Don't refund all online fraud victims: It only encourages their sloppy security, says police chief

Banks should stop automatically reimbursing victims of online financial fraud, since it rewards their bad security habits, according to the head of Europe's largest police force.
Written by Liam Tung, Contributing Writer

London police chief Sir Bernard Hogan-Howe: Bank customers are being rewarded for their bad security choices.


Banks should stop automatically refunding victims of online fraud, because it only reinforces poor computer security choices, according to the UK's Metropolitan Police commissioner.

If the banks removed that financial safety net, London chief Sir Bernard Hogan-Howe believes consumers would be taught to take computer security more seriously.

With full refunds for online fraud victims, he told The Times, customers are being "rewarded for bad behavior".

London's Metropolitan Police Service is the UK's largest force and describes itself as the world's second largest force after the NYPD.

The commissioner doesn't suggest removing the obligation for banks to refund online fraud victims, but thinks penalties should be created for poor security, such as failing to keep software up to date.

He suggests banks could refund only a portion of funds lost in online fraud, if the victim is running outdated software.

"If you are continually rewarded for bad behavior, you will probably continue to do it but if the obverse is true you might consider changing behavior," he said.

"The system is not incentivizing you to protect yourself. If someone said to you, 'If you've not updated your software, I will give you half back,' you would do it."

It's not clear whether he was referring to running up-to-date antivirus or merely ensuring general software, such as Microsoft Word, is up to date.

Some UK banks, such as Barclays, offer online customers free subscriptions to anti-malware products, so those customers could be expected to run them.

Updating general software is more problematic for consumers. Automated malware from so-called exploit kits takes advantage of unpatched flaws in browsers and plugins, such as Adobe Flash, Java and Microsoft Silverlight.

Some banking malware uses emailed document attachments and attempts to convince targets to disable security settings.

The suggestion also comes as malware makers increasingly turn to file-encrypting ransomware, where victims are forced to pay in exchange for a decryption key.

The UK police will for the first time include cybercrime estimates in official crime figures this July.

Based on a survey of 1,000 Britons, security vendor Symantec estimated that 12 million people in the UK experienced cybercrime in 2015.
