
Online Banking: Do You Know Your Rights?

The financial industry in the United Kingdom recently reaffirmed a policy that holds online banking customers liable for losses if they fail to secure their personal computers against data-stealing computer viruses. While this policy may seem surprising or even draconian to some Americans, the reality is that most U.S. consumers remain woefully uninformed as to their own security liabilities when banking online.

News of the new U.K. banking codes comes via The Register, which reported that under the new regulations "banks will not be responsible for losses on online bank accounts if consumers do not have up-to-date anti-virus, anti-spyware and firewall software installed on their machines." The full text of the updated banking code is here (PDF). The relevant sections are 12.5 through 12.13.

This touches on a question Security Fix receives quite often from readers: "If my computer gets hacked and someone uses it to steal money from my online bank account, will I get that money back?"

The answer is that beyond the protections afforded to consumers under the law, whether or not consumers are reimbursed for online banking losses due to computer intrusions is entirely at the discretion of the banks.

By law, U.S. consumers can get reimbursed for any funds fraudulently transferred out of their accounts if they notify their financial institution of the bogus debits within 60 days of the transaction first appearing on their bank statement. Provided victims alert their banks within that time frame, their liability is generally limited to $50 (this applies only to consumers; businesses typically aren't afforded anywhere near that amount of flexibility).

Check the service agreement tied to nearly any U.S.-based online banking service and you will see roughly the same thing. Take this disclosure, from Bank of America's online banking agreement:

"If you do not notify us within these 60 days, you may not be reimbursed for subsequent transactions. Additionally, we will reverse or reimburse you for any bank or payee fees resulting from your loss. You should always guard your Online ID and Passcode from unauthorized use. If you share this information with someone, all transactions they initiate with the information are considered as authorized by you, even for transactions you did not intend for them to make."

It remains to be seen whether U.K. banks will enforce the tough new policy on consumer liability. But to be fair, most banks in the U.K. have taken concrete -- albeit hardly foolproof -- steps to employ true two-factor authentication methods for verifying that the person logging into a bank account online is in fact the owner of said account.

The same is largely not true for financial institutions in the United States today, principally because U.S. banking regulators haven't required such measures. Rather, they have left it up to the banks to determine their appropriate risk levels and which back-end and customer-facing anti-fraud technologies should be deployed.

According to APACS, the U.K. payments association that reports banking fraud and loss statistics for financial institutions there, stricter measures are helping to bring down the cost of online banking fraud. In March, APACS reported that online banking fraud losses totaled £22.6m in 2007 -- a 33 percent decrease from 2006 losses.

Unfortunately, it's not possible to correlate that figure with fraud numbers from U.S. banks, because they're not required to report those numbers, and our government sadly does not publish much of the information it does have on the subject (save for the odd internal report that leaks out to the media once in a blue moon).

If you think the U.K. rules are too strict, consider the recent actions by some banks in Brazil, a country that has a phenomenally active and organized cyber criminal element that produces some of the world's most advanced malware targeting online banking customers (mercifully, the Brazilian cyber crooks generally stick to picking on their own citizens).

I spoke recently with Tony Reyes, founder of the New York-based ARC Group, a company that has set up shop in Brazil to help at least one financial institution there investigate customers who have had their online accounts cleaned out as a result of cyber crime. Reyes, a former cyber cop for the NYPD, said some Brazilian banks have taken to investigating the victims of online financial crime.

"Some of these Brazilian banks are hiring investigators to visit the customer's house and look at the security of their setup, and if [the customer] doesn't have software patches, a firewall and up-to-date anti-virus on his system, in a lot of cases the banks will turn around and say it was the consumer's fault, and [the banks] don't return the money," Reyes said.

---

As for Security Fix, the wife and I primarily do our banking with two reasonably large national banks, and I recently phoned each to inquire if they could offer me some kind of token-based authentication tool -- such as a Secure ID or other kind of key fob that generates a random new six-digit code every 30 seconds that needs to be entered in addition to a user name and password in order to conduct online banking (PayPal offers such a token to all users for a nominal one-time fee of $5.) Customer service representatives from both institutions had no idea what I was asking for, and it wasn't until I got bumped up a level to a manager that I was told they did not offer such a service.

What about you, dear Security Fix readers? Does your bank offer anything like a Secure ID? Have you recently been the victim of online banking fraud and been told you would not be reimbursed for the pilfered funds? Maybe you live in a country that has more or less stringent rules for online banking customers? Sound off in the comments below, or send me an e-mail.

By Brian Krebs  |  April 10, 2008; 8:49 AM ET
Categories:  Fraud , From the Bunker , Latest Warnings , Safety Tips , U.S. Government  

Comments

I don't do online banking. At all.

Posted by: wiredog | April 10, 2008 9:23 AM

@Brian, FYI, in the first sentence, should the word "sure" be "secure"?

Posted by: TJ | April 10, 2008 9:35 AM

@TJ -- Yes, thanks. Fixed.

Posted by: Bk | April 10, 2008 9:40 AM

Both financial institutions and their users need to take responsibility in securing their respective systems.

Unfortunately, it seems too prevalent that users feel it is solely the bank's responsibility to protect them. They fail to understand that typically the weakest link is their own computer. No amount of multi-tiered authentication systems will protect you if your system is compromised by malware such as a key logger. Also, since you cannot be certain of its integrity, NEVER use a shared/public computer to access your bank account. The same can be said for public Wi-Fi (personally, any Wi-Fi for that matter!).

While by no means do I give financial institutions a pass, many a user need to relearn the meaning of personal responsibility!

Posted by: TJ | April 10, 2008 9:51 AM

I use a credit union that places a cookie on the computer to identify that system as valid. If the cookie is missing (it was deleted or you use a different computer) or you chose not to enable what they call "Enhanced Security", you are sent an authentication e-mail that contains a validation code that must be entered on the banking site to continue. I chose not to enable this because I routinely delete all cookies, history and temporary internet files and also prefer the extra step of having to receive an e-mail to get into my account.

While it only prevents unauthorized access to my account, it does nothing to ensure the end user's computer is secure.

Posted by: TJ | April 10, 2008 10:09 AM

I guess I can't fault the UK/Brazilian banks for creating disclosure laws that protect them from uninformed/careless customers. Why should they take a financial hit for people that aren't protecting themselves? Would you leave your key in your unlocked car every night?

I'm surprised that most US banks haven't started using "key fobs" to verify identity. Perhaps it's cheaper for them to pay for fraudulent losses than it is for them to implement and deploy a better system. Otherwise, I don't know why they wouldn't immediately start using a more secure system. It's a proven technology...almost all of us that use VPN have the key fobs, and they work flawlessly, at least in my experience. It's a shame that the banks are so far behind the curve.

Posted by: wilbs | April 10, 2008 10:17 AM

Until about 6 months ago my bank password was a 4 digit number and that was all that was allowed. Now a 6 character alphanumeric is allowed.

Posted by: Tony | April 10, 2008 10:42 AM

In response to an earlier comment, the cookie or other file stored on a "trusted" computer is of limited use anyway, because the password stealing trojans are becoming sophisticated enough to also steal the bank's cookie.

I like Bank of America's solution, called SafePass, which will send a text message containing a 6-digit code to your cellphone for logging in or account changes. It is surprisingly convenient and effective. The SafePass solution provides true 2-factor authentication: something you know (username/password), and something you have (cellphone). I wish my other online bank sites would be as careful with my money. (BTW, I am not a BoA employee, just a satisfied customer.)

Posted by: myqlj | April 10, 2008 10:48 AM

I have been banking online for +3 years now, and it is great. Over the years, my bank has changed to requiring a passmark image, log-in ID, and they also require me to change my password every 4 months. I have not had any problems. I do check my account every day, though. I feel like things are very secure with my bank's website. They also lock people out of the website if they cannot remember their user id or password for 3 tries -- my kids have had this happen to them!

Posted by: rjrjj | April 10, 2008 10:52 AM

Massive increases in fraud crimes should make the government and banks realise that their data protection and Chip and PIN systems are diverting rather than deterring fraud crimes.

This shows that fraud will continue to grow until they exploit the KEY and PIN system described on the website www.xwave.co.uk, which will deter BOTH identity and card fraud by making signature and PIN systems reliable and foolproof.

Fake documents have made our signature system unreliable, while skimmers and pin-hole cameras etc. have made the PIN system unreliable. We have the option to make signatures reliable by personalising them with ID stickers and the option to use the Card Key Code to make the PIN system reliable, making use of stolen and skimmed cards meaningless. By failing to exploit this system banks are only letting fraud crimes grow.

The ID KEY system will eliminate the need for us to protect our personal and card details, since fraudsters will be deterred from misusing these stolen details.

The proposed ID KEY can be treated as a reliable international ID card because it will personalise signature and PIN number to only the right individuals in any country.

We hope that the government and banks will appreciate these details and exploit the KEY and PIN system before it is too late to stop a fraud boom.

Posted by: Roger | April 10, 2008 11:07 AM

I wish the online banks would follow their own advice regarding security due diligence. I have checked out several online bank outfits like Ameriprise and Schwab, and both have a password limit of 6-8 non-case sensitive alphanumeric characters. Ameriprise switched to a larger password field last summer. But Schwab still has their 6-8 character limit.

Posted by: SpecTP | April 10, 2008 11:35 AM

At the same time that banks push responsibility of security onto the users, they often force the users to use Win32/IE/ActiveX.

Users who take security precautions such as using a less attacked OS (e.g. Linux) or less attacked browsers (Firefox) are often shut out of the banking sites.

As Professor Anderson has shown, UK banks will not take responsibility for their own breaches of security, and will push liability to the user for their own mistakes.

And then they want to charge you to talk to a teller.

DA

Posted by: DA | April 10, 2008 11:49 AM

My bank here in Sweden, which earlier had been affected by online fraud due, at least to some degree, to an insecure system, since September last year offers a system which requires the use of both a token generator (9 digits) and one's credit card (4-digit PIN code) in order to log in to one's account. Thus, even if a skilled phisherman were to discover my account number, he or she would need to gain possession of the token generator and my credit card (which is inserted into a slot on the generator) in order to access my account(s) online. Nothing is foolproof, but this appears to be a relatively secure system....

Henri

Posted by: M Henri Day | April 10, 2008 3:49 PM

I, too, am surprised and disappointed at the weak passwords required by some financial institutions (8 characters max., no special characters, etc.).

Some places allow longer and more varied usernames than passwords, so I make up a 'password-like' username. I expect it's not guarded like a password in their system, but it still makes it harder for the bad guys to get in.

Chris

Posted by: Chris Viking | April 10, 2008 4:02 PM

Some comments from Estonia, but first a bit wider context - Ian Grigg recently wrote about The Market for Silver Bullets (http://iang.org/papers/market_for_silver_bullets.html), describing the market for security solutions as one more about "due diligence" than actual security. When banks can achieve part of due diligence by finding a way to prove customers to be at fault and not the solutions they have selected... then we are expanding the market for silver bullets way beyond corporate security.

The alternative way is of course much more complicated and requires cooperation, educating customers, understanding security in marketing and communications (and excellent understanding of security in the risk management dept :-).

In Estonia, competing banks (and telecoms and the state) signed an agreement in May 2006 with a target to make Estonia the country with the safest "information society" by 2009. http://www.sk.ee/pages.php/02030201,1107 is the press release and http://www.id.ee/public/Arvutikaitse2009_agreement_EN.pdf the actual agreement.

Most of it is about educating both citizens and businesses, moving to solid cryptographic solutions for authentication, digital signatures etc. Practical measures include, for example, limiting daily internet bank transactions with insecure authentication to $500 this May, in fact mandated by the bankers' association. Secure authentication means mostly the national digital ID card, but also mobile-ID - and if somebody doesn't like these there is always the option to use the token that generates unique PINs.

But more important than these is the mindset. When customers of an Estonian bank were hit by a trojan this winter there was no discussion about whether to return the money. Yes, this was an attack against the customer, but the bank has historically had the job of protecting their money and specialists to actually do the job. And when I produced a demo for TV about using a browser exploit, the risk management of the particular bank called me soon after we had finished recording (most probably I was too lousy for a real phisher, but fortunate enough to include a notice about the demo and my contacts on the phishing page :-).

In addition to the British and Brazilian examples (and Brian's experience with US banks not being able to provide a hardware token) there are also positive samples. Taking the responsibility, educating customers, real security instead of silver bullets (sorry for the slight inconvenience), cooperation, real metrics of security instead of due diligence...

Posted by: Peeter Marvet | April 10, 2008 4:48 PM

HSBC in the Far East has got token authentication, but when I asked their UK branch, they said they don't... scary...

Posted by: Steven | April 10, 2008 5:50 PM

Can't say anything about my online bank's security, other than I hope that it is secure. One interesting article from Yahoo Canada breaks down the basics of how to keep your computer relatively safe:

http://blog.washingtonpost.com/securityfix/2008/04/online_banking_do_you_know_you_1.html

Have you heard anything about the spyware/adware threat labeled "block-checker", referred to as "ad-blocker" by some antivirus or adware tools? Not sure if it is part of a legitimate software package or if it is even dangerous, but most of the AV or antispyware programs recognize it but do not remove it. Anything that subverts or obfuscates a virus or spyware scan has to be bad news.

Posted by: PJ | April 10, 2008 6:28 PM

Let's all call our financial institutions and DEMAND OpenID, or any kind of two-factor authentication. Ask for the Online Security Department, and tell them you will move your money if they don't get with the program :P

Posted by: Wildambition | April 11, 2008 7:01 AM

Here's National City Bank's policy:

"You will not be liable for any funds improperly removed from your Accounts through Personal Online Banking website only. This includes funds removed from your accounts as a result of:

Online theft of your Account numbers or password.

Unauthorized online removal of funds from your Accounts.

As between you and us, we will be liable for any Unauthorized Use for which you are not liable. "Unauthorized Use" means either any transaction through Online Banking (1) not known to you and not effectuated with your permission or (2) effectuated under physical duress.

You may be held liable for any Unauthorized Use before the time that you notify us that a User ID and/or Personal Identification Number (PIN) has been compromised, if you or any authorized signer on your Account voluntarily or negligently permits a User ID and/or PIN to come into the possession of a person who makes or causes to be made a transaction. This includes but is not limited to the use of a User ID and/or PIN on a personal computer available to individuals who are not authorized signers on the Account, such as a personal computer used by family members, at Internet cafes, or at other locations not within your reasonable control.

You will not be liable for any Unauthorized Use that occurs after the time that you notify us that a User ID and/or PIN has been compromised.

If your statement shows an Unauthorized Use, tell us at once. If you fail to notify us of an Unauthorized Use within 30 days after the receipt of the Account statement containing the Unauthorized Use, you will be held liable for any subsequent Unauthorized Use that could have been prevented by timely notification to us."

I check my accounts online every day or two, and never use a public computer for online banking.

Posted by: Heron | April 11, 2008 11:24 AM

I use a prepayment card for online transactions. Key-loggers can get your details however good your security.

My bank in England uses two security methods, but it's so complicated I can't even get in, without writing down all the passwords.

All the banks have to do is issue a separate card without overdraft facility for Internet transactions. If you want to buy off the Internet then load the Internet card at a cashpoint, hole in the wall to do so.

This limits the loss to what's loaded on the card, and the way I do it is if I see something on the web, I load as near as possible the exact amount for that thing getting it straight away.

Steal my card and you get the equivalent of $5 for your trouble.

Steve Davis

Posted by: Steve Davis | April 11, 2008 3:59 PM

No doubt American regulators are draconian under the misguided Bush Administration, either having to be forced to do their jobs at all due to the Republican platform of less government, or even continuing the obsolete Microsoft methodology of believing everything is good until your computer gets hosed with viruses using insecure Microsoft software, thus being kept on their electronic "security patch" leash treadmill.

Posted by: mrinternet | April 12, 2008 1:19 AM

Experts urge us to use a password utility, such as Password Safe in order to use strong passwords without needing to memorize them. However, a well known bank, which will go unnamed, is programmed to electronically block its customers from doing this. The "copy and paste" operation, which is critical, will not work. This bank goes WAY OUT OF ITS WAY to prevent customers from using normal security precautions.
Thomas L Jones, PhD
Silver Spring

Posted by: jones172 | April 12, 2008 4:13 PM

I recently relocated from Switzerland to the U.S., and the security/authentication level of a bank's web presence would have been a deciding factor in my choice of bank. "Would have" - because actually not ONE of the national banks here came even close to meeting what I was looking for. They all seem to have solved only one half of the equation - some are better at preventing the user from getting phished (better authentication of bank website to consumer), others are marginally better at preventing the impact of a keylogger on the consumer's PC (by asking for a "second password" or some other silliness). None solves both.

http://www.zurich.ibm.com/pdf/csc/SecureInternetBankingAuthentication.pdf has a good write-up, btw, and it is 2 years old. I really find it ironic that the strong consumer protection laws in this country did not lead to better protection, only to possible reimbursement after the fact.

Posted by: Danny | April 13, 2008 6:27 AM

Thanks for this very informative read!

Posted by: Mags | April 13, 2008 10:23 AM

I understand your points quite well. As an American living in Finland for 4 years, every time I log into my Wells Fargo or Fidelity accounts online I see the lack of security compared to online banking in Finland and much of Europe. Here in Finland, various forms of one-time-password and transaction authorization number lists have been used for many years. I wish US banks and other financial services businesses would adopt similar security.

I work for a company, Valimo Wireless, that provides technology for mobile signature and identity services, essentially replacing the tokens you describe with even more secure technology on the mobile phone. The mobile phone is more secure not only because of the technology used but because it is a second channel and therefore not subject to man-in-the-middle type attacks. This technology is rapidly being adopted in Turkey, with nearly 1 million transactions legally signed, and will be launched soon in Spain, Finland and Slovenia. Unfortunately, transaction security is one area where the US is falling way behind rather than leading.

Posted by: Ron Rubinstein | April 14, 2008 12:54 PM

Keep in mind that most banks do Nothing to educate their customers when they sign up for Electronic Online Banking. If the bank is going to require "Personal Responsibility" then the bank must tell the customer what is required of them and what is a prerequisite for opening an online banking account. If the bank fails to do this then it should be solely responsible if the customer loses money by way of online fraud of any kind. Everyone knows what a gun is used for but most people do not have a clue as to the risks and requirements involved with online banking but the bank will still make online banking available to them.

Posted by: Mark Smith | April 14, 2008 1:02 PM

I do all my banking online, from my mortgage to all my bills. All transactions are electronic. They need to revamp the financial and security system altogether and get with the times.

Posted by: ds | April 16, 2008 8:21 AM


© 2010 The Washington Post Company