Online banking fraud: who pays?

Online banking fraud is evolving, driven by the use of more advanced phishing techniques, more sophisticated viruses, and much better funded fraudsters. The sociopath hacker is a thing of the past, rendered almost quaint by the rise of the Cyber Cartels. The maturing of Internet fraud has seen organised crime consolidating IT and people assets to create global scale and capability. Where the motivation of the old-style hacker was to obtain notoriety, the motivation of the new attackers is, more simply, for financial gain.

Information is the new currency, and the cyber criminals are relentless in their pursuit of it, especially identity attributes and bank account details. The thieves often sell the information to others in the underground market, where it is then used it to defraud customers. For example, in the US, a complete fi nancial identify including bank account, credit card account, social security number, name, address, and date of birth, reaches approximately US$15. This buys all the information needed to conduct significant fraudulent transactions against a real customer.

To keep ahead of the criminals, banks continue to upgrade their Internet banking security by implementing better technology and stronger transaction controls. However, with deep fi nancial resources available to the criminal organisations, even relatively sophisticated technology such as two-phase authentication has been beaten. The attack vectors are also changing and becoming more oblique, with new social engineering techniques manipulating seemingly innocent and unrelated third-party websites to infect online banking customers’ computers.

Because most attacks originate from the customer’s computer, it is of course the customers themselves who are the weakest link in the chain, with online fraud most often enabled by limited customer computer protection. However, notwithstanding all the lurid publicity and growing awareness, some customers still do not make the effort to sufficiently protect their computers.

Who pays now?
As with credit card losses, most developed financial services markets limit customer liability in the event of Internet banking fraud to very low levels. The main exception to this is when the customers themselves are conducting fraud. However, the burden of proof is on the financial institution — if the customer cannot be proven to have acted in an intentionally fraudulent manner, the bank retains liability for the loss.

In Australia, under the Electronic Funds Transfer Code of Conduct, unless the bank can show that the customer has engaged in fraudulent activities or intentionally contravened bank rules, the maximum liability is AU$150 regardless of the amount of the fraud. Liability rules and practices in the USA, EU, UK and Hong Kong provide similar customer protection.

Recently, ASIC asked for opinions on potential changes to the EFT Code of Conduct, including a shifting of more liability to the customer. Initial responses from some of the banks in favour of this were quickly reversed in light of highly negative public reaction. It now appears likely that any revised EFT Code of Practice will continue as before to keep liability with the banks.

The major developed market exception occurred with the issuing in July 2007 of the New Zealand Bankers’ Association new Code of Banking Practice, which states that banks will not be responsible if the customer incurs a loss caused through circumstances beyond the bank’s reasonable control. It further states that the customers may be liable if they do not have appropriate and up-to-date protective software installed. The NZ Code puts the burden of proof on the
customer, with the banks retaining the right to examine the customer’s computer to determine level of security and protection before paying out on a claim.

Here we have two very different perspectives on the issue of liability for online banking fraud. On one side, the NZ Code makes the customer fully responsible for the protection of their endpoint of the transaction. On the other side, in the major developed markets, the banks take full responsibility for security shortfalls by the customer. While the former viewpoint may be perceived as too harsh, the latter may appear to be too lenient.

What then is the right approach and what role should the banks be playing? Symantec believes that both banks and their customers should be doing more together to combat online fraud. With improvements in customer endpoint security and transaction protection, as well as proactive customer education, online banking can be much better defended against attack, thereby reducing losses and rendering the question of liability less relevant.

Leading the way
Banks have an obligation to take the lead here as they have been promoting online banking since the channel was launched. Banks make signifi cant earnings from online banking, not least due to the much lower cost of doing business online as opposed to using a human-based channel. In terms of long-term revenue growth, most banks see online banking as a strategic enabler of customer uptake and services, and many view online banking as the key to expansion into new markets.

Of course, like everything else in the Internet world, e-business is just business. The banks need to convince the customers that maintaining up-todate protection is good for them. The key for the industry is to turn Internet banking security from a technical defense into a competitive advantage.

In terms of improving security across the whole market, the banks themselves can and should take a more active role in migrating their customers to better
protection, for example by actively scanning their customers’ computers to assess adequacy of the protection. If this is found to be inadequate, the bank can then encourage customers to upgrade their protection on the spot, in real time.

Banks should also seriously consider better enabling and even subsidising
customer security software purchases. Rather than positioning this as a
technical fix, banks should actively market increased protection as a real customer value addition and as a community service to the entire market. Spending money on migrating customers to better security will bring a big pay-off for the banks, as customers move to use the Internet for more complex transactions with higher fees and more cost savings.

Banks that use enhanced security for positive branding and work with their customers to improve overall Internet security will win greater customer uptake, higher Internet usage levels, and deeper customer relationships.

Customers also have a responsibility
Customers can no longer avoid taking some responsibility for their own protection. In the same way that no one drops their wallet on the street and expects the city to reimburse them when it is stolen, no one should leave their electronic identity exposed for others to steal and expect full compensation. Given the convenience and savings the Internet has brought to them, customers should be willing to share some of the cost of improving their protection.

As the threat imposed by identity theft becomes more real to customers, the issue of fraud liability will become far less important, to be replaced by an imperative to upgrade security as fast and cost effectively as possible.

In the end everyone wins, except the bad guys
The question of who pays for online fraud should be irrelevant. The current liability regimes work well enough provided fraud losses are reduced. The real question is: can banks and their customers work together to minimise the threat?

When all sides of the transaction are adequately secured, with each side sharing the cost of security based on the value received from the Internet, the issue of liability becomes much less important.

With real-time knowledge of inadequate customer protection, banks can act to limit transactions. In those rare cases where there is a fraud incident against a well protected customer, the banks would no doubt be happy to cover the loss, given the value generated by increased transaction throughput, improved customer trust, and greatly increased customer uptake.

The new security partnership between banks and their customers, underpinned
by the right technology, will fi nally beat the bad guys, restoring the trust and confidence necessary for a quantum leap in online financial services.

Paul Kastner FSI expert Symantec