Phishing failures

Source: Finextra Research

UK banks are whistling in the wind if they believe they can deny compensation to customers who have fallen victim to phishing fraud.

In the first six months of the year, UK banks refunded £4.5 million to 2000 customers who had lost money in online banking scams. Now, the banking industry payments group Apacs has warned that compensation may be denied in future to consumers who ignore repeated warnings and continue to respond to rogue e-mails.
Sandra Quinn, Apacs spokeswoman, says banks may no longer automatically accept liability for future losses if they believe consumers had been sufficiently aware of fraud risks.
"We want to make sure customers know what types of frauds there are and how to avoid being a victim," she says. "While customers don't know of all the risks, the safety net exists."
But she adds: "What we have always said is that we won't forever provide a guarantee."
Taken at face value, the banks' position appears reasonable. Phishing frauds, in which consumers are directed by e-mail to bogus bank log-in pages and encouraged to update their security details, have received widespread publicity and banks have repeatedly urged their customers not to respond to unsolicited mail.
More recently, however, fraudsters have developed more sophisticated variants on the basic phishing scam. They may, for instance, target customers of banks that have recently experienced technical problems or Internet security scares. Alternatively, customers may be directed to fake courier sites to confirm shipping of non-existent goods ordered by credit card. At the top end of the scale, consumer PCs may be infected with Trojan malware, programmed to download keystrokes at online bank sites.
Experienced PC users tend to forget how intimidating and complex computers can seem to novice users. For many, grasping the basic concepts of word processing, Internet access and file management is a triumph. Expecting these same users to also master the art of regular patch management and virus scanning is absurd.
Besides, banks have it within their gift to stop the phishers dead in their tracks. By introducing two-factor authentication, in which basic password entry is augmented with personal data exchange between bank and consumer, the banks can shut the doors on the scammers once and for all. In the international markets, some banks have experimented with SMS messaging or the issue of personal digital tokens to achieve this. In the UK, it would be possible to leverage the investment in Chip and PIN and have consumers tap their PINs into a personal card reader in return for a one-time Web log-in code.
Rather than taking a tough line with the punters, banks should look to their own standards of conduct and ask: "Have we done all that we can to protect our customers?"
In this instance, the answer is a resounding "No".
