
Can Banks Shift Phishing Losses to Customers?

Zonk posted more than 8 years ago | from the gee-that'd-be-great dept.


1sockchuck writes to mention a Netcraft article wondering who should bear the brunt of phishing costs. A group of customers with the Bank of Ireland recently had $202,000 drained from their accounts by phishers. The bank initially resisted the request to refund their money, but allowed it after a suit was threatened. From the article: "The Bank of Ireland incident is one of the first public cases of a bank seeking to force phishing victims to accept financial responsibility for their losses, but it likely won't be the last. Phishing scams continue to proliferate, as Netcraft has blocked more than 100,000 URLs already in 2006, up from 41,000 in all of 2005. Financial institutions continue to cover most customer losses from unauthorized withdrawals. But after several years of intensive customer education efforts, the details of phishing cases are coming under closer scrutiny, and the effectiveness of anti-phishing efforts taken by both the customer and the bank are likely to become an issue in a larger number of cases." So, should a bank be forced to pay back a customer who has lost money to phishers? Or is it ultimately the customer's responsibility to make educated use of technology?


I do what I can to the phishers (3, Interesting)

plover (150551) | more than 8 years ago | (#16117326)

Whenever I receive a phishing email, I immediately capture what I can of it (including headers), then head to the legitimate site and look for a place to report it. I do this even though I am not a customer of the bank in question. Some banks like Barclays have easy-to-find "Report fraudulent e-mail here" links, while others seem to go far out of their way to hide any contact information at all.

The banks with the helpful "report here" links also typically have helpful auto-responders, and their sites and form letters at least make it seem like they care about security. The banks who make it hard to hear from their customers usually don't reply at all. If I were shopping for a new bank, I'd definitely stay away from those that don't have an easy-to-find contact point near the front of their site. I get the impression they do not take security or phishing threats seriously at all. They'll probably be the ones that would fight their victims.

Re:I do what I can to the phishers (3, Interesting)

Anonymous Crowhead (577505) | more than 8 years ago | (#16117361)

> Whenever I receive a phishing email, I immediately capture what I can of it (including headers), then head to the legitimate site and look for a place to report it.

I used to do that about spam... in 1992. Seriously, where do you find the time?

Re:I do what I can to the phishers (2, Insightful)

plover (150551) | more than 8 years ago | (#16117398)

I get maybe one phish every two weeks or so, it takes me about two or three minutes to report it. No skin off my nose, really. Do you like phishers, or getting their bait in your email? Do you think it's OK for them to scam people, just because you don't know the victims in advance?

The faster anybody responds, the faster the phishing web host can be taken down, and the fewer people can be scammed. Fewer victims == fewer profits for the phishers.

They annoy me. A lot. The least I can do is annoy them back by keeping their take as low as possible.

Re:I do what I can to the phishers (1)

Anonymous Crowhead (577505) | more than 8 years ago | (#16117541)

Do you look through all your spam for phishing emails? What I meant was that in 1992, I'd get one spam email every couple of days, so it was not much work to email abuse@... and postmaster@ or look through the headers to see where they came from. Now I get 200 a day, with maybe a few dozen making it through the filters. I don't have the time or inclination to even look through those, but just delete them on sight. I like the phisher no more than I like the guy offering me hot stock that's just waiting to explode, a $400,000 mortgage with only a $200/mo payment, or MR THIMBUKTU FROM NIGERIA. Every one is a scam trying to rip you off.

Re:I do what I can to the phishers (1)

jdigriz (676802) | more than 8 years ago | (#16117608)

Same here John. Phuk the phishers, I say.

Read your bank's TOS lately? (3, Interesting)

winkydink (650484) | more than 8 years ago | (#16117643)

Many of them now say something to the effect of the customer having to take "reasonable care" to protect themselves from identity theft / being hacked. If you don't, then no money back for you.

I say, "Yes. Yes they should." (4, Insightful)

Anonymous Crowhead (577505) | more than 8 years ago | (#16117329)

A little tough love. Hit 'em where it hurts and maybe they'll learn. If I got scammed on the web, I'd feel like such a fool I probably wouldn't bother seeking a refund.

Re:I say, "Yes. Yes they should." (2, Insightful)

soft_guy (534437) | more than 8 years ago | (#16117377)

It isn't clear to me that you have to do anything wrong to be the victim of fraud. The banks need to come up with a method to combat financial fraud, or they need to absorb losses as the cost of doing business. Bankrupting individuals isn't the answer.

Re:I say, "Yes. Yes they should." (2, Insightful)

secolactico (519805) | more than 8 years ago | (#16117446)

> It isn't clear to me that you have to do anything wrong to be the victim of fraud.

You haven't done anything wrong, neither has the bank. How are phishing emails different than, say, somebody calling you on the phone pretending to be from your bank's credit card department? If you fall for it, who should be responsible? The customer for not being more careful? The bank for not making it more difficult for people to impersonate customers (and at the same time making it more difficult for honest people to conduct their business from afar). Insurance? (fat chance)

Re:I say, "Yes. Yes they should." (5, Insightful)

plover (150551) | more than 8 years ago | (#16117495)

Actually, I think the pressure to improve security will eventually come from insurance and lawsuits.

Given a few large lawsuits, banks will probably have to sign up for fraud insurance. But if their insurers set their rates based on an assessor's estimate of their security, it'll be in their best interests to improve security to get the cheapest policy possible.

It's how the civil court system and capitalism are supposed to work, anyway. It may just take time (and no freakin' governmental interference by passing "tort reform" limiting the banks' liability, otherwise there will be no financial incentive at all.)

Re:I say, "Yes. Yes they should." (1)

vijayiyer (728590) | more than 8 years ago | (#16117621)

And, as usual, the informed people will end up subsidizing the ignorant. This is not a security issue, so the banks can't improve it. The banks will have to pay, either directly, or through insurance premiums. This gets passed on to the consumer. Why in the world should the banks be liable for someone impersonating them? Should you get sued for a scam artist impersonating you?

Re:I say, "Yes. Yes they should." (0)

Anonymous Coward | more than 8 years ago | (#16117574)

> How are phishing emails different than, say, somebody calling you on the phone pretending to be from your bank's credit card department? If you fall for it, who should be responsible?

Well, credit card contracts explicitly mention fraud, and normally limit your liability to $50 in the case of fraud provided you report the fraud promptly.

By comparison, for fraud involving your ATM card, you are responsible for fraud when you disclose your PIN to someone.

Re:I say, "Yes. Yes they should." (2, Funny)

SeattleGameboy (641456) | more than 8 years ago | (#16117434)

> I probably wouldn't bother seeking a refund.

Won't seek a refund for $200k loss???

Bill, is that you?

Re:I say, "Yes. Yes they should." (0)

afidel (530433) | more than 8 years ago | (#16117478)

Until the banks use the best available security measures to secure their customers' accounts they should be held liable. Two-factor authentication schemes are well understood and cheap enough to implement that failing to use them is negligence, or at least culpability in any online loss. Using a random character generator like SecurID prevents replay attacks and makes man-in-the-middle attacks much harder; using password-protected smartcards eliminates them altogether. Just as using photos on physical cards would greatly reduce the occurrence of credit card fraud in the physical realm, these methods would reduce it online. The fact is that it costs the credit card companies more, whereas fraud only costs the merchant, because the fraudulent purchase is charged to the account of the merchant who accepted the card.

Re:I say, "Yes. Yes they should." (1)

MorderVonAllem (931645) | more than 8 years ago | (#16117563)

Unfortunately two-factor authentication has already been hacked. Basically (I can't remember the link but I'm sure it was posted here) the hackers copied the two-factor authentication and then used the window that they're given (I think it was 5 minutes) and logged on using their system. Simple. People need more diligence in their online activities to prevent them from being suckered; anybody can fake a site, but it's pretty damn obvious when the URL isn't what it should be, and there are lots of tools out there to help. The simplest way to prevent phishing through emails is that when you get an email from PayPal or BofA or anywhere, go to that site by hand, never click on the link in the email. Period. -Morder

Re:I say, "Yes. Yes they should." (1)

afidel (530433) | more than 8 years ago | (#16117655)

SecurID only has a ~30 second window for each password. This means that you have to get the passphrase from the user and use it to log in to the originating website in less than 15 seconds on average, not impossible but more difficult than a static password. As I said, mutual authentication with password-protected smartcards is really the way to go =)

Re:I say, "Yes. Yes they should." (1)

EL_mal0 (777947) | more than 8 years ago | (#16117588)

It's not all the bank's fault. Ignorant/naive/stupid people are (largely) at fault. The customers are the ones giving people access to their accounts. How is this the bank's fault? (I'm sure someone can come up with a car analogy to help me out here.) My bank has sent me letters and has, from time to time, posted warnings on their website about phishing scams. They have done their part to warn me, and should bear no responsibility if I give my account information away.

No doubt some things need to be done to tighten up access to bank accounts, etc. But no matter what extra security you put in place, people will always fall for scams. Give them password protected smartcards and the next thing you know, you'll see phishing attacks saying "There's been a recall on your smartcard. Please send it along with your password and any cash you happen to have on hand to 123 Fake St, Springfield USA". Hopefully people won't fall for this, but I'm sure that some people will fall for it just as some people today ignore news reports, letters from the bank, etc. that tell them to beware phishing scams.

So until banks figure out a way to secure accounts from stupid customers, I'll answer the question "is it ultimately the customer's responsibility to make educated use of technology?" with a resounding YES!

Re:I say, "Yes. Yes they should." (1)

milo_a_wagner (1002274) | more than 8 years ago | (#16117509)

I agree completely. Regardless of the amounts involved, anyone retarded enough to be taken in by a phishing scam, despite the massive efforts of all the major banks to raise awareness of the issue, deserves to suffer more than simply financially. I refuse to believe that any user of internet banking is stupid enough to have ignored the warnings on their bank's website, the news reports and the constant bombardment of precautionary advice from all quarters on the subject. I do not believe in pandering to imbeciles, particularly if it gives rise to a justification for higher bank charges/smaller returns levied against intelligent and competent account holders.

Fools and their Money 2.0 (2, Insightful)

Skyshadow (508) | more than 8 years ago | (#16117335)

Hacking? Yes.
ID theft? Yes.
Fraud? Yes.

Phishing? Man, I dunno -- seems to me that if you get suckered into giving someone your account information, that's kind of your own problem. It's not Paypal's fault if you actually believed that the poorly-worded email you got was actually from them because it had their logo someplace on it.

On the other hand, this sort of thing could also seriously undermine the confidence that people have in online transactions and the like, so I can't help but wonder if maybe it isn't shortsighted not to just take the hit.

Re:Fools and their Money 2.0 (1)

whoever57 (658626) | more than 8 years ago | (#16117402)

> Phishing? Man, I dunno -- seems to me that if you get suckered into giving someone your account information, that's kind of your own problem. It's not Paypal's fault if you actually believed that the poorly-worded email you got was actually from them because it had their logo someplace on it.

I think the issue is actually rather gray. The questions one has to ask are: what does a genuine email from the bank look like? Can it be easily distinguished from a phishing email? Does the bank embed links to login pages in their emails? How responsive is the bank to reports of phishing? For example, a bank could perhaps continuously move the URLs for images on the bank's site, so that a phishing webpage that pointed to images on the bank's site would have broken links, etc. There are probably lots of other questions.

Re:Fools and their Money 2.0 (1)

Skyshadow (508) | more than 8 years ago | (#16117425)

It's a simple sophistication issue.

Most people (with the obvious exception of Grampa Simpson) know not to give out their credit card number to someone who calls them on the phone and asks for it, regardless of where they say they're calling from. The lesson that needs to be imparted here is along those same lines -- never click on a link embedded in an email that takes you to a web site that asks for personal information, no matter where that site seems to be.

Re:Fools and their Money 2.0 (1)

pluther (647209) | more than 8 years ago | (#16117586)

> Most people ... know not to give out their credit card number to someone who calls them on the phone and asks for it, regardless of where they say they're calling from.

Well, you know that, and I know that, but I don't believe that most people know that.

Several years back, while working as a data-entry temp, I spent about three months on a project fixing bad orders in one company's database. This mostly involved calling the person who'd placed the order (often after hunting down a phone number for them) and asking them for the missing information, which was usually a bad credit card number (either the card didn't work, or the number was wrong).

If the person didn't want to give the information over the phone to a person that had called them, we were instructed to give them the company's main 800 number, and a reference number so they could verify that it was legitimate. In three months I did not have to give this information out a single time.

I was constantly surprised at first, but in three months, hundreds of phone calls, not a single person refused to give me their full name, address, alternate phone numbers, and credit card numbers over the phone when I called them. Since some of these orders were many months old, many of the customers didn't even remember placing the order. And at least once a day I got responses along the line of "Oh, I didn't place that. I guess my husband must have. Hold on, I'll go get his card for you."

Re:Fools and their Money 2.0 (5, Interesting)

plover (150551) | more than 8 years ago | (#16117462)

> a bank could perhaps continuously move the URLs for images on the bank's site

I like that idea a lot! Use a sessionID-named folder for any URLs that have bank logos, and any requests for logos that use an expired session ID would return an image of a stop sign with the text: "STOP - ERASE ANY PERSONAL INFORMATION FROM THIS PAGE - THIS IS A FRAUDULENT WEBSITE!!! SOMEONE IS TRYING TO STEAL YOUR MONEY!!!"

Re:Fools and their Money 2.0 (1)

Gnavpot (708731) | more than 8 years ago | (#16117547)

> a bank could perhaps continuously move the URLs for images on the bank's site

> I like that idea a lot! Use a sessionID-named folder for any URLs that have bank logos, and any requests for logos that use an expired session ID would return an image of a stop sign with the text: "STOP - ERASE ANY PERSONAL INFORMATION FROM THIS PAGE - THIS IS A FRAUDULENT WEBSITE!!! SOMEONE IS TRYING TO STEAL YOUR MONEY!!!"

Visiting your bank through a proxy could be a really scary experience then, depending on the configuration of said proxy.

Re:Fools and their Money 2.0 (1)

cowtamer (311087) | more than 8 years ago | (#16117607)

Microsoft Internet Explorer 7 already does this if you turn on the right option. It uses some sort of blacklist in combination with something similar to the approach you suggest. I believe gmail already has this for the e-mails it can identify...

Re:Fools and their Money 2.0 (1)

Nurseman (161297) | more than 8 years ago | (#16117502)

> what does a genuine email from the bank look like?

Simple. My bank N E V E R sends an email that requires a logon. Most banks are the same.
DONT CLICK that link and you will be fine

Re:Fools and their Money 2.0 (1)

Saven Marek (739395) | more than 8 years ago | (#16117571)

> what does a genuine email from the bank look like?

> Simple. My bank N E V E R sends an email that requires a logon. Most banks are the same.

This is exactly the case with an aunt of mine. I stepped through setting up her net banking, and told her, explicitly explained and MADE SURE she got it that her bank will NEVER send an email asking for password details, personal info, logins, etc. I showed her the page on her bank's own site that explained that, and went through why it was important.

And then six months later she's phished, and loses a little over $1200. Her excuse? "Yeah I knew they wouldn't send those emails out, but it looked real".

There's no helping some people, they just want to lose their cash I'm sure.

Re:Fools and their Money 2.0 (1)

TXG1112 (456055) | more than 8 years ago | (#16117421)

How do you prove that you didn't give up your account info? What if the bank's security is compromised and they claim it was through phishing?

Banks need to make their systems more secure. The fact that it is so easy to commit fraud through phishing is a problem.

Re:Fools and their Money 2.0 (1)

HiThere (15173) | more than 8 years ago | (#16117493)

I can see that argument with last year's phish. Unfortunately, I've heard a few stories indicating that there are some phish of a new species arriving...and that they can fool "the very elect". Something about a trick where they hijack the ISP's DNS reference for the bank. So you can type http://mylocal.bank.com/ into your browser...and end up at a site that looks just like your bank's site, and can do man-in-the-middle interfacing with your bank account, so it can act properly.

Personally, I avoid doing ANY banking over the net. I don't think even the cautious and honorable ones are secure. I also don't think that most banks fall into the "cautious and honorable" category. Unfortunately, this doesn't totally remove me from danger, because the bank won't accept a "no internet business on my account" rule from me. None of the ones close enough to conveniently reach will.

The long and the short of it is...you can't reliably tell the phish from the bank. If banks are going to do business over the net, then they must be forced to accept the costs of phishing as a part of the cost of doing business. If they won't...most of my money is going to go looking for another home. (I keep telling myself I should do that anyway, because they barely pay sufficient interest in most years to cover inflation.)

Re:Fools and their Money 2.0 (1)

tbo (35008) | more than 8 years ago | (#16117646)

> Something about a trick where they hijack the ISP's DNS reference for the bank. So you can type http://mylocal.bank.com/ into your browser...and end up at a site that looks just like your bank's site, and can do man-in-the-middle interfacing with your bank account, so it can act properly.

That's why you type https://www.mybank.com into the browser window--the "s" means use SSL, and you'll see a dialog about bad certificates or whatever if somebody tries a man-in-the-middle attack. Now, some banks don't use https for their login page (they use a different method to encrypt just the login info), but the good ones do.

> Personally, I avoid doing ANY banking over the net.

So what if some thugs make you withdraw money from the ATM at gunpoint? Did you shred your ATM card, too? Come on, there's a balance between risk and convenience, and saying "no" to online banking because of the very small risk of some new advanced attack is kind of silly.

Re:Fools and their Money 2.0 (1)

Tackhead (54550) | more than 8 years ago | (#16117523)

> On the other hand, this sort of thing could also seriously undermine the confidence that people have in online transactions and the like, so I can't help but wonder if maybe it isn't shortsighted not to just take the hit.

Exactly. I exercise a lot more due diligence than most customers do: Hardware firewall (ingress/egress), software firewall (egress), Firefox (instead of IE) Javashit disabled (in Firefox and IE), autorun and other "conveniences" in Windows disabled, following security news, and patching for things (like the WMF and JPEG header exploits) that my previous defenses wouldn't have defended me against, and keeping a known good disk image on read-only media to wipe the box and start over. I've yet to see anything get past the hardware firewall. So far. But someday I'll screw up. Or just be unlucky. (Hmm, how sure can any of us be that the routers and/or DNS servers between your box and your bank's box are never compromised, especially with ISPs getting into the "let's fuck around with DNS" game like Verizon did a while back, and Earthpink's trying to do now :)

If my bank's no longer willing to back its customers up, I'll do the only sensible thing: go back to meatspace banking.

So, Bank, what's it gonna be? Do you really want to have to hire enough tellers to support a significant fraction of your customers going back to meatspace? Or are the cost savings you deliver to your shareholders (and the market share and deposit base that you gain by being easier to do business with) sufficient to justify the occasional payout to a duped/phished customer?

But seeing as how electronic banking has enabled you to offer some of the most powerful and convenient financial services to the market anywhere in the world, you gotta ask yourself a question: "Do I feel unlucky?"

I know what you're thinking. You're thinking "does phishing cost me $6B/year, and will my customers going back to meatspace or to my competitors cost me only $5B?"

Well, to tell you the truth, in all the technological excitement, I'm not really sure myself.

But it comes down to just one question: Your customers don't want to be phished. You don't want your customers to be phished. You're implementing security measures, but they're not perfect. So it comes down to just one question. Do you feel unlucky?

Well do ya ... Bank?

Re:Fools and their Money 2.0 (1)

Likuid (1002587) | more than 8 years ago | (#16117529)

I think this is more than just a case of right and wrong here. While it's easy to say it's the customer's fault, which it is, that isn't always the best course of action for the bank. People need to be able to trust their bank, and that their money is going to be there when they need it. In order for people to keep their security in the bank, they may need to bite the bullet on some things. Even though I'm pretty sure it would never happen to me, I would still lean more towards a bank that offered phishing protection, just because it's an extra layer of safety net that would make me feel more secure with my money. So the question comes up, "If the banks don't pay for phishing damages, are they going to lose more money than they save?" I think the answer to that is yes, but only time will tell.

RSA keys ... (1)

AHumbleOpinion (546848) | more than 8 years ago | (#16117593)

ETrade offers little RSA dongles and you append the ever-changing 6 digit number to your password. Might be helpful if banks offered this for regular online customers. Well, maybe if emails are delayed by the timeframe the 6 digits are valid.

An option to restrict online access to an IP or subnet would be nice too.

Let Uncle Sam pay (1)

joe_n_bloe (244407) | more than 8 years ago | (#16117336)

I don't know if I can stand to hear about the countless back and forth lawsuits that are coming. Why put it off? I'll just give up the rest of my money now.

Re:Let Uncle Sam pay (2, Insightful)

CrazyJim1 (809850) | more than 8 years ago | (#16117352)

As much as America funds other governments, I don't think Uncle Sam should pay for Ireland's banking debts. Maybe the banks in the FDIC...

Re:Let Uncle Sam pay (1)

Telvin_3d (855514) | more than 8 years ago | (#16117406)

> As much as America funds other governments, I don't think Uncle Sam should pay for Ireland's banking debts. Maybe the banks in the FDIC...

Considering that the US national debt is currently eight and a half trillion dollars (no, not a typo or exaggeration), I would say you have more of a case for other governments funding the US.

If you want to see the current US national debt, check this out: http://www.publicdebt.treas.gov/opd/opdpenny.htm

Re:Let Uncle Sam pay (0)

Anonymous Coward | more than 8 years ago | (#16117515)

> If you want to see the current US national debt, check this out: http://www.publicdebt.treas.gov/opd/opdpenny.htm

Awesome! Our debt shrunk by $2,954,104,073.76 since yesterday!!! If we can keep that up, every day for another 8 years, we'll be debt free!

I'm crossing my fingers and holding my breath...

They already do (1)

Neil Blender (555885) | more than 8 years ago | (#16117338)

It's just not so obvious to the consumer. Where do you think the money comes from? A magical tree?

Actually... (1)

Rix (54095) | more than 8 years ago | (#16117363)

Banks create much more currency than governments do, so yes, it does essentially come from a "magic tree".

Re:They already do (1)

P3NIS_CLEAVER (860022) | more than 8 years ago | (#16117385)

Banks have insurance just like any other business.

Re:They already do (1)

rumblin'rabbit (711865) | more than 8 years ago | (#16117504)

And banks pass on the cost of the insurance to their customers, just like any other business.

Ain't no getting around it. There is no money tree.

Walk with your money (1)

bfmorgan (839462) | more than 8 years ago | (#16117341)

If the banks don't cover the losses of customers, the customers will find someone who will. Be they other banks or the government.

They have to learn sometime (2, Insightful)

Anonymous Coward | more than 8 years ago | (#16117357)

Phishing is no different than other scams out there. One in my area has two men dressed as workers from the water department who enter the home to "check the water pressure." While one sets to work inside, the other takes the victim outside to check the faucets, leaving the first to go looking for the jewelry box.

Does the water department have to cover the cost of the missing rings? No. Then why must financial institutions?

Re:They have to learn sometime (1)

El Gigante de Justic (994299) | more than 8 years ago | (#16117598)

Because in the case you present, your homeowner's insurance would likely cover the cost of whatever was stolen, and the thieves are probably easier to catch - they may leave fingerprints, and you have seen their faces.

You can't get insurance to cover phishing scams, although it seems like it would maybe be partially covered by the FDIC.

Maybe... (1)

rpax9000 (916267) | more than 8 years ago | (#16117364)

I think if the bank does not take reasonable care to keep the phishing from happening, they should pay. Otherwise, that's like saying the post office should be responsible for mail fraud... there should still be some personal responsibility. So I guess it all revolves around the phrase "reasonable care". I'm sure it will, like all such gray areas, end up spawning lots and lots of lawsuits. The lawyers will probably collect more than the phishers.

Re:Maybe... (1)

rumblin'rabbit (711865) | more than 8 years ago | (#16117424)

How do banks take care to keep phishing from happening? What do you see as a level of "reasonable care"?

This is not a criticism - it's just curiosity. I am wondering if there is anything a bank can do to prevent or discourage phishing.

And remember the third law of sociodynamics: No matter how a dispute turns out, the lawyers always win.

Re:Maybe... (1)

rpax9000 (916267) | more than 8 years ago | (#16117452)

What immediately came to mind for me is what Paypal/Ebay have done, which is basically to say something like "If you get an e-mail from us, it will always have your registered name on it and we will never ask for your password, etc..." If the bank makes it clear what kinds of requests are likely to be phishers and which are not, I think that would qualify. Also if the bank somehow compromised security by letting private information out which was then used to phish, I think they could be held accountable.

Re:Maybe... (4, Interesting)

Todd Knarr (15451) | more than 8 years ago | (#16117605)

Well, I can think of some. For example, a friend of mine got his debit card copied. He couldn't have prevented it; Arco got their computer systems compromised and all the debit-card numbers and PINs used at their at-the-pump readers stolen, and he happened to have used his card at an affected Arco station. But the bank could've easily stopped his account from being emptied. He'd made a card-present, ID-presented, signature-obtained transaction in San Jose, CA. 4 hours later, his card was used at an ATM in Thailand and his account emptied in $100-200 increments; it took quite a few transactions to completely drain his account. Now, any basic security profiling should've raised red flags: he's never used his card outside the US, these are cash withdrawals in a country that's known as a source of financial fraud, and it's physically not possible for a person to have gotten from San Jose to Thailand in 4 hours. All the bank would've had to do is refuse that first ATM withdrawal with a message to contact his bank and that would've been the end of the theft before it began. But they allowed all those transactions without questioning them. That's definitely not reasonable care on the part of the bank.
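The "basic security profiling" described in the comment above, as an added example that is not code from the thread or from any bank: an impossible-travel check that declines a transaction when the cardholder could not have covered the distance from the last approved transaction in the elapsed time. The coordinates, timestamps, amounts, card ids and the 1000 km/h ceiling are constructed sample values.

```python
"""Impossible-travel screening for card transactions.

Added example, not code from the thread or from any bank: decline a
transaction when the great-circle distance from the cardholder's previous
approved transaction could not have been covered in the elapsed time.
All coordinates, timestamps and amounts below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Assumed ceiling on legitimate travel speed (a commercial flight is ~900 km/h).
MAX_PLAUSIBLE_KMH = 1000.0


@dataclass(frozen=True)
class Txn:
    card: str
    when: datetime
    lat: float
    lon: float
    kind: str      # "card_present" or "atm"
    amount: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlam = radians(lon2 - lon1)
    h = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def implied_speed_kmh(prev: Txn, cur: Txn) -> float:
    """Speed the cardholder would have needed to be present at both places."""
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.when - prev.when).total_seconds() / 3600.0
    if hours <= 0:
        return float("inf") if dist > 0 else 0.0
    return dist / hours


def screen(txns):
    """Return a (decision, reason) tuple per transaction, in time order.

    The reference point is the last *approved* transaction on the card: a
    declined transaction never becomes the cardholder's new location, so the
    rest of a draining burst from the same place stays declined too.
    """
    last_ok = {}
    decisions = []
    for t in sorted(txns, key=lambda t: t.when):
        prev = last_ok.get(t.card)
        if prev is None:
            decisions.append(("approve", "first transaction seen on card"))
            last_ok[t.card] = t
            continue
        speed = implied_speed_kmh(prev, t)
        if speed > MAX_PLAUSIBLE_KMH:
            decisions.append(("decline", f"implied travel {speed:.0f} km/h "
                              "since last approved transaction; contact bank"))
            continue
        decisions.append(("approve", f"implied travel {speed:.0f} km/h"))
        last_ok[t.card] = t
    return decisions


def sample_scenario():
    """Constructed scenario echoing the comment: a card-present purchase in
    San Jose, CA, then a burst of ATM withdrawals in Bangkok four hours later.
    A second card travels San Jose -> Los Angeles over six hours as a
    legitimate control that must stay approved."""
    t0 = datetime(2006, 9, 14, 10, 0)
    san_jose = (37.34, -121.89)
    bangkok = (13.75, 100.50)
    los_angeles = (34.05, -118.24)
    txns = [Txn("card-1", t0, *san_jose, "card_present", 42.10),
            Txn("card-2", t0 + timedelta(minutes=5), *san_jose, "card_present", 18.00)]
    for i in range(5):
        txns.append(Txn("card-1", t0 + timedelta(hours=4, minutes=3 * i),
                        *bangkok, "atm", 200.00))
    txns.append(Txn("card-2", t0 + timedelta(hours=6, minutes=5),
                    *los_angeles, "card_present", 25.00))
    return txns


if __name__ == "__main__":
    ordered = sorted(sample_scenario(), key=lambda t: t.when)
    for t, (decision, reason) in zip(ordered, screen(ordered)):
        print(f"{t.when:%H:%M} {t.card} {t.kind:13} {t.amount:7.2f} -> {decision}: {reason}")
```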

No (2, Interesting)

4D6963 (933028) | more than 8 years ago | (#16117365)

No

If they did so, then all you'd have to do would be to set up a phishing site, be a victim of your own phishing and then be paid back by your bank.

That, and also, blah blah people blah blah stupid blah blah genetic pool blah.

Re:No (1)

Hey, Retard... (915400) | more than 8 years ago | (#16117415)

...you got it backward.

Re:No (1)

MrSquishy (916581) | more than 8 years ago | (#16117448)

I think I can trick myself into giving myself my own password, without going through the hassle of setting up a phishing site.

"Can Banks Shift Phishing Losses to Customers?" (4, Insightful)

Maxwell'sSilverLART (596756) | more than 8 years ago | (#16117369)

"Can Banks Shift Phishing Losses to Customers?" asks the headline.

Of course. The customers are going to pay for all losses; the correct question is, will banks make the individual who made a foolish decision pay for his mistake, or will they make all of the customers (like me) pay, in the form of reduced interest payouts, higher lender rates, increased fees, etc.?

You don't really think the bank is going to create money to pay for the losses, do you? Make no mistake about it--banks, like every other convenient, abstract legal fiction--don't pay for anything. Individuals pay for things.

How to Lower Phishing Losses for Some (1)

G4from128k (686170) | more than 8 years ago | (#16117485)

You don't really think the bank is going to create money to pay for the losses, do you? Make no mistake about it--banks, like every other convenient, abstract legal fiction--don't pay for anything. Individuals pay for things.

Exactly true in the short-term, but not true in the long-term because customers can choose which bank to do business with. Banks still compete and the ones that can levy the lowest fees because they have the lowest phishing-related losses will get the most business. The interesting issue is that banks have three strategies for lowering phishing losses:
1) Deny claims for losses
2) Implement security
3) Screen-out phish-prone customers (e.g., preferentially market to young, tech-savvy consumers with high credit scores)

Of these three, the first is a PR nightmare and may become illegal. The second is expensive and may inconvenience customers. The third is interesting but gets into nasty ethical issues if the bank tries too hard to avoid people it thinks are bad phishing risks.

Re:"Can Banks Shift Phishing Losses to Customers?" (1)

Antony-Kyre (807195) | more than 8 years ago | (#16117549)

They should lower the interest they pay out to customers. They then should create free insurance up to $50k in damages to any person who loses their money through phishing. Although the crooks win until caught, this provides a safety net. Although smart people don't get all the interest they earn, everyone, smart or ignorant, will be assured that they will never be so devastatingly hurt.

Re:"Can Banks Shift Phishing Losses to Customers?" (0)

circletimessquare (444983) | more than 8 years ago | (#16117564)

Make no mistake about it--banks, like every other convenient, abstract legal fiction--don't pay for anything. Individuals pay for things.

uhhh... banks, like every other brick and mortar institution of working individuals with an office, have more resources than individuals. they also have more motivation, as it is in their pilfered name the phishers conduct their criminal enterprise

so yes: banks don't pay for anything, you are right. individuals pay for things, you are right. but you are assuming that the actions of criminals are something that can be isolated, and that no one will ever have to pay for

if the phishing victims shoulder all of the financial responsibility, you are talking about shuttered businesses and ruined families because of that. and the negative effects of those events will work their way towards you as something you pay as a societal and economic effect. so you are going to pay for the criminal's actions somehow, no matter what you do. a single solitary crime is an act whose effects eventually victimize everyone in society. there is no avoiding the costs of crime, there is only confronting the costs of crime, and mitigating and minimizing those costs

so why not fight phishing in the most expedient way possible?: up front at the bank who is victimized as well, and has the motivation and resources to prosecute the crime. will the costs of that trickle down to you as a bank customer? of course ...and you are imagining those costs would never touch you?

Obligatory Phishing Reply (0)

Anonymous Coward | more than 8 years ago | (#16117568)

Phishing scams don't dupe people out of their money, People dupe people out of their money. Prostitution may be the oldest profession, but hucksterism and thievery are close behind.

This is just technology giving dishonest people a new way of getting "other people's money." Where necessary, laws and policies will have to be changed to reflect this. Who's responsible? Like everything else, it depends on the situation.

Re:"Can Banks Shift Phishing Losses to Customers?" (1)

Gnavpot (708731) | more than 8 years ago | (#16117625)

Of course. The customers are going to pay for all losses; the correct question is, will banks make the individual who made a foolish decision pay for his mistake, or will they make all of the customers (like me) pay, in the form of reduced interest payouts, higher lender rates, increased fees, etc.?

I am so tired of hearing this "Company X lost Y millions. But they will just raise their prices so the customers will pay the bill".

Ask yourself one simple question:
If the company could earn an extra Y millions by raising the prices, then why did they not do this long ago instead of waiting for a loss?

Within the given limits, a company will always try to optimize prices to maximize profit. If they have done this right, any price change within those given limits will reduce profit.

Re:"Can Banks Shift Phishing Losses to Customers?" (2, Informative)

jay2003 (668095) | more than 8 years ago | (#16117660)

Clearly, you've never taken any economics classes or you learned nothing. Your statement is only true in market segments approaching perfect competition, and there are very few of those outside farming. In market segments where sellers or service providers have market power, which banks do as evidenced by their enormous profits, it's simply false to claim that all costs are passed on to customers. Often the factor that dominates prices is the marginal revenue lost by reducing prices rather than the level of marginal cost per unit.

Knowing my clients (2, Interesting)

bigattichouse (527527) | more than 8 years ago | (#16117375)

Knowing my clients, I smell a new "insurance product" ... a general "electronic age" insurance product to cover online fraud (buyer/seller problems), identity theft and now phishing. "e-Policy" or something.

My $0.02 (no pun intended) (3, Interesting)

Guppy06 (410832) | more than 8 years ago | (#16117384)

  1. It seems that the task of finding and catching phishers should be put to those best able to pursue them: the banks. If the customer is responsible for the loss, be prepared to see silly little class actions against phishers, with the only real victors being the lawyers.
  2. If a bank doesn't want to be held responsible for what happens to my money, I'll do the responsible thing and move my money elsewhere.

Re:My $0.02 (no pun intended) (2, Insightful)

pla (258480) | more than 8 years ago | (#16117557)

If a bank doesn't want to be held responsible for what happens to my money, I'll do the responsible thing and move my money elsewhere.

Damn - Here goes a wasted mod point, but I consider this point so insightful, I must reply.

I know people who, even in the current environment where banks bear the vast majority of the pain for most financial fraud, refuse to keep their money in the bank. They currently fall in the minority, but do exist. And not just fogies and Luddites - I know a 26YO EE who has no credit cards, no bank account, and buys EVERYTHING with cash or money-orders.

If banks start telling people "Aww, gee, someone emptied your account using seemingly-legit info, tough luck; I guess you'll use a bit more care next time, eh?", you can expect to see the world's economies collapse overnight as people move their life savings to their mattresses.

So no, banks will stoically take the hit, as they have always done. Not just for fear of losing customers, but for fear of losing public confidence in the ONE thing they actually "sell" - The legal fiction of fungibility of food/goods for paper, and more recently, paper for bits. If they lose that quite literally delusional association of "value" most people have for their magical green paper, game over - They go from running the world, to owning a lot of nonmagical green paper.

Banks. (4, Insightful)

m0rph3us0 (549631) | more than 8 years ago | (#16117386)

The problem is that the banks aren't taking appropriate steps to identify the customer before handing over the customer's money. Banks are legislated/insured to only release money to the authorized account holder. When the customer takes reasonable steps to protect their information and follows the bank's security procedures they are not responsible for loss.

By putting in place technology that doesn't sufficiently protect the reasonable person from fraud the banks bring the liability to themselves. The reason you put money into the bank and pay fees is to prevent unauthorized persons from accessing your money and to provide insurance against such a loss. It is the bank's job to put in place controls and cover the losses that arise from insufficient controls. It is a balancing act between what the consumer wants to put up with in security and what they want to pay for service. It is the bank's job to find the equilibrium between the cost of increased controls and the cost of fraud. After all it is the bank not the consumer who is offering the service of withdrawal over the internet.

A good step in the right direction might be two factor authentication.

Re:Banks. (2, Interesting)

Richard_at_work (517087) | more than 8 years ago | (#16117408)

Remember, there are only so many blocks you can put in between an idiot and his money before he gets pissed off and takes it elsewhere.

Personally, I'm all for banks charging phishing victims for the losses - many don't cover fraud resulting from the customer failing to take appropriate measures to protect their card details, how is failing to protect their login details any different?

x.509 certificates . . . (2, Insightful)

rbannon (512814) | more than 8 years ago | (#16117393)

Wouldn't it be nice if customers and banks alike used secure email? [blogspot.com]

no (1)

unborracho (108756) | more than 8 years ago | (#16117397)

People that give up their info that easily deserve to have their money taken away.

Big grey area if you ask me... (1)

Zocalo (252965) | more than 8 years ago | (#16117407)

If you send all your bank account details to some Nigerian "widow" based on the contents of an email written all in block capitals, then that's hardly the bank's problem, is it? At the other end of the scale if you visit your bank's actual website only to have your account details obtained by some cracker that managed to compromise the webserver then that is very much the bank's problem. In practice though, the vast majority of fraud is going to fall somewhere in between those two extremes, so really this kind of thing should be handled on a case by case basis based on a predefined framework set out when you sign up to the account. I suspect that means we are going to start seeing T&Cs for bank/credit accounts that resemble insurance policies though; "We will refund your money in the event of A, B and C, but not P, Q and R, although we'll cover you for those too for a monthly fee. Under no circumstances will we be liable for X, Y and Z."

incentives (3, Insightful)

brre (596949) | more than 8 years ago | (#16117411)

If you want the party that has the most control of the security system to have the incentive to fix the problem, the bank should pay.

If you want to take away the incentive to fix the problem from the party that has the most control of the security system, the customer should pay.

I say let the customers pay the price (1)

EvolvedHumanoid (181646) | more than 8 years ago | (#16117413)

... or before long we'll be expecting the banks to also cover the cost of all the idiots that send cashiers checks to Nigeria hoping to get rich.

One way or another, people are going to have to learn some lessons... and financial loss is usually a powerful lesson.

What about security? (1)

diablo-d3 (175104) | more than 8 years ago | (#16117414)

I agree that banks should be liable for what equates to theft; but where is the security for their websites in the first place? Shouldn't there be some way to prevent phishers from being able to enter the data they phished? "Oh, hey, that IP has logged in to over a hundred accounts, he must be a phisher with customer data", or something akin to that.

Banks & Customers should exercise due diligence (3, Insightful)

sweetnjguy29 (880256) | more than 8 years ago | (#16117420)

The reason why phishing attacks work is that people are fooled into giving credit card information to what appears to be a legitimate website. This could have been avoided if the customer was more careful, but then again, we all get tricked from time to time.

Now, why aren't flags raised when $30,000 is taken out of a bank account electronically from an unusual location? A phone call to the account holder would be nice.

By analogy, if someone forges a check, and signs my name, and the bank cashes that check, the bank is on the hook for the cash. Also, if someone lies about their identity, and the bank doesn't verify their identity, they are also on the hook for the check. The same should be true with online transactions.

If European banks and governments won't protect customers from fraud, online purchases will be doomed.

It's the Phishers who should pay! (4, Insightful)

vertinox (846076) | more than 8 years ago | (#16117423)

FTFA: 1sockchuck writes to mention a Netcraft article wondering who should bear the brunt of phishing costs.

The rational answer should be that law enforcement should pursue the criminals and put a freeze on their accounts and seek retribution in monetary and jail time punishments.

Seriously, if we can find and freeze "terrorist" accounts, how hard is it to track where this money goes?

I mean Phishers have to get it from a bank or ATM somewhere.

Why doesn't the bank simply reverse the process and force other banks to freeze the accounts? What is preventing them?

Won't somebody think of the children? :) (1)

Yo Grark (465041) | more than 8 years ago | (#16117429)

I have this to say about that.

It's the TYPE of phishing that should be investigated and judged. If I verify my contact info with the bank after an elaborate security hole makes it LOOK like the bank even after typing in the bank's direct web address, yes I think I should be protected under some umbrella of some insurance policy somewhere. (BTMK, in Canada, our accounts are insured up to a certain limit, separate from the banks insurance)

If I GIVE authorization for someone to take the money, no, the responsibility lies on me.

Trouble is, who can really prove either?

It depends (1)

scronline (829910) | more than 8 years ago | (#16117444)

First you need to prove where the money was lost from in the first place. You can't instantly assume that it was a user falling for a phishing scam. Particularly after so many companies have been losing backup tapes, customer records through social engineering, and the list goes on.

I'm all for the victim of phishing being responsible for their own finances. After all, it was their inability to take BASIC security precautions that we have been preaching for DECADES people...not a few years, DECADES!

However, as more and more companies are being found to have lax security on their own part....

Let's just say, that if the bank can PROVE that the customer lost it via phishing and they were duped into giving up their username and password, then sure, they should suffer for it. After all it was THEIR fault and not the bank's. HOWEVER, until the bank can prove how that information was snagged, they should be responsible.

I know that twice this year (yes, I said twice this year) I've had my debit card cut off (without warning only to find out sitting at a gas station with an empty tank) simply because of a security breach in some financial institution. While I applaud the fact that they shut it down to make sure I wasn't a victim, they could have been a bit more proactive. After all, I have no transportation without gas and that card doubles as my ATM card. If it wasn't for the fact that I make it a habit to keep $30 on me at all times in case of emergency, I could very well have been stranded 100 miles from home.

So yeah, bank's problem unless proven it's the customer's fault.

good question (1)

krotkruton (967718) | more than 8 years ago | (#16117453)

This question sure is a lot better than asking whether or not it's unethical to "hack" the Governor of California's website.

Part of me thinks that if someone walks up to you on the street, claims to work for your bank and then asks you for some money, you're an idiot if you take out your wallet. However, the internet is still relatively new and even though most slashdotters can recognize a phishing attempt, my mom still wonders how all those porn advertisements know where she lives...

Make the phishers pay! Double - reimburse the bank (0)

Anonymous Coward | more than 8 years ago | (#16117466)

Reimburse the bank and the victim. That may stop the phishing activity.

terms and conditions (1)

Tjp($)pjT (266360) | more than 8 years ago | (#16117474)

My online terms and conditions state that if I give out my online account and password I am responsible for their use. So if I give a phisher the information I lose. If my information is gained without my consent or knowledge, it is their loss. So it would depend on the phishing scam. If my browser is hooked and I go directly to the real bank website I should trust the technology (sorry LOL) that I should be secure in trusting that transmitting the data of my account, password, etc. is secure. I should not be responsible for "man in the middle" schemes even if instigated by phishers. On the other hand if I go to bankofamerika.com and don't notice they swiped all of bankofamerica.com's graphics, etc. (which BofA should prevent from being used on any page but their own anyway) then I am liable. Your mileage and terms of service may vary.

Re:terms and conditions (0)

Anonymous Coward | more than 8 years ago | (#16117632)

Funny that you mention BofA in particular. I'm a customer of theirs and they have some anti-phishing stuff in place. You enter only your login ID on their main page, then they display a photo that you've selected as your "site key". If the photo is the one that you're expecting, then you enter your password. (Of course this still requires that users be somewhat intelligent.) One time, for whatever reason, the site key didn't come up, and I just saw the old username/password stuff. It really disturbed me, and I could not bring myself to log in, even though I'd used the link from my own bookmarks. I had become that conditioned to seeing the site key.

Also, if I log in from an "unregistered" computer, they ask me a challenge question before displaying my site key. (Then I can "register" that computer so that my site key is displayed after I give my login ID.)

You can't fix stupid (1)

dtfinch (661405) | more than 8 years ago | (#16117481)

Banks have no way to stop foolish customers from falling into phishing traps. They could try to recover the money, but ultimately it's the customer's fault. The bank is not at fault, apart from some not using SSL on their login page to prove their identity, which customers never bother to verify anyways, and there's very little the bank can do to remedy it, unless the FDIC is willing to foot the bill.

not true: "morons get what they deserve" (4, Insightful)

circletimessquare (444983) | more than 8 years ago | (#16117489)

justice must have a compassionate edge. because if justice is as brutal and swift as crime itself, it is no longer justice

so yes, the people who fall for phishing schemes are stupid. but no: they do not deserve what happened to them. the punishment they receive (losing all of their funds) is not commensurate with the mistake they made. if i get in the car with a drunk driver, i am stupid. but do i deserve to get paralyzed for life in the accident that happens for my mistake? no. so do you laugh and call me a moron or grieve at my infirmity?

whether you laugh or grieve at me is more revelatory about your own immaturity. because god forbid you ever make a little mistake in your life and suffer drastically for the consequences, right? that can never happen to you, right? yes: stupid mistakes have negative consequences. but if the negative consequences are way out of proportion to the error, you should not be so dismissive, you should demonstrate some compassion, or justice really isn't your motivation. if drastic punishment from a simple mistake happens to you, you're just going to suck it up and move on without complaining one bit, right?

well... experience teaches me that those laughing hardest at those horribly punished for simple mistakes are also those who whine the loudest when they become victimized the same way. so yes, banks should pay for phishing schemes, and everyone here shouting "you get what you deserve" are not speaking from a position of concern for justice. they are speaking from just sort of a smug hypocritical contempt for simple human fallibility. which they apparently imagine themselves immune from, out of simple ignorance at how cruel crime can be, and how fickle fate can be

OT: remember when running Windows was illegal ... (0, Offtopic)

Mateo_LeFou (859634) | more than 8 years ago | (#16117499)

...for banks, I mean. Because whatever version of windows it was had a phoning-home function, so that using the system to store customer data was actually a felony. I can't find the story, 'cause I don't remember enough details. Is WGA in this territory, or did that law get changed? Whatever happened to that; it was funny.

Works both ways (1)

badzilla (50355) | more than 8 years ago | (#16117503)

If banks want me to be responsible for my own dealings with them online then they can give me better login security. If it were easier to be sure that I was really dealing with the bank and not a phishing site then it would be more reasonable to hold me responsible.

How about a two-way cryptographical handshake where we verify each others' keys? A one-time password gizmo such as RSA fob? But no, instead all I have is a crappy password. OK so I can at least check their SSL cert but it's not exactly convenient.

It's a Trap! (1)

mpapet (761907) | more than 8 years ago | (#16117519)

Maybe some others with merchant experience can back me up on this, but most of the fraud is actually assumed by the merchant.

The abuse the banks dole out to retailers is so bad Walmart is setting up their own bank just to get a piece of the scam. http://www.fdic.gov/regulations/laws/walmart/index.html [fdic.gov] They had to drag the banks to court just to get them to stop abusing them on transaction fees.

In the end, the merchant will pay dearly for the privilege of accepting a payment made with phished cards. That means the consumer will end up paying slightly more overall for everything.

Of COURSE the banks should make good (5, Insightful)

cfulmer (3166) | more than 8 years ago | (#16117533)

The basic way money is stolen is this:

(1) Somebody gets your account information. (Possibly through phishing, possibly just by rummaging through your mail).
(2) They wire money out of your account.
(3) They move the money someplace where it cannot be retrieved.

The problem is in step 2. The banks make absolutely no verification that a transfer is authorized. When I walk into a branch, I can't just pull money out of my account without first verifying who I am. When I write a check, the bank (at least in theory) is supposed to verify that the signature on the check matches the one they have on file. But, there is no similar verification when my account is electronically drafted.

The banks are basically betting that they'll lose less money through fraud than it would cost them to implement security on the back end. It's a calculated risk on their end. If their customers had to pay for the fraud, there would be NO incentive for them to improve security.

Incidentally, the comment that "the customers pay for it anyway" is only partially right -- customers pay for part of it through reduced interest rates and so on, but some of it also comes out of the bank's profits. Banks are generally in a competitive market and as long as there are alternatives for savings (e.g. brokerage houses), the market dictates the interest rates paid by the bank.

There is no cure for impersonation (1)

vinn01 (178295) | more than 8 years ago | (#16117539)


There is no cure for impersonation if you provide a con man all of the details required to impersonate you. If you fall for a phishing scam you did as much as dressed up a con man to look just like you and gave him your photo ID cards.

In the pre-Internet days, a con man would have to work harder. You had to withdraw the money for him (like using the old Pigeon Drop scam, http://en.wikipedia.org/wiki/Pigeon_drop [wikipedia.org] ).

The bank could use things like a PIN for account access, but if you gave out your PIN, how is that the bank's fault?

whatever idiot lost the information used to obtain (1)

Locutus (9039) | more than 8 years ago | (#16117552)

the money is responsible beyond a certain point. Obviously the thieves are ultimately responsible but to blame the business? I don't think so. They could advertise indemnity or something to gain customers but that's an optional feature IMO.

The business site must have some ability to validate a customer and attempt to prevent phishing site copies.

LoB

Pressure the banks or negligent customers? (1, Interesting)

noidentity (188756) | more than 8 years ago | (#16117554)

So, if we put pressure on banks by making them pay, maybe they'll do things to make phishing attacks harder to carry out. Sounds good... but

If we put pressure on customers by making them pay, maybe they'll do things that make phishing attacks harder to carry out.

In the end, I as a customer to my own bank can entirely prevent phishing attacks on my account, through very little cost to myself. Therefore, I would like to be held responsible for phishing rather than my bank, otherwise I'll be paying for other customers' negligence.

Bank of Ireland has extremely bad security! (2, Informative)

GekkePrutser (548776) | more than 8 years ago | (#16117559)

I'm an account holder with Bank of Ireland, and have had several accounts with Dutch banks. ALL Dutch banks use two-factor authentication when making payments, either with a digital "calculator" device or a list of passwords, where for every payment a different password is requested, and the list renewed when it has been used up.

Bank of Ireland, on the other hand, uses just a lame 6-digit password, your contact phone number and a 6-digit account number. Very lousy security there. I definitely don't feel safe using their internet banking facilities. Even 8 years ago my Dutch bank modem service already used 2-factor auth.

So, yes, I feel that in this case BOI is completely to blame for this.

Advertising (2, Funny)

HTH NE1 (675604) | more than 8 years ago | (#16117561)

Phishing seems to be good advertising for banks. I'd never heard of Fifth Third Bank [53.com] until I was suddenly getting 5 phishing e-mails a day for it.

Stupidity pays? (0)

Anonymous Coward | more than 8 years ago | (#16117565)

So this is it huh? Pay people for their stupidity? Next thing you're gonna tell me is that we'll be able to sue McDonalds for not having a "Caution! Hot!" label on their coffee cups because we spilled it on our legs.

Oh wait... that did happen.

Re:Stupidity pays? (1)

Jacer (574383) | more than 8 years ago | (#16117604)

It did happen, but what you, like most people, fail to know about the coffee that burned the woman was that it was absurdly hot. McDonalds keeps their coffee close to boiling, but the coffee handed to the woman was near a whopping 240F, well beyond the 180F norm, and well beyond what should be considered "safe" for serving to consumers. Most people are pretty quick to just think the woman is either greedy or mentally-inept, but she did have a fairly solid point. That coffee was *dangerously* hot.

It's not the banks' fault anyway. (0, Flamebait)

krell (896769) | more than 8 years ago | (#16117567)

The banks aren't phishing, so there is no way they should pay a dime to anyone.

I have to side with the bank on this one (1, Informative)

istartedi (132515) | more than 8 years ago | (#16117589)

Historically, if you get conned, that's your problem.

If the bank sold phishing insurance, it would invite people to get in cahoots with the phishers.

The simple rule for ALL online banking is this:

All online banking transactions should be initiated by YOU. If someone who looks like the bank contacts you with something, even if it looks perfectly innocent, never trust them. Instead, hit the bank's web site as you ordinarily would, not by clicking on a link in an e-mail, but by going to their main site and logging in as usual. This constitutes a transaction initiated by YOU. Once logged in, you will, under many online banking systems, find something in your "message center". If it matches up with what you received via e-mail, then it really was from the bank.

It really is that simple.

Sadly, some legitimate financial institutions do put links in e-mails. Forbidding this practice would make phishing virtually impossible, so I would advocate forbidding banks to send anything containing a link in an e-mail, not even as a copy-paste. If the bank sends you a message telling you it's time to update your password, and there are no links, then you MUST initiate the transaction by their legitimate URL, and you cannot be phished unless the bank has been hacked.

If the bank is hacked, then yes, the bank is liable. This is more likely to be insurable; especially under a well-regulated banking system.

Convenient? No. But then neither is having a lock on your door.

yes, it's the bank's problem (3, Insightful)

jay2003 (668095) | more than 8 years ago | (#16117597)

If someone forged your driver's license and went to the bank to withdraw your money in person, it's the bank's fault for giving it to them. Same principle should hold for online transactions. If the bank gives the wrong person your money, it's not your problem.

If the liability moves to customers, the banks won't have any incentive to improve security. Worse, the bank will start blaming you for breaches that are completely their fault. The bank will claim you didn't protect your password when their systems are compromised and your account is drained.

The bank is in a better position to do something (4, Insightful)

DaveJay (133437) | more than 8 years ago | (#16117601)

The bank has motivation and resources to implement a solution, whereas individual customers do not. This is because banks control the technologies that phishers emulate in order to con their targets.

For example, the company I work for is concerned about phishers stealing user accounts, by emailing links to pages that look like our corporate signin page (used for many properties in many locations, so commonly encountered on various sites by our employees.) As individual users, it was extremely difficult to tell whether the page being logged into was legitimate or not; so, the company now uses a cookie to identify you as an employee, and embeds your picture (from the company's internal records) into the login page. If there's no picture of you, it's not legitimate.

Is that foolproof? No, because other employees could get your photo and fake the login page. It certainly narrows it down to internal employees and contractors, however, and it's a step that individual employees could never have taken on their own.

Similarly, imagine if ATM cards didn't have PINs, and possession of the card was enough to withdraw money from remote locations. Individual users couldn't do much about this, other than hold onto their card for dear life, but the banks could easily implement PIN codes so that theft of the card did not automatically enable theft of account monies.

Again, is that foolproof? No, because some people write their PINs on their cards (duh) and some people manage to set up "fake" ATMs to collect card swipes and PINs. However, banks now use the unique identifier on the card to access the customer's name and display it before the PIN is punched -- no name means you probably shouldn't use the machine. Again, another step (still not foolproof) that individual users couldn't enact on their own.

If a bank makes a service available, they are the ones in good position to improve the security of that service, and at some point the bank actually hands over the money based on their own assurance that the person using the service is who they say they are, using whatever method the bank provides. All of this is up to the bank, not the user, and so they should carry the liability -- if not, they can always opt to avoid providing those services that they cannot successfully protect.

Does this absolve the users of all responsibility? No, but there are still lots of stupid things users can do -- and shouldn't -- that cause them to lose money that the bank doesn't -- and shouldn't -- have to reimburse.

I guess you can think of it like this: if a bank's machine gives out money to the wrong person, it's the bank's fault -- and if the bank's machine gives out money to the right person, who is then mugged within half a second of the transaction, it's the user's fault.
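An added example of the "your photo on the login page" check DaveJay describes, not code from his employer or from the original post. It assumes a hypothetical recognition cookie whose value is the username plus an HMAC tag minted with a server-side secret; because the browser only sends that cookie to the legitimate origin, a look-alike page on another host never receives it and so cannot show the photo.

```python
import hashlib
import hmac
import html

# Constructed placeholders: a server-side secret and an employee photo directory.
SERVER_SECRET = b"constructed-example-secret-not-a-real-key"
EMPLOYEE_PHOTOS = {"alice": "/photos/alice.jpg", "bob": "/photos/bob.jpg"}


def issue_recognition_cookie(username: str) -> str:
    """Value for a long-lived 'this browser belongs to <username>' cookie.

    The cookie is scoped to the legitimate site's origin, so a phishing page
    hosted elsewhere never sees it. Format: <username>:<hex HMAC-SHA256 tag>.
    """
    tag = hmac.new(SERVER_SECRET, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}:{tag}"


def verify_recognition_cookie(cookie: str):
    """Return the username if the tag is genuine, else None.

    A forged cookie (wrong tag, or no tag at all) yields None, so the page
    falls back to showing no photo rather than a guessable one.
    """
    try:
        username, tag = cookie.rsplit(":", 1)
    except ValueError:
        return None
    expected = hmac.new(SERVER_SECRET, username.encode(), hashlib.sha256).hexdigest()
    return username if hmac.compare_digest(tag, expected) else None


def render_login_page(cookie) -> str:
    """Build the login form; the photo banner appears only for a recognised browser."""
    user = verify_recognition_cookie(cookie) if cookie else None
    photo = EMPLOYEE_PHOTOS.get(user) if user else None
    if photo:
        banner = f'<img src="{html.escape(photo)}" alt="your photo">'
    else:
        banner = "<p>No photo shown: this browser is not recognised.</p>"
    return (
        "<form method=\"post\" action=\"/login\">"
        f"{banner}"
        "<input name=\"user\"><input name=\"pass\" type=\"password\">"
        "<button>Sign in</button></form>"
    )
```

As the post itself notes, this only tells a user that the page came from a server holding the secret; an insider who already knows which photo belongs to whom can still imitate it.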

Joe Lopez's problems were a result of a Keylogger (1)

surata (958203) | more than 8 years ago | (#16117611)

I don't know how this guy Joe Lopez in Florida managed to get a keylogger installed on his machine (probably installed some warez or porn), but I would hardly classify him as a rube for having lost his banking information to some cracker in Latvia. When my credit card company notices spending on my card in a city 1000 km away, they call me. Is it too much to ask a bank to do the same if an unusual transaction is being attempted from my bank account? Joe apparently did transfer money to South America regularly (hmm, a name like Lopez... go figure), but you would think a single transaction to Latvia would raise a flag somewhere.
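An added example of the kind of flag the comment above asks for, not code from the post or from any bank. It builds a per-customer profile from constructed transfer history and holds a transfer for out-of-band confirmation when it goes to a country the customer has never paid before or is far larger than their median transfer.

```python
from collections import defaultdict

# Constructed sample history, oldest first: (customer, destination country, amount).
HISTORY = [
    ("jlopez", "BR", 1200.0),
    ("jlopez", "BR", 950.0),
    ("jlopez", "AR", 2000.0),
    ("jlopez", "BR", 1100.0),
]


def build_profile(history):
    """Summarise each customer's past transfers: countries seen and amounts sent."""
    profile = defaultdict(lambda: {"countries": set(), "amounts": []})
    for customer, country, amount in history:
        profile[customer]["countries"].add(country)
        profile[customer]["amounts"].append(amount)
    return profile


def flags_for(profile, customer, country, amount, amount_factor=3.0):
    """Return reasons to hold a transfer; an empty list means it looks routine."""
    p = profile.get(customer)
    if p is None:
        return ["no transfer history for customer"]
    reasons = []
    if country not in p["countries"]:
        reasons.append(f"first transfer to {country}")
    median = sorted(p["amounts"])[len(p["amounts"]) // 2]
    if amount > amount_factor * median:
        reasons.append(
            f"amount {amount:.2f} exceeds {amount_factor}x the median transfer ({median:.2f})"
        )
    return reasons


def decide(profile, customer, country, amount):
    """Policy: anything flagged is held until the customer confirms out of band,
    e.g. by a phone call to the number on file, never via a link in an e-mail."""
    reasons = flags_for(profile, customer, country, amount)
    return ("hold for customer confirmation", reasons) if reasons else ("allow", [])
```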

My Mom (0, Redundant)

MrWhitefolkz (751859) | more than 8 years ago | (#16117623)

My mom actually got an email supposedly from PayPal that she was worried about. I've warned her many times in the past, but you never know if people are really listening or not. She called up PayPal (with the number off the website itself), talked to them, and had it confirmed that it wasn't a legit email. I was pretty impressed that a 54 year old woman who doesn't know hardly anything about computers was able to do all of this on her own. If someone with very little computer experience can use common sense when it comes to personal information and avoid being ripped off, why can't everyone? It falls on the customers to police themselves. If I fell victim to one of these scams, I wouldn't look for the bank to pay me back. It wasn't their fault, it was my fault.

Nonsense (1)

Orig_Club_Soda (983823) | more than 8 years ago | (#16117637)

The person who responds to the phishing is responsible for their own actions. Or the phisher.

rephrase (1)

Tsiangkun (746511) | more than 8 years ago | (#16117652)

Let's rephrase the question.

I run a business where I hold money for people to keep it safe from thieves.

I give their money to a thief.

Who is at fault?

Sounds like the bank is trying to skirt their responsibility, and developed an insecure method of keeping their customers' money safe from thieves.

but how can you confirm it was phishing? (1)

darkreaper00 (978543) | more than 8 years ago | (#16117659)

This seems scarily like insurance companies denying claims when a lock was bumped.

Granted, I want people to pay for their own mistakes, but what if that new intern in payroll made a photocopy of my direct deposit auth form for a rainy day?