Bank in the UK? Plans afoot to make YOU liable for bank fraud

Bank customers may be obliged to bear the bill for fraud against their accounts, under proposed changes mulled by banks, the UK government and GCHQ. Under the plans, individuals or companies with poor online security could be “frozen out of banking services or even excluded from the system whereby banks compensate customers …


  1. Anonymous Coward

    Time to switch to bitcoin.

    Same interest rate (0%). Same uncertain future. Better chance of not being defrauded.

    1. NoneSuch Silver badge
      Facepalm

      Bitcoin?

      Nawww... Just send your banking password to GCHQ and they'll vet it for strength and complexity.

      Silly me, I just realized they already have it.

    2. Sorry that handle is already taken. Silver badge

      "Better chance of not being defrauded."

      Now you're 100% responsible for the security of your money!

  2. Dwarf

    Grey area

    Surely this is a many-way thing ?

    Banks are accountable for their systems and making them secure in the first place. Not our fault if their back-end systems and applications are poorly written or don't comply with good practice.

    Conversely, customers should be a bit accountable against "stupid things" - giving out PIN numbers and personal data to people who ask for it.

    However it would be naive to expect every person of any age and intelligence to be fully up-to-date with all methods of attacking banking.

    Whose fault is it, for example, if someone skims my bank card at a hole in the wall, or malware gets onto a web site that I visit?

    Is it

    - the virtually anonymous web site with all its security / defects

    - the customer who just wants to buy something

    - the bank.

    Sounds to me like it's just big business trying to dump on the smaller guy again.

    I wonder what the impact on the economy would be if people don't trust the banking system any more ?

    1. ZSn

      Re: Grey area

      In addition Britain seems to be unique in my experience of not commonly using card readers. The Netherlands have had them for at least 12 years as have Germany, and these have dramatically reduced fraud of this type. I asked Lloyds if they have one to use on their normal account and they looked at me as if I had asked for a glass of unicorn milk. Perhaps the UK banks could update their systems to something at least from this century.
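The comment above credits card readers with a large drop in this kind of fraud without saying why. The distinguishing property is that a reader can sign the transaction itself (payee and amount), so a code captured by a phishing page or a man in the middle is worthless for any other payment, whereas a static password or a plain one-time code can be relayed. The following is an added illustration, not code from the thread or from any bank, and the protocol is a deliberately simple HMAC challenge-response invented for this example, not the CAP/EMV protocol real readers use. The shared secret, challenges and account numbers are constructed.

```python
"""
Added example (not from the thread): a minimal model of transaction signing
by a card reader versus a code that is not bound to the payment.  The HMAC
challenge-response used here is illustrative only; it is NOT the CAP/EMV
protocol that real bank readers implement.  All secrets, challenges and
account identifiers are constructed.
"""
import hashlib
import hmac
from typing import Dict

# Constructed shared secret: in practice it lives on the card and is never exported.
SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")


def sign_transaction(secret: bytes, challenge: bytes, payee: str, amount_pence: int) -> str:
    """What the reader computes after the customer keys in payee and amount.

    The response depends on the bank's challenge AND on the transaction
    details, so a captured response is only valid for exactly this payment.
    Output is truncated to 8 digits the way a token display would show it
    (dynamic truncation in the style of RFC 4226).
    """
    msg = challenge + payee.encode("ascii") + amount_pence.to_bytes(8, "big")
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10**8:08d}"


class Bank:
    """Bank side: issues single-use challenges and verifies responses."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._pending: Dict[bytes, None] = {}

    def new_challenge(self, challenge: bytes) -> bytes:
        # A real bank would draw this from a CSPRNG (secrets.token_bytes);
        # it is passed in here so the example is deterministic.
        self._pending[challenge] = None
        return challenge

    def submit_payment(self, challenge: bytes, payee: str, amount_pence: int, response: str) -> bool:
        if challenge not in self._pending:
            return False                      # unknown or already-used challenge
        del self._pending[challenge]          # single use, so replay is rejected
        expected = sign_transaction(self._secret, challenge, payee, amount_pence)
        return hmac.compare_digest(expected, response)


def run_scenarios() -> Dict[str, bool]:
    """Honest payment, MITM payee swap, and replay, against the same bank."""
    bank = Bank(SECRET)
    payee, amount = "12345678-ALICE", 5000    # constructed payee, 50.00 GBP
    mule = "99999999-MULE"                    # constructed attacker account

    # 1. Honest: the customer signs exactly what the bank will execute.
    c1 = bank.new_challenge(bytes.fromhex("0102030405060708"))
    r1 = sign_transaction(SECRET, c1, payee, amount)
    honest = bank.submit_payment(c1, payee, amount, r1)

    # 2. MITM: the submission is intercepted and the payee swapped.
    c2 = bank.new_challenge(bytes.fromhex("1112131415161718"))
    r2 = sign_transaction(SECRET, c2, payee, amount)   # customer signed for ALICE
    mitm = bank.submit_payment(c2, mule, amount, r2)    # attacker submits for MULE

    # 3. Replay: an attacker reuses a response that already succeeded.
    replay = bank.submit_payment(c1, payee, amount, r1)

    return {"honest": honest, "mitm_payee_swap": mitm, "replay": replay}


if __name__ == "__main__":
    print(run_scenarios())
```

The point of the design is in `sign_transaction`: because the payee and amount are inside the MAC input, the attacker in scenario 2 cannot reuse the customer's response for a different payee, and the single-use challenge in `submit_payment` kills scenario 3. A reader that only produces a time- or counter-based code, with no transaction details keyed in, gives neither protection.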

      1. Bronek Kozicki

        Re: Grey area

        first direct gives out OTP token to normal account users.

        1. Chris Miller

          Re: Grey area

          Both my RBS and Nationwide accounts have provided me with card readers - they appear to be identical :)

          1. Captain Badmouth
            Terminator

            Re: Grey area

            Nationwide have only recently improved their website rating from a "F" fail to a "B" rating, RBS scores an "A". (SSL labs online test https://www.ssllabs.com/ssltest/index.html).

            If they're thinking of shoving fraud liability onto the customer, they should at least start by making sure all their sites are A+ at the very least.

            Icon : Your local bank manager ( that's right, he's gone to a better place).

            1. Vic

              Re: Grey area

              If they're thinking of shoving fraud liability onto the customer, they should at least start by making sure all their sites are A+ at the very least.

              They should do a whole load to improve security.

              I'm thinking primarily of the "3D Secure"[1] system. The banks are actively promoting putting (fragments of) a password into an iframe on a website that does not come from the bank's server. IIRC, even the iframe does not come from the bank.

              This is just asking to be MiTMed...

              Vic.

              [1] Ha!

              1. BurnT'offering

                Re: 3DSecure

                The banks hate it. It's Visa and MasterCard who came up with this crap. The response from the banks was a unanimous "You cannot be serious!". Sadly, they were.

      2. werdsmith Silver badge

        Re: Grey area

        In addition Britain seems to be unique in my experience of not commonly using card readers

        Who doesn't use card readers? We've had them for years.

        1. Flocke Kroes Silver badge

          Re: Who doesn't use card readers?

          I don't because I do not use online banking. When banking is possible without javascript I will re-evaluate their security practices.

          1. Jess

            Re: When banking is possible without javascript

            Lloyds bank works fine without it.

      3. Geronimo!

        Re: Grey area

        I've been a customer of at least 10 different banks here in Germany, business and private, over the last 20 years. Only 2 or 3 of those actually wrote their online banking can work with card readers. 2 even offered card readers in their shop, somewhere around € 30-35.

        Yes, in NL it's a default completely.

        Can't say if NL is more secure or pays less in total for fraud damages.

        1. Anonymous Coward

          Re: Grey area

          Sure card readers help, but then again one should also ask oneself whether it isn't there to just create a false sense of security. For the Netherlands specifically, the "change of liability" now suggested in the UK already happened there in 2013 (https://www.security.nl/posting/370459/Banken+stellen+nieuwe+regels+voor+internetbankieren) when the banks (were allowed to) instate policies, making the customer the main responsible in cases of fraud, and putting the obligation to prove no neglect and/ or wrong doing with the customer. I remember because of the initial outcry (which as always in the Netherlands died down, everybody forgot, while the policies are still in place) and the amusing discussion concerning standards. Ask yourself, when is your system up-to-date? Well protected? Ahhh, virus and malware protection... Closed system you say? Anybody see "opportunities" for quick issue resolvement? Oh, and don't even think of using that funny free software crap called Linux (which they use for their own servers), because that isn't recognised as a "safe OS" by Dutch banks (http://langleveeuropa.nl/2013/11/klant-nu-verantwoordelijk-voor-beveiliging-van-banken-en-aansprakelijk-voor-schade/). =0

    2. computinghomer

      Re: Grey area

      Just ask yourself why you are responsible when a bank loans money to someone who merely has your identification number. Why isn't that the bank's fault? Why don't they have to PROVE that I borrowed the money?

      1. cantankerous swineherd

        Re: Grey area

        Think they do have to prove it, but you've got to go to court to make them? Fin ombudsman is useless. Experian et al just tell everyone a pack of lies about you.

    3. Hollerithevo

      Re: Grey area

      I have a card reader I don't use because if I use it, I assume liability for fraud, or what appears to be fraud. Read the fine print of your agreement. However, if I stick to the password and security questions, there is a grey area of doubt. I also use the phone for those transactions I can't do online.

      The banks have been trying to palm off responsibility for errors for decades. I remember arguing until I was blue in the face that some cash-point machine error had nothing to do with any personal security lapse, and finally they admitted that the machine had a glitch and all customers that day had similarly had 'sloppy personal security'. Banks are always willing to let us take the blame, knowing it's almost impossible to prove that we are innocent.

      1. Anonymous Coward

        Re: Grey area

        Well said! I had an argument with a bank thirty years ago about their supposedly 'unbreakable security' when I noticed a £50 withdrawal from my account that I knew I hadn't made. Given that back then I worked as a mainframe operator and was a keen computer hobbyist, I knew darned well I was being fed a load of BS, and as they wouldn't restore the stolen funds to my account (withdrawn in a town I'd never visited, and bearing in mind I can't drive, at a time I couldn't have been there at and still been in the bank's face about it the following day), I promptly changed banks.

        I've long wondered whether the move to online banking was pushed so hard at least in part with an eye to eventually trying to blame the customers for any losses. Let's face it, the internet as it currently exists and is used, is simply not fit for purpose for online banking. The banks are liable in encouraging customers to try to bank that way, IMHO.

  3. Anonymous Coward

    Good idea

    Sounds like a good idea. Anyone who banks online is really asking for trouble.

    1. Richard 81

      Re: Good idea

      Yeah, far better to stick all your notes in a mattress.

      1. Known Hero

        Re: Good idea

        tried it with small change, got a bad back from it :(

      2. Michael Habel

        Re: Good idea

        Yeah, far better to stick all your notes in a mattress.

        In this day, and age of negative interest, and the Banks trying to take any, and every advantage over their users.... (See this Article)

        What exactly would the difference be... At least I know that my Money would be safer with me.

  4. Anonymous Coward

    How do you prove who is liable?

    Is it me for not updating my operating system?

    Is it the manufacturer for not supplying an update?

    Is it the bank for allowing the software to run or install on my computer or device with outdated software or browser?

    Is it me for not running or updating anti-virus?

    Is it the anti-virus software for not spotting a zero day vuln?

    If you move liability away from the banks then does anyone really think they are going to spend money on decent security?

    Why is it that we have an elected government by the people that never actually works in the interest of the people? Change needs to happen.

    1. Anonymous Coward

      "Is it the bank for allowing the software to run or install on my computer or device with outdated software or browser?"

      Is it the bank for forcing you to run with outdated software or browser?

      TFTFY

    2. RedCardinal

      In the way of these things I have a sneaking suspicion that the customer will be liable by default and then have to try and prove that they weren't....

      1. VinceH

        "I have a sneaking suspicion that the customer will be liable by default"

        ^This.

        For some time, the banks I log into were trying to push Rapport, for example - and I even had conversations with banking staff in which they asked if I had it installed and suggesting I install it if not (I usually told them exactly what I thought about that piece of software).

        I can well imagine it being a case of "Didn't have Rapport installed? Definitely your fault, then."

        1. Blitheringeejit
          FAIL

          AAAARRRRGGGHHHH!

          Similar issue a couple of years ago with Rapport, and after being ceaselessly nagged by the bank website to install it, I rang their online banking tech support to try to have a sensible conversation. More fool me.

          My questions:

          "Why does your site keep nagging me to install a piece of software when I'm a linux user (as your site can tell from my browser) and you provide only Mac and Windows versions of this software? If this software is so important for online banking security, where can I get hold of a linux version?"

          Their *online banking tech support person* response:

          "What's 'linux'?"

          FFS.

    3. heyrick Silver badge

      You forgot the part where the bank expects you to run some shit that they have been paid to plug, lie about, and if you're lucky it only cocks up your machine.

      I'm thinking here of NatWest's constant nagging for my mother to install Trusteer Rapport... well... http://www.advantage77.com/2014/09/03/rapport-more-problems-than-its-worth/

      1. anthonyhegedus Silver badge

        As is common in the computer industry, Trusteer Rapport is an absolute con. They've conned the banks into buying this shit off them. The banks give it away to make people think they (the bank) cares about security. They don't. They don't understand security. They are sooner or later going to insist their users run rapport. When they do, I'm not using online banking any more, at least from a PC.

        Whenever we have a client with poor speed, intermittent network connection or just plain weirdness on their computer, first thing we look for is Rapport. Removing it usually solves the problem. At best, it slows down internet access; at worst it completely fucks up the machine, resulting in problems booting. I've seen it.

        1. Anonymous Coward
          Pirate

          Sounds like a nice little earner.

          I suspect the bank receives a direct commission from sales resulting from their referrals. Why would they care that it's snake oil their trusted partner is flogging to their hapless customers, as long as it brings in $PROFIT?

          Doubtless they'll be getting a nice little commission on the fraudulent debits they allow from your account too, once they've bought this "proposed" legislation. Just as they do in the US.

  5. Anonymous Coward

    Happy to be held accountable once...

    ... I get to specify hardware, software, development methods & tools, UK-based operations, staff pay and conditions at the bank IT dept.

    Or to put it more simply, I'll take the blame for electronic fraud once I am CTO. Otherwise, the current CTO should take responsibility.

    1. Voland's right hand Silver badge

      Re: Happy to be held accountable once...

      The reality is that:

      Bank will specify hardware: PC

      Bank will specify software: Windows with bank sponsored malware (sorry, security software) installed via a bank affiliated download so that the bank gets its marketing cut. The favorite is some crapware named after some mutt variety.

      Bank will specify development methods: Bangalore

      Bank will specify location of operations: Bangalore

      And you will have the responsibility. HSBC already tried that. More than once.

      I tried to raise with them the fact that the way they have redirected to the co-sponsored download was open to cross-site scripting so _ANYONE_ could shovel a download to a customer PC through that hole and the customer would have accepted it as verified by the bank. This gives you the idea of the competence involved.

      After spending 10 minutes trying to parse Bangalorian into English I gave up, closed the account and moved to Nationwide.

      1. Captain Badmouth

        Re: Happy to be held accountable once...

        See my post above about Nationwide site security.

      2. Anonymous Coward

        Re: Happy to be held accountable once...

        After spending 10 minutes trying to parse Bangalorian into English I gave up, close the account and moved to Nationwide.

        Late last year Nationwide outsourced a load of their IT operations to CrapGemini, and signed an automation deal with TCS, so you'd better move again. Meanwhile the CEO of Nationwide paid himself £3.3m last year, an amount that has doubled in five years.

        It would seem to me that the management of Nationwide are the same talent free snout-in-the-trough types as run the rest of the financial services sector.

  6. Anonymous Coward
    Pirate

    If conscious culpability can be proven by proper process of court, then fine... but that's not what this is, of course. Arbitrary shirking by the thereafter-wilfully-negligent-corporation: Just like the US. Our money grubbing twats have "identity theft" (sic) envy.

    Still... if they get their grubby little scam passed, it'll be good motivation to move my banking to a more civilised country... and I'll probably pay a bit less tax as a result :D

  7. kmac499

    Recommended Banking security software..

    Well I have on line accounts with multiple banks (I'm not rich it's different accounts for different uses) and I won't use the suggested anti virus software from any of them.

    Their software is invariably huge, hogs the CPU and doesn't play well with other regular AV software. Anyone tried Rapport?

    Let alone trying to host multiple banking security software on a single device; that would make psychotic ferrets in a sack look like a Buddhist Monastery at prayer by comparison.

    1. Hollerithevo

      Re: Recommended Banking security software..

      I took Rapport off when they 'upgraded' it a few years ago. I read the new EULA and it more or less said that they were going to record everything I did, so I stripped it out of my machine. Haven't felt any less safe.

    2. anthonyhegedus Silver badge

      Re: Recommended Banking security software..

      Rapport is shit pure and simple. At best it just makes your internet slow. At worst, it will brick your PC. I tested it once. I had made an image of a PC. I tried to take rapport off the machine and it tried to make me keep it by saying that it had protected me from 6 actual online threat instances. I reloaded the image and tried again and it said it had protected me from 4 actual online threats.

      So it seems it lies to you as well as fucks with your PC and steals your information

  8. tiggity Silver badge

    Banks encourage bad consumer IT security practices.

    Cannot comment on "modern" logging into online banking as I avoided it since the early days after the initial online banking offering made to me was IE only with no solution available for a more configurable / secure browser on a more secure OS. Happily functioned without online banking so never revisited to see the current state of play in online banking logon.

    However I have encountered the dross that is 3DSecure ( Verified By Visa et al), so often used when you are asked to purchase something - lots of dubious js / traffic to site(s) totally different to the vendor website, the sort of thing that would make a security savvy user think there was some dodgy 3rd party attempt to defraud them, and people are encouraged to think this is a good security model! No wonder so many people are defrauded online.

    Despite their bad treatment of staff & tax dodging, which I dislike massively, Amazon grudgingly get some of my online purchases heading their way, precisely because they do not do verified by visa stuff (I abort transactions if VbyV stuff used).

    (Amazon get my cash in cases when other places I have tried to buy from have gone all VbyV on me, & I have lost will to live in trying & failing to find a non VbyV vendor that is not Amazon for that item)

    1. Flocke Kroes Silver badge

      Amazon works without Javascript

      There used to be other sites that did not require javascript, but they changed and I abandoned them. I would really like Amazon to have some competition, but there are only so many times I am prepared to fail to create a new account before I go back to the site I know will work.

      If only 'Do you want a free trial of Amazon Prime' were as simple to avoid as a Windows 10 downgrade.

    2. Ogi

      That "Verified by Visa" crap is the only reason I use a credit card (credit cards don't prompt the Verified by Visa window when online shopping). Really, VbV is the most useless thing I have ever seen, and works so rarely that it can make a 2 minute online shop last 30+ minutes.

      Quite frankly, things are going in such a bad direction with banking that I have switched to cash only. Apart from the credit card for online purchases, everything else is cash. No need for a card reader, a PIN, some sort of fancy in-phone-contactless-app crap or other tracking system wrapped in a security nightmare that I will be liable for. When I want to buy something I just put down the cash, with no faff.

      I also rediscovered the joy of actually going into my branch and dealing with my account with a human being. Usually I can get problems fixed quickly, and my complaints have to be dealt there and then by the manager rather than a ticket logged somewhere in Bangalore after waiting 30+ minutes on the phone. Of course, because everyone does online banking now, the branch is usually really empty as well.

      Although I concede that not everyone has a local branch nearby, I would imagine most do. Bank branches are pretty common, along with a pub and post office, even in small towns.

    3. Anonymous Coward

      @tiggity

      > (Amazon get my cash in cases when other places I have tried to buy from have gone all VbyV on me, & I have lost will to live in trying & failing to find a non VbyV vendor that is not Amazon for that item)

      You can ring your card issuer and ask for VbV to be removed[1]. That was several years back now and only once since then have I had to buy using a different card because a site refused to work without VbV on.

      [1] Well, my lot did it for me. YMMV.

  9. Steve Foster

    Idiot Banks

    One of the reasons that people get caught by phishing attacks is the banks' idiotic behaviour when they call you in demanding you answer "security questions" - when *they're* the unknown quantity.

    I always decline to do so, and try to explain that I'm not going to answer questions from some random stranger who's called my number, and nor am I going to call any number they give me - at least not until and unless they prove who they are to my satisfaction first.

    Another example of cretinous behaviour on their part:

    Most of my bank accounts are protected by 2FA of one sort or another. One day, using a shiny new laptop, I logged in to one of my accounts (that uses a PIN protected challenge/response key generator thingy), authenticated with multiple user codes, plus the 2FA response, arranged a regular payment _to an existing recipient_, received confirmation of payment and logged off.

    A couple of days later, I went to log in again, to be told that my account was "not initialised properly" (or some such) and I could not login. Figuring this was some temporary glitch at their end, I tried again the next day. Still no access. After a couple of days of this, I gave in and called their support number. After passing their security questions, they told me that my account had been frozen (no payments out, internet access blocked) due to "suspected fraudulent activity" (the payment that I made online [by now] a week earlier [which they'd actually cancelled]). I asked what was the point of having and using 2FA and all their other security measures if they were all going to be overridden/ignored just because I used a new computer!

    While I do appreciate that they are supposed to make efforts to prevent fraud, a single minor difference out of several test elements should not be enough for them to a) lock me out of my own account, b) cause payments to be summarily cancelled, and (most especially) c) do this all without making any sort of attempt to contact me in any way.

  10. silver fox

    My bank do it right. For any new payments that I want to set up the process is so complicated that I have to look up how to do it each time. It is so much of a faff that I just phone them instead.

    Banks have been trying to shift the onus onto customers for a while now. I get the argument that if there's no customer liability then customers won't take any care but if you're a bank, and you want me to use your online services because it saves you a ton of money, then it's your liability if that system is flawed (and that includes flaws that make it easy for the customer to make a mistake that allows fraud).

  11. Mage Silver badge
    Flame

    Chip & PIN or Contactless

    Both of these reduce Fraud. In a sense!

    Except they reduce it MORE for the bank than for the customer. Because Chip & PIN fraud is usually deemed to be customer carelessness. Contactless was designed for warehouses. It should NEVER have been used for payments, it's not secure and people are being harvested with portable devices. Chip & PIN as implemented has a MASSIVE flaw as it doesn't depend on connection to bank to verify PIN and there is inadequate physical security of shop terminals. MITM attacks.

    All widely documented.

    Banks are also stupidly outsourcing IT when it should be a core activity.

    1. Chloe Cresswell Silver badge

      Re: Chip & PIN or Contactless

      Banks are good at conflicting information too.

      I had fraud on my chip and sign card.

      Bank told me the transaction was pin verified.

      I pointed out that surely if a C&S transaction has been pin verified, there's a very obvious bad transaction?

      They said no, it's perfectly valid to do pin verification on an account with no pin.
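The two comments above (Mage on offline PIN verification and shop terminals, Chloe Cresswell on a "PIN verified" transaction against a chip-and-signature card) both come down to the same question: does the terminal's claim about how the cardholder was verified agree with what the card could actually have done? In EMV the card carries its own list of permitted methods (CVM List, tag 8E) and the terminal reports what it performed in CVM Results (tag 9F34). The following is an added example, not code from the thread or from any bank or card scheme: it decodes both fields and flags a PIN claim on a card that offers no PIN method. The tag numbers and bit layouts follow EMV Book 3 / Book 4; the byte strings are constructed samples, not real card data.

```python
"""
Added example (not from the thread): decode an EMV CVM List (tag 8E) as
personalised on the card and the terminal's CVM Results (tag 9F34) as
sent in the authorisation, and check that the method the terminal claims
to have performed is one the card offers.  Codings follow EMV Book 3/4.
All sample byte strings are constructed.
"""
from typing import List, Tuple

CVM_CODES = {
    0x00: "Fail CVM processing",
    0x01: "Plaintext PIN verified by ICC (offline)",
    0x02: "Enciphered PIN verified online",
    0x03: "Plaintext PIN by ICC and signature",
    0x04: "Enciphered PIN verified by ICC (offline)",
    0x05: "Enciphered PIN by ICC and signature",
    0x1E: "Signature (paper)",
    0x1F: "No CVM required",
    0x3F: "No CVM performed",   # appears only in CVM Results
}
PIN_CODES = {0x01, 0x02, 0x03, 0x04, 0x05}
RESULT = {0x00: "Unknown", 0x01: "Failed", 0x02: "Successful"}


def parse_cvm_list(data: bytes) -> List[Tuple[int, int, bool]]:
    """Return (cvm_code, condition_code, try_next_on_failure) per rule.

    Layout: 4-byte amount X, 4-byte amount Y, then 2-byte rules.  In each
    rule, byte 1 bits 6..1 hold the CVM code and bit 7 says whether the
    next rule applies if this one fails; byte 2 is the condition code.
    """
    if len(data) < 10 or (len(data) - 8) % 2:
        raise ValueError("malformed CVM List")
    rules = []
    for i in range(8, len(data), 2):
        b1, b2 = data[i], data[i + 1]
        rules.append((b1 & 0x3F, b2, bool(b1 & 0x40)))
    return rules


def parse_cvm_results(data: bytes) -> Tuple[int, int, int]:
    """(cvm_performed, condition_code, result) from the 3-byte 9F34."""
    if len(data) != 3:
        raise ValueError("CVM Results must be 3 bytes")
    return data[0] & 0x3F, data[1], data[2]


def check_cvm_consistency(cvm_list: bytes, cvm_results: bytes) -> List[str]:
    """Issuer-side sanity check; an empty list means nothing looked wrong."""
    rules = parse_cvm_list(cvm_list)
    performed, cond, result = parse_cvm_results(cvm_results)
    offered = {code for code, _, _ in rules}
    findings: List[str] = []
    if performed == 0x3F:
        # Terminal performed no CVM at all; EMV sets this to 3F 00 00.
        if result != 0x00:
            findings.append("no CVM performed yet result byte is not 'unknown'")
        return findings
    name = CVM_CODES.get(performed, "RFU")
    if performed not in offered:
        findings.append(f"terminal reports {name} ({performed:#04x}), "
                        "which the card's CVM List does not offer")
    elif cond not in {c for code, c, _ in rules if code == performed}:
        findings.append(f"condition {cond:#04x} matches no rule for {name}")
    if performed in PIN_CODES and not (offered & PIN_CODES):
        findings.append("PIN verification claimed on a card that offers no "
                        "PIN method (chip-and-signature profile)")
    return findings


# Constructed samples (amounts X and Y left at zero).
SIG_CARD = bytes.fromhex("0000000000000000" "5E03" "1F00")             # signature, else no CVM
PIN_CARD = bytes.fromhex("0000000000000000" "4403" "4103" "5E03" "1F00")  # offline PIN, else signature, else none
PIN_OK = bytes.fromhex("410302")    # plaintext offline PIN, condition 03, successful
SIG_OK = bytes.fromhex("1E0302")    # signature, condition 03, successful
NO_CVM = bytes.fromhex("3F0000")    # no CVM performed

if __name__ == "__main__":
    for label, card, res in [("chip&PIN card, PIN ok", PIN_CARD, PIN_OK),
                             ("chip&sig card, 'PIN ok'", SIG_CARD, PIN_OK),
                             ("chip&sig card, sig ok", SIG_CARD, SIG_OK)]:
        print(label, "->", check_cvm_consistency(card, res) or "consistent")
```

Run against the constructed chip-and-signature card, the "PIN verified" result produces two findings, which is the bad transaction Chloe Cresswell describes. Note the caveat: this only compares the terminal's claim with the card's profile. It does not close the gap Mage describes, where a tampered terminal reports PIN success that the card never saw; for that the issuer has to compare 9F34 with what the card itself recorded in its Card Verification Results inside Issuer Application Data (tag 9F10), whose layout is issuer-specific and so is not decoded here.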

    2. FlatEarther
      FAIL

      Re: Chip & PIN or Contactless

      This is completely wrong. Fraud has gone down to negligible amounts where CHIP & PIN has been introduced (except of course for Card Not Present, where there is neither CHIP nor PIN).

      Why do you think the incidence of card present fraud is so high in the USA? It's because they haven't widely implemented CHIP & PIN. They're rushing to implement it now, but meanwhile fraudsters are having a field day.

      Also, any issuer (e.g. a bank) must accept a no customer liability clause if they want to issue Visa Paywave or MC PayPass cards.

      1. Tom 7

        Re: Chip & PIN or Contactless

        I avoid contactless since a friend I was with managed to spend rather a lot in a pub - rather more than we could have drunk and we decided it must have been a deliberate scam in the bar in question.

        In the co-op yesterday a young lad bought a lot of stuff with a contactless card - his behaviour suggested it wasn't his card. If the co-op can show his parents the items bought he may well get his arse kicked.

      2. Ian 55

        Re: Chip & PIN or Contactless

        US card procedures have always been incredibly lax.

        Back in the 90s, we went to the US with a new credit card and forgot to sign it. It was nearly a fortnight before an Amtrak office apologised for expecting it to be signed. Everyone else hadn't bothered to compare the signature just given with anything or been bothered that the card was unsigned.
