Banks are rewarding consumers for lax internet security - Met chief

Banks should not refund customers who fall victim to cybercrime offences because it "rewards" them for poor internet security, the Metropolitan Police Commissioner has said.

Bernard Hogan-Howe made the remarks to the Times ahead of planned measures to include cybercrime statistics in official criminal figures, a change which could double official recorded cases of crime.

He says that by reimbursing customers who fall victim to online crime, the banks are effectively incentivising consumers who fail to update anti-virus software and improve passwords.

"If you are continually rewarded for bad behaviour you will probably continue to do it but if the obverse is true you might consider changing behaviour," he told the broadsheet. "The system is not incentivising you to protect yourself. If someone said to you, 'If you've not updated your software I will give you half back,' you would do it."

GCHQ estimates that 80% of cybercrime could be prevented by better passwords and regularly updated security software.

According to a survey by Norton Cybersecurity last year, two in five (44%) UK consumers have fallen victim to cybercrime but about the same number (42%) do not change their passwords after such an attack.

City of London Police chief Adrian Leppard last year said that up to 80% of online crime goes unreported to the authorities.

Speaking at a Tech UK conference, Leppard said that the vast gap between what is reported and the actual threat level arises "primarily because banks are happy to write off incidents as costs, thereby costing the consumer collectively and funding ongoing cyber-criminality".

Hogan-Howe's comments have been criticised by consumer group Which?. Executive director Richard Lloyd says: "With online fraud increasing, this is an astonishingly misjudged proposal from the Met Police Commissioner. The priority should be for banks to better protect their customers, rather than trying to shift blame on to the victims of fraud."

The Met has since moved to defend Hogan-Howe, arguing that although his comments were reported fairly in the Times, it is "wrong" to interpret them as a proposal that fraud victims should not be compensated.

"His comments focused on consumers who don't take basic precautions such as adequate password precaution and security measures - not a blanket proposal for all online fraud victims," states the Met. "It has a parallel to insurance companies who do not pay out on claims if the front door is not secure or car left unlocked. To suggest otherwise is misleading."

Comments: (3)

A Finextra member, 24 March, 2016, 10:22 (0 likes)

I see his point, but I would compare this situation to that of road traffic fatalities.

Endless exhortation, propaganda and in-car safety measures have been undertaken, but only the introduction of self-driving cars will come near to eliminating fatalities. People just don't obey the law and they make mistakes.

Mastercard are right to invest heavily in biometrics and cyber protection, as the human factor needs to be minimised or eliminated if you are really serious.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune, 24 March, 2016, 10:47 (1 like)

There's simply no way a common man can stay on top of the deluge of updates released by app developers who work on a misinterpretation of the modern day "fail fast" philosophy. I stopped using my mobile banking apps long back because of heavy login friction. Subsequently, I have also uninstalled many grocery, handymen and all but two taxi-hailing apps because I was sick and tired of downloading, installing and troubleshooting their 2X / week updates.

Maybe I'm old fashioned but I prefer the times when police simply solved crimes reported to it.

A Finextra member, 25 March, 2016, 12:35 (0 likes)

Blaming the general public (including the truck driver, the kindergarten nurse and the retired reverend) for the currently terribly poor status of IT security is just too simple. The general public has no way to cope with cybercrime, and virus scanners (even if constantly updated and thus being current all the time) cannot reliably protect against advanced polymorphic malware. Such malware is readily available in the darknet at relatively low prices. Phishing techniques have become much more effective too; even highly qualified and highly paid officers at large organisations do regularly fall victim to such practices.

The solution to this dilemma would require a change in technology. Devices that do accept software downloads are by definition vulnerable to malware downloads. Anything running Windows, Linux (including such variants as iOS and Android) or other popular general purpose OSes is not secure. What would be needed are hardcoded browser terminals not accepting any software downloads. Updating functionality would require changing a hardware module obtained from your trusted dealer or in-house IT support organisation. That's not at all flexible - rather also brings a lot of stability, in addition to better IT security, into user environments.
