite the availability of protocols which are much more secure.

Suppose a credit card company told you to keep your credit card number secret and declined responsibility for fraudulent transactions because you once handed your credit card to a waiter. Would that be OK? If the bank offers a vulnerable protocol, it should bear the damage.

Re:Lets just hope

[jandersen]

Lets just hope that it doesn't become European law. Actually I hope the judge loses a million

I'm not sure that I agree with that. Most phishing scams are rather obvious, and people really ought to look before they jump.

What feel is missing is that banks and other take it more serious and clean up their practises. Like, I have on a few occasions had my bank call me about something related to security (eg. an unusual transaction) - and bizarrely, the guy calling is reluctant or even refuses to give information about why he calls or which department he calls from - which makes it feel like yet another scam, even if it is genuine.

Ideally, they should give you a call, then let you call back on a security number posted prominently on their web-site (so that it is well-known). This ought to be basic routine.

Re:Lets just hope

[Richard_at_work]

The bank had security in place, the "victim" gave the keys to the kingdom to third parties - why should the bank take the fall for someone who is more than willing to give the criminals everything, voluntarily.

This ruling is pure common sense - if you as a customer aren't willing to take basic precautions then you need to suffer the losses.

Re:Lets just hope

His computer was infected with a trojan that made it look like it was his bank's web site. Don't call people stupid because they can't keep their Windows computer safe from infection. Even professionals can never be 100% sure not to catch a bug.

This is like selling cars "not for going faster than 10mph" and then refusing responsibility when the brakes don't work in a real world situation because the customer didn't make sure to stay within the specified use case. To tell a customer that he's responsible for financial loss which can only be prevented by avoiding all malware on a Windows system is cruel mockery, especially when the bank could prevent the problems by giving the customer a TAN generator which incorporates the transaction details in the TAN.

Re:Lets just hope

[bickerdyke]

That security protocol isn't in use anymore.

The bank specifically issued a warning against exactly the type of attack the customer fell for.

That ruling is in line with the laws in place 2008, when that happend, Laws have been changed since then.

Re:Lets just hope

[philip.paradis]

Banks could also require people to show up in person at a designated branch, present five different forms of identification, sign fifteen release forms, and swear a blood oath to Odin before agreeing to any transaction whatsoever.

My point is very simple: it is not the bank's fault that the client acted in a manner contrary to his own financial interest. Society as a whole operates on the principle that services are generally tailored to the majority. The majority isn't suffering from these issues. If the minority affected by these issues so desires, they're more than welcome to resume good old fashioned "drive down to the bank" methods.

What you're advocating is just another step toward a total nanny state where everyone walks around in government-mandated plastic bubbles. Have fun with that; I won't be attending your party.

Re:Lets just hope

[cmdr_tofu]

Shouldn't the criminal phisher be responsible? So I leave my car unlocked and someone steals it. You could say "you idiot you deserve that". Does the thief gain legal rights to my car now?
The bank is in a better position to try to reduce this type of scam. The non-security aware Joe, is really a victim who was pushed on to internet banking and then duped. Banks could require (or recommend) security awareness training for anyone who uses their sites, but afaik, they do not.

Re:Lets just hope

[rtfa-troll]

Why? How should a bank discover the fraud,

Answer a) is whatevery way they want. b) is; if need be by calling the guy back on his phone number; If they are suspicious enough, by having him come into the office and sign it personally whilst being compared against a photo. By requiring him to use a hardware token. Whatever.

What my bank does is sends out an SMS which contains the sum of the transaction; the person it's being paid to and, at the end, an authorization code. As long as my phone isn't hacked they can be pretty sure that I actually authorized the transaction.

if everything is authenticated correctly?

The things were not authenticated correctly. A transaction which the guy didn't want was put through. The authentication system was inadequate for the job and there are very good reasons why people use more sophisticated ones nowadays.

What's most important is that it's the bank which chooses the authentication system. The customer cannot decide that they want to use a different one. Even changing banks often won't help. Because of this, the banks should always take the loss unless the customer acts in a clearly and openly negligent / fraudulent way. If the losses become too big then they can choose to change. If they are acceptable then they can choose a cheaper authentication system. In this case went for the cheaper system rather than a smar card/ certificate based one which would have protected the guy against his own mistake. That decision probably saved them millions of Euros; they can afford to pay out in this particular case.

Is a bank also responsible for your losses if a guy comes to your front door, poses as a bank clerk and you cut him a cheque?

This depends. If the bank provides a service where they come to your door and there was no reasonable, easy way for you to tell this wasn't a person from that service without using specialist knowledge, then yes. If, on the other hand they don't provide such a service or they make sure that you can easily identify the service, then maybe not. They would have to do something like not carrying out the transactions you asked for if you didn't specfically verithfy the clerk via a phone call so that you learn that you have to do that every time.

There are limits, but the primary responsibility should be on the banks side and they should always have to proove that the customer did something fraudulent or negligent to avoid that.

Re:Lets just hope

[ArsenneLupin]

Why? How should a bank discover the fraud, if everything is authenticated correctly?

Because they (possibly) enabled the fraud to take place. Quoting from the artcle:

According to the Süddeutsche Zeitung, the transfer occurred three months after he entered ten transaction numbers, or TAN codes, on what turned out to be an illegally manipulated version of his bank’s website.

So, how was the site manipulated? Did the attacker actually modify the bank's server? ==> In that case, bank clearly bears the responsibility, as they have a duty to keep their service secure.

Or did the attacker take advantage of a fault in the user's OS or browser. ==> in that case, at first glance, the user would be responsible to run such shoddy software where this is possible. However, in the past, and possibly even now, many banks forced/are forcing their users to use such vulnerable software. If this is the case, again the bank should be responsible. The user would be well advised to go through the "General Conditions" for the web service of the last ten years, and search for any clauses such as "the user agrees to only use Windows and/or Internet Explorer to access the service". If any are found, he should clearly get his money back.

Is a bank also responsible for your losses if a guy comes to your front door, poses as a bank clerk and you cut him a cheque?

Yes, if the bank habitually conducts its business in such a fashion.

Re:Lets just hope

[asdf7890]

Shouldn't the criminal phisher be responsible? So I leave my car unlocked and someone steals it. You could say "you idiot you deserve that". Does the thief gain legal rights to my car now?

Who pays for your replacement car (or repairs to it if it is found damaged)? The owner of the car park you left it unlocked in? No, you pay either directly or via your insurance. So what happens in the case of you leaving your car door unlocked is exactly the same as the situation here - the owner pays one way or another, the cost of fixing the situation doesn't rest with some other entity. The only difference is that I'm not aware of companies selling "phishing insurance".

Banks could require (or recommend) security awareness training for anyone who uses their sites, but afaik, they do not.

They could. And it would be commercial suicide. If phishing insurance was a real thing, partaking in such an awareness course could be a way to reduce your premiums though, as you would be moving yourself into a lower risk group.

Re:Lets just hope

[jaymemaurice]

To be fair, the banks do not allow you to opt in to security features or opt-out of security liabilities.

I'd love if my bank would allow me to secure my checking account to restrict outgoing payments to a list of accounts/payees confirrmed by the branch.
I'd love to opt-in to a second factor token authentication and 2nd bank card pin that has a lower withdrawl limit or one time pin that I can use in sketchy ATMs POS systems.

I pay the bank dearly to protect my money and deliver service. They have had years to spend on R&D. Luckily, I have not been affected by the lack of security or insurance from my bank.

Re:Lets just hope

[Chrisq]

You could say "you idiot you deserve that".

But your insurance company will. Most insurance will only pay if there is evidence of theft, damage to the locks, etc. If there is no visible damage, then the loss is your fault for not securing the vehicle.

I am not sure about "evidence of theft", people have had cars opened by hacking remotes, or even being loaded onto a tow truck and claimed succesfully

Re:Lets just hope

[gutnor]

Indeed if you don't follow basic safety instruction you should pay for it.
As you do if you accept to bring the "package of flu medicine" for that "nice gentleman's mum" across border control.
As you do if you don't lock you car and it gets stolen or if you "optimise" the wiring of your house and it burns down.

We have now in a time and age where computers are basically ubiquitous so we must require from people a token level of responsibility.

Re:Lets just hope

[Niedi]

Mod Parent up, that post is spot on. In fact, the law has been changed 2009 (if I remember rightly) to shift the liability towards the bank unless the customer acts grossly negligent (grob fahrlässig). The court did NOT decide whether the customer would have been liable according to the laws in place today.
Plus many banks in Germany phased out the iTAN system in favor of SMS-codes or TAN-generators that require the debit card to operate and are only valid for the transaction that was entered to generate the TAN (amount, target account etc...).

Re:Lets just hope

[gl4ss]

the phisher is responsible, I just suppose they couldn't reach him now.

If the bank had been responsible, then .. well, then you could double your money, just phish yourself.

Re:Lets just hope

[jaymemaurice]

Did the victim give the keys to the kingdom? or just the first door?
The bank COULD require a different/new password with telephone/sms/in person confirmation when sending money to new payee's/payment accounts.

The security model of most online banking is like having cars with locking doors but not locking ignitions... the security does not fit the way people use their banking.

Re:Lets just hope

[mcavic]

His computer was infected with a trojan that made it look like it was his bank's web site.

How much like it? Was it his bank's url at the top? I have actually seen one phishing site in my life that attempted to graphically overwrite the url bar, but it was a little off.

Anyway, malware or not, in this case he should have asked himself why he was entering the codes. (What is this TAN code shit anyway?)

In other cases you might have an argument, because not everyone is observational enough to realize if their bank's site has been altered, or if an ATM has had a skimmer attached.

Re:Lets just hope

[erroneus]

That's kind of the thing isn't it? Authentication? The authentication systems are stupidly weak and without human involvement. For big business, let them run their banking and transactions automated and all that all day long. Let the credit reporting system be their guides. But for the little people? The working individuals? The ID fraud and all other things related are a big problem. People should be able to talk to a real person, face to face, to discuss things when there is any question about whether something is real or not. But a system that depends on magic secret numbers that "only you" can know and calling that your identity is a tremendous convenience for the banks and big business but it is at the expense of the real people who are unwillingly defrauded.

Re:Lets just hope

[mcavic]

Of course the phisher should be responsible, and when they track him down he will be. But good luck with that, and even then, you'll be lucky to get the money back.

Re:Lets just hope

[mcavic]

Most phishing scams are rather obvious

Yes. I found an email in my spam filter the other day that claimed to be a notice from my bank. It was worded the same way that notices from my bank are worded. The From address was right. One small detail - it was full of broken images. And, of course, all the links pointed to a site in another country.

Re:Lets just hope

[geekmux]

What? Read the article. The person who committed the act of stupidity is the person paying for it. This is the way it has to be.

If the banks payed for the stupidity of this man there'd be no incentive not to be stupid.

Assuming that intelligence and common sense has anything to do with current law and litigation these days is an act of stupidity in itself.

Ever notice that warning on electric hairdryers that says to not use them in a tub full of water? The label on an iron that says do not iron clothes while trying to wear them? The baby washtub label that reminds parents to not throw their baby out with the bath water?

People get awarded millions for being stupid all the time in the US, and every label that you see like this is proof.

Re:Lets just hope

Linux? For a non-sophisticated user? Really? So what, then?

Umm... why not? My father uses it, and he used to find his webpages by typing the URL into google.

Re:Lets just hope

[azalin]

TAN (by now replaced by far more sensible techniques) worked like this:
You got a sealed numbered list of 100 six or eight digit codes. Whenever you wanted to transfer money you had to enter one of the numbers (later a specific one, like #74). This authorized the transfer and you crossed out the number on your list. When around 90% of the list was used up, you got a new on by mail.
The first version (unnumbered) had the obvious drawback of X numbers stolen = x transfers up the the preset transfer limit (you had to show up in person to change that one). Numbered list had the advantage that one never new in advance which number would be asked for, and a potential thief had to get his hand on the whole list.
Of course all that stuff is outdated now and replaced by code generators that work in connection with your bank card or sms codes. Both of these create codes that only work for the specific transaction (amount, receiving account number, etc which is displayed in advance) and only for a very limited time frame (15 minutes).

Re:Lets just hope

[hilather]

What? Read the article. The person who committed the act of stupidity is the person paying for it. This is the way it has to be.

If the banks payed for the stupidity of this man there'd be no incentive not to be stupid.

I work for an international bank and I can assure you we take phishing attacks on our customers very seriously. Almost all banks have an email address where you can forward phishing emails or websites to. I'll agree there is some blame to be put on the users, but the banks should not be off the hook. Banks have the man power and clout to actually shut these sites down.

Re:Lets just hope

[Tsu-na-mi]

I often leave my car unlocked. Why?

Thief breaks in, I lose maybe $5 in change form the console and some 15-year old CDs. If my car were locked, I'd lose that, PLUS a $200 car window they smashed to get said items. It is not worth locking my car.

Re:Lets just hope

[Attila+Dimedici]

To be fair, the banks do not allow you to opt in to security features or opt-out of security liabilities.

Really? Your bank insists that you do online banking? That you conduct money transfers over the Internet? They do not allow you to go down to a bank location to conduct your banking business? Those are all options available to you and if you were to follow them would allow you to opt out of many security liabilities. I am pretty confident that if you never conduct any banking transactions online the courts would find the bank liable if someone hacked into your account and took your money.

Re:Lets just hope

[Bob+the+Super+Hamste]

My personal favorite warning was on an automotive fan belt that said to shut the engine off before removing the old belt. I also like the warnings on a box bullets stating that they contain lead and you shouldn't eat them.

As much as I dislike the bubble wrap world we are moving towards electronic fraud seems to be one area where it is still everyone for themselves. I have had to deal with it a couple of times, one was someone who was probably just guessing card numbers and seeing what ones worked and used wife's for a few purchases on XBox Live and PSN. The one was someone who took out a credit card in my name in another state (North Dakota) and then maxed it out. Interestingly it was a credit card brand I already had and that the payment gets sent to that state (before they had the ability to pay online). It was probably one of their employees who took the info and opened the account and then maxed out the new card. After about 30 minutes of working with the credit card company things were straightened out and it didn't cost me anything other than my time. The interesting thing was it was easier dealing with my credit card company and the ~$1500 in fraud charges than it was dealing with my wife's bank and the ~$75 in fraud charges which required multiple hour long phone calls and sending off several forms by certified mail.

Re:Lets just hope

[neonKow]

No, in practice you can not enter in multiple TAN codes for no reason.

The whole point of TAN codes is that it provides a good measure of protection against a having compromised system.

It's your own responsibility to be suitably paranoid about secrets assigned to you, and this guy didn't. If the pizza guy asks for your social security number, don't. Even if the man missed the notice on the login page, he's still negligent.

Re:Lets just hope

[neonKow]

You're right about one thing: you didn't RTFA.

Re:Lets just hope

[wvmarle]

Shouldn't the criminal phisher be responsible? So I leave my car unlocked and someone steals it. You could say "you idiot you deserve that". Does the thief gain legal rights to my car now?

You mix up things.

Of course the one stealing your car commits theft, as does the one stealling the 5000 Euro from this person's bank account. And those criminals, when caught, will be held responsible.

The question here is who's liable for the damage incurred by the theft. In case of your car being stolen, you will not be able to get any damages from the car manufacturer arguing, say, not good enough locks on the doors. Just like in case of the money stolen from the bank account, the bank is not liable, and the judge ruled that the locks the bank put in place were good enough, and that the bank client should have taken better care.

And even if the criminal gets caught, that doesn't mean the victim will get their money or car back. So they still lose out.

Re:Lets just hope

[jandersen]

So the issue is taken quiet seriously, you may not agree with some of the methodology, and that's fair enough, but to say banks don't take the issue seriously is misleading.

I'm not really trying to slag them off; but many of the measures seem to be half. You mention scrutinising the logs, which is good and necessary, but why don't they implement some of the simple and easy things that would help a lot - like an easy facility for checking the authenticity of a caller?

Re:Lets just hope

[itsdapead]

The judge is right, there's no real viable way the bank can protect against this, even more modern protection schemes involving SMS messages still involve the enduser, and if he happily provides the received code to www.illtakeyourmoneythanks.ru despite numerous warnings from the bank.

For years, my bank (not one of the world's greatest) has used challenge/response chip-and-PIN authentication, using a small card reader provided free by the bank. You put your card into the reader and enter your PIN, punch in the challenge number given by the website, then type the response code into the website (the reader isn't interfaced with the computer at all), You need to do this every time you add a new payee via online banking. I'm sure its hackable by a sufficiently sophisticated attack, but not your garden variety phishing expedition.

I'd want to look a bit more about the bank's practices before passing judgement about the client's stupidity. My bank likes to cold-call me and "ask a few security questions" - and gets quite nonplussed when I tell them to go fish (I know its my bank because, on one occasion, I had a letter from them reassuring me that the call was legit...). The URL for the e-banking site has no obvious connection with the name of the bank, and even the extended SSL certificate refers to the parent company (which is fairly common knowledge, but still...). Other online services I've encountered do clever things like sending out emails with live weblinks in them and, to add the cherry on top, are indirected via some analytics or marketing firm so they look like "http://www.somelogisticsoutfit.in?addr=www.legitcompany.com" - how exactly is Mr Average Joe expected to distinguish that from "http://www.evilphishers.ru?victim=www.legitcompany.com"? As for the last time I paid my TV License online (this is the UK) they couldn't have made the process look more like a trojan attack if they had tried.

...and why banks still use the same fixed account code for withdrawals, deposits, direct debits and electronic transfers, who knows? How hard can it be to give me a one-time account code to pass to someone who wants to wire me money or set up a direct debit?

Re:Lets just hope

[Dishevel]

I can talk to a real person.
I can go into the bank between 9 and 5.
I can wait in line. I can do my transaction and I can be safe.
Or.... I can get money and make transfers whenever I want. I can choose convenience.
If I choose the latter then I need to take care with what I am doing.

Re:Lets just hope

[Dishevel]

Yup. For simple things and simple people Linux rocks.
Throw a Mint CD in and my Mother in law can have a running linux distro in no time and be checking her email in 30 min.
Takes longer than 30 min to do the user setup on an HP machine with the OS already installed.

Re:Lets just hope

[Myopic]

The things were not authenticated correctly. A transaction which the guy didn't want was put through. The authentication system was inadequate for the job

This is a good point. No auth system can be perfect, but perhaps this one was inadequate.

Re:Lets just hope

[tazan]

Yep, at my last job the bums would throw a brick through your window to get the change out of the ash trays. I learned my lesson years ago. I had a brand new convertible top cut open at the mall so they could unlock the door and steel a pair of $15 speakers. Now I always leave the doors unlocked unless there's kids playing around and I want to keep them out. That's all car locks are good for.

Re:Lets just hope

[gl4ss]

the same system is in use in finland still, some using the numbered codes, in which the bank asks you a specific code from the code card, some need you to mark codes as used as you go(and doesn't provide a hint which code you should input). the systems have been in use for ~17 years or longer. apparently they do additional checks for some transactions though..

but if one is phishing for codes from the card, he would need to know which numbers to ask(or get lucky, one card has maybe 100 number pairs and the code provided by bank(that you need to match) is 4 digits.

that's why the(rare, succesful) attacks are mitm now, just replicate the entire site and change the transactions to go to another account..

what kind of single use key scenario would be secure then?

I would understand the bank being responsible totally if the criminals had gone into a bank and used faulty id to clean up the accounts..

Re:Lets just hope

[Skapare]

Banks should have the responsibility of providing a means for people to be 100% certain they are connected with the bank's own website instead of any imposter.

Re:Lets just hope

I also like the warnings on a box bullets stating that they contain lead

In some jurisdictions, you aren't allowed to hunt with lead bullets - they don't want animals finding & eating the spent bullets, and don't want the lead leaching into the environment.

As a result, there is a market for non-lead ammunition. It isn't unreasonable to label the boxes.

Re:Lets just hope

[Erikderzweite]

So the right solution is to sue car manufacturer, right?

Re:Lets just hope

[Almandine]

My personal favorite was an allergy warning about containing peanuts. This warning was on a bag of roasted peanuts.

Re:Lets just hope

[jaymemaurice]

My UAE bank (who's terms of service explicitly say they are not liable for any misuse of their online or telephone banking) automatically enrolled me for their telephone banking.

I am pretty confident that if you never conduct any banking transactions online the courts would find the bank liable if someone hacked into your account and took your money

But yet when you send money that they can not get back to a place you never do, you are responsible?! I use online banking all the time to pay my bills, but not transfer money out of the country.

Re:Lets just hope

[Endo13]

Exactly. I'm not sure how people are failing to see this. It's not so much a matter of "well he was just stupid, he deserved what happened" as it is that you cannot hold banks (or other instituions) liable for mistakes their clients make through ignorance or stupidity. It just doesn't work that way. It wasn't a breach in security. It was an individual participating in an activity by his own choice, and falling for a scam. It's the job of law enforcement to go after scammers, not the business.

It sucks, but it's life. Bad people do bad things, and the ignorant pay for it.

Re:Lets just hope

[Endo13]

And yet somehow I've never had a problem with infections on my home PCs (with Windows), despite having them online 24/7 for the past 8+ years, the majority of the time without any active antimalware protection. But then, I also don't download cutesy apps or online greeting cards, I know what to watch for in emails, and I recognize drive-by infections on websites and kill the browser before it actually downloads.

But less knowledgable people still know the risks are out there, and they proceed anyway - at their own risk. Still doesn't excuse them from liability.

Re:Lets just hope

[Asic+Eng]

So, how was the site manipulated? Did the attacker actually modify the bank's server? ==> In that case, bank clearly bears the responsibility, as they have a duty to keep their service secure.

I'm not 100% sure, but I think I once got the same (or a very similar) phishing mail that customer got. Basically it invites you to click on a link in the email to go to the bank's site (the bank warns against never doing that) which actually goes somewhere else (the URL is displayed in the browser's location bar) and then enter 10 TANs (something the bank would never ask for in normal operation of the web site).

If things had been as you describe I would agree - however that wouldn't match the definition of phishing, I believe.

Re:Lets just hope

[Cederic]

Banks should have the responsibility of providing a means for people to be 100% certain they are connected with the bank's own website instead of any imposter.

They do. It's called "Notice: Don't be fucking stupid" and they had it paraphrased on the bank's website. This bloke failed to comply.

Re:Lets just hope

[Gamasta]

In Germany you can't undo a transfer order you placed, neither can the bank. If you were doing business with someone, you call them up and ask them to wire it back to you (you need to inform your account information, too, because these are not visible to the receiving end). This is the case here. The guy should have called the cops right away. Bank transactions leave paper trails.

BTW: I still use throw-away passwords for transactions (Commerzbank). I just don't enter many passwords in a single form that looks a lot like my home banking site. It works fine or am I missing something here?

Re:Lets just hope

[Cederic]

When my bank or card company calls me, I tell them that I can not validate who they are and that I will not give them any information. I then ring the number on my debit/credit card, explain that I've just had a call, and every time so far get told, "Oh, yes - we wanted to talk to you about..."

Works for me, the bank's never complained, and it means I don't have to trust random callers with my banking details.

Re:Lets just hope

[Cederic]

why don't they implement some of the simple and easy things that would help a lot - like an easy facility for checking the authenticity of a caller?

Clearly you haven't encountered the term "Identity and access management". Lets just say that the bank I work for spends many millions of pounds on various technologies in that space.

That's not the only financial crime prevention activity but oddly enough this isn't an area I'm going to reveal too much about. Security by obscurity is insufficient but that doesn't stop it contributing to an overall security strategy.

(Note that financial crime is far from the only reason we do this. We have a responsibility to our customers and to our owners to protect their identity, their data and their money. We have regulatory requirements to meet. We generally like being nice people. And our head of Financial Crime gets personally offended and very distressed whenever some lowlife steals money from us).

Re:Lets just hope

[Cederic]

My bank has my email address. So does my credit card company. So does my other bank. So does my other credit card company (which happens to be my other bank too).

None of them send me emails with insecure information in them. They do send emails telling me "We need to tell you something" but then I log onto their website to find out what it is.

(Except my credit card company decided to send spam to me, so now they don't have my email address. As it's an online-only account I suspect this is causing them distress, but the card keeps working.)

Re:Lets just hope

[mcavic]

They send notices if a bill payment gets scheduled, or if someone changes my address or phone number. I can also get balance alerts or notices if my credit card payment is overdue. Combined with the ability to log in and check my transactions, all of this makes it much faster to identify fraud. If someone intercepts my email they might gain more information about me, but no truly sensitive information.

Re:Lets just hope

[Bob+the+Super+Hamste]

Usually when buying ammo it is pretty clear what is lead, bismuth, tungsten, or copper as the manufacture will label the box. How stupid does one need to be to think it would be a good idea to consume a rifle cartridge or shotgun shell.

It is usually fine lead shot that that is banned (your typical bird shot) as water foul will eat it mistaking it for sand and gravel. I haven't heard of a place banning lead rifle bullets, but it wouldn't surprise me if California did this. The problem with non lead rifle hunting bullets is that they don't perform like their lead counterparts (no I am not whining like people do with the switch to steel shot) because of the different densities and the required stabilization. I haven't seen bismuth bullets which would be close enough but a tungsten core bullet wouldn't expand like a soft or hollow point lead one does, same thing with steel core ones. I have seen copper bullets but those don't offer the accuracy that lead ones do (due to the different density) and are stupidly expensive by comparison. If I could find non lead bullets I would probably use them for hunting but I haven't seen any in the caliber I use. When I go bird hunting I always use steel shot even though I would only have to use it if I went on federal land (I don't hunt water foul) because I want to be a good steward of the environment and not spray lead shot all over the place.

Re:Lets just hope

[gutnor]

You may have had a point 5 years ago. But the world has changed. There are device like smartphone and tablets that are basically risk free from a technical point of view (no need for firewall, antivirus, no need to think about not installing that dodgy app, ...). With the new devices, phishing is hardly more technical than all other form of phising using traditional means. You cannot sue the bank if you give your credit card and pin to some stranger in the street. Same on the internet.

For expert attack (like somebody installing a trojan on your computer, somebody cloning your secured token or stealing your credentials from the bank), same thing, you are of course expected to take reasonable measure like using safe device (tablet) instead of expert device like a plain computer and follow the guideline of the bank, but your responsibility stop there. That is about the same level of expertise that we expect you to have in plumbery, electricity, fire fighting, first aid, car maintenance, ... ( try to sue the housing company because "only an electrical engineer would know that sticking your finger in a plug is a bad idea" )

Re:Lets just hope

[BigSlowTarget]

Bank transfers money to a Greek bank.

First bank calls Greek bank, says money was stolen and asks for money back

The Greek bank can now either take the money out of the account, send cops after the thief or acknowledge that they have no idea who really has accounts with them and that they shouldn't be allowed access to the secured banking transfer network. They don't want to do the last one because solving it costs them money and it's hard.

Re:Lets just hope

[Mal-2]

I often leave my car unlocked. Why?

Thief breaks in, I lose maybe $5 in change form the console and some 15-year old CDs. If my car were locked, I'd lose that, PLUS a $200 car window they smashed to get said items. It is not worth locking my car.

I disagree. I had my car broken into and the radio (along with several HUNDRED CDs in paper sleeves) stolen. They smashed a window to get in, which pissed me off far more than the stolen items. However, the passenger side door (which is the side they broke into) was unlocked at the time, because I had been disconnecting the battery when parking. Funny how power door locks don't work in that condition, and I hadn't gotten into the habit of checking it manually. By not locking the door, I opened myself up to casual thieves and STILL failed to stop someone from smashing the window. Chances are, they didn't even CHECK the door before smashing the window.

Re:Lets just hope

[jandersen]

I see you don't answer my question, which doesn't do anything to reassure me of your intentions ;-)

Playing at cloak and daggers may seem necessary to security personnel, but when they contact customers - whom I assume are their 'friend' in this game - they invariably end up looking like they are trying to pry out private and sensitive information, which I can't really imagine is fit for purpose.

And I do know about "Identity and access management", thank you very much, since I work for a company that deals in identification and data quality, among other things. Security by obscurity is an illusion, by the way, since you don't know what "the other side" knows about your secrets - other than it is likely to be much more than you hope.

Re:Lets just hope

[Cederic]

Ah, I misinterpreted your question. You're talking about the customer IDing the bank when it calls them.

As a customer I just don't trust inbound calls. As a bank employee, I have to find mechanisms that balance customer service with security, without pissing off the customer. Any suggestions on how to achieve this bank ID check?

Incidentally, obscurity would be naive to throw away, even though it can't be relied on. It's not an illusion, it's just of limited value and insufficient.

Re:Lets just hope

[Gr8Apes]

the same system is in use in finland still, some using the numbered codes, in which the bank asks you a specific code from the code card, some need you to mark codes as used as you go(and doesn't provide a hint which code you should input).

Asking for a specific code would be a good route, since that actually is a sort of challenge response handshake. If you combine that with 1 time use only and mark them off, phishing becomes harder, unless you get an exceptionally dense person that enters 10+ numbers into a fake web site.

Re:Lets just hope

[cygtoad]

Yes.

Online banking uses outdated crypto

[GeneralTurgidson]

Theses sort of cases are really hurting the customer, banks have no reason to invest in a serious authentication scheme for online banking. It's a joke, my bank uses a password and some random question about me. At the very least they need to offer a true two factor solution, preferably token or certificate based.

Re:Online banking uses outdated crypto

[BorgDrone]

My bank uses a token that require me to insert my debit card into the token, enter my PIN and type in resulting code to log in. For transferring money I need to insert my card, enter PIN, enter code from the screen into token and then type in code from token.

Never heard of a proper bank requiring just a password.

Re:Online banking uses outdated crypto

[gnasher719]

Theses sort of cases are really hurting the customer, banks have no reason to invest in a serious authentication scheme for online banking. It's a joke, my bank uses a password and some random question about me. At the very least they need to offer a true two factor solution, preferably token or certificate based.

Well, it hurts the bank's customer, because the bank's customer was the one who entered ten transaction codes into a fraudulent website himself. With a token based solution, you will come back screaming when a scammer convinces a customer to hand over their token.

Re:Online banking uses outdated crypto

[ledow]

Shouldn't your first thought be to change bank then? And inform them WHY you've changed bank?

Security tokens are a pain in the bum but there are banks that offer them in just about any country you want to pick.

And, how, precisely would it have stopped this attack? He typed security information (which would also include his one-time tokens) into a website that was fraudulent. There's nothing stopping them recording those tokens and typing them into the REAL account just the same and nobody would know until a) he noticed his bank account was empty or b) he tried to log in online on the proper website using the token and it wouldn't accept it.

Re:Online banking uses outdated crypto

[dragisha]

In the world of ultimate surveillance, like one we are becoming (and fast) - some kind of rollback mechanism is (at least to me) most logical thing to do.

Money can be followed, to the moment when a person gets it from ATM or bank clerk. Also, it can be found later - serial numbers are there to be used and I do not doubt they are.

On the other hand, bank can make better authentication (as GeneralTurgidson implies) but also some mechanism for keeping a customer in loop. Some banks report transactions through SMS, for example. Mechanism where transaction is delayed for some time, during which customer can take action. If I don't get SMS confirmation in 3 hours, for example - call bank hotline to stop everything.

And many other things, other than - let customer pay.

Re:Online banking uses outdated crypto

[thegarbz]

Your bank being a joke does not make it the norm. Certainly every bank I dealt with uses some form of two factor authentication often combined with multiple identifiers. My previous bank went like this:

Login: User / Password
External Transaction: SMS an ID number to the elected phone number which is not visible nor can it be changed online.
External transaction over $1000 or to a new account: SMS + two identification questions chosen from a pool of ~10.

My current bank uses a RSA token:
Login: User / Password / Current token
Any External Transaction: Token

This practice seems to be the norm rather than the exception here both for major banks and small credit unions. Maybe it's time you look at alternative places to keep your money?

Re:Online banking uses outdated crypto

[Danieljury3]

I noticed recently that my bank doesn't differentiate between lower and uppercase in both the username and password fields. Found out when I decided to change some of the letters in my password to uppercase and it complained that the old and new passwords were the same.

Re:Online banking uses outdated crypto

[stephanruby]

Theses sort of cases are really hurting the customer, banks have no reason to invest in a serious authentication scheme for online banking. It's a joke, my bank uses a password and some random question about me. At the very least they need to offer a true two factor solution, preferably token or certificate based.

I know it's customary not to read the article, but seriously, please read the article before making these kinds of assumptions. This bank actually had good 2-factor token-based security. German banks usually do. The judge made the right call in this case.

And yes, I do realize that there are lousy banks out there. I know at least one major bank in the US that has super shitty security (even worse than your bank). Thankfully, not all US banks are that bad, it's a mixed-bag really. Sometimes, the blame can be placed squarely with the bank, and sometimes, the blame can be placed squarely with the user.

In this case, the judge clearly took into account the security measures taken by the bank before issuing a verdict against the user. This is as it should be. Fraud can only be dampened down only when incompetency is penalized, regardless of its origin.

Re:Online banking uses outdated crypto

[MadKeithV]

I've been on sites where they've told me that my chosen password was too long. Left there quickly without giving them any more details.

Re:Online banking uses outdated crypto

[arth1]

ome banks report transactions through SMS, for example. Mechanism where transaction is delayed for some time, during which customer can take action. If I don't get SMS confirmation in 3 hours, for example - call bank hotline to stop everything.

And many other things, other than - let customer pay.

So does the bank pay for a mobile phone plan for the customer? No? Then how is it not "let the customer pay"?

I know, you probably meant let the customer pay when being swindled. Which I think is very reasonable. If there's gross negligence on the side of the bank, they should pay for that, and if there's gross negligence on the side of the customer, they should pay for that. And if both, let the customer lose his money and fine the bank.

(And, if a customer engages in what he thinks is an illegal activity (like 419 scams), hit him for that too. These scams wouldn't be common unless people fell for their own greed and lack of respect for the laws.)

It's time that both banks and customers understand that there is a great need for customers to get better educated. They need to understand basic security and be sceptical, or if they can't, abstain from using a self-service, and instead pay for professional services.

Re:Online banking uses outdated crypto

[sociocapitalist]

This TAN code is probably a set of codes on a card that the customer is instructed to input based on [ column, row ], when they want to do something on line. I have something similar here in France. Seems this customer was fooled into putting more than one of them, along with username & password most likely, into the fake web page and the bad guys then were able to use one of them to make the transfer.

I have a business account in Hong Kong that they've provided me a one time token similar to Secure ID for which is going to be a lot more secure unless someone physically got a hold of it, along with my username and password so overall I do agree with you that banks should be using these tokens instead of the matrix cards.

Re:Online banking uses outdated crypto

[TheRaven64]

I have a US bank account which is very much like the grandparent described. I also managed to get them to give me the login credentials over the phone knowing only my name, address, and date of birth. Security there is appalling and in any other vaguely civilised country would mean that they would be liable for pretty much anything bad that happened to my account.

In contrast, my UK bank has an authentication scheme much as you describe. Any time I pay a new person (or a large amount), I need to separately authenticate that transaction, including typing the amount into the external device that generates a single-use token from the chip on my card. The debit card from my US bank doesn't even have a chip...

Re:Online banking uses outdated crypto

[zippthorne]

"TWO" factor?

Although the website to my bank is now more secure (it actually allows me to use password, rather than just using the old 4-digit PIN), the account still has a routing+account number that requires no cryptographic token (or even a one-time-use-with-a-limit number) to allow anyone full access to do anything with the account..

Also, it prints this routing number on the paper, "personal checks" that it issues to every checking customer.

I would love to have a bank that uses two factor authentication. As far as I can tell, the above situation is true for all banks in the US.

Re:Online banking uses outdated crypto

[zippthorne]

Eh.. just make your password longer.

Use this formula:

n=m*ln(s_m)/ln(s_n)

where m is the length of your old password, s_m is the size you thought the character space was and s_n is the size the character space really is. Use conservative values for s_n if you're not certain about other characters.

Depending on the length of your original password, you'll probably be surprised that you only need to add a couple characters to beat the original password's security, and the new password may well be easier to remember.

Re:Online banking uses outdated crypto

[msauve]

...and other than relying on the user to recognize that they have a secure (HTTPS) connection to the legitimate site, with a legitimate cert, what's to stop a man-in-the-middle/proxy attack (unless your token somehow could do end-to-end secure authentication, but if you're reading a PIN and typing it in, it doesn't.

Couldn't such a site could alter transaction data (changing amount, destination account for payments/transfers, etc), and pass that along with proxied credentials? Or simply create new transactions once authenticated? If the site asks for, and gets, the user to enter debit card #, PIN, and token code, doesn't it have everything needed?

Re:Online banking uses outdated crypto

[msauve]

You do realize that SecurID-type tokens do nothing to prevent man-in-the-middle attacks? If a phisher can find a phish who doesn't check sitename/ssl info to verify they're really connected to the bank's site, they're in.

Re:Online banking uses outdated crypto

[rapiddescent]

My bank uses a token that require me to insert my debit card into the token, enter my PIN and type in resulting code to log in. For transferring money I need to insert my card, enter PIN, enter code from the screen into token and then type in code from token.

Never heard of a proper bank requiring just a password.

(this is probably a CAP (chip authentication program) 2FA solution) - I was a designer of a CAP 2FA solution for a large uk bank that was commissioned about 4 years ago. The customer uses an EMV card (a debit card in this case) to create a one time code that can be entered into the online system whilst performing a transaction. The CAP standard actually had three operations identify, respond and sign and any CAP reader can be used with any EMV card. (not a lot of people realise this)

identify just responded with a one time code, respond is short for challenge/respond that asked the user for some numerical input (perhaps an account number to which a payment is being made) and sign asked for a numerical input and a value. These are entered into the disconnected, battery operated reader to generate the code. Despite what the clever chappies at cambridge suggest, the latter two had not been successfully breached (that is, up until I left a few years ago). The system cost double digit millions of GBP to put in. I imagine that the pay back on that investment was about 12 months through reduced fraud.

the really clever part about it is that the code that the user enters back into the system contains other data in it that keeps the bank up to date with the card data. so if your card has had a brute force attack then it's likely that it will fail. All the banks I know of used the CAP standard a little differently. there's one that uses a one-time code (identify) with no user input into the card reader - I'd never trust that model - because there's a simple MITM attack possible not unlike our german dude in TFA that used a list of one time codes.

At the time, I had heard that one of the scratch-card one-time code systems somewhere in europe had been targeted by criminals and totally compromised - but I've never heard it in the media. I wonder if this was it?

Re:Online banking uses outdated crypto

[bickerdyke]

So does the bank pay for a mobile phone plan for the customer? No? Then how is it not "let the customer pay"?

The bank pays for sending the sms. So unless you have internet but no cell phone, there's no additional cost for security on the customer side.

Re:Online banking uses outdated crypto

[firex726]

Whats even worse is some banks have such outdated system they limit the security you can have.

One of my bank sites has a MAX of 6 characters, and no special non-alphanumeric characters.

Re:Online banking uses outdated crypto

[firex726]

Yea, one of my bank sites has a MAX of 6 characters, and no special non-alphanumeric characters.

I closed my account there.

Re:Online banking uses outdated crypto

[dave420]

Maybe where you live. My bank sent me a device I put on the screen, which reads a barcode on the website, which then requires me to enter a pin to retrieve a code which I then type back into the website. I'm in Germany, however.

Re:Online banking uses outdated crypto

[dave420]

No, funnily enough they thought of that. Strange, huh?

Re:Online banking uses outdated crypto

[KingAlanI]

I wouldn't know about HSBC like the sibling AC said, but Citizens seems to have relatively intelligent security practices.
Thing is, even big banks often aren't available in certain parts of the country.

Re:Online banking uses outdated crypto

[a90Tj2P7]

So does the bank pay for a mobile phone plan for the customer? No? Then how is it not "let the customer pay"?

The bank pays for sending the sms. So unless you have internet but no cell phone, there's no additional cost for security on the customer side.

Not with most major US carriers, at least. Both outgoing and incoming text messages count against your bill/limit, whether that's charged per text, x free a month or unlimited.

Re:Online banking uses outdated crypto

[bickerdyke]

Not over here. Sounds like a US problem to me.

Re:Online banking uses outdated crypto

[arth1]

I am indeed lucky enough to have Internet but no mobile phone -- getting rid of that leash was the best thing that happened to me in the oughties. She Who Shall Not Be Named can not bitch at me for turning my cell phone off when I go to have a few pints, and work cannot abuse it to get unreliable 24/7 support for free.

But anyhow, many places (like most of the world except parts of Europe), customers pay to receive SMS, and often also pay a monthly fee to have a text service enabled in the first place.

Re:Online banking uses outdated crypto

[the+eric+conspiracy]

Not to mention that if the issuer of the token is hacked, the token becomes a liability.

Re:Online banking uses outdated crypto

[Asic+Eng]

Actually German banks generally use reasonable security. In this case, in order to make a transfer the customer needed to login to the bank site first, and then for each transaction he would need to enter a one-time TAN (transaction number). They give the customer a card with valid TANs beforehand.

Most German banks would go one further and do a challenge/response system. So the customer would have a sheet with numbered TANs and be prompted for a specific one. Many offer an mTAN (mobile TAN) system where the TAN is sent via SMS to the customer's cell phone.

In this case the customer was willing to enter 10 TANs (which under normal circumstances the bank's web site would *never* ask for - it's one number per transaction). Even if they had used the numbered TAN system - the attacker would probably have managed to get that customer to enter the numbers as well. Only mTAN would have prevented this.

I think the court made the right decision there.

Re:Online banking uses outdated crypto

[mshenrick]

Many banks in England, like mine, Barclays, use a device that looks like a calculator with a card slot to give you a 1-time password after entering your pin on it

Re:Online banking uses outdated crypto

[quacking+duck]

Canadian bank (with massive US presence), password only for online banking. Worse, the password only allows alphanumeric characters--no symbols, not even dashes or periods. The discussion forums I log into have stronger password requirements than that.

Re:Online banking uses outdated crypto

[Cederic]

A routing and account number are merely identifiers of an account. They do not authorise any action against that account.

It's like your name. I know your name: zippthorne. That doesn't authorise me to post on Slashdot using your account.

Differentiate between identifiers and authentication and authorisation.

Re:Online banking uses outdated crypto

[Cederic]

Ok, so the phishing-in-the-middle is into my account. What can he do there?

Oh - that's right. Nothing. You see, no new transactions can be created that aren't signed using the token. As the signing process includes the amount being transferred, and part of the account number to which it's being transferred, it's highly unlikely that the phisher is going to have an account available with the correct characteristics to intercept a new payment I'm initiating.

Ok, letting someone else see the funds you have in your account, potentially eavesdrop on anything you do while in your bank website and risk them capturing secret information isn't a good thing. SecurID-type tokens are not 100% secure. But frankly they add significant security and fraud prevention, help the customer retain faith in their bank and do prevent less sophisticated attacks.

Re:Online banking uses outdated crypto

[Cederic]

the Fiducary Agent should be liable if any party presents with a document or data perporting to represent the individual and thereafter disburses money without it being properly the desire of the individual.

Without even being a lawyer, it seems to me that the obvious counter argument in this situation is that by giving the security access codes away, the customer was authorising (and de facto expressing the desire for) the criminal to access the funds.

To translate that into UK law:
- someone randomly generates a credit card number/pin combination and uses it to steal cash: Bank is liable
- customer gives their card number/pin to a criminal, who uses it to access that account: customer is liable.

The law is already heavily on the consumer's side in the UK (which is understandable, as the banks tend to be better able to cover the losses) but if banks become 100% liable for all fraudulent activity, people would soon start complaining about the difficulty of accessing their money.

Re:Online banking uses outdated crypto

[Jessified]

I don't understand how banks can pass off bank robberies onto customers. Some guy walks in, claims to be me, they believe him and give him all my money and this is my fault??

Re:Online banking uses outdated crypto

[msauve]

" You see, no new transactions can be created that aren't signed using the token. As the signing process includes the amount being transferred, and part of the account number to which it's being transferred "

You don't know how SecureID tokens work, do you?

Re:Online banking uses outdated crypto

[Cederic]

Hmm. Good spot, I'm describing the use of a card reader, not a generic SecurID token.

You're right, can't do transaction signing with those.

Re:Online banking uses outdated crypto

[T+Murphy]

I also managed to get them to give me the login credentials over the phone knowing only my name, address, and date of birth.

What phone did you call from? If you called from a home or cell phone that they would have on record, that would be an extra layer of security you're not giving them credit for. That said, it is quite possible that they would give you the login credentials when calling from a random phone, but until it's tried that would be jumping to conclusions.

Re:Online banking uses outdated crypto

[thegarbz]

What has this to do with the fact that the parent's bank doesn't offer something as basic as two factor authentication?

Re:Online banking uses outdated crypto

[thegarbz]

Nearly all banking fraud is simple. Is the token perfect? No, but it prevents basic attacks and phishing attacks that don't clean out my bank account within 1 minute. That makes any attack an order of magnitude harder. Compare that to the parent I was replying to, who's bank doesn't appear to offer any two factor authentication.

Re:Online banking uses outdated crypto

[thegarbz]

In theory they can, but they would need to execute this attack within the minute it takes for the ID to change.

Re:Online banking uses outdated crypto

[TheRaven64]

I called from Skype - the only time I've ever used Skype was to make free calls to 1-800 numbers in the USA before I got an account with a SIP provider that also offered that.

Tricky

[Spad]

I do kind of agree with this; beyond a certain point of security measures, information campaigns and automated fraud-protection mechanisms it starts getting unreasonable to expect the banks to take financial responsibility for their customers' stupidity.

Now I agree that the bar should be set very high, but at some point you have to accept that there are very stupid people out there who will do everything in their power to circumvent the things you put in place to protect them from themselves and it's not really fair that the rest of us should have to pay to bail them out (which is essentially what happens, the banks inevitably pass on the costs of fraud to their customers).

Re:Tricky

[rtb61]

Duty of care by the Bank should have warranted a check of unusual transaction. Bank was too lazy and cheap to make a single phone call to check out of pattern transactions, especially in the case of the most vulnerable in the community, pensioners.

Bank should should have been held at least 50% liable for the fraudulent transactions.

Re:Tricky

[Asic+Eng]

Please no. I don't want my bank to constantly interfere with my transactions. It has caused me quite sufficient problems already when traveling abroad, and suddenly the bank decides me spending money during my vacation looked suspicious and blocked my visa card. It's great fun being thousands of miles from home and not being able to access your own damn money.

The guy is a moron - someone would have found a way to trick him out of his money sooner or later. Sorry, but he was warned against everything he did to make that possible - he should bare the costs and learn from it.

Re:Tricky

[rtb61]

I gather you missed the part about the cost of one phone call and you callous disregard for the elderly ensures you will inevitably suffer the same.

they needed a court for that?

[greenfruitsalad]

Why did this need a court decision? It seems pretty logical to me. Banks should be praised for providing free information about phishing attacks.

Re:they needed a court for that?

[Robert+Zenz]

Well, the U.S. is not the only ones with stupid people, we (Austrians, and Germans too) have got some seriously dumb people, too.

shitty lawyer

[nazsco]

Even though i agree with Zappa's plan to get rid of suckers...

All it would take was for the lawyer to ask one bank member to do one transaction. Most banks would require 2 keys.

One for login, another to complete the transaction.

Both with messages that the bank only asks one per session.

Very true

[Chrisq]

A key finding from the Security expert Ross Anderson is:

Another unexpected nding was the relationship between risk and security investment. One might expect that as US banks are liable for fraudulent transac- tions, they would spend more on security than British banks do; but our research showed that precisely the reverse is the case: while UK banks and building soci- eties now use hardware security modules to manage PINs, most US banks just encrypt PINs in software. Thus we conclude that the real function of these hardware security modules is due diligence rather than security. British bankers want to be able to point to their security modules when ghting customer claims, while US bankers, who can only get the advertised security benet from these devices, generally do not see any point in buying them. Given that the British strategy did not work - no-one has yet been able to construct systems which bear hostile examination - it is quite unclear that these devices add any real value at all.

Re:Very true

[stephanruby]

Thank you. The entire paper is actually a very good read.

Re:Very true

[IamTheRealMike]

Except that's garbage (for some reason I often think this about stuff Ross Anderson writes).

That paragraph basically asserts that CAP/EMV doesn't work at all, despite a lot of evidence to the contrary - like a sharp fall in fraud rates after the systems introduction. It also is based on the massive misconception that US banks are liable for fraudulent transactions. That is not the case. Typically in the case of fraudulent wires, US banks will simply reverse the transactions. ACH fraud is a huge problem for businesses that operate in the USA because ACH transfers are so soft. Banks there routinely "take back" transfers which turned out to be triggered by malware or phishing leaving the recipient of the stolen funds, often a hapless mule, out of pocket. Look at the problems the TradeHill bitcoin exchange had with this, where bad transfers were used to buy Bitcoins and then silently reversed months later by the banks.

The fact that Anderson seems to believe US banks eat the losses caused by their poor security undermines his whole argument. They don't; random victims do. Therefore unsurprisingly they don't invest in better security technology. And - reality check - digitally signing destination account numbers and transaction values with smartcards is better than asking users for an answer to their "secret question". Only somebody way off in academic lala land would believe otherwise. Anderson and his team have published a variety of papers on attacks against these systems, many of them somewhat theoretical or which have been patched later. For him to claim that because often quite obscure flaws have been found in the past, these systems "do not work", I find quite astonishing.

Re:Very true

[quacking+duck]

Similar idea with chip-and-PIN credit cards. It's not to protect you, it's to protect the issuer/bank.

"The PIN entered matched your credit card chip, our Chip-and-PIN system is secure, so you're obviously trying to defraud us."

Re:Very true

[Chrisq]

How strange, I didn't notice - but copying and pasting again and the same thing happens!

Re:Very true

[Chrisq]

s after the systems introduction. It also is based on the massive misconception that US banks are liable for fraudulent transactions. That is not the case. Typically in the case of fraudulent wires, US banks will simply reverse the transactions.

Do you really think that European banks don't reverse illegal transactions when they can? Surprise surprise, no bank anywhere will say "well you got that money fraudulently but you might as well keep it now". The issue is where people do multiple transfers to give themselves time to withdraw the money or purchase high-value resealable goods, so there is no money to refund. This is where bank's liability comes in.

It's always the fault of that 1%

[Taco+Cowboy]

Phishing, as we all know (at least those of us who frequent sites like /.) is a scam - and we also know that we should be responsible for our own action, however stupid it might turn out to be

But there are people who will never want to be responsible for any of their own action, and they will tell you that it's all the fault of that "1%" --- including those "banksters", and those "judge"

Re:It's always the fault of that 1%

[ByOhTek]

Not necessarily - You can take responsibility for your actions and still believe that bankers (more precisely, many investors) are not held accountable for their losses.

That "1%" has the ability to screw things up and still get huge bonuses/payments equal to what would take someone with an average salary 50-100 years to make. Not is not being held responsible. Even someone who is responsible for their actions, ESPECIALLY someone who is responsible for their actions, can see that.

* note - I had not money lost in the meltdown, but at the same time, if I screw up like some of those people did, in my job, then I'd be fired on the spot, and rightfully so. Likewise, if I were dumb enough to enter my data to fraudulent site, then it would be my responsibility to fix the issue, and rightfully so.

Re:It's always the fault of that 1%

[L4t3r4lu5]

Likewise, if I were dumb enough to enter my data to fraudulent site, then it would be my responsibility to fix the issue, and rightfully so.

Does that apply if you are unaware of the fraud? For instance DNS hijack, MITM attack, both of which ensuring the first instance of you knowing of compromise is when you check your statement or the bank freezes your account? What about if your card is skimmed? It's happened to me, and I only ever use ATMs on bank buildings and am meticulous about shielding my PIN.

A lot of this isn't relevant to the story, but your statement is overly vague.

Re:It's always the fault of that 1%

[neonKow]

Yes! Absolutely! Why does everyone feel so entitled to be unaware of their own finances and security to the point of blaming the BANK for a scam?

Obviously the scammer broke the law. But if you can't catch the scammer, it doesn't give you the right to go find the next convenient party and blame it on them.

In this case, the scammer made a site that looked like the banks, but if the site looked like paypal's or the state lottery, and demanded your bank information, do you blame it on paypal/lottery? Obviously not, because they had nothing to do with the scam. Same with the bank.

Welcome to the real world, where if you're unaware of a mistake, it's still your mistake (for giving out 10 TAN codes and ignoring the phishing warning). Catch the crook if you can, but don't blame the service provider for not making their service idiot-proof, especially if you have other banking options anyway.

Re:It's always the fault of that 1%

[Golddess]

While I agree that if it can be reasonably assumed that the account holder should have known something was wrong, it is their fault and theirs alone, and the bank should not be held liable. But your statement doesn't really address the situations that L4t3r4lu5 brought up. Namely, DNS hijacking. You could have clicked your bankofamerica.com bookmark like you always do, and be totally unaware of the fact that you are actually visiting istealyourcash.com. And with the stories about SSL certs being fraudulently issued by some providers, you might not even see any sort of phishing warning.

Now I still agree that in such a scenario, it would not be the bank's fault, but might they still be liable for correcting it? I mean, L4t3r4lu5 also talked about card skimming, which I don't know if it's a law thing or if banks simply provide it to attract customers, but generally I thought that the account holder was not liable for ATM and credit card transactions that they did not approve. So why wouldn't the same policy apply to the above scenario?

Re:It's always the fault of that 1%

[Maxo-Texas]

The older people get, the easier it is to rob them and take advantage of them.

Partly ignorance and partly weakening faculties.

We need to protect people.

Re:It's always the fault of that 1%

[gx5000]

How does it matter in the end ? The bank traced the money correct ? They will reclaim it no problems and defraud this poor naive bloke ?

Re:It's always the fault of that 1%

[tragedy]

Why does everyone feel so entitled to be unaware of their own finances and security to the point of blaming the BANK for a scam?

Bear in mind that we're discussing this on a site that presents itself as "News for Nerds". Those discussing this are probably among the top 5% of people in the area of computer/security savvy. Most people probably don't even know how to check a link before clicking on it, but for everyone here, such a basic security step is second nature. The banks are doing business with all of those other people as well as with us. They do have some basic responsibility to provide security that most people can work with. The problem is, they don't. The kind of security banks provide seems to be stuck somewhere around the early 20th century or late 19th rather than the 21st

Take credit cards. An unchanging series of numbers given in the clear for every transaction. Their biggest security "innovation" in recent years is 3 or 4 extra digits written on the back of the card. Wow, that's real security genius. The kind of technology to create a secure, hidden key based, authentication system has existed for decades, but the banks stick with primitive technology and broken security practices. Given that, it's hard not to blame the banks when these things happen.

Re:It's always the fault of that 1%

[ByOhTek]

>Does that apply if you are unaware of the fraud? For instance DNS hijack, MITM attack, both of which ensuring the first instance of you knowing of
> compromise is when you check your statement or the bank freezes your account? What about if your card is skimmed? [geek.com] It's happened to me,
> and I only ever use ATMs on bank buildings and am meticulous about shielding my PIN.

The only case that I really think could be the bank's fault, is the first two, and then only if the hacker got the bank's cert, and were using it. Otherwise, it is just as much my fault for using my particular DNS/ISP/etc. It certianly isn't the bank's fault. All of these cases, it's good business practice for the bank to help out - "protecting customer money" and giving them a sense of security using that bank - however it is not the bank's responsibility unless they screw up. I would have more choices in what happened, than they do.

Re:It's always the fault of that 1%

[ByOhTek]

If the bank tracks the money down and can retrieve it, it should definitely go back to the person it was defrauded from - however these institutions are not perfect or omniscient - they can't always track it down.

There is a maximum level of customer stupidity...

[gweihir]

... for which the bank still is liable. In this case, the customer grossly exceeded that level IMO.

However, what I am wondering is why the Greek bank (that could not identify where the money had gone to) is not liable. That is the real problem I see here. AFAIK, a bank has to be able to cancel a transfer up to 6 weeks after the transfer at the sending bank's request. So either the customer not only gave away 10 TANs despite being warned, he also failed to notice the transfer for quite some time, or something else is amiss here that the news story does not tell.

So what

[cygtoad]

Seriously, I don't entirely disagree with this ruling. Why should the bank pay for losses from these phishing scams? It is not like there was a breach of their systems. The breach was entirely on the client side. Am I missing something here?
I expect my bank will do what it can to protect me from scams, but they can't protect me from every stupid way I might be duped.

Re:So what

[Robert+Zenz]

The ruling was that banks do not pay for losses from phishing and can not be held reliable for stupid customers.

Re:So what

[krept]

I think the ruling was that clients are responsible for the losses.

Just my two cents

[timerider]

since noone here seems to bother to actually find out what was going on:

german banks do use a two factor authentication scheme:
- to log in you need your account number and a five digit pin
- to authorize a transaction after logging in, you need one out of 100 one-time-use 4 digit pins; The bank issues you 100 of those at a time, and then chooses one of them randomly when you enter a transaction ("Please enter pin number 17").

In this particular case the victim had:
- fallen for a phising website / trojan / keylogger, even after all the warnings in the german IT press (how else would the crooks get his account number and superpin)
- entered at least ten different PINs on one page, which the banksspecifically tell customers to NEVER do. all the bank pages have a big fat "We NEVER ask you for more than one pin" warning labels.

In other news: man drank nitroglycerine then went to jump around on a trampoline, widow sues maker of nitroglycerine.

Re:Just my two cents

german banks do use a two factor authentication scheme: - to log in you need your account number and a five digit pin - to authorize a transaction after logging in, you need one out of 100 one-time-use 4 digit pins; The bank issues you 100 of those at a time, and then chooses one of them randomly when you enter a transaction ("Please enter pin number 17").

While I agree with your general point, what you're describing might be the minimum requirements; for example, at ING-DiBa:
- to log in you need your account number + an 'ID' number at least 7 digits long + a virtual keyboard-input 6-digit PIN
- to authorize a transaction, you need a 6-digit m-TAN sent by SMS

In short, you can often find a bank paying more attention to security...

Re:Just my two cents

[bickerdyke]

Nowadays, yes. The case from the article happend 2008.

Re:Just my two cents

[Golden_Rider]

german banks do use a two factor authentication scheme:
- to log in you need your account number and a five digit pin
- to authorize a transaction after logging in, you need one out of 100 one-time-use 4 digit pins; The bank issues you 100 of those at a time, and then chooses one of them randomly when you enter a transaction ("Please enter pin number 17").

While I agree with your general point, what you're describing might be the minimum requirements; for example, at ING-DiBa:
- to log in you need your account number + an 'ID' number at least 7 digits long + a virtual keyboard-input 6-digit PIN
- to authorize a transaction, you need a 6-digit m-TAN sent by SMS
In short, you can often find a bank paying more attention to security...

My (German) bank recently switch to a smart TAN system with a card reader. To authorize any transaction, you need to insert your debit card into the reader and then have the reader pick up some flashing bar code transmission from your screen. You then can verify the transaction on the display of the reader (amount, account number, etc.) and if everything is correct, you then use the TAN the card reader generated to authorize the transaction on your computer. So if anybody wants to transfer some money from your account, he would need a.) the password to log onto the banking website b.) your debit card and c.) your specific card reader (every bank account is linked to one specific card reader). The whole thing looks similar to this: https://www.volksbank-forchheim.com/files/smarttan_leser_klein.jpg

Re:Just my two cents

[sociocapitalist]

You are accurate but a one time physical token (ie SecureID) would still be safer for the customer. The bank SHOULD be using these (my bank does) and as they are not then arguably they are to some degree or another responsible.

Re:Just my two cents

[Edzilla2000]

Actually it used to be taken as medicine, so I'm guessing it's more or less safe in small amounts.

Re:Just my two cents

[AmiMoJo]

entered at least ten different PINs on one page, which the banksspecifically tell customers to NEVER do. all the bank pages have a big fat "We NEVER ask you for more than one pin" warning labels.

One common trick to defeat that is the fake "sorry you entered the wrong PIN, please enter a different one" scam. Admittedly doing this 10 times is a bit excessive, but of course we don't know that it was all in one transaction and may have been spread over several.

In fact you are assuming it was all done in one go, where as it sounds like he probably made 10 separate legit transactions and each of them was hijacked and turned into a non-legit one. Maybe he paid some bills online over the course of a month and didn't get any "you haven't paid" reminder letters until weeks after the fraud started.

I didn't RTFA and have no idea if this is actually what happened, I'm just saying we can't assume every victim is a moron.

Bi-directional authentication

[PSVMOrnot]

It has irked me for quite a while how lacking internet banking is in terms of security. That is not to say that the measures they have implemented are ineffective, but rather that they miss out on entire classes of security. It's as though they stick a bunch of locks on the front door, but leave the bathroom window wide open.

The most obvious one: bi-directional authentication. Banks require you to prove you are who you say you are. This is done by a variety of methods from passwords to hardware card reading gizmos which spew out a limited time code. What they neglect to do is prove that they are who they say they are.

If the first step in authenticating your identity was one which authenticated the bank's then it would be a lot harder for phishers to pretend to be your bank.

Re:Bi-directional authentication

[Cederic]

Cryptographic transaction signing. Already implemented on my bank account.

Some clarifications

[bickerdyke]

#1: this happend in 2008. Since October 2009, there is new legislation in place that, that shifts liability to the bank (except in cases of gross negligence on the side of the customer) It's the bank that save money by offering online banking instead of traditional counters, so they are responsible for making that process secure.

#2: There is not a single bank anymore that uses plain one-time transaction codes anymore.

#3: A few months ago another german court ruled that it's enough for a customer to have up to date virus software for due diligence. That's all a bank can expect from customers with typical, average computer knowledge.

#4. On the other hand (and that's what's the actual rationale behind this story here), a bank can expect customers to understand and remember a security advice along the lines of "We will never ask you for more than one transaction code in a row and we will never ask you for a transaction code at all unless you want to make a transaction in the first place"

So there is not much relevance to this story.

Re:Some clarifications

[bickerdyke]

He ignored the banks security warnings, and that's why _he_ is responsible for his losses.

Nothing to see here. please move on.

Stupidity still isn't protected by the law.

Re:Some clarifications

[zAPPzAPP]

The difference as I see it is, that before, as in this case, a whole number of one time codes (called TAN) was issued to a customer at once.
Any one of these TANs (by free choice of the customer) would be enough to permit a single transaction. After that it would be 'used up'.

Nowadays, the banks (that I know of) still issue a lot of TANs to their customers. But when an order needs to be authorized, they now ask for a specific TAN.
As in "give us TAN number 42". Any other TAN, even though not used yet, won't do.

Re:Some clarifications

[sociocapitalist]

I find it easy enough to image someone who is not an expert in computers going to the wrong web page (ie typo in the bank name www.banksrsu.com instead of www.banksrus.com) and being faced with username, login and ONE code entry...which doesn't work and so the page reloads and they're asked for ANOTHER code entry. Granted most people would give up after trying a few times but nonetheless it's trivial to get a minimum of three or four codes + username and password information.

I have a card from one of my banks where there are eight columns and six rows giving 48 codes which the bad guys now have three or four of. If they are persistent or lucky they might just be able to initiate a wire transfer out of my account (I have no idea if the bank locks the account after several bad code entries but I suspect not as they assume valid username & password).

One time tokens (ie securID) should be required for ALL bank accounts for any and all online transactions.

Re:Some clarifications

[AmiMoJo]

It's the bank that save money by offering online banking instead of traditional counters

Plus they want everyone to shop online with confidence because that means credit/debit card fees going to them. Making all purchases with plastic instead of cash is a bank's wet dream.

A few months ago another german court ruled that it's enough for a customer to have up to date virus software for due diligence.

Interesting. How do they check? Do you have to submit your PC as evidence? Also I have anti-virus software installed and up to date but not in active scanning mode, I just do on-demand scanning of downloads and a weekly full scan. Does that still count?

Come to think of it Windows 7 ships with Windows Defender built in and active by default. Does Windows Defender count or do you have to install something else?

What happens if the user has one of those scam anti-virus programs like Windows Antivirus 2012 that pretends to find lots of infections but really does nothing? They could believe they have anti-virus software installed.

On the other hand (and that's what's the actual rationale behind this story here), a bank can expect customers to understand and remember a security advice along the lines of "We will never ask you for more than one transaction code in a row and we will never ask you for a transaction code at all unless you want to make a transaction in the first place"

Won't necessarily help. The more complex scams actually log in to the legit bank website using the details you supply and feed you the real account data from it. They wait for you to make a legit transaction and simply change the destination account quietly. You enter your PIN, they use it on the legit banking site to authorize the transaction and you are none-the-wiser. Only one PIN required.

Re:Some clarifications

[bickerdyke]

You raised a few valid points, but they haven't been decided on by the courts as far as I know.

The attack vector from your last paragraph won't work with the security measures currently in place. Before clearing a transaction, you receive a SMS with the details of your transaction and you have to confirm it with a hash that's included in that message. Alomst all security systems require a confirmation with an externally generated hash, be it mTAN as I desecribed or TANS generated by an external device.

Re:Some clarifications

[Gamasta]

This. With an exception to #2: I'm still using one-time codes as of now (Commerzbank), though they offered to change it. I've refused so far.

Re:Some clarifications

[Cederic]

Can someone knowledgable in cryptography explain why a "one-time pad" system isn't a good solution security wise for online banking?

Because it's got nothing to do with cryptography. A one-time pad is a shared key use to encrypt/decrypt information, where
- use of the key just once adds to its security by providing far less data from which to try and spot patterns and decrypt the message.
- by not using a shared key, fewer copies exist, reducing the chance of acquiring a copy

A one-time transaction code is an authentication mechanism. It's a token saying, "Yeah, this transaction is real". If I know your one-time transaction code, I can attach it to my transaction and it'll still say, "Yeah, this transaction is real" whether it is or not.

So if I can get you to tell me your transaction code - or better yet, your next ten codes - I can issue a transaction with your confirmation that it's valid. The bank merely checks that you've validated the transaction and completes it, and I walk away with $5k.

No crytography was involved (which is why I've answered, despite being a muppet when it comes to cryptography).

German courts

[ffflala]

The German judicial branch's approach is often a fascinating contrast to that of US state and federal courts. Germany has specialized highest courts for specific subject matters: tax, admin, labor, social, constitutional... and the high court in TFA.

As an example: the Bundesverfassungsgericht (the highest German conlaw court, not the highest "ordinary" court in TFA) decreed it unconstitutional to publicly print (or run big news stories about) the names of notorious, convicted criminals, once the criminals have completed their sentences and have been released. The idea is that imprisonment is supposed to be such a thing that, once a person is released, they have actually been rehabilitated to the point where they can once again function in society without posing a threat to the well-being of others.

Given the depth of the cultural grab of the US first amendment --freedom of speech, baby!-- the thought that one shouldn't be able to print the names of convicted criminals in news media probably sets off all sorts of knee-jerk 1st amendment concerns. But given the realities of prison, enforcing that the prison goals of rehabilitation and public safety over raw punishment seems to me a wise approach that I wish the US would adopt. But over here, such a concept probably sounds like something that would be characterized as deplorable, pollyannish weak liberal democrat thinking.

I've read a handful of English translations of the decisions of the Constitutional Court/Bundesverfassungsgericht (the German conlaw court, not the "ordinary" court in TFA). Last time I checked, most of the text of the most useful read I found is here: http://goo.gl/dlwi9 [goo.gl]

Re:There is a maximum level of customer stupidity.

A bank is not required to be able to cancel money transfers, not for 6 weeks, not even for one day. That requirement only applies to debit transactions.

I'm okay with this ruling, but ..

[Weezul]

In fact, creating an "incentive not to be stupid" is an incredibly stupid reason that almost no court would adopt.

In this case, the bank has already taken all measures the court felt "reasonable". Ain't possible to reverse international bank transfers like one reverses credit card transfers though.

It isn't that the customer was stupid, but that the customer has exhausted the banks serious attempt at securing their money. And trust me German banks foist much more security upon their customers than American banks.

They do what they can

[Sycraft-fu]

My bank authenticates itself in two ways:

1) Using an Extended Validation certificate, so it shows up in green in the browser (instead of blue) and lists the full name of the bank.

2) By showing me an image and phrase I chose on the login page.

I can't really think of how they can do more to prove it is them, without really getting annoying. They also allow me to use two factor authentication (which I have elected to use) and require it when any change is being made to the account like adding a payee or the like.

Is it perfect? No but I'm not seeing a whole lot more they can do and still keep things easy.

I'm a little confused here.

[Tastecicles]

From some of the comments I've read, the banks are responsible for the stupidity of individuals? Am I reading that correctly?

That it falls to a court to decide that in fact the opposite is true, and that just maybe for one tiny moment common sense kicks in and the court says "Actually, you did a dumb thing, despite the warnings all over your account literature, newspapers and broadcast media, now eat the consequences of your ill-considered actions", and the bandwagon collapses under the weight of people who bleat as one "But it's all the banks' fault! They can eat the losses!" Maybe they can, but then if one pensioner does it, and the bank eats it, how many more before it becomes too many and "too big to fail" actually... fails?

Unbefuckinglievable.

I'm with the court on this one. Idiot did idiot thing, idiot can reap the consequences.

Re:I'm a little confused here.

"the banks are responsible for the stupidity of individuals"

No, the banks are responsible for their lack of transaction security.

"Medallion signature guarantee"

Banks could also require people to show up in person at a designated branch, present five different forms of identification, sign fifteen release forms, and swear a blood oath to Odin before agreeing to any transaction whatsoever.

That's a passable description of the Medallion signature guarantee process http://www.sec.gov/answers/sigguar.htm and unsurprisingly many banks require you to go through that to transfer your IRA out of their bank but never require it when you transfer your IRA in.

IOW, ont when it benefits the banks do they require high security.

Re:in person banking

[ledow]

Try it in some countries.

Some banks barely have counters any more, and my last bank had one serving member of staff for a whole branch (imagine lunchtimes, where all the local businesses come in to put their cash in, or end-of-the-day queues).

Sure, there are funny machines you can do it on, but not if you're a business, not if you're paying cash, not if the Moon is in the seventh quadrant...

And guess what, the queue forms for the cashier because THEY NEED THE CASHIER, because their concerns cannot be met online or by a machine (mainly because the banks stop you doing anything but giving them money by those processes).

You can book an appointment days in advance if you want, so long as it's not at the weekend, or outside normal business hours, and speak to a human for about 10 minutes. Who will then log into the bank's private computer system and do what you need. But if you don't book and you wait in the queue, chances are it'll take hours for a real human to come see you because a) there's one cashier and b) everyone else booked appointments.

Literally, in 2001, my bank had three counter staff, one milling around in the public area to answer questions, and managers were available by appointment or on request. By 2006, there was one single counter staff and NOBODY else except if you kicked up a fuss (like I was forced to several times). I stopped going into banks shortly afterwards. And was it only this bank? No. All three banks in the same town, all large branches of major UK highstreet banks, barely had people visible. Those that were were there to tell you how to use the machines in the branch (which couldn't do 90% of things people use a bank for).

That's *why* online banks took off. If your bank is entirely online (which a few banks are now), then you can do EVERYTHING yourself at your convenience 24 hours a day. Even closing the damn account, which can take HOURS in person.

It used to work. Then the banks realised they could save on people's pensions, so they removed all the staff and went online (some to the extent that they only trade online). Want to speak to a human? Either make an enormous fuss or (nowadays) tell them you'll be applying for a mortgage (they'll fall over themselves to give you an appointment, and then you can discuss their stupid fees for going overdrawn only because they charged you other fees instead).

Re:There is a maximum level of customer stupidity.

[gweihir]

Despite you being an AC, I will answer that: This is an European case, the laws are different here.

Re:There is a maximum level of customer stupidity.

[gweihir]

Despite you being an AC, I will answer that:

Cash withdrawals that exceed the booked balance (i.e. plus 6 weeks in the case of a bank transfer) plus the credit limit are not possible or at the risk of the bank. Remember though that this is Europe, in the states this is likely very much different. I admit that my knowledge of this is a few years old. It is possible that they have changes some things.

As to your scenario: That is easy. The idiot that gave their bank card gets full liability. Same as for "finance agent" that pass bank transfers onwards via Western Union and the like. The funky thing in this case is that the Greek bank seems to have been unable to identify who the money was paid to.

Makes sense in the German context

[Hans+Adler]

(I just lost a longer response because I followed the Options link from the preview, not knowing that if I change my options it will nuke my comment.)

First you should keep in mind that the banks love internet banking because it saves them a lot of money. And from a purely formal point of view the fraud started with the bank transferring money abroad in the mistaken believe that their customer asked them to do that. As he didn't, he can ask for his money back *unless* they can prove it was really his fault.

If you look at it with the logic of fairness and efficiency, rather than the logic of individualism, then the situation is as follows:

To minimise the fraud, the damage must be shouldered by whoever is in the best position to prevent it. (If the ultimate victim can't do anything to prevent the fraud, and those who are in a position to increase security have no incentive to prevent it, then we have a problem.) If the fraud is possible due to the customer's recklessness, then the customer should pay. If it could have happened to almost every customer, then it's outside the customer's control and the banks should pay. In borderline cases it is more efficient if the banks pay as well: If they are losing too much money to fraud they can improve security to reduce it, or they can raise their fees, acting in effect as a very cheap and efficient insurance company for their customers if you believe that the customers should be liable.

That's why the considerations in the decision were somewhat analogous to those in an insurance case.

Re:There is a maximum level of customer stupidity.

[gl4ss]

european banks will let you withdraw your balance to zero(even if you had bad credit rating) the minute the cash hits the account. the canceling of valid(technically) transfers is definitely not available to private individuals either, so the 6 week limit if it exists might just as well not exist at all(I suppose they might use it in cases of botched db run transfers etc, which do happen, some people got their tax refunds in finland twice last fall for example..).

no doubt emptying was done at the greek end - or the money was sent as some sort of redeemable to cash transfer instead of one that hit some pensioners shill account first..

Fixed the title

"German Court Rules That Clients Responsible For Phishing Losses Caused By Their Own Gross Negligence"

For the benefit of the hapless customer, here are a few tips:

1) Your bank has a very good reason for repeatedly warning against sites asking you to never enter a string of TAN codes for a good reason.

2) There is no such thing as the "wallet inspector". Even if such a position existed, the tracksuit clad kid who took your wallet earlier today must surely have seemed an odd choice for such an important position.

3) No, it is not normal for your wife to be spending so many weekends traveling with the orchestra? Wouldn't you think it odd that she has no interest in music, and doesn't play a single instrument?

4) The bridge you bought is in fact the property of New York City. Didn't you think it odd that the wallet inspector from the park yesterday was the same guy going door to door last week selling prominent American landmarks?

Financial meltdown

[machine321]

Well, it's good to see that Germany is finally sending money to Greece.

A bank can cancel a transaction

[e70838]

when it makes a mistake. Why the bank could not cancel a transaction when it is a fraudulent transaction. Transaction cancelling is not exceptional because bank employees are human. The only explanation of the fact that bank refuse to cancel fraudulent transaction is that they earn a lot with fraud. Or maybe someone knows better than me. My main source is my wife that tells me about the huge mistakes she discovers and fixes.

My bank would have taken responsibility.

[JustAnotherIdiot]

Mostly because they would have seen this 5k transfer, it would raise some flags in my account, they would stop the charge and call me.
This has happened several times when I've lent money to a few of my friends.

New Business model?

[nurb432]

Phishing insurance.

No SPF, no DKIM

[snsh]

nslookup of SPARDA.DE. shows no SPF record for the German bank's domain. They probably haven't implemented DKIM either.

I'd say the bank is liable. Any bank should a security IT professional telling them that a combinationof SPF and DKIM is a necessity for any bank with customers prone to pfishing. It's not enough to tell customers to "watch out for pfishing". If the bank acknowledges pfishing, then it needs to do something to prevent it. This usually means a strict SPF setting to filter out spam, plus a DKIM/Domainkey infrastructure to distinguish false positives.

Re:No SPF, no DKIM

[cdrguru]

Sorry, SPF is meaningless. When registrars will provide obvious domain names that are in conflict with legitimate businesses. For example, you have www.bankofamerica.com, which has EV SSL and is the real site. OK, so now user gets an email from www.bankofamericachecking.com and provides a link to - you guessed it - www.bankofamericachecking.com. Of course this site doesn't have much longevity because it is hosted in the US.

Alternatively, you have the site hosted in Netherlands (with strong privacy committments) or China (who thinks ripping off Americans is funny) and it could last a couple of months.

The point is, as long as a registrar will issue a domain name like www.bankofamericachecking.com the system is completely screwed up. Yes, you can also get an EV SSL certificate for www.bankofamericachecking.com from some folks. All you need is proof that you have some connection to "americachecking" or some part of the name like that. Not every SSL provider will do it, but the ones that will are likely well known in the phishing circles.

So SPF means nothing if you control the domain. Which is easy enough.

Re:No SPF, no DKIM

[snsh]

However, SPF still stops phishing emails forged from BANKOFAMERICA.COM. Sure, it's not perfect, but it helps.

To put it another way: "The perfect is the enemy of the good."

I kind of like the Conexus system

[msobkow]

I recently switched to the Conexus Credit Union here in Regina, Canada.

I've used online banking for years, but Conexus is the first bank to require a cookie that they set into my browser. Setting the cookie is a special registration process that asks you to answer one of the "secret questions" that you set up when you enable the online banking services for your account.

The net result is that you can't even try to log in with a computer or device that hasn't been "registered" by answering such a question. It may not be full two-factor authentication, but it's a heck of a lot better than the account number/password combination that every other bank I've ever dealt with uses.

It's the next-best thing to real two-factor authentication with a hardware dongle or id-code sheet such as used by the German banks described in the article.

As to bank liability: I agree with the German courts. No matter how many times you warn people, no matter how clearly you explain the risks, there will always be a few people who don't read the warnings, ignore the warnings, or otherwise compromise their own security. As long as the bank has not been leaving an insecure protocol or technology in place that they knew (or should have known) could be breached, it's the consumer's own damned fault.

What's next? A cell phone wielding driver suing the cell phone maker for damages because they got in a car accident despite it being illegal to use a cell phone while driving in their jurisdiction?

So, to be fair,

[Khashishi]

when the Bank makes an error and deposits 50000000 credits into my account, the bank is responsible, right?

Leaving your car unlocked

[coyote_oww]

I had thieves cut my convertible top in 3 places - it took three tries for them to get a hole they could reach the lock from, they were that stupid. So it is perhaps unsuprising that they only made off with a couple of very old used cassette tapes (with Christian rock on them, so maybe they needed them more than me). Since that time, I do not routinely lock the doors, and with the convertible, I have gone so far as to leave the top down when parking in San Franciso tourist areas. Nothing ever got molested. The seagulls worried me more.

I've only ever lost stuff from locked cars.

Re:Leaving your car unlocked

[tgd]

I had thieves cut my convertible top in 3 places - it took three tries for them to get a hole they could reach the lock from, they were that stupid. So it is perhaps unsuprising that they only made off with a couple of very old used cassette tapes (with Christian rock on them, so maybe they needed them more than me). Since that time, I do not routinely lock the doors, and with the convertible, I have gone so far as to leave the top down when parking in San Franciso tourist areas. Nothing ever got molested. The seagulls worried me more.

I've only ever lost stuff from locked cars.

I can second that, on all accounts. Especially the concern about the seagulls. I usually throw towels over the seat, but I've come back to bombs dropped in the cupholders, and once on the shifter. Never had anything taken out of a car left with its windows down or the top down.