Bank in the UK? Plans afoot to make YOU liable for bank fraud

Bank customers may be obliged to bear the bill for fraud against their accounts, under proposed changes mulled by banks, the UK government and GCHQ. Under the plans, individuals or companies with poor online security could be “frozen out of banking services or even excluded from the system whereby banks compensate customers …

  1. Anonymous Coward

    Time to switch to bitcoin.

    Same interest rate (0%). Same uncertain future. Better chance of not being defrauded.

    1. NoneSuch Silver badge
      Facepalm

      Bitcoin?

      Nawww... Just send your banking password to GCHQ and they'll vet it for strength and complexity.

      Silly me, I just realized they already have it.

    2. Sorry that handle is already taken. Silver badge

      "Better chance of not being defrauded."

      Now you're 100% responsible for the security of your money!

  2. Dwarf

    Grey area

    Surely this is a many-way thing ?

    Banks are accountable for their systems and making them secure in the first place. Not our fault if their back-end systems and applications are poorly written or don't comply with good practice.

    Conversely, customers should be a bit accountable against "stupid things" - giving out PIN numbers and personal data to people who ask for it.

    However it would be naive to expect every person of any age and intelligence to be fully up-to-date with all methods of attacking banking.

    Whose fault is it for example if someone skims my bank card at a hole in the wall, or malware gets onto a web site that I visit ?

    Is it

    - the virtually anonymous web site with all its security / defects

    - the customer who just wants to buy something

    - the bank.

    Sounds to me like it's just big business trying to dump on the smaller guy again.

    I wonder what the impact on the economy would be if people don't trust the banking system any more ?

    1. ZSn

      Re: Grey area

      In addition Britain seems to be unique in my experience of not commonly using card readers. The Netherlands have had them for at least 12 years as have Germany, and these have dramatically reduced fraud of this type. I asked Lloyds if they have one to use on their normal account and they looked at me as if I had asked for a glass of unicorn milk. Perhaps the UK banks could update their systems to something at least from this century.

      1. Bronek Kozicki

        Re: Grey area

        first direct gives out OTP token to normal account users.

        1. Chris Miller

          Re: Grey area

          Both my RBS and Nationwide accounts have provided me with card readers - they appear to be identical :)

          1. Captain Badmouth
            Terminator

            Re: Grey area

            Nationwide have only recently improved their website rating from a "F" fail to a "B" rating, RBS scores an "A". (SSL labs online test https://www.ssllabs.com/ssltest/index.html).

            If they're thinking of shoving fraud liability onto the customer, they should at least start by making sure all their sites are A+ at the very least.

            Icon : Your local bank manager ( that's right, he's gone to a better place).

            1. Vic

              Re: Grey area

              "If they're thinking of shoving fraud liability onto the customer, they should at least start by making sure all their sites are A+ at the very least."

              They should do a whole load to improve security.

              I'm thinking primarily of the "3D Secure"[1] system. The banks are actively promoting putting (fragments of) a password into an iframe on a website that does not come from the bank's server. IIRC, even the iframe does not come from the bank.

              This is just asking to be MiTMed...

              Vic.

              [1] Ha!

              1. BurnT'offering

                Re: 3DSecure

                The banks hate it. It's Visa and MasterCard who came up with this crap. The response from the banks was a unanimous "You cannot be serious!". Sadly, they were

      2. werdsmith Silver badge

        Re: Grey area

        "In addition Britain seems to be unique in my experience of not commonly using card readers"

        Who doesn't use card readers? We've had them for years.

        1. Flocke Kroes Silver badge

          Re: Who doesn't use card readers?

          I don't because I do not use online banking. When banking is possible without javascript I will re-evaluate their security practices.

          1. Jess

            Re: When banking is possible without javascript

            Lloyds bank works fine without it.

      3. Geronimo!

        Re: Grey area

        I've been a customer of at least 10 different banks here in Germany, business and private, over the last 20 years. Only 2 or 3 of those actually wrote their online banking can work with card readers. 2 even offered card readers in their shop, somewhere around € 30-35.

        Yes, in NL it's a default completely.

        Can't say if NL is more secure or pays less in total for fraud damages.

        1. Anonymous Coward

          Re: Grey area

          Sure card readers help, but then again one should also ask oneself whether it isn't there to just create a false sense of security. For the Netherlands specifically, the "change of liability" now suggested in the UK already happened there in 2013 (https://www.security.nl/posting/370459/Banken+stellen+nieuwe+regels+voor+internetbankieren) when the banks (were allowed to) instate policies, making the customer the main responsible in cases of fraud, and putting the obligation to prove no neglect and/ or wrong doing with the customer. I remember because of the initial outcry (which as always in the Netherlands died down, everybody forgot, while the policies are still in place) and the amusing discussion concerning standards. Ask yourself, when is your system up-to-date? Well protected? Ahhh, virus and malware protection... Closed system you say? Anybody see "opportunities" for quick issue resolvement? Oh, and don't even think of using that funny free software crap called Linux (which they use for their own servers), because that isn't recognised as a "safe OS" by Dutch banks (http://langleveeuropa.nl/2013/11/klant-nu-verantwoordelijk-voor-beveiliging-van-banken-en-aansprakelijk-voor-schade/). =0

    2. computinghomer

      Re: Grey area

      Just ask yourself why you are responsible when a bank loans money to someone who merely has your identification number. Why isn't that the bank's fault? Why don't they have to PROVE that I borrowed the money?

      1. cantankerous swineherd

        Re: Grey area

        think they do have to prove it, but you've got to go to court to make them? fin ombudsman is useless. experian et al just tell everyone a pack of lies about you.

    3. Hollerithevo

      Re: Grey area

      I have a card reader I don't use because if I use it, I assume liability for fraud, or what appears to be fraud. Read the fine print of your agreement. However, if I stick to the password and security questions, there is a grey area of doubt. I also use the phone for those transactions I can't do online.

      The banks have been trying to palm off responsibility for errors for decades. I remember arguing until I was blue in the face that some cash-point machine error had nothing to do with any personal security lapse, and finally they admitted that the machine had a glitch and all customers that day had similarly had 'sloppy personal security'. Banks are always willing to let us take the blame, knowing it's almost impossible to prove that we are innocent.

      1. Anonymous Coward

        Re: Grey area

        Well said! I had an argument with a bank thirty years ago about their supposedly 'unbreakable security' when I noticed a £50 withdrawal from my account that I knew I hadn't made. Given that back then I worked as a mainframe operator and was a keen computer hobbyist, I knew darned well I was being fed a load of BS, and as they wouldn't restore the stolen funds to my account (withdrawn in a town I'd never visited, and bearing in mind I can't drive, at a time I couldn't have been there at and still been in the bank's face about it the following day), I promptly changed banks.

        I've long wondered whether the move to online banking was pushed so hard at least in part with an eye to eventually trying to blame the customers for any losses. Let's face it, the internet as it currently exists and is used, is simply not fit for purpose for online banking. The banks are liable in encouraging customers to try to bank that way, IMHO.

  3. Anonymous Coward

    Good idea

    Sounds like a good idea. Anyone who banks online is really asking for trouble.

    1. Richard 81

      Re: Good idea

      Yeah, far better to stick all your notes in a mattress.

      1. Known Hero

        Re: Good idea

        tried it with small change, got a bad back from it :(

      2. Michael Habel

        Re: Good idea

        "Yeah, far better to stick all your notes in a mattress."

        In this day, and age of negative interest, and the Banks trying to take any, and every advantage over their users.... (See this Article)

        What exactly would the difference be... At least I know that my Money would be safer with me.

  4. Anonymous Coward

    How do you prove who is liable?

    Is it me for not updating my operating system?

    Is it the manufacturer for not supplying an update?

    Is it the bank for allowing the software to run or install on my computer or device with outdated software or browser?

    Is it me for not running or updating anti-virus?

    Is it the anti-virus software for not spotting a zero day vuln?

    If you move liability away from the banks then does anyone really think they are going to spend money on decent security?

    Why is it that we have an elected government by the people that never actually works in the interest of the people? Change needs to happen.

    1. Anonymous Coward

      "Is it the bank for allowing the software to run or install on my computer or device with outdated software or browser?"

      Is it the bank for forcing you to run with outdated software or browser?

      TFTFY

    2. RedCardinal

      In the way of these things I have a sneaking suspicion that the customer will be liable by default and then have to try and prove that they weren't....

      1. VinceH

        "I have a sneaking suspicion that the customer will be liable by default"

        ^This.

        For some time, the banks I log into were trying to push Rapport, for example - and I even had conversations with banking staff in which they asked if I had it installed and suggesting I install it if not (I usually told them exactly what I thought about that piece of software).

        I can well imagine it being a case of "Didn't have Rapport installed? Definitely your fault, then."

        1. Blitheringeejit
          FAIL

          AAAARRRRGGGHHHH!

          Similar issue a couple of years ago with Rapport, and after being ceaselessly nagged by the bank website to install it, I rang their online banking tech support to try to have a sensible conversation. More fool me.

          My questions:

          "Why does your site keep nagging me to install a piece of software when I'm a linux user (as your site can tell from my browser) and you provide only Mac and Windows versions of this software? If this software is so important for online banking security, where can I get hold of a linux version?"

          Their *online banking tech support person* response:

          "What's 'linux'?"

          FFS.

    3. heyrick Silver badge

      You forgot the part where the bank expects you to run some shit that they have been paid to plug, lie about, and if you're lucky it only cocks up your machine.

      I'm thinking here of NatWest's constant nagging for my mother to install Trusteer Rapport... well... http://www.advantage77.com/2014/09/03/rapport-more-problems-than-its-worth/

      1. anthonyhegedus Silver badge

        As is common in the computer industry, Trusteer Rapport is an absolute con. They've conned the banks into buying this shit off them. The banks give it away to make people think they (the bank) cares about security. They don't. They don't understand security. They are sooner or later going to insist their users run rapport. When they do, I'm not using online banking any more, at least from a PC.

        Whenever we have a client with poor speed, intermittent network connection or just plain weirdness on their computer, first thing we look for is Rapport. Removing it usually solves the problem. At best, it slows down internet access; at worst it completely fucks up the machine, resulting in problems booting. I've seen it.

        1. Anonymous Coward
          Pirate

          Sounds like a nice little earner.

          I suspect the bank receives a direct commission from sales resulting from their referrals. Why would they care that it's snake oil their trusted partner is flogging to their hapless customers, as long as it brings in $PROFIT?

          Doubtless they'll be getting a nice little commission on the fraudulent debits they allow from your account too, once they've bought this "proposed" legislation. Just as they do in the US.

  5. Anonymous Coward

    Happy to be held accountable once...

    ... I get to specify hardware, software, development methods & tools, uk-based operations, staff pay and conditions at the bank IT dept.

    Or to put it more simply, I'll take the blame for electronic fraud once I am CTO. Otherwise, the current CTO should take responsibility.

    1. Voland's right hand Silver badge

      Re: Happy to be held accountable once...

      The reality is that:

      Bank will specify hardware: PC

      Bank will specify software: Windows with bank sponsored malware (sorry, security software) installed via a bank affiliated download so that the bank gets its marketing cut. The favorite is some crapware named after some mutt variety.

      Bank will specify development methods: Bangalore

      Bank will specify location of operations: Bangalore

      And you will have the responsibility. HSBC already tried that. More than once.

      I tried to raise with them the fact that the way they have redirected to the co-sponsored download was open to cross-site scripting so _ANYONE_ could shovel a download to a customer PC through that hole and the customer would have accepted it as verified by the bank. This gives you the idea of the competence involved.

      After spending 10 minutes trying to parse Bangalorian into English I gave up, closed the account and moved to Nationwide.

      1. Captain Badmouth

        Re: Happy to be held accountable once...

        See my post above about Nationwide site security.

      2. Anonymous Coward

        Re: Happy to be held accountable once...

        "After spending 10 minutes trying to parse Bangalorian into English I gave up, closed the account and moved to Nationwide."

        Late last year Nationwide outsourced a load of their IT operations to CrapGemini, and signed an automation deal with TCS, so you'd better move again. Meanwhile the CEO of Nationwide paid himself £3.3m last year, an amount that has doubled in five years.

        It would seem to me that the management of Nationwide are the same talent free snout-in-the-trough types as run the rest of the financial services sector.

  6. Anonymous Coward
    Pirate

    If conscious culpability can be proven by proper process of court, then fine... but that's not what this is, of course. Arbitrary shirking by the thereafter-wilfully-negligent-corporation: Just like the US. Our money grubbing twats have "identity theft" (sic) envy.

    Still... if they get their grubby little scam passed, it'll be good motivation to move my banking to a more civilised country... and I'll probably pay a bit less tax as a result :D

  7. kmac499

    Recommended Banking security software..

    Well I have on line accounts with multiple banks (I'm not rich it's different accounts for different uses) and I won't use the suggested anti virus software from any of them.

    Their software is invariably huge, hogs the CPU and doesn't play well with other regular AV software. Anyone tried Rapport?

    Let alone trying to host multiple banking security software on a single device, that would make psychotic ferrets in a sack look like a Buddhist Monastery at prayer by comparison.

    1. Hollerithevo

      Re: Recommended Banking security software..

      I took Rapport off when they 'upgraded' it a few years ago. I read the new EULA and it more or less said that they were going to record everything I did, so I stripped it out of my machine. Haven't felt any less safe.

    2. anthonyhegedus Silver badge

      Re: Recommended Banking security software..

      Rapport is shit pure and simple. At best it just makes your internet slow. At worst, it will brick your PC. I tested it once. I had made an image of a PC. I tried to take rapport off the machine and it tried to make me keep it by saying that it had protected me from 6 actual online threat instances. I reloaded the image and tried again and it said it had protected me from 4 actual online threats.

      So it seems it lies to you as well as fucks with your PC and steals your information

  8. tiggity Silver badge

    Banks encourage bad consumer IT security practices.

    Cannot comment on "modern" logging into online banking as I avoided it since the early days after initial online banking offering made to me was IE only with no solution available for a more configurable / secure browser on a more secure OS. Happily functioned without online banking so never revisited to see the current state of play in online banking logon.

    However I have encountered the dross that is 3DSecure ( Verified By Visa et al), so often used when you are asked to purchase something - lots of dubious js / traffic to site(s) totally different to the vendor website, the sort of thing that would make a security savvy user think there was some dodgy 3rd party attempt to defraud them, and people are encouraged to think this is a good security model! No wonder so many people are defrauded online.

    Despite their bad treatment of staff & tax dodging, which I dislike massively, Amazon grudgingly get some of my online purchases heading their way, precisely because they do not do verified by visa stuff (I abort transactions if VbyV stuff used).

    (Amazon get my cash in cases when other places I have tried to buy from have gone all VbyV on me, & I have lost will to live in trying & failing to find a non VbyV vendor that is not Amazon for that item)

    1. Flocke Kroes Silver badge

      Amazon works without Javascript

      There used to be other sites that did not require javascript, but they changed and I abandoned them. I would really like Amazon to have some competition, but there are only so many times I am prepared to fail to create a new account before I go back to the site I know will work.

      If only 'Do you want a free trial of Amazon Prime' were as simple to avoid as a Windows 10 downgrade.

    2. Ogi

      That "Verified by Visa" crap is the only reason I use a credit card (credit cards don't prompt the verified by visa window when online shopping). Really VbV is the most useless thing I have ever seen, and works so rarely that it can make a 2 minute online shop last 30+ minutes.

      Quite frankly, things are going in such a bad direction with banking, that I have switched to cash only. Apart from the credit card for online purchases, everything else is cash. No need for a card reader, a PIN, some sort of fancy in-phone-contactless-app crap or other tracking system wrapped in a security nightmare that I will be liable for. When I want to buy something I just put down the cash, with no faff.

      I also rediscovered the joy of actually going into my branch and dealing with my account with a human being. Usually I can get problems fixed quickly, and my complaints have to be dealt there and then by the manager rather than a ticket logged somewhere in Bangalore after waiting 30+ minutes on the phone. Of course, because everyone does online banking now, the branch is usually really empty as well.

      Although I concede that not everyone has a local branch nearby, I would imagine most do. Bank branches are pretty common, along with a pub and post office, even in small towns.

    3. Anonymous Coward

      @tiggity

      > (Amazon get my cash in cases when other places I have tried to buy from have gone all VbyV on me, & I have lost will to live in trying & failing to find a non VbyV vendor that is not Amazon for that item)

      You can ring your card issuer and ask for VbV to be removed[1]. That was several years back now and only once since then have I had to buy using a different card because a site refused to work without VbV on.

      [1] Well, my lot did it for me. YMMV.

  9. Steve Foster

    Idiot Banks

    One of the reasons that people get caught by phishing attacks is the banks' idiotic behaviour when they call you in demanding you answer "security questions" - when *they're* the unknown quantity.

    I always decline to do so, and try to explain that I'm not going to answer questions from some random stranger who's called my number, and nor am I going to call any number they give me - at least not until and unless they prove who they are to my satisfaction first.

    Another example of cretinous behaviour on their part:

    Most of my bank accounts are protected by 2FA of one sort or another. One day, using a shiny new laptop, I logged in to one of my accounts (that uses a PIN protected challenge/response key generator thingy), authenticated with multiple user codes, plus the 2FA response, arranged a regular payment _to an existing recipient_, received confirmation of payment and logged off.

    A couple of days later, I went to log in again, to be told that my account was "not initialised properly" (or some such) and I could not login. Figuring this was some temporary glitch at their end, I tried again the next day. Still no access. After a couple of days of this, I gave in and called their support number. After passing their security questions, they told me that my account had been frozen (no payments out, internet access blocked) due to "suspected fraudulent activity" (the payment that I made online [by now] a week earlier [which they'd actually cancelled]). I asked what was the point of having and using 2FA and all their other security measures if they were all going to be overridden/ignored just because I used a new computer!

    While I do appreciate that they are supposed to make efforts to prevent fraud, a single minor difference out of several test elements should not be enough for them to a) lock me out of my own account, b) cause payments to be summarily cancelled, and (most especially) c) do this all without making any sort of attempt to contact me in any way.

  10. silver fox

    My bank do it right. For any new payments that I want to set up the process is so complicated that I have to look up how to do it each time. It is so much of a faff that I just phone them instead.

    Banks have been trying to shift the onus onto customers for a while now. I get the argument that if there's no customer liability then customers won't take any care but if you're a bank, and you want me to use your online services because it saves you a ton of money, then it's your liability if that system is flawed (and that includes flaws that make it easy for the customer to make a mistake that allows fraud).

  11. Mage Silver badge
    Flame

    Chip & PIN or Contactless

    Both of these reduce Fraud. In a sense!

    Except they reduce it MORE for the bank than for the customer. Because Chip & PIN fraud is usually deemed to be customer carelessness. Contactless was designed for warehouses. It should NEVER have been used for payments, it's not secure and people are being harvested with portable devices. Chip & PIN as implemented has a MASSIVE flaw as it doesn't depend on connection to bank to verify PIN and there is inadequate physical security of shop terminals. MITM attacks.

    All widely documented.

    Banks are also stupidly outsourcing IT when it should be a core activity.

    1. Chloe Cresswell Silver badge

      Re: Chip & PIN or Contactless

      Banks are good at conflicting information too.

      I had fraud on my chip and sign card.

      Bank told me the transaction was pin verified.

      I pointed out that surely if a C&S transaction has been pin verified, there's a very obvious bad transaction?

      They said no, it's perfectly valid to do pin verification on an account with no pin.

    2. FlatEarther
      FAIL

      Re: Chip & PIN or Contactless

      This is completely wrong. Fraud has gone down to negligible amounts where CHIP & PIN has been introduced (except of course for Card Not Present, where there is neither CHIP nor PIN).

      Why do you think the incidence of card present fraud is so high in the USA? It's because they haven't widely implemented CHIP & PIN. They're rushing to implement it now, but meanwhile fraudsters are having a field day.

      Also, any issuer (e.g. a bank) must accept a no customer liability clause if they want to issue Visa Paywave or MC PayPass cards.

      1. Tom 7

        Re: Chip & PIN or Contactless

        I avoid contactless since a friend I was with managed to spend rather a lot in pub - rather more than we could have drunk and we decided it must have been a deliberate scam in the bar in question.

        In the co-op yesterday a young lad bought a lot of stuff with a contactless card - his behaviour suggested it wasn't his card. If the co-op can show his parents the items bought he may well get his arse kicked.

      2. Ian 55

        Re: Chip & PIN or Contactless

        US card procedures have always been incredibly lax.

        Back in the 90s, we went to the US with a new credit card and forgot to sign it. It was nearly a fortnight before an Amtrak office apologised for expecting it to be signed. Everyone else hadn't bothered to compare the signature just given with anything or been bothered that the card was unsigned.

        1. Uffish

          Re: "USA Back in the 90s"

          Seems to be still true today. I had no trouble using my card even though I can never make two signatures that even look like the same name let alone similar writing. Some admittedly old banknotes left over from a much earlier visit, were only accepted with much discussion with other cashiers and checking with senior staff.

          I got the impression that plastic transactions were insured but cash was not.

  12. Sir Alien

    Hope this fails...

    I certainly hope this change fails or is re-worded correctly. I mean, clearly if the account holder was stupid and shared their details they should just be told tough.

    Like myself though, I was defrauded years ago by card skimmers messing with (Shell or Total) petrol station terminals and after a good 3 to 4 week investigation it was determined that it was not my fault. If this happened and they made me pay for it I would certainly be mighty displeased (and tell them to bugger off and move bank).

    Can you imagine the lawsuits that will happen. Hell, something like this can easily bring about a class-action style case and become the next PPI problem.

  13. Haku

    Barclays once paid Stephen Fry to tell us that Barclaycard was safe to use online.

    If this proposal goes through I don't think anyone will be paying Stephen Fry to tell us that we'll be galloping up diarrhea drive without a saddle if we get defrauded online in the future...

    1. Captain Badmouth
      Devil

      Re: Barclays once paid Stephen Fry to tell us that Barclaycard was safe to use online.

      Wasn't it Barclays that had an XSS scam on their website? Ooh and HSBC too in 2009 :

      http://www.xssed.com/news/99/New_HSBC_and_Barclays_bank_XSS_and_open_redirect_bugs/

  14. Locky

    Moving with the times

    According to my bank's Internet Banking - What you need section;

    "PCs and Macs connected to Local Area Networks are not supported."

    But, it's okay;

    "modem (minimum speed 56kbp)"

    Phew

  15. dajames

    I'm all in favour of customer liability

    ... but only when the customer is actually liable.

    The bank specifies the equipment and the security measures used, the bank controls the processes by which online trading and online banking are carried out; these processes produce audit trails, and it is the bank that has access to those data. The onus MUST therefore be upon the bank to prove that a customer has done something fraudulent -- or at least negligent -- and the bank must bear the cost in cases in which it cannot demonstrate such proof.

    If the bank wishes to reduce the incidence of fraud it is the bank that is in a position to improve security, not the customer, so the bank must bear the responsibility for their security being effective.

  16. SirWired 1

    Huh? Consumers aren't liable for online fraud in the US

    "UK banks - unlike those in the US - routinely cover the costs of online fraud, at least in cases where customer negligence (such as sharing PIN codes or cards with third parties) is excluded."

    What are you talking about? There is not a single US bank I'm aware of that charges consumers one penny in the case of fraudulent purchases. (Technically the law allows up to $50 in liability, but in practice precisely zero banks do this.)

    1. Anonymous Coward
      Pirate

      Re: Huh? Consumers aren't liable for online fraud in the US

      What rock have you been living under?

      Here's an example of how it's done... once liability has been safely transferred to YOU, of course:

      1) Your bank forms a "trusted partnership" with a convicted fraudster.

      2) Your bank then sells your account details (name, address, account number, etc) to its new bestest mate evva.

      3) $$$PROFIT$$$

      4) "Trusted partner" then returns your account details to your bank, with a little note attached, saying something like "Customer has opened a £19.95 monthly debit over the telephone (Honest!) but don't attach our company name to it - mislabel it as something innocuous and official looking. Cheers mate."

      5) Your bank starts slipping little bungs of "your" money to its "trusted partner"

      6) $$$PROFIT$$$

      7) You'll notice at some point and cancel further* debits... but the elderly/absent minded/otherwise vulnerable will be defrauded for the rest of their lives...

      8) $$$AWESOME$$$ENDLESS$$$$PROFIT$$$

      Google will give you specific examples if you need them. For starters you might like to try:

      "bank of america" scam "customer years" coverdell

      Another name it's been done under is "Plan Administrator"...

      Coming to Blight soon, by the sound of things - if the British political swine have their snouts stuffed firmly enough into the trough... and it certainly sounds like they do...

      *NO. You can't have any of "your" money back: IT'S YOUR RESPONSIBILITY TO STOP US GIVING "YOUR" MONEY AWAY. Sucker :P

      1. SirWired 1

        Re: Huh? Consumers aren't liable for online fraud in the US

        I won't deny that your specific example was a scam and illegal, but it is also entirely irrelevant to the topic at hand, which is liability for fraudulent online purchases.

  17. John H Woods Silver badge

    (de-)Training ...

    (as Steve Foster said above)

    ... Banks and other institutions have spent nearly two decades phoning people up and asking them to 'go through security' --- so much so that if you answer the phone and say "err, only if you can prove who you are" they are usually gobsmacked.

    One guy said, ok, let me give you a number and you can call it back. Err, hello? Was it or was it not your institution that told me not to click on links in emails purporting to be from you? So I shall not be ringing any number you give me.

    1. heyrick Silver badge

      Re: (de-)Training ...

      Several years ago, the bank called me. Dunno why. As soon as I knew it was "the bank", I asked the woman to tell me two direct debits on my account and the amounts they are for. She told me she didn't have access to that information. I told her she failed to verify that she was in fact from the bank. Then I hung up on her. A bit curt, perhaps, but how dare they repeatedly ask me my mother's favourite colour and that sort of rubbish when I call them, but expect a simple "hi, it's the bank" to work when they call me?

      My usual attitude now is to ignore any and all emails, and tell callers to put it in writing. If I have a proper headed letter I'll pay attention to it. Nothing else.

      1. Sam Liddicott

        Re: (de-)Training ...

        The co-op bank did this to me.

        They could not comprehend that repeatedly re-assuring me that they were from the bank was as useless as it was easy.

        I called them back, on a published number, got through to the extension of the person calling me, only to be told:

        We just wanted you to know that now we have merged with CIS we have a wider range of financial products available...

        aggghhh

        1. SImon Hobson Bronze badge

          Re: (de-)Training ...

          At least HSBC stopped calling me with sales calls after one of these "you called me, there's a fair chance that the person answering the number you dialled is me or at the very least someone with access to my phone, you could be calling from anywhere in the world, so I'm not giving you any information whatsoever until you prove who you are, and no I'm not calling you back on any number you give me - what sort of idiot do you take me for" exchanges.

          I made a right fuss about it, and how it really just blew all their security out of the water. What's the point of telling customers to "be safe" when the banks themselves ignore all their own instructions. Ditto those who repeatedly send me emails which include "you can tell this email is genuine because ...".

          The downside is that when they do actually phone you for a genuine reason (they'd detected fraudulent activity with my card), it can be hard when calling back through the contact centre number to find out who you need to speak to in order to find out what the issue is.

          BTW - if anyone is under any doubt about the supposedly unbreakable security of Chip&PIN, head over to https://www.lightbluetouchpaper.org and see their blogs on the subject. They've comprehensively proved that there are multiple flaws in the system, which are design flaws, and about which the banks have full knowledge. So next time the bank tells you it's 100% secure, you can call them a liar and be right.

          And for a bit more fun, see how easy (or otherwise) it is getting a non-contactless card next time they try and foist this on you. Responses I've had vary from "no problem" to "no way" (the latter getting a "in that case, your card doesn't get used" response).

      2. Adrian Bool

        Re: (de-)Training ...

        Ooh, letter headed paper - very secure! ;-)

  18. Snowy Silver badge

    Between banks, the UK government and GCHQ.

    What has it got to do with GCHQ?

    1. Anonymous Coward
      Big Brother

      Re: Between banks, the UK government and GCHQ.

      That's whose job it is to ensure the plebs are kept away from anything actually secure.

      You can bet your arse that with GCHQ in the loop NO bank will EVER accidentally recommend, or even accept Qubes, Tails, BSD, CyanogenMod... etc... use any of those and your bank will give your savings away.

      Approved "secure" systems will be assorted trusty combinations of Microsoft Inc., Apple Inc. and Google Inc. binary crapware. Nothing more.

  19. quattroprorocked

    I don't do internet banking

    and they keep asking me why not.

    "Do you know what a trojan is?"

    "No."

    "That's why".

    I'm not a security guy or even a geek. I just know enough to know that no matter how good I think my security is, it probably isn't. And I'm certainly not minded to listen to people who know even less than me.

    I used to be in finance (many years ago) and I found critical errors in several companies' systems - they couldn't even compute their own contract charges properly, and were stunned when a one man band outsider with no access not only told them they had errors, but also where they were and how to fix them. If they won't even build spreadsheets with quality control as standard, I really don't trust them for anything else.

    1. Anonymous Coward
      Anonymous Coward

      Re: I don't do internet banking

      Seems a reasonable response: if they make me liable for fraudulent Internet transactions then I will terminate my Internet banking. If they make me liable for fraudulent telephone transactions then I will terminate my telephone banking.

      Eventually we all end up doing our transactions over-the-counter like 20 years ago, and the bank has to swallow the increased costs of doing business.

      1. werdsmith Silver badge

        Re: I don't do internet banking

        Eventually we all end up doing our transactions over-the-counter like 20 years ago, and the bank has to swallow the increased charges to cover the costs of doing business.

  20. Ashto5

    Security Is EVERYONE'S Business

    I have a friend who claimed chip and pin was fool proof, he had read the documentation on the system.

    I laughed at him at that point.

    There is only one way that we will beat / reduce fraud, and that is with participation with the banks and their security measures.

    Firstly I want to see and hear about their plans to prevent fraud, not the plan to punish me for using THEIR facilities.

    BANKS, it is YOUR system not mine, if the criminal fraternity breach it that is YOUR fault.

    We could have 2nd and 3rd party verification process, request and response phone messaging, please include a panic code for people being forced.

    Register when going abroad, include region / city.

    Then we can talk about sharing the final cost.

  21. Ashto5

    Banks its your fault

    I have a friend who claimed chip and pin was fool proof, he had read the documentation on the system.

    I laughed at him at that point.

    There is only one way that we will beat / reduce fraud, and that is with participation with the banks and their security measures.

    Firstly I want to see and hear about their plans to prevent fraud, not the plan to punish me for using THEIR facilities.

    BANKS, it is YOUR system not mine, if the criminal fraternity breach it that is YOUR fault.

    We could have 2nd and 3rd party verification process, request and response phone messaging, please include a panic code for people being forced.

    Register when going abroad, include region / city.

    Then we can talk about sharing the final cost.

    1. Swiss Anton

      Re: Banks its your fault

      The sad part about this is that any bank could consider chip & pin fool proof, they certainly aren't "lucky" fool proof.

      The chances of "winning" on a stolen card are 1 in 3333*. If your modern day Fagin and his crew steal 100+ cards a day, they are going to "win" the chip & pin lottery several times a year. Meanwhile you as a bank customer are going to have to deal with the bank's line of "Chip & Pin is secure, you MUST have given out your pin"

      *The pin can be changed on some cards. I'd bet that there's probably a statistical anomaly with the number of cards that have the pin 1234**, 1793, 2486 etc, so the odds of guessing a PIN are likely to be better than 1 in 3333.

      **Obviously if you do change your pin to 1234, then the banks should hold you 100% to blame if someone uses your card to access your account.

  22. Anonymous Coward
    Anonymous Coward

    Re: Between banks, the UK government and GCHQ.

    All your transactions are belong to us. K thx bai Cheltenham

  23. Anonymous Coward
    Anonymous Coward

    Insurance

    Sounds to me like a nice money-making opportunity for the banks - I'm sure they'll be only too happy to allow us to add insurance for a monthly fee. Who are the real fraudsters?

  24. Boris the Cockroach Silver badge
    Devil

    Due to

    recent family events, I had to setup new bank accounts

    "Do you want to use online banking?"

    "Nope, not secure"

    "What about phone banking?"

    "Not secure either"

    "Why not?"

    "Because you don't use 2 FA", Service droid looks at me as if I just sprouted wings and forked tail. "But watching you log in on your bank supplied tablet, it was clear you used 2FA to log into the bank's system, but customers get 1FA"

    Service droid realises it's on a loser and changes subject "Beautiful plumage on a Norwegian Blue"

  25. Number6

    I can see a sudden rush of people going into their bank branch for transactions again, just like it used to be.

    Except no, most people will carry on because it could never happen to them (until it does).

    There are reasons I only do banking transactions from one machine at home, and even on that one I decline their offer to 'remember me'.

    Having said that, my bank does use 2FA for on-line banking, and one of the reasons I only bank from home is because that's where the card reader is.

    1. Emperor Zarg
      FAIL

      No point going to the bank branch. Barclays have already removed the people and replaced them with ATMs - this, in a city centre branch. Already, the new automated system has "lost" two deposits. A 100% deposit loss. Interesting quality control there.

    2. Down not across

      I can see a sudden rush of people going into their bank branch for transactions again, just like it used to be.

      What branch? Oh you mean the one they closed down?

    3. qwertyuiop

      Why do you think an over the counter transaction is more secure?

      Some years ago my wife had her bag stolen while we were in a restaurant. It contained all of her bank and credit cards, and a cheque book (don't ask!). We reported the theft to the police and to the bank as soon as it was discovered - which would have been 1 hour at most after it took place. Bank took all the details, sent a "Loss Questionnaire" to complete and said the card was cancelled. A replacement card arrived within a couple of days.

      Imagine her horror two weeks later when she withdrew some cash from an ATM and checked her balance only to discover it was almost zero rather than the fairly healthy sum she expected.

      Subsequent investigation showed that somebody - either the bag thief or whoever they'd sold the cards on to - had made repeated withdrawals by cheque made out to "Self" over the counter in branches of the bank. Each withdrawal had been for more than the card limit, which means that checks should have been made each time. Not only that but more than one withdrawal had been made each day which (in the case of cheques to self) is supposed to be impossible.

      All of that in branches of the bank - so much for security!

  26. Mark Allen
    Flame

    Scammers

    Due to having a bank steal money from me previously when I used an automated paying in machine, I always do bank interactions with humans. And only Northerners and not some call centre in a random country. Have moved banks and utility accounts to all have UK Telephone based support. Makes a HUGE difference to one's sanity. (And the nice feeling of keeping someone in a job).

    This means I have never used online banking. The idea being that I can't be liable if I have never used it. Yet two months ago my online account got hacked. Which is a little clever as it had never been enabled or used by me.

    Or maybe it is just because my stupid bank has passwords, IDs and access codes as all numbers? How is that security? Especially as the numbers are too long to memorise.

    When I got my access codes for the Telephone banking re-issued I was then told these are the same details as Internet Banking. Which I don't want to use. I asked them how do I change the passwords for the telephone banking to be more secure? I can't, unless I login to the Internet banking to change them.

    So who would be liable for that? A system I never used, "protected" by a weak set of numbers that cannot be changed, yet it was still compromised by a random drive by attack which I only ever found out about when I tried to do some Telephone banking.

  27. Alan Brown Silver badge

    If this takes off

    Then the bank of "under the mattress" is going to start receiving more custom.

    Banks rely on trust to get your money, in order to sell it to other people (several times over).

    They already don't pay out in the egregious cases where people screwed up their own security. If they start pushing it further, customers will start pushing back.

  28. Graham Triggs

    I want compensation...

    For the costs I've incurred as a result of over-zealous anti-fraud detection systems incorrectly rejecting purchases that I have authorised.

    1. Dwarf

      Re: I want compensation...

      I've had this problem several times.

      One was in early on-line purchases. Second transaction was rejected because of the distance and time between the transactions - hence I couldn't have been at both. Trouble was it was two web sites I visited. Damn fast those IP packets.

      Also had a problem when booze cruises used to be the thing of the day.. Stood in the front of a queue in a French supermarket with a trolley of booze and it says "non". Phone rings. Interesting chat with bank droid about how much they are annoying the long line of people behind me. It may be unusual, but I do have the choice about when and where I shop without telling the bank first.

      Most recent was an on-line purchase that wouldn't go through. Phoned supplier "Bank says no". Phoned bank "something was wrong with the data you supplied", but they wouldn't say what didn't match so that I could correct it, even though I authenticated with them (but interestingly, not them with me ??)

      Turned out after several further calls and eventually speaking to a grown up that some of their new anti-fraud software had decided that my correct address was in fact wrong to the latest database they had purchased. House names were apparently no good any more. I now have to provide less information about where I live for the transaction to go through because the computer says no.

      Net result, I get delayed, it costs me time and money, so I get grumpy quicker as that seems to get you to a grown up who can do something about it. As companies hide more and more behind service centres and scripts, this only gets more and more difficult to do. I remember a ye-olde expression, it was called customer service.

      1. This post has been deleted by its author

  29. cantankerous swineherd

    Bernard hyphen hoare of the met started this hare running a while ago. I reckon a smart lawyer could come up with a form letter telling the bank to ignore any electronic instructions purporting to come from Mr a n other.

    I believe (Krebs - so perhaps not in UK) it's possible to put a stop on credit checks with the likes of the spies at experian, thereby spiking any attempts to borrow money in your name.

  30. Anonymous Coward
    Anonymous Coward

    Where do you get the idea US banks make you liable?

    I think you might be liable for $50 for debit card fraud, but there's a simple solution to that - don't use debit cards. I use credit cards, which have no liability for fraud, and you don't have to worry about not having any money if you get cleaned out while you're waiting for the bank to rectify things.

    I admit I'm not really sure what the law is if someone steals my bank login and connects directly, but since I'm not signed up for any services that would let me write electronic checks or make transfers out of my account to accounts I haven't pre-authorized, I don't have to worry about that.

  31. seacook

    2FA?

    Easy and reliable 2FA is where??

  32. ben_myers

    The answer is easy!

    Keep all your money under your mattress. Don't trust the damned banks!

  33. Anonymous Coward
    Anonymous Coward

    not under your mattress... is this an IT website?

    I am gradually moving money into bitcoins, and also keeping an eye on the other rising crypto currencies.

    Banks still have some of my custom, but it is definitely time to diversify.

    Make no mistake, I am aware of the problems with bitcoin and the unstable past.

    However, when it comes to security vs cost, the banks charge me huge fees for moving money around (internationally), unless I am willing to wait days for it. They are fairly secure with their one time password generator thingys, but the number of passwords and keys for my bitcoin account make it way more secure than a range of easily found out family information.

    Nothing is truly secure, but make me choose and I will go with technology.

  34. Disk0
    Mushroom

    Banks have been charging us for the privilege of being defrauded by them

    so it's only natural we also get the blame for any and all fraud. If we'd all just stop using banks, they could finally stop complaining.

  35. David Gosnell

    Phishing

    Banks could go a fair way to stopping phishing by refusing to serve branding images without proper referrer URLs. Phishing scams invariably link to the official web-based images, and stopping that, or (even better) replacing them with ones saying "SCAM WARNING!" would help. A little. Which is better than nothing. Of course, many people disable images in emails anyway, and the scammers may move towards embedding rather than linking images (or linking to copies elsewhere, which won't go unnoticed), but the latter will dramatically increase their data load, and in the meantime a few million gullible souls may become better educated.
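Added example, not part of the comment above and not any bank's code: one way the image endpoint could decide between the real logo and a warning image from the `Referer` header. The host names, asset names and the `serve_logo_without_referer` switch are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Assumed for this example: hosts whose pages legitimately embed the branding.
ALLOWED_HOSTS = frozenset({"www.bank.example", "online.bank.example"})
LOGO, WARNING = "logo.png", "scam-warning.png"  # hypothetical asset names


def referer_host(referer):
    """Return the host named by a Referer header value, or None if unusable."""
    if not referer:
        return None
    try:
        parts = urlsplit(referer.strip())
        host = parts.hostname  # drops userinfo and port, lower-cases the name
    except ValueError:         # e.g. a malformed IPv6 literal
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    return host.rstrip(".")    # tolerate a trailing root dot


def decide(referer, allowed=ALLOWED_HOSTS, serve_logo_without_referer=False):
    """Pick the asset and cache headers for one request for the logo URL."""
    host = referer_host(referer)
    if host is None:
        # Mail clients, image proxies and privacy settings often send no
        # Referer at all, so the policy for that case is an explicit switch.
        asset = LOGO if serve_logo_without_referer else WARNING
    else:
        # Exact match only: suffix or substring tests accept look-alike hosts.
        asset = LOGO if host in allowed else WARNING
    # The body now depends on Referer, so shared caches must not reuse it.
    headers = {"Vary": "Referer", "Cache-Control": "private, no-store"}
    return asset, headers


# Constructed sample Referer values, including look-alike forms.
SAMPLES = [
    "https://www.bank.example/login",
    "HTTPS://WWW.BANK.EXAMPLE:443/accounts",
    "https://www.bank.example.evil.test/login",
    "https://www.bank.example@evil.test/",
    "https://evil.test/?next=https://www.bank.example/",
    None,
]


def run_samples():
    """Return (referer, asset) pairs for the constructed samples."""
    return [(r, decide(r)[0]) for r in SAMPLES]


if __name__ == "__main__":
    for referer, asset in run_samples():
        print(f"{referer!r:55} -> {asset}")
```

The header is supplied by the client, so this only changes what hotlinking pages and mails display; it does not authenticate the requester.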

  36. trevrobwhite

    Banks should take more responsibility

    Push this onto the users forget it, why not force the users to have a secure password, and allow that secure password in their systems.

    I see so many banking systems say you need over 6 characters but it has to be below 12 characters not include characters xyz, how on earth can you create a secure password with so many restrictions?

    Additionally hardly anyone does Google reCAPTCHA or two step authentication texting a code to your phone, and the memorable information, why such a small list, allow users to create their own question.

    And then the government is not forcing shopping sites to secure your card details in a secure way, just mention Talk Talk here and others.

    Banks and the government need to step up to the mark not hide behind a wall and say "not our fault".

  37. Anonymous Coward
    Anonymous Coward

    check

    "financial fraud involving payment cards, checks and remote banking"

    Did you mean 'cheques'?

  38. hatti

    No chum

    Not unless your banking system security carries any foolproof guarantees.

    cough ( SWIFT! ) cough

  39. Anonymous Coward
    Anonymous Coward

    So they make it impossible to avoid fraud by closing local branches and forcing us into a cashless society by forcing you to either use cash machines or chip and pin readers in stores which may have card skim / splitter cables / cameras attached, or shop online with static card details easily clonable by anyone who's seen your card for more than 2 seconds.

    Why should I be liable if my local petrol station's dodgy employee has done something to their chip and pin reader to capture my details?

    scumbags.

  40. BurnT'offering

    Olov Renberg, the founder of behavioural biometrics firm BehavioSec, commented:

    “Blah blah blah blah ... buy my product."

  41. Anonymous Coward
    Anonymous Coward

    The answer is to avoid losing control by trading with gold instead.

    The fact is money is only valuable if people believe in it, with the general population having little control but required to pay all the bills for the affluent's failures and or greed perhaps it is time to return control of personal wealth to those having to work for said wealth.

    Gold whilst not as good as essentials in terms of worth is more portable and generally accepted across the world.

    I am all for taxation if it is spent on improving the safety/ environment / standard of living of me and mine but too often my tax is diverted to things I oppose without me having any say in it.

    Too often my money is diverted to people who paid towards getting the politicians elected and this has been a problem since democracy was invented.

    Personally I would make the consequences of corruption in office match the level of power they wield and apply it at all levels of government and their agents. Hopefully then only those that are seriously willing to risk all to do good will take the job for the betterment of us all. These people do exist but typically get pushed out by the "professionals" i.e. those just taking the post for money and personal power.

  42. Anonymous Coward
    Anonymous Coward

    My bank sent me a new debit card, I didn't activate it for contactless use which was an option, recently it was scanned and yes it worked, not happy.

    One of the I.T. lecturers I know is a former bank branch assistant manager, he refuses all their attempts to get him to do internet banking, another has a portable card scan and clone unit that can read a card from several metres away he uses for teaching an I.T. security course, all bought off e-blag, banks consumer level e security is a poor joke at best.

    Banks are all about physical security, watch closely as the first staff member arrives and waits for the second before one of them enters the bank being observed from a safe distance by the other to do the first security check, only when they come out and exchange their agreed pass phrases does the second enter and do the same checks whilst the first waits outside. Only when they are both satisfied do they both go in and the daily symbol agreed beforehand goes in the agreed window, showing the main safe second key keyholder it's safe to enter, or the wrong symbol in the wrong window meaning not to enter but to pass by and call the Police, how many computer users would be willing to wait 30 seconds or more for a verification process of at least the same strength to work? That's why the banks will get away with it...

  43. OldTimer

    BREXIT

    Thank God, it is a Brit(e) Idea.. not for us in other parts of Europe :)

  44. Wolfclaw

    What do you expect from our corrupt Tory government, if they are not caught hiding money offshore, awarding contracts to mates and then turning up on the board of directors, they are helping the fat cat banks rip off their customers !
