Banks to blame users for Web fraud?

Banks to blame users for Web fraud?

Summary: commentary When Sydney resident Tim Ireland returned home from a trip down the NSW South Coast, he was horrified to find that his entire savings account had been cleaned out.Reporting the anomaly to his bank, Ireland was told he "must have given his Internet banking password to someone".


commentary When Sydney resident Tim Ireland returned home from a trip down the NSW South Coast, he was horrified to find that his entire savings account had been cleaned out.

Reporting the anomaly to his bank, Ireland was told he "must have given his Internet banking password to someone". He replied that it definitely wasn't the case. An investigation ensued -- and with the help of the Federal Police it was discovered that Ireland's account had been depleted courtesy of a keystroke-logging Trojan lurking on a PC he had used in a South Coast café during his trip.

The bank eventually refunded the money, wiped the resulting overdraft fees and -- after some wrangling -- waived the interest he'd paid on his credit card while the investigation took place.

To date, victims of Internet fraud in Australia have had much the same experience -- banks provide a guarantee that they will make up for any losses caused by the compromising of user accounts.

But in recent years, fraud-related losses have grown -- to at least AU$25 million a year according to the Australian Securities and Investment Commission (ASIC). There's a lot more financial pressure on banks to mitigate this risk.

So much so that across the Tasman, the New Zealand Banker's Association has revised its code of practice to make users potentially liable for amounts they are defrauded should the bank prove the user's defences (OS and security software) weren't up to scratch.

The Australian Bankers' Association (ABA) has assured customers that such a scenario won't happen here. The banking industry's position on liability has never changed, the association said, and the banks plan to continue to wear the risk.

But recent developments raise some questions about their commitment to staying this course.

The ABA reacted angrily earlier in the year after press reports suggested banks were responsible for lobbying ASIC to consider changes to liability in its pending review of the EFT (Electronic Funds Transfer) Code of Practice in Australia.

In its consultation paper, ASIC stated that "some industry representatives have proposed that users could potentially be made liable under the EFT Code for the full amount of losses from malicious code compromises of account access data unless they have 'minimum' (or sometimes 'adequate') equipment security."

Who might these "industry representatives" be? Banks, perhaps? Are there any other parties that would have something to gain from this scenario?

The language of this proposal is strikingly similar to the code approved in New Zealand.

A quick glance at the member base of both the NZ Banker's Association and ABA is also telling.

The ABA is made of up 25 banks -- the largest of which are Westpac, the ANZ, The Commonwealth Bank of Australia and National Australia Bank.

The member companies of New Zealand's Bankers' Association include Westpac, ANZ, The National Bank of NZ (also owned by the ANZ), ASB Bank (wholly owned by The Commonwealth Bank) and The Bank of New Zealand (wholly owned by National Australia Bank).

Aside from locally-owned Kiwibank and TSB Bank and a handful of internationals, it's an Aussie-owned affair across the Tasman.

This makes the ABA's position look somewhat compromised. Yes, its member banks say they won't make online banking users liable in Australia, but they are more than happy to try it out in New Zealand.

Security getting too expensive?
Clearly, Internet banking fraud is a problem that needs to be contended with.

For some high-value banking customers, the solution is two-factor authentication -- a token-based system which strengthens the security of online banking by exponential degrees.

But the present thinking within the banking sector is that transferring liability to the user is an easier solution. Or perhaps a cheaper one -- as ASIC plainly states in its consultation paper, enhanced security measures such as two-factor authentication involves "significant costs" for banks. Distributing tokens to their whole online customer base is a cost the banks just won't wear.

In the meantime, it looks like our Kiwi neighbours are being used as lab rats in terms of passing liability on to the user.

Ireland is just one who hopes local banks don't follow their Kiwi counterparts. He said that if his bank hadn't eventually come to the party and covered the loss, he would have been in a "nightmare situation".

"It was just prior to Christmas and the amount taken was all the money I had in the world," he said. "I would have been left with absolutely no cash."

"What irked me most is that the banks don't make it clear to you that the onus is on you to [transact securely]," he said. "You assume that your bank is insured if someone walks in and holds the place up, why should online theft be any different?"

Topics: Security, Banking, Broadband, Browser, Censorship, Operating Systems

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Banks to blame users for Web fraud?

    They would if they thought they could get away with it.
    For years banks have been engaging in risk shifting with credit cards where they push the cost of fraud onto hapless merchants who relied on the banks authorisation as acceptance by the bank of the validity of a transaction. Subsequently, when fraud was discovered, the bank charged back the transaction to the merchant.
    Consumers are better protected by legislation and also the sensitivity of politicians to concerns of voters.
  • Banks can and should secure internet banking

    It's wrong that Banks expect customers to secure their pc's. The PC is not always owned by the customer (for ex: internet cafe's) and security of PC's is so difficult to ensure. Perhaps Microsoft should be liable also? The fact is the banks CAN ensure better security of online transactions. For example, many banks are now implementing systems that allow logging into internet banking without having to type a password (using randomised mouse movements instead). This completely avoids the issue of key loggers. Banks just need to accept that users will stop using online banking if they are made laible for fraud. People will cease to trust online transactions and there will be a drop in commercial activity. People will stop making spontaneous transactions and this will result in less spending. This will result in less fees for the banks, less income for retailers.

    The fact is the modern world needs online transactions, and nothing the banks can do will change this. They need us to be using online services as much as the retailers. Do they really want to go back to the days of numerous branches dotted through out the suburbs? The banks forget it is they who are pushing us into using online banking, so they should be interested in keeping the system secure.
  • Make use of two-factor authentication

    What's interesting about your article is that it fails to address that most major banks now offer 2nd-factor authentication for online banking users - NAB offers this for it's Internet Banking users at no cost. The scenario of Ireland could not have taken place if Ireland was registered for 2nd-factor authentication such as SMS Security, provided by both NAB and CBA.
  • Banks don't want to wear the cost of tokens?

    I think this is a small price to pay considering they have pushed consumers in the past towards ATM's and online banking to enable them to cull staff and shut down branches.