German Court Rules That Clients Responsible For Phishing Losses

benfrog writes "A German court has ruled that clients, not banks, are responsible for losses in phishing scams. The German Federal Court of Justice (the country's highest civil court) ruled in the case of a German retiree who lost €5,000 ($6,608) in a bank transfer fraudulently sent to Greece. According to The Local, a German news site, the man entered 10 transaction codes into a site designed to look like his bank's web site and his bank is not liable as it specifically warned against such phishing attacks."

Re:Lets just hope

[Sique]

Why? How should a bank discover the fraud, if everything is authenticated correctly?
Is a bank also responsible for your losses if a guy comes to your front door, poses as a bank clerk and you cut him a cheque?

Re:Lets just hope

What? Read the article. The person who committed the act of stupidity is the person paying for it. This is the way it has to be.

If the banks payed for the stupidity of this man there'd be no incentive not to be stupid.

Re:Lets just hope

Why ?

The judge is right, there's no real viable way the bank can protect against this, even more modern protection schemes involving SMS messages still involve the enduser, and if he happily provides the received code to www.illtakeyourmoneythanks.ru despite numerous warnings from the bank (I have a similar bank, they clearly try to educate their users but as always most users are rather lazy than informed.) well, then there's really no way you can still blame the bank.

I know a large amount of users here are from the US and used to credit payments (as opposed to debit, which is the case here). Credit cards generally involve some (at first glance) better customer protection by laying all the risk at the seller, but debit cards almost never do this (and there's no need really).

I wouldnt go so far as to call the victim in this case an idiot, i don't know the guy, and it sounds like something that 1 in every 5 people who operate a computer would fall for at some point or another. But not following safety instructions from your bank, when they're clearly displayed EVERYWHERE, and get send to you in both real letters and as regular email updates, well i'd say the bank tried. My bank even gives free financial and online security seminars for people who aren't sure they understand what all the fuss is about.

Very true

[Chrisq]

A key finding from the Security expert Ross Anderson is:

Another unexpected nding was the relationship between risk and security investment. One might expect that as US banks are liable for fraudulent transac- tions, they would spend more on security than British banks do; but our research showed that precisely the reverse is the case: while UK banks and building soci- eties now use hardware security modules to manage PINs, most US banks just encrypt PINs in software. Thus we conclude that the real function of these hardware security modules is due diligence rather than security. British bankers want to be able to point to their security modules when ghting customer claims, while US bankers, who can only get the advertised security benet from these devices, generally do not see any point in buying them. Given that the British strategy did not work - no-one has yet been able to construct systems which bear hostile examination - it is quite unclear that these devices add any real value at all.

It's always the fault of that 1%

[Taco+Cowboy]

Phishing, as we all know (at least those of us who frequent sites like /.) is a scam - and we also know that we should be responsible for our own action, however stupid it might turn out to be

But there are people who will never want to be responsible for any of their own action, and they will tell you that it's all the fault of that "1%" --- including those "banksters", and those "judge"

Re:It's always the fault of that 1%

[neonKow]

Yes! Absolutely! Why does everyone feel so entitled to be unaware of their own finances and security to the point of blaming the BANK for a scam?

Obviously the scammer broke the law. But if you can't catch the scammer, it doesn't give you the right to go find the next convenient party and blame it on them.

In this case, the scammer made a site that looked like the banks, but if the site looked like paypal's or the state lottery, and demanded your bank information, do you blame it on paypal/lottery? Obviously not, because they had nothing to do with the scam. Same with the bank.

Welcome to the real world, where if you're unaware of a mistake, it's still your mistake (for giving out 10 TAN codes and ignoring the phishing warning). Catch the crook if you can, but don't blame the service provider for not making their service idiot-proof, especially if you have other banking options anyway.

Re:Lets just hope

The problem with this ruling is that the customer hardly had a chance. The bank offers an authentication protocol that is vulnerable to a widespread and difficult to defend against type of attack. The bank knew that the protocol isn't secure and even warned about the vulnerability. All this despite the availability of protocols which are much more secure.

Suppose a credit card company told you to keep your credit card number secret and declined responsibility for fraudulent transactions because you once handed your credit card to a waiter. Would that be OK? If the bank offers a vulnerable protocol, it should bear the damage.

Just my two cents

[timerider]

since noone here seems to bother to actually find out what was going on:

german banks do use a two factor authentication scheme:
- to log in you need your account number and a five digit pin
- to authorize a transaction after logging in, you need one out of 100 one-time-use 4 digit pins; The bank issues you 100 of those at a time, and then chooses one of them randomly when you enter a transaction ("Please enter pin number 17").

In this particular case the victim had:
- fallen for a phising website / trojan / keylogger, even after all the warnings in the german IT press (how else would the crooks get his account number and superpin)
- entered at least ten different PINs on one page, which the banksspecifically tell customers to NEVER do. all the bank pages have a big fat "We NEVER ask you for more than one pin" warning labels.

In other news: man drank nitroglycerine then went to jump around on a trampoline, widow sues maker of nitroglycerine.

Some clarifications

[bickerdyke]

#1: this happend in 2008. Since October 2009, there is new legislation in place that, that shifts liability to the bank (except in cases of gross negligence on the side of the customer) It's the bank that save money by offering online banking instead of traditional counters, so they are responsible for making that process secure.

#2: There is not a single bank anymore that uses plain one-time transaction codes anymore.

#3: A few months ago another german court ruled that it's enough for a customer to have up to date virus software for due diligence. That's all a bank can expect from customers with typical, average computer knowledge.

#4. On the other hand (and that's what's the actual rationale behind this story here), a bank can expect customers to understand and remember a security advice along the lines of "We will never ask you for more than one transaction code in a row and we will never ask you for a transaction code at all unless you want to make a transaction in the first place"

So there is not much relevance to this story.

Re:Lets just hope

[jaymemaurice]

To be fair, the banks do not allow you to opt in to security features or opt-out of security liabilities.

I'd love if my bank would allow me to secure my checking account to restrict outgoing payments to a list of accounts/payees confirrmed by the branch.
I'd love to opt-in to a second factor token authentication and 2nd bank card pin that has a lower withdrawl limit or one time pin that I can use in sketchy ATMs POS systems.

I pay the bank dearly to protect my money and deliver service. They have had years to spend on R&D. Luckily, I have not been affected by the lack of security or insurance from my bank.