Users of online banking 'should have adequate protection'

New UK banking code says customers who keep their PCs secure will not be responsible for losses due to online theft.

A new banking code launched earlier this week by the British Bankers' Association (BBA) states that customers who 'use up-to-date anti-virus and anti-spyware software and a personal firewall' cannot be held liable for losses caused by online theft.

In the past the banking code - a voluntary arrangement upheld by most major UK banks - did not state this explicitly, and while the losses of most online fraud victims were covered by their banks, the banks were not legally required to cover them.

Last year customer rights group Which? called for changes to the rules regarding the compensation paid out by banks when their customers are victims of online fraud - those changes have now been implemented.

Which? also criticised banks for sending emails to customers and thus causing confusion over the authenticity of communications. While the new banking code urges users to treat emails claiming to come from their bank with caution and to 'be wary of emails asking you for any personal security details', it does not go as far as to pledge that the banks themselves will not send such emails.

With phishing emails becoming increasingly stealthy these days (including some that actually warn about phishing), emails coming from the banks themselves - especially those that suggest the user clicks on a link to access their site - will only add to the confusion and give phishers a helping hand in fooling users into believing their emails are genuine.

More can be found at The Register here while the new banking code can be downloaded from the BBA website here.

4 April 2008

Tags: banking, bba, fraud, legal, phishing.

3 comments

While I agree that users should use adequate protection and that, if they fail to do so, they have little reason to complain to their bank when crooks steal money off their account, I do think banks should have a minimum level of security too. I wonder if my bank, in the UK, does: all I need to log in are my account number/sort code, a 4-digit security code that I once had to choose while at the branch, as well as the answer to some question like 'what is the last school you attended'. If someone wanted to target my account specifically - I would advise them to take someone with more money in their account - I don't think it takes rocket science to get hold of these details.

by M. Klein, 08 April 2008, 00:20

What about people who use internet cafes or who log on at their place of work to do their online banking - who would the banks deem liable then?

The new code should be accompanied by comprehensive information for users on how to secure their machines - e.g. what does 'adequate protection' look like and how does the everyday non-techie person achieve it?

by Rebecca Smith, 08 April 2008, 08:42

Someone blogging at McAfee makes some good points about this here -

http://www.avertlabs.com/research/blog/index.php/2008/04/07/unsafe-hex-about-to-get-more-costly/ - seems pretty unlikely that the banks'll be able to say 'your av was updated a week ago, you're ok, yours is a month out of date, you'll have to pay up'. Also re cybercafes etc, I'm guessing if they have a sign up saying 'we clean up our systems regularly' that'd count as a reasonable expectation of safety (not that I'd trust it myself). It's just too hard for anyone to say what is normal/reasonable security level.

Agree with the comment about slack bank sites too but some of these flaws are user-pluggable. The weak questions are only as weak as the answer - the bank's never going to check if you've told them your real last school/mother's maiden name/favourite colour, so it can act as an extra password just by making it one.

by Paul Westlake, 09 April 2008, 11:16
