19 November 2004
Source: Finextra Research
UK banks are whistling in the wind if they believe they can deny compensation to customers who have fallen victim to phishing fraud.
In the first six months of the year, UK banks refunded £4.5 million to 2000 customers who had lost money in online banking scams. Now the banking industry payments group Apacs has warned that compensation may in future be denied to consumers who ignore repeated warnings and continue to respond to rogue e-mails.
Sandra Quinn, Apacs spokeswoman, says banks may no longer automatically accept liability for future losses if they believe consumers had been sufficiently aware of fraud risks.
"We want to make sure customers know what types of frauds there are and how to avoid being a victim," she says. "While customers don't know of all the risks, the safety net exists."
But she adds: "What we have always said is that we won't forever provide a guarantee."
Taken at face value, the banks' position appears reasonable. Phishing frauds, in which consumers are directed by e-mail to bogus bank log-in pages and encouraged to update their security details, have received widespread publicity and banks have repeatedly urged their customers not to respond to unsolicited mail.
More recently, however, fraudsters have developed more sophisticated variants on the basic phishing scam. They may, for instance, target customers of banks that have recently experienced technical problems or Internet security scares. Alternatively, customers may be directed to fake courier sites to confirm shipping of non-existent goods ordered by credit card. At the top end of the scale, consumers' PCs may be infected with Trojan malware programmed to capture the keystrokes entered at online banking sites.
Experienced PC users tend to forget how intimidating and complex computers can seem to novice users. For many, grasping the basic concepts of word processing, Internet access and file management is a triumph. Expecting these same users to also master the art of regular patch management and virus scanning is absurd.
Besides, banks have it within their gift to stop the phishers dead in their tracks. By introducing two-factor authentication, in which basic password entry is augmented with a second credential exchanged between bank and consumer, the banks can shut the doors on the scammers once and for all. In international markets, some banks have experimented with SMS messaging or with issuing personal digital tokens to achieve this. In the UK, it would be possible to leverage the investment in Chip and PIN and have consumers tap their PINs into a personal card reader in return for a one-time Web log-in code.
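To make that last mechanism concrete, here is an added toy model (not from Finextra, Apacs or any bank's product) of a card-reader one-time log-in code: the bank issues a fresh challenge for each log-in, the card answers with a truncated HMAC over it only after the correct PIN is entered, and the bank accepts each challenge's code exactly once, so a code harvested by a phishing page cannot be replayed. The key size, the 8-digit code length and the HMAC-SHA256 construction are assumptions for illustration.

```python
import hmac
import hashlib
import secrets

def truncate(mac: bytes) -> str:
    """Fold a MAC into an 8-digit code the customer can read off the reader display."""
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"

class CardReader:
    """Constructed model of a personal card reader holding the chip card's secret key."""
    def __init__(self, key: bytes, pin: str):
        self._key, self._pin = key, pin

    def one_time_code(self, pin_entered: str, challenge: str):
        # The card only answers after the correct PIN: something held plus something known.
        if not hmac.compare_digest(pin_entered, self._pin):
            return None
        return truncate(hmac.new(self._key, challenge.encode(), hashlib.sha256).digest())

class BankServer:
    """Constructed model of the bank: a fresh challenge per log-in, each accepted once."""
    def __init__(self, card_keys: dict):
        self._keys = card_keys      # customer id -> key shared with that customer's card
        self._pending = {}          # customer id -> outstanding challenge, if any

    def issue_challenge(self, customer: str) -> str:
        self._pending[customer] = f"{secrets.randbelow(10**8):08d}"
        return self._pending[customer]

    def verify(self, customer: str, code) -> bool:
        challenge = self._pending.pop(customer, None)   # spent whether or not it matches
        if challenge is None or code is None:
            return False
        expected = truncate(hmac.new(self._keys[customer], challenge.encode(), hashlib.sha256).digest())
        return hmac.compare_digest(expected, code)

def demo() -> dict:
    """Walk through a genuine log-in, then a replay of the same code by a phisher."""
    key = secrets.token_bytes(16)                      # constructed card key for "alice"
    bank, reader = BankServer({"alice": key}), CardReader(key, "1234")
    challenge = bank.issue_challenge("alice")
    code = reader.one_time_code("1234", challenge)
    results = {"login": bank.verify("alice", code)}
    # A phisher who harvested the code cannot reuse it: the challenge is already spent.
    results["replay"] = bank.verify("alice", code)
    # Without the correct PIN the reader shows no code, so a stolen card alone does not log in.
    results["wrong_pin"] = reader.one_time_code("0000", challenge) is None
    return results
```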
Rather than taking a tough line with the punters, banks should look to their own standards of conduct and ask: "Have we done all that we can to protect our customers?"
In this instance, the answer is a resounding "No".