Online Banking: Do You Know Your Rights?
The financial industry in the United Kingdom recently reaffirmed a policy that holds online banking customers liable for losses if they fail to secure their personal computers against data-stealing computer viruses. While this policy may seem surprising or even draconian to some Americans, the reality is that most U.S. consumers remain woefully uninformed as to their own security liabilities when banking online.
News of the new U.K. banking codes comes via The Register, which reported that under the new regulations "banks will not be responsible for losses on online bank accounts if consumers do not have up-to-date anti-virus, anti-spyware and firewall software installed on their machines." The full text of the updated banking code is here (PDF). The relevant sections are 12.5 through 12.13.
This touches on a question Security Fix receives quite often from readers: "If my computer gets hacked and someone uses it to steal money from my online bank account, will I get that money back?"
The answer is that beyond the protections afforded to consumers under the law, whether or not consumers are reimbursed for online banking losses due to computer intrusions is entirely at the discretion of the banks.
By law, U.S. consumers can get reimbursed for any funds fraudulently transferred out of their accounts if they notify their financial institution of the bogus debits within 60 days of the transaction first appearing on their bank statement. Provided victims alert their banks within that time frame, their liability is generally limited to $50 (this applies only to consumers; businesses typically aren't afforded anywhere near that amount of flexibility).
Check the service agreement tied to nearly any U.S.-based online banking service and you will see roughly the same thing. Take this disclosure, from Bank of America's online banking agreement:
"If you do not notify us within these 60 days, you may not be reimbursed for subsequent transactions. Additionally, we will reverse or reimburse you for any bank or payee fees resulting from your loss. You should always guard your Online ID and Passcode from unauthorized use. If you share this information with someone, all transactions they initiate with the information are considered as authorized by you, even for transactions you did not intend for them to make."
It remains to be seen whether U.K. banks will enforce the tough new policy on consumer liability. But to be fair, most banks in the U.K. have taken concrete -- albeit hardly foolproof -- steps to employ true two-factor authentication methods for verifying that the person logging into a bank account online is in fact the owner of said account.
The same is largely not true for financial institutions in the United States today, principally because U.S. banking regulators haven't required such measures. Rather, they have left it up to the banks to determine their appropriate risk levels and which back-end and customer-facing anti-fraud technologies should be deployed.
According to APACS, the U.K. payments association that reports banking fraud and loss statistics for financial institutions there, stricter measures are helping to bring down the cost of online banking fraud. In March, APACS reported that online banking fraud losses totaled £22.6m in 2007 -- a 33 percent decrease from 2006 losses.
Unfortunately, it's not possible to correlate that figure with fraud numbers from U.S. banks, because they're not required to report those numbers, and our government sadly does not publish much of the information it does have on the subject (save for the odd internal report that leaks out to the media once in a blue moon).
If you think the U.K. rules are too strict, consider the recent actions by some banks in Brazil, a country that has a phenomenally active and organized cyber criminal element that produces some of the world's most advanced malware targeting online banking customers (mercifully, the Brazilian cyber crooks generally stick to picking on their own citizens).
I spoke recently with Tony Reyes, founder of the New York-based ARC Group, a company that has set up shop in Brazil to help at least one financial institution there investigate customers who have had their online accounts cleaned out as a result of cyber crime. Reyes, a former cyber cop for the NYPD, said some Brazilian banks have taken to investigating the victims of online financial crime.
"Some of these Brazilian banks are hiring investigators to visit the customer's house and look at the security of their setup, and if [the customer] doesn't have software patches, a firewall and up-to-date anti-virus on his system, in a lot of cases the banks will turn around and say it was the consumer's fault, and [the banks] don't return the money," Reyes said.
As for Security Fix, the wife and I primarily do our banking with two reasonably large national banks, and I recently phoned each to inquire if they could offer me some kind of token-based authentication tool -- such as a Secure ID or other kind of key fob that generates a random new six-digit code every 30 seconds that needs to be entered in addition to a user name and password in order to conduct online banking. (PayPal offers such a token to all users for a nominal one-time fee of $5.) Customer service representatives from both institutions had no idea what I was asking for, and it wasn't until I got bumped up a level to a manager that I was told they did not offer such a service.
What about you, dear Security Fix readers? Does your bank offer anything like a Secure ID? Have you recently been the victim of online banking fraud and been told you would not be reimbursed for the pilfered funds? Maybe you live in a country that has more or less stringent rules for online banking customers? Sound off in the comments below, or send me an e-mail.
April 10, 2008; 8:49 AM ET
Categories: Fraud, From the Bunker, Latest Warnings, Safety Tips, U.S. Government