German Court Rules That Clients Responsible For Phishing Losses
benfrog writes "A German court has ruled that clients, not banks, are responsible for losses in phishing scams. The German Federal Court of Justice (the country's highest civil court) ruled in the case of a German retiree who lost €5,000 ($6,608) in a bank transfer fraudulently sent to Greece. According to The Local, a German news site, the man entered 10 transaction codes into a site designed to look like his bank's web site and his bank is not liable as it specifically warned against such phishing attacks."
These sorts of cases are really hurting the customer; banks have no reason to invest in a serious authentication scheme for online banking. It's a joke, my bank uses a password and some random question about me. At the very least they need to offer a true two-factor solution, preferably token or certificate based.
Why? How should a bank discover the fraud, if everything is authenticated correctly?
Is a bank also responsible for your losses if a guy comes to your front door, poses as a bank clerk and you cut him a cheque?
I do kind of agree with this; beyond a certain point of security measures, information campaigns and automated fraud-protection mechanisms it starts getting unreasonable to expect the banks to take financial responsibility for their customers' stupidity.
Now I agree that the bar should be set very high, but at some point you have to accept that there are very stupid people out there who will do everything in their power to circumvent the things you put in place to protect them from themselves and it's not really fair that the rest of us should have to pay to bail them out (which is essentially what happens, the banks inevitably pass on the costs of fraud to their customers).
What? Read the article. The person who committed the act of stupidity is the person paying for it. This is the way it has to be.
If the banks paid for the stupidity of this man there'd be no incentive not to be stupid.
Why?
The judge is right, there's no real viable way the bank can protect against this; even more modern protection schemes involving SMS messages still involve the end user, and if he happily provides the received code to www.illtakeyourmoneythanks.ru despite numerous warnings from the bank (I have a similar bank, they clearly try to educate their users, but as always most users would rather be lazy than informed), well, then there's really no way you can still blame the bank.
I know a large number of users here are from the US and used to credit payments (as opposed to debit, which is the case here). Credit cards generally involve some (at first glance) better customer protection by laying all the risk at the seller, but debit cards almost never do this (and there's no need really).
I wouldn't go so far as to call the victim in this case an idiot, I don't know the guy, and it sounds like something that 1 in every 5 people who operate a computer would fall for at some point or another. But not following safety instructions from your bank, when they're clearly displayed EVERYWHERE, and get sent to you in both real letters and as regular email updates, well, I'd say the bank tried. My bank even gives free financial and online security seminars for people who aren't sure they understand what all the fuss is about.
Phishing, as we all know (at least those of us who frequent sites like /.) is a scam - and we also know that we should be responsible for our own actions, however stupid they might turn out to be
But there are people who will never want to be responsible for any of their own actions, and they will tell you that it's all the fault of that "1%" --- including those "banksters", and those "judges"
Muchas Gracias, Señor Edward Snowden !
... for which the bank still is liable. In this case, the customer grossly exceeded that level IMO.
However, what I am wondering is why the Greek bank (that could not identify where the money had gone to) is not liable. That is the real problem I see here. AFAIK, a bank has to be able to cancel a transfer up to 6 weeks after the transfer at the sending bank's request. So either the customer not only gave away 10 TANs despite being warned, he also failed to notice the transfer for quite some time, or something else is amiss here that the news story does not tell.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
The problem with this ruling is that the customer hardly had a chance. The bank offers an authentication protocol that is vulnerable to a widespread and difficult-to-defend-against type of attack. The bank knew that the protocol isn't secure and even warned about the vulnerability. All this despite the availability of protocols which are much more secure.
Suppose a credit card company told you to keep your credit card number secret and declined responsibility for fraudulent transactions because you once handed your credit card to a waiter. Would that be OK? If the bank offers a vulnerable protocol, it should bear the damage.
Since no one here seems to bother to actually find out what was going on:
German banks do use a two-factor authentication scheme:
- to log in you need your account number and a five-digit PIN
- to authorize a transaction after logging in, you need one out of 100 one-time-use 4-digit PINs; the bank issues you 100 of those at a time, and then chooses one of them randomly when you enter a transaction ("Please enter PIN number 17").
In this particular case the victim had:
- fallen for a phishing website / trojan / keylogger, even after all the warnings in the German IT press (how else would the crooks get his account number and super-PIN)
- entered at least ten different PINs on one page, which the banks specifically tell customers to NEVER do. All the bank pages have big fat "We NEVER ask you for more than one PIN" warning labels.
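The indexed TAN list described in this comment (a numbered list of 100 single-use codes, the bank asking for one index at random per transaction), modelled as an added example that is not code from any bank. It also makes the point of the "never more than one PIN" warning concrete: a bank-side verifier that accepts only the index it asked for can be answered by someone holding a handful of harvested codes only when the random index happens to fall among them, and by someone holding the whole list every time. Function names and the seeded random source used for reproducibility are assumptions of this example.

```python
import hmac
import random
from dataclasses import dataclass, field
from typing import Optional

LIST_SIZE = 100
CODE_DIGITS = 4


def issue_tan_list(rng=None, size=LIST_SIZE):
    """Bank side: generate a fresh list of `size` random single-use codes.
    `rng` defaults to the OS CSPRNG; a seeded random.Random can be passed for tests."""
    rng = rng or random.SystemRandom()
    return [f"{rng.randrange(10 ** CODE_DIGITS):0{CODE_DIGITS}d}" for _ in range(size)]


@dataclass
class TanAccount:
    """Bank-side record: the issued codes, which ones are spent, and at most one
    outstanding challenge (the index requested for the pending transaction)."""
    codes: list
    spent: set = field(default_factory=set)
    pending: Optional[int] = None   # 0-based index the bank is currently asking for

    def challenge(self, rng=None) -> int:
        """Pick an unused index at random; this is the 'Please enter PIN number N' prompt."""
        rng = rng or random.SystemRandom()
        unused = [i for i in range(len(self.codes)) if i not in self.spent]
        self.pending = rng.choice(unused)
        return self.pending + 1          # printed lists are numbered from 1

    def verify(self, index_1based: int, code: str) -> bool:
        """Accept only if a challenge is outstanding, the code belongs to exactly
        the index asked for, and that index has not been used before."""
        i = index_1based - 1
        if self.pending is None or i != self.pending or i in self.spent:
            return False
        self.pending = None              # the challenge is consumed either way
        if not hmac.compare_digest(self.codes[i], code):
            return False
        self.spent.add(i)                # single use: never accept this index again
        return True


def honest_transfer(account: TanAccount, paper_list, rng=None) -> bool:
    """The customer holds the full list and answers the exact index asked."""
    n = account.challenge(rng)
    return account.verify(n, paper_list[n - 1])


def answer_from_harvested(account: TanAccount, harvested: dict, rng=None) -> bool:
    """Whoever holds only `harvested` (1-based index -> code), e.g. the ten codes
    typed into a fake page, can answer only if the bank asks for one of them.
    Returns whether the bank accepted the transaction; used here to show why the
    bank insists on one code per transaction."""
    n = account.challenge(rng)
    code = harvested.get(n)
    if code is None:
        account.pending = None           # challenge expires unanswered
        return False
    return account.verify(n, code)


if __name__ == "__main__":
    codes = issue_tan_list()
    account = TanAccount(list(codes))
    print("honest transfer accepted:", honest_transfer(account, codes))
    print("ten harvested codes accepted:",
          answer_from_harvested(account, {i + 1: codes[i] for i in range(10)}))
```

With the full list an attacker answers every challenge; with ten codes the chance per attempt is about ten in the number of unused indices, which is why the scheme depended on customers never revealing more than the one code asked for.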
In other news: man drank nitroglycerine then went to jump around on a trampoline, widow sues maker of nitroglycerine.
Let's just hope that it doesn't become European law. Actually I hope the judge loses a million
I'm not sure that I agree with that. Most phishing scams are rather obvious, and people really ought to look before they jump.
What I feel is missing is that banks and others take it more seriously and clean up their practices. Like, I have on a few occasions had my bank call me about something related to security (e.g. an unusual transaction) - and bizarrely, the guy calling is reluctant or even refuses to give information about why he calls or which department he calls from - which makes it feel like yet another scam, even if it is genuine.
Ideally, they should give you a call, then let you call back on a security number posted prominently on their web-site (so that it is well-known). This ought to be basic routine.
Well, the U.S. is not the only ones with stupid people, we (Austrians, and Germans too) have got some seriously dumb people, too.
It has irked me for quite a while how lacking internet banking is in terms of security. That is not to say that the measures they have implemented are ineffective, but rather that they miss out on entire classes of security. It's as though they stick a bunch of locks on the front door, but leave the bathroom window wide open.
The most obvious one: bi-directional authentication. Banks require you to prove you are who you say you are. This is done by a variety of methods from passwords to hardware card reading gizmos which spew out a limited time code. What they neglect to do is prove that they are who they say they are.
If the first step in authenticating your identity was one which authenticated the bank's then it would be a lot harder for phishers to pretend to be your bank.
#1: this happened in 2008. Since October 2009, there is new legislation in place that shifts liability to the bank (except in cases of gross negligence on the side of the customer). It's the banks that save money by offering online banking instead of traditional counters, so they are responsible for making that process secure.
#2: There is not a single bank that still uses plain one-time transaction codes.
#3: A few months ago another German court ruled that it's enough for a customer to have up-to-date virus software for due diligence. That's all a bank can expect from customers with typical, average computer knowledge.
#4: On the other hand (and that's what's the actual rationale behind this story here), a bank can expect customers to understand and remember security advice along the lines of "We will never ask you for more than one transaction code in a row and we will never ask you for a transaction code at all unless you want to make a transaction in the first place"
So there is not much relevance to this story.
bickerdyke
The ruling was that banks do not pay for losses from phishing and cannot be held liable for stupid customers.
That security protocol isn't in use anymore.
The bank specifically issued a warning against exactly the type of attack the customer fell for.
That ruling is in line with the laws in place in 2008, when that happened. Laws have been changed since then.
bickerdyke
Banks could also require people to show up in person at a designated branch, present five different forms of identification, sign fifteen release forms, and swear a blood oath to Odin before agreeing to any transaction whatsoever.
My point is very simple: it is not the bank's fault that the client acted in a manner contrary to his own financial interest. Society as a whole operates on the principle that services are generally tailored to the majority. The majority isn't suffering from these issues. If the minority affected by these issues so desires, they're more than welcome to resume good old fashioned "drive down to the bank" methods.
What you're advocating is just another step toward a total nanny state where everyone walks around in government-mandated plastic bubbles. Have fun with that; I won't be attending your party.
Write failed: Broken pipe
Shouldn't the criminal phisher be responsible? So I leave my car unlocked and someone steals it. You could say "you idiot you deserve that". Does the thief gain legal rights to my car now?
The bank is in a better position to try to reduce this type of scam. The non-security aware Joe, is really a victim who was pushed on to internet banking and then duped. Banks could require (or recommend) security awareness training for anyone who uses their sites, but afaik, they do not.
Why? How should a bank discover the fraud,
Answer a) is: whatever way they want. b) is: if need be, by calling the guy back on his phone number; if they are suspicious enough, by having him come into the office and sign it personally whilst being compared against a photo; by requiring him to use a hardware token. Whatever.
What my bank does is send out an SMS which contains the sum of the transaction, the person it's being paid to and, at the end, an authorization code. As long as my phone isn't hacked they can be pretty sure that I actually authorized the transaction.
if everything is authenticated correctly?
The things were not authenticated correctly. A transaction which the guy didn't want was put through. The authentication system was inadequate for the job and there are very good reasons why people use more sophisticated ones nowadays.
What's most important is that it's the bank which chooses the authentication system. The customer cannot decide that they want to use a different one. Even changing banks often won't help. Because of this, the banks should always take the loss unless the customer acts in a clearly and openly negligent / fraudulent way. If the losses become too big then they can choose to change. If they are acceptable then they can choose a cheaper authentication system. In this case they went for the cheaper system rather than a smart card/certificate-based one which would have protected the guy against his own mistake. That decision probably saved them millions of Euros; they can afford to pay out in this particular case.
Is a bank also responsible for your losses if a guy comes to your front door, poses as a bank clerk and you cut him a cheque?
This depends. If the bank provides a service where they come to your door and there was no reasonable, easy way for you to tell this wasn't a person from that service without using specialist knowledge, then yes. If, on the other hand, they don't provide such a service or they make sure that you can easily identify the service, then maybe not. They would have to do something like not carrying out the transactions you asked for if you didn't specifically verify the clerk via a phone call, so that you learn that you have to do that every time.
There are limits, but the primary responsibility should be on the bank's side and they should always have to prove that the customer did something fraudulent or negligent to avoid that.
=~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
Why? How should a bank discover the fraud, if everything is authenticated correctly?
Because they (possibly) enabled the fraud to take place. Quoting from the article:
According to the Süddeutsche Zeitung, the transfer occurred three months after he entered ten transaction numbers, or TAN codes, on what turned out to be an illegally manipulated version of his bank’s website.
So, how was the site manipulated? Did the attacker actually modify the bank's server? ==> In that case, bank clearly bears the responsibility, as they have a duty to keep their service secure.
Or did the attacker take advantage of a fault in the user's OS or browser? ==> In that case, at first glance, the user would be responsible for running such shoddy software where this is possible. However, in the past, and possibly even now, many banks forced/are forcing their users to use such vulnerable software. If this is the case, again the bank should be responsible. The user would be well advised to go through the "General Conditions" for the web service of the last ten years, and search for any clauses such as "the user agrees to only use Windows and/or Internet Explorer to access the service". If any are found, he should clearly get his money back.
Is a bank also responsible for your losses if a guy comes to your front door, poses as a bank clerk and you cut him a cheque?
Yes, if the bank habitually conducts its business in such a fashion.
My bank authenticates itself in two ways:
1) Using an Extended Validation certificate, so it shows up in green in the browser (instead of blue) and lists the full name of the bank.
2) By showing me an image and phrase I chose on the login page.
I can't really think of how they can do more to prove it is them, without really getting annoying. They also allow me to use two factor authentication (which I have elected to use) and require it when any change is being made to the account like adding a payee or the like.
Is it perfect? No but I'm not seeing a whole lot more they can do and still keep things easy.
From some of the comments I've read, the banks are responsible for the stupidity of individuals? Am I reading that correctly?
That it falls to a court to decide that in fact the opposite is true, and that just maybe for one tiny moment common sense kicks in and the court says "Actually, you did a dumb thing, despite the warnings all over your account literature, newspapers and broadcast media, now eat the consequences of your ill-considered actions", and the bandwagon collapses under the weight of people who bleat as one "But it's all the banks' fault! They can eat the losses!" Maybe they can, but then if one pensioner does it, and the bank eats it, how many more before it becomes too many and "too big to fail" actually... fails?
Unbefuckinglievable.
I'm with the court on this one. Idiot did idiot thing, idiot can reap the consequences.
Operation Guillotine is in effect.
To be fair, the banks do not allow you to opt in to security features or opt-out of security liabilities.
I'd love it if my bank would allow me to secure my checking account to restrict outgoing payments to a list of accounts/payees confirmed by the branch.
I'd love to opt in to second-factor token authentication and a 2nd bank card PIN that has a lower withdrawal limit, or a one-time PIN that I can use in sketchy ATMs or POS systems.
I pay the bank dearly to protect my money and deliver service. They have had years to spend on R&D. Luckily, I have not been affected by the lack of security or insurance from my bank.
120 characters ought to be enough for anyone
Try it in some countries.
Some banks barely have counters any more, and my last bank had one serving member of staff for a whole branch (imagine lunchtimes, where all the local businesses come in to put their cash in, or end-of-the-day queues).
Sure, there are funny machines you can do it on, but not if you're a business, not if you're paying cash, not if the Moon is in the seventh quadrant...
And guess what, the queue forms for the cashier because THEY NEED THE CASHIER, because their concerns cannot be met online or by a machine (mainly because the banks stop you doing anything but giving them money by those processes).
You can book an appointment days in advance if you want, so long as it's not at the weekend, or outside normal business hours, and speak to a human for about 10 minutes. Who will then log into the bank's private computer system and do what you need. But if you don't book and you wait in the queue, chances are it'll take hours for a real human to come see you because a) there's one cashier and b) everyone else booked appointments.
Literally, in 2001, my bank had three counter staff, one milling around in the public area to answer questions, and managers were available by appointment or on request. By 2006, there was one single counter staff and NOBODY else except if you kicked up a fuss (like I was forced to several times). I stopped going into banks shortly afterwards. And was it only this bank? No. All three banks in the same town, all large branches of major UK highstreet banks, barely had people visible. Those that were were there to tell you how to use the machines in the branch (which couldn't do 90% of things people use a bank for).
That's *why* online banks took off. If your bank is entirely online (which a few banks are now), then you can do EVERYTHING yourself at your convenience 24 hours a day. Even closing the damn account, which can take HOURS in person.
It used to work. Then the banks realised they could save on people's pensions, so they removed all the staff and went online (some to the extent that they only trade online). Want to speak to a human? Either make an enormous fuss or (nowadays) tell them you'll be applying for a mortgage (they'll fall over themselves to give you an appointment, and then you can discuss their stupid fees for going overdrawn only because they charged you other fees instead).
Mod Parent up, that post is spot on. In fact, the law has been changed in 2009 (if I remember rightly) to shift the liability towards the bank unless the customer acts grossly negligent (grob fahrlässig). The court did NOT decide whether the customer would have been liable according to the laws in place today.
Plus many banks in Germany phased out the iTAN system in favor of SMS-codes or TAN-generators that require the debit card to operate and are only valid for the transaction that was entered to generate the TAN (amount, target account etc...).
(I just lost a longer response because I followed the Options link from the preview, not knowing that if I change my options it will nuke my comment.)
First you should keep in mind that the banks love internet banking because it saves them a lot of money. And from a purely formal point of view the fraud started with the bank transferring money abroad in the mistaken belief that their customer asked them to do that. As he didn't, he can ask for his money back *unless* they can prove it was really his fault.
If you look at it with the logic of fairness and efficiency, rather than the logic of individualism, then the situation is as follows:
To minimise the fraud, the damage must be shouldered by whoever is in the best position to prevent it. (If the ultimate victim can't do anything to prevent the fraud, and those who are in a position to increase security have no incentive to prevent it, then we have a problem.) If the fraud is possible due to the customer's recklessness, then the customer should pay. If it could have happened to almost every customer, then it's outside the customer's control and the banks should pay. In borderline cases it is more efficient if the banks pay as well: If they are losing too much money to fraud they can improve security to reduce it, or they can raise their fees, acting in effect as a very cheap and efficient insurance company for their customers if you believe that the customers should be liable.
That's why the considerations in the decision were somewhat analogous to those in an insurance case.
TAN (by now replaced by far more sensible techniques) worked like this:
You got a sealed numbered list of 100 six- or eight-digit codes. Whenever you wanted to transfer money you had to enter one of the numbers (later a specific one, like #74). This authorized the transfer and you crossed out the number on your list. When around 90% of the list was used up, you got a new one by mail.
The first version (unnumbered) had the obvious drawback of X numbers stolen = X transfers up to the preset transfer limit (you had to show up in person to change that one). The numbered list had the advantage that one never knew in advance which number would be asked for, and a potential thief had to get his hands on the whole list.
Of course all that stuff is outdated now and replaced by code generators that work in connection with your bank card or sms codes. Both of these create codes that only work for the specific transaction (amount, receiving account number, etc which is displayed in advance) and only for a very limited time frame (15 minutes).
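The transaction-bound, time-limited code that the SMS and TAN-generator schemes in this comment (and the SMS described by an earlier commenter, with sum and recipient in the message) produce, as an added example that is not the code of any bank or TAN generator. The code is derived with HMAC from a per-customer secret over the amount, the recipient account and the time of issue, so it authorises exactly one transfer and lapses after 15 minutes; a recipient swapped after the customer has seen the message no longer verifies. The secret, the IBANs and the amounts are constructed sample values, and the function names are this example's own.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass

VALIDITY_SECONDS = 15 * 60   # the 15-minute window mentioned in the comment
CODE_DIGITS = 6


def normalise_iban(iban: str) -> str:
    """Canonical form so 'DE89 3704 ...' and 'de893704...' bind to the same code."""
    return iban.replace(" ", "").upper()


def derive_code(secret: bytes, amount_cents: int, recipient_iban: str, issued_at: int) -> str:
    """HMAC-SHA256 over the transaction details and the issue time, truncated to
    6 decimal digits with the dynamic truncation of RFC 4226 (uniform digits)."""
    msg = f"{amount_cents}|{normalise_iban(recipient_iban)}|{issued_at}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


@dataclass(frozen=True)
class IssuedCode:
    """Bank-side record of one pending transfer and the code sent for it."""
    amount_cents: int
    recipient_iban: str
    issued_at: int
    code: str

    def sms_text(self) -> str:
        """What the customer sees on the second channel: the details next to the
        code, so a recipient they never entered is visible before they type it."""
        return (f"Transfer of EUR {self.amount_cents / 100:.2f} to "
                f"{normalise_iban(self.recipient_iban)}. Code: {self.code}")


def issue_code(secret: bytes, amount_cents: int, recipient_iban: str, now=None) -> IssuedCode:
    """Bank side: called when the customer submits a transfer in the web session."""
    issued_at = int(time.time() if now is None else now)
    return IssuedCode(amount_cents, recipient_iban, issued_at,
                      derive_code(secret, amount_cents, recipient_iban, issued_at))


def verify_transfer(secret: bytes, issued: IssuedCode, amount_cents: int,
                    recipient_iban: str, code: str, now=None) -> bool:
    """Bank side: accept only if the code is at most 15 minutes old and was derived
    for exactly the amount and recipient being submitted now. Recomputing over the
    submitted details (not the stored ones) is what catches a recipient changed
    after the message went out."""
    now = time.time() if now is None else now
    if not 0 <= now - issued.issued_at <= VALIDITY_SECONDS:
        return False
    expected = derive_code(secret, amount_cents, recipient_iban, issued.issued_at)
    return hmac.compare_digest(expected, code)


if __name__ == "__main__":
    secret = b"constructed-per-customer-secret"        # sample value
    issued = issue_code(secret, 500_000, "DE89 3704 0044 0532 0130 00")
    print(issued.sms_text())
    print("same details:   ", verify_transfer(secret, issued, 500_000,
                                              "DE89370400440532013000", issued.code))
    print("swapped account:", verify_transfer(secret, issued, 500_000,
                                              "GR16 0110 1250 0000 0001 2300 695", issued.code))
```

A generator built into a card reader works the same way with the secret held on the chip; the bank then needs the customer's chip secret (or a key derived from it) on its side, exactly as the SMS variant needs the customer secret on the server.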
I often leave my car unlocked. Why?
Thief breaks in, I lose maybe $5 in change from the console and some 15-year-old CDs. If my car were locked, I'd lose that, PLUS a $200 car window they smashed to get said items. It is not worth locking my car.
I've built up so much character I have an alter-ego
Well, it's good to see that Germany is finally sending money to Greece.
No, in practice you can not enter in multiple TAN codes for no reason.
The whole point of TAN codes is that they provide a good measure of protection against having a compromised system.
It's your own responsibility to be suitably paranoid about secrets assigned to you, and this guy didn't. If the pizza guy asks for your social security number, don't. Even if the man missed the notice on the login page, he's still negligent.
Shouldn't the criminal phisher be responsible? So I leave my car unlocked and someone steals it. You could say "you idiot you deserve that". Does the thief gain legal rights to my car now?
You mix up things.
Of course the one stealing your car commits theft, as does the one stealing the 5000 Euro from this person's bank account. And those criminals, when caught, will be held responsible.
The question here is who's liable for the damage incurred by the theft. In case of your car being stolen, you will not be able to get any damages from the car manufacturer arguing, say, not good enough locks on the doors. Just like in case of the money stolen from the bank account, the bank is not liable, and the judge ruled that the locks the bank put in place were good enough, and that the bank client should have taken better care.
And even if the criminal gets caught, that doesn't mean the victim will get their money or car back. So they still lose out.
The judge is right, there's no real viable way the bank can protect against this, even more modern protection schemes involving SMS messages still involve the end user, and if he happily provides the received code to www.illtakeyourmoneythanks.ru despite numerous warnings from the bank.
For years, my bank (not one of the world's greatest) has used challenge/response chip-and-PIN authentication, using a small card reader provided free by the bank. You put your card into the reader and enter your PIN, punch in the challenge number given by the website, then type the response code into the website (the reader isn't interfaced with the computer at all). You need to do this every time you add a new payee via online banking. I'm sure it's hackable by a sufficiently sophisticated attack, but not your garden variety phishing expedition.
I'd want to look a bit more at the bank's practices before passing judgement about the client's stupidity. My bank likes to cold-call me and "ask a few security questions" - and gets quite nonplussed when I tell them to go fish (I know it's my bank because, on one occasion, I had a letter from them reassuring me that the call was legit...). The URL for the e-banking site has no obvious connection with the name of the bank, and even the extended SSL certificate refers to the parent company (which is fairly common knowledge, but still...). Other online services I've encountered do clever things like sending out emails with live weblinks in them and, to add the cherry on top, are indirected via some analytics or marketing firm so they look like "http://www.somelogisticsoutfit.in?addr=www.legitcompany.com" - how exactly is Mr Average Joe expected to distinguish that from "http://www.evilphishers.ru?victim=www.legitcompany.com"? As for the last time I paid my TV Licence online (this is the UK), they couldn't have made the process look more like a trojan attack if they had tried.
...and why banks still use the same fixed account code for withdrawals, deposits, direct debits and electronic transfers, who knows? How hard can it be to give me a one-time account code to pass to someone who wants to wire me money or set up a direct debit?
In a survey of 100 programmers, 111111 thought that duck-typing was a good idea.
nslookup of SPARDA.DE. shows no SPF record for the German bank's domain. They probably haven't implemented DKIM either.
I'd say the bank is liable. Any bank should have a security IT professional telling them that a combination of SPF and DKIM is a necessity for any bank with customers prone to phishing. It's not enough to tell customers to "watch out for phishing". If the bank acknowledges phishing, then it needs to do something to prevent it. This usually means a strict SPF setting to filter out spam, plus a DKIM/DomainKeys infrastructure to distinguish false positives.
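What a receiving mail server does with an SPF record, as an added example that is neither the commenter's lookup nor any bank's configuration and not a complete RFC 7208 implementation: it evaluates `ip4`, `ip6`, `include` and `all` with the four qualifiers, resolving records from a constructed in-memory zone so it runs offline. The point it demonstrates is the one in the comment: a sending domain that publishes no record yields the result `none`, which gives the receiver nothing to reject a forged "from your bank" message on, whereas a record ending in `-all` yields `fail` for any unlisted sender. Domain names and addresses are constructed samples; DKIM signature checking is not modelled.

```python
import ipaddress

# Constructed sample zone: domain -> SPF TXT record (None = no record published)
ZONE = {
    "example-bank.test":   "v=spf1 ip4:192.0.2.0/24 include:mailer.example.test -all",
    "mailer.example.test": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "no-spf-bank.test":    None,                      # like the domain in the comment
    "softfail.test":       "v=spf1 ip4:203.0.113.5 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10       # RFC 7208 limits DNS-querying mechanisms to 10


def lookup_spf(domain, zone=ZONE):
    """Stand-in for the DNS TXT lookup; a real receiver would query DNS here."""
    return zone.get(domain.lower())


def check_host(ip, domain, zone=ZONE, depth=0):
    """Return the SPF result for a message from `ip` claiming `domain`:
    pass / fail / softfail / neutral / none / permerror."""
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = lookup_spf(domain, zone)
    if record is None:
        return "none"                      # nothing published: no verdict possible
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = addr.version == net.version and addr in net
        elif name == "include":
            inner = check_host(ip, arg, zone, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"         # include of a domain without SPF is an error
            matched = inner == "pass"
        else:
            return "permerror"             # a, mx, ptr, exists, redirect= not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                       # no term matched and no 'all' present


def receiver_action(result):
    """How a typical receiver uses the result; 'none' is the case the comment is about."""
    if result == "fail":
        return "reject"
    if result == "softfail":
        return "accept-and-flag"
    if result in ("none", "neutral"):
        return "no-spf-verdict"            # fall back to other signals, e.g. DKIM
    return "accept" if result == "pass" else "temporary-error"


if __name__ == "__main__":
    for ip, domain in [("192.0.2.77", "example-bank.test"),
                       ("203.0.113.9", "example-bank.test"),
                       ("203.0.113.9", "no-spf-bank.test")]:
        result = check_host(ip, domain)
        print(f"{ip:>14} as {domain:<20} -> {result:<9} {receiver_action(result)}")
```

Publishing a record with `-all` is what lets a receiver reject mail from hosts the bank never authorised; with no record at all, the forged message and the genuine one look the same to SPF.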
Bank transfers money to a Greek bank.
First bank calls Greek bank, says money was stolen and asks for money back.
The Greek bank can now either take the money out of the account, send cops after the thief or acknowledge that they have no idea who really has accounts with them and that they shouldn't be allowed access to the secured banking transfer network. They don't want to do the last one because solving it costs them money and it's hard.