Time to switch to bitcoin.
Same interest rate (0%). Same uncertain future. Better chance of not being defrauded.
Bank customers may be obliged to bear the bill for fraud against their accounts, under proposed changes mulled by banks, the UK government and GCHQ. Under the plans, individuals or companies with poor online security could be “frozen out of banking services or even excluded from the system whereby banks compensate customers …
Surely this is a many-way thing?
Banks are accountable for their systems and making them secure in the first place. Not our fault if their back-end systems and applications are poorly written or don't comply with good practice.
Conversely, customers should be a bit accountable against "stupid things" - giving out PIN numbers and personal data to people who ask for it.
However it would be naive to expect every person of any age and intelligence to be fully up-to-date with all methods of attacking banking.
Whose fault is it, for example, if someone skims my bank card at a hole in the wall, or malware gets onto a web site that I visit?
Is it
- the virtually anonymous web site with all its security / defects
- the customer who just wants to buy something
- the bank.
Sounds to me like it's just big business trying to dump on the smaller guy again.
I wonder what the impact on the economy would be if people don't trust the banking system any more?
In addition, Britain seems to be unique in my experience in not commonly using card readers. The Netherlands have had them for at least 12 years, as has Germany, and these have dramatically reduced fraud of this type. I asked Lloyds if they have one to use on their normal account and they looked at me as if I had asked for a glass of unicorn milk. Perhaps the UK banks could update their systems to something at least from this century.
Nationwide have only recently improved their website rating from an "F" fail to a "B" rating; RBS scores an "A". (SSL Labs online test: https://www.ssllabs.com/ssltest/index.html)
If they're thinking of shoving fraud liability onto the customer, they should at least start by making sure all their sites are A+ at the very least.
Icon: Your local bank manager (that's right, he's gone to a better place).
> If they're thinking of shoving fraud liability onto the customer, they should at least start by making sure all their sites are A+ at the very least.
They should do a whole load to improve security.
I'm thinking primarily of the "3D Secure"[1] system. The banks are actively promoting putting (fragments of) a password into an iframe on a website that does not come from the bank's server. IIRC, even the iframe does not come from the bank.
This is just asking to be MiTMed...
Vic.
[1] Ha!
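Added example, not from any post in this thread nor from the 3D Secure specification or any bank's code: the embedding side of what Vic describes, a merchant checkout page that loads the issuer's challenge frame and refuses to act on any result it cannot attribute to the origin it expected. The origin https://acs.example-issuer.test, the message fields and the transaction ids are all constructed for illustration.

```javascript
// Added example, not from the original thread or from any bank or card
// scheme's code. A merchant checkout page that embeds an issuer's 3D Secure
// challenge frame and only acts on results it can attribute to the origin it
// expected. All origins, field names and ids below are constructed.

// Assumed origin of the issuer's access control server (ACS) that serves the
// challenge frame. Exact-match allow-list, never a substring check.
const ACS_ORIGINS = new Set(["https://acs.example-issuer.test"]);

// State the page keeps for the payment currently being challenged.
function createPendingChallenge(txId) {
  return { txId, completed: false, outcome: null };
}

// True only for an https origin that is literally on the allow-list.
// "https://acs.example-issuer.test.evil.test", an http:// downgrade or the
// opaque "null" origin all fail, which a prefix or indexOf check would not
// guarantee.
function isTrustedOrigin(origin) {
  let parsed;
  try {
    parsed = new URL(origin);
  } catch (e) {
    return false;
  }
  return parsed.protocol === "https:" && ACS_ORIGINS.has(parsed.origin);
}

// Decide what to do with one postMessage event from the frame. Returns a
// short decision string so the caller can log why a message was dropped.
function handleAcsMessage(event, pending) {
  if (!isTrustedOrigin(event.origin)) return "rejected: untrusted origin";
  const data = event.data;
  if (!data || typeof data !== "object") return "rejected: malformed message";
  if (data.txId !== pending.txId) return "rejected: transaction mismatch";
  if (pending.completed) return "rejected: duplicate result";
  if (data.status !== "authenticated" && data.status !== "failed") {
    return "rejected: unknown status";
  }
  pending.completed = true;
  pending.outcome = data.status;
  return "accepted: " + data.status;
}

// Wiring for a real page: embed the frame at the assumed challenge URL and
// listen for its result.
function mountChallenge(txId, container) {
  const pending = createPendingChallenge(txId);
  const frame = document.createElement("iframe");
  frame.src =
    "https://acs.example-issuer.test/challenge?tx=" + encodeURIComponent(txId);
  // sandbox: the frame may run its script and submit its form but cannot
  // navigate the top-level checkout page away. allow-same-origin keeps the
  // frame's real origin; without it event.origin would be the opaque "null"
  // and the check above could never pass.
  frame.setAttribute("sandbox", "allow-scripts allow-forms allow-same-origin");
  container.appendChild(frame);
  window.addEventListener("message", (event) => {
    const decision = handleAcsMessage(event, pending);
    console.log("3DS frame:", decision);
  });
  return pending;
}

// Only mount when actually running in a browser.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  mountChallenge("tx-constructed-0001", document.body);
}
```

The origin check only tells the checkout page which frame it is allowed to listen to; it does nothing for the customer, who still sees a password prompt inside someone else's page. The merchant's server must also confirm the authentication outcome over its own channel to the scheme before capturing the payment, never on the strength of a browser message alone.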
I've been a customer of at least 10 different banks here in Germany, business and private, over the last 20 years. Only 2 or 3 of those actually wrote that their online banking can work with card readers. 2 even offered card readers in their shop, somewhere around €30-35.
Yes, in NL it's a default completely.
Can't say if NL is more secure or pays less in total for fraud damages.
Sure, card readers help, but then again one should also ask oneself whether it isn't there just to create a false sense of security. For the Netherlands specifically, the "change of liability" now suggested in the UK already happened there in 2013 (https://www.security.nl/posting/370459/Banken+stellen+nieuwe+regels+voor+internetbankieren) when the banks (were allowed to) institute policies making the customer the main responsible party in cases of fraud, and putting the obligation to prove no neglect and/or wrongdoing on the customer. I remember because of the initial outcry (which, as always in the Netherlands, died down; everybody forgot, while the policies are still in place) and the amusing discussion concerning standards. Ask yourself, when is your system up-to-date? Well protected? Ahhh, virus and malware protection... Closed system, you say? Anybody see "opportunities" for quick issue resolution? Oh, and don't even think of using that funny free software crap called Linux (which they use for their own servers), because that isn't recognised as a "safe OS" by Dutch banks (http://langleveeuropa.nl/2013/11/klant-nu-verantwoordelijk-voor-beveiliging-van-banken-en-aansprakelijk-voor-schade/). =0
I have a card reader I don't use, because if I use it, I assume liability for fraud, or what appears to be fraud. Read the fine print of your agreement. However, if I stick to the password and security questions, there is a grey area of doubt. I also use the phone for those transactions I can't do online.
The banks have been trying to palm off responsibility for errors for decades. I remember arguing until I was blue in the face that some cash-point machine error had nothing to do with any personal security lapse, and finally they admitted that the machine had a glitch and all customers that day had similarly had 'sloppy personal security'. Banks are always willing to let us take the blame, knowing it's almost impossible to prove that we are innocent.
Well said! I had an argument with a bank thirty years ago about their supposedly 'unbreakable security' when I noticed a £50 withdrawal from my account that I knew I hadn't made. Given that back then I worked as a mainframe operator and was a keen computer hobbyist, I knew darned well I was being fed a load of BS, and as they wouldn't restore the stolen funds to my account (withdrawn in a town I'd never visited, and bearing in mind I can't drive, at a time I couldn't have been there at and still been in the bank's face about it the following day), I promptly changed banks.
I've long wondered whether the move to online banking was pushed so hard at least in part with an eye to eventually trying to blame the customers for any losses. Let's face it, the internet as it currently exists and is used, is simply not fit for purpose for online banking. The banks are liable in encouraging customers to try to bank that way, IMHO.
Yeah, far better to stick all your notes in a mattress.
In this day and age of negative interest, and the banks trying to take any and every advantage over their users... (see this article)
What exactly would the difference be... At least I know that my Money would be safer with me.
How do you prove who is liable?
Is it me for not updating my operating system?
Is it the manufacturer for not supplying an update?
Is it the bank for allowing the software to run or install on my computer or device with outdated software or browser?
Is it me for not running or updating anti-virus?
Is it the anti-virus software for not spotting a zero day vuln?
If you move liability away from the banks then does anyone really think they are going to spend money on decent security?
Why is it that we have an elected government by the people that never actually works in the interest of the people? Change needs to happen.
"I have a sneaking suspicion that the customer will be liable by default"
^This.
For some time, the banks I log into were trying to push Rapport, for example - and I even had conversations with banking staff in which they asked if I had it installed and suggesting I install it if not (I usually told them exactly what I thought about that piece of software).
I can well imagine it being a case of "Didn't have Rapport installed? Definitely your fault, then."
Similar issue a couple of years ago with Rapport, and after being ceaselessly nagged by the bank website to install it, I rang their online banking tech support to try to have a sensible conversation. More fool me.
My questions:
"Why does your site keep nagging me to install a piece of software when I'm a linux user (as your site can tell from my browser) and you provide only Mac and Windows versions of this software? If this software is so important for online banking security, where can I get hold of a linux version?"
Their *online banking tech support person* response:
"What's 'linux'?"
FFS.
You forgot the part where the bank expects you to run some shit that they have been paid to plug, lie about, and if you're lucky it only cocks up your machine.
I'm thinking here of NatWest's constant nagging for my mother to install Trusteer Rapport... well... http://www.advantage77.com/2014/09/03/rapport-more-problems-than-its-worth/
As is common in the computer industry, Trusteer Rapport is an absolute con. They've conned the banks into buying this shit off them. The banks give it away to make people think they (the bank) care about security. They don't. They don't understand security. They are sooner or later going to insist their users run Rapport. When they do, I'm not using online banking any more, at least from a PC.
Whenever we have a client with poor speed, intermittent network connection or just plain weirdness on their computer, first thing we look for is Rapport. Removing it usually solves the problem. At best, it slows down internet access; at worst it completely fucks up the machine, resulting in problems booting. I've seen it.
Sounds like a nice little earner.
I suspect the bank receives a direct commission from sales resulting from their referrals. Why would they care that it's snake oil their trusted partner is flogging to their hapless customers, as long as it brings in $PROFIT?
Doubtless they'll be getting a nice little commission on the fraudulent debits they allow from your account too, once they've bought this "proposed" legislation. Just as they do in the US.
... I get to specify hardware, software, development methods & tools, uk-based operations, staff pay and conditions at the bank it dept.
Or to put it more simply, I'll take the blame for electronic fraud once I am CTO. Otherwise, the current CTO should take responsibility.
The reality is that:
Bank will specify hardware: PC
Bank will specify software: Windows with bank sponsored malware (sorry, security software) installed via a bank affiliated download so that the bank gets its marketing cut. The favorite is some crapware named after some mutt variety.
Bank will specify development methods: Bangalore
Bank will specify location of operations: Bangalore
And you will have the responsibility. HSBC already tried that. More than once.
I tried to raise with them the fact that the way they had redirected to the co-sponsored download was open to cross-site scripting, so _ANYONE_ could shovel a download to a customer PC through that hole and the customer would have accepted it as verified by the bank. This gives you the idea of the competence involved.
After spending 10 minutes trying to parse Bangalorian into English I gave up, closed the account and moved to Nationwide.
> After spending 10 minutes trying to parse Bangalorian into English I gave up, closed the account and moved to Nationwide.
Late last year Nationwide outsourced a load of their IT operations to CrapGemini, and signed an automation deal with TCS, so you'd better move again. Meanwhile the CEO of Nationwide paid himself £3.3m last year, an amount that has doubled in five years.
It would seem to me that the management of Nationwide are the same talent free snout-in-the-trough types as run the rest of the financial services sector.
If conscious culpability can be proven by proper process of court, then fine... but that's not what this is, of course. Arbitrary shirking by the thereafter-wilfully-negligent corporation: just like the US. Our money-grubbing twats have "identity theft" (sic) envy.
Still... if they get their grubby little scam passed, it'll be good motivation to move my banking to a more civilised country... and I'll probably pay a bit less tax as a result :D
Well, I have online accounts with multiple banks (I'm not rich; it's different accounts for different uses) and I won't use the suggested anti-virus software from any of them.
Their software is invariably huge, hogs the CPU and doesn't play well with other regular AV software. Anyone tried Rapport?
Let alone trying to host multiple banking security software on a single device; that would make psychotic ferrets in a sack look like a Buddhist monastery at prayer by comparison.
Rapport is shit, pure and simple. At best it just makes your internet slow. At worst, it will brick your PC. I tested it once. I had made an image of a PC. I tried to take Rapport off the machine and it tried to make me keep it by saying that it had protected me from 6 actual online threat instances. I reloaded the image and tried again and it said it had protected me from 4 actual online threats.
So it seems it lies to you as well as fucks with your PC and steals your information.
Banks encourage bad consumer IT security practices.
Cannot comment on "modern" logging into online banking, as I have avoided it since the early days, after the initial online banking offering made to me was IE only with no solution available for a more configurable / secure browser on a more secure OS. I happily functioned without online banking, so never revisited to see the current state of play in online banking logon.
However, I have encountered the dross that is 3DSecure (Verified by Visa et al), so often used when you are asked to purchase something: lots of dubious JS / traffic to site(s) totally different to the vendor website, the sort of thing that would make a security-savvy user think there was some dodgy third-party attempt to defraud them, and people are encouraged to think this is a good security model! No wonder so many people are defrauded online.
Despite their bad treatment of staff & tax dodging, which I dislike massively, Amazon grudgingly get some of my online purchases heading their way, precisely because they do not do verified by visa stuff (I abort transactions if VbyV stuff used).
(Amazon get my cash in cases when other places I have tried to buy from have gone all VbyV on me, & I have lost will to live in trying & failing to find a non VbyV vendor that is not Amazon for that item)
There used to be other sites that did not require javascript, but they changed and I abandoned them. I would really like Amazon to have some competition, but there are only so many times I am prepared to fail to create a new account before I go back to the site I know will work.
If only 'Do you want a free trial of Amazon Prime' were as simple to avoid as a Windows 10 downgrade.
That "Verified by Visa" crap is the only reason I use a credit card (credit cards don't prompt the Verified by Visa window when online shopping). Really, VbV is the most useless thing I have ever seen, and works so rarely that it can make a 2 minute online shop last 30+ minutes.
Quite frankly, things are going in such a bad direction with banking that I have switched to cash only. Apart from the credit card for online purchases, everything else is cash. No need for a card reader, a PIN, some sort of fancy in-phone-contactless-app crap or other tracking system wrapped in a security nightmare that I will be liable for. When I want to buy something I just put down the cash, with no faff.
I also rediscovered the joy of actually going into my branch and dealing with my account with a human being. Usually I can get problems fixed quickly, and my complaints have to be dealt there and then by the manager rather than a ticket logged somewhere in Bangalore after waiting 30+ minutes on the phone. Of course, because everyone does online banking now, the branch is usually really empty as well.
Although I concede that not everyone has a local branch nearby, I would imagine most do. Bank branches are pretty common, along with a pub and post office, even in small towns.
@tiggity
> (Amazon get my cash in cases when other places I have tried to buy from have gone all VbyV on me, & I have lost will to live in trying & failing to find a non VbyV vendor that is not Amazon for that item)
You can ring your card issuer and ask for VbV to be removed[1]. That was several years back now and only once since then have I had to buy using a different card because a site refused to work without VbV on.
[1] Well, my lot did it for me. YMMV.
One of the reasons that people get caught by phishing attacks is the banks' idiotic behaviour when they call you and demand you answer "security questions" - when *they're* the unknown quantity.
I always decline to do so, and try to explain that I'm not going to answer questions from some random stranger who's called my number, and nor am I going to call any number they give me - at least not until and unless they prove who they are to my satisfaction first.
Another example of cretinous behaviour on their part:
Most of my bank accounts are protected by 2FA of one sort or another. One day, using a shiny new laptop, I logged in to one of my accounts (that uses a PIN protected challenge/response key generator thingy), authenticated with multiple user codes, plus the 2FA response, arranged a regular payment _to an existing recipient_, received confirmation of payment and logged off.
A couple of days later, I went to log in again, to be told that my account was "not initialised properly" (or some such) and I could not login. Figuring this was some temporary glitch at their end, I tried again the next day. Still no access. After a couple of days of this, I gave in and called their support number. After passing their security questions, they told me that my account had been frozen (no payments out, internet access blocked) due to "suspected fraudulent activity" (the payment that I made online [by now] a week earlier [which they'd actually cancelled]). I asked what was the point of having and using 2FA and all their other security measures if they were all going to be overridden/ignored just because I used a new computer!
While I do appreciate that they are supposed to make efforts to prevent fraud, a single minor difference out of several test elements should not be enough for them to a) lock me out of my own account, b) cause payments to be summarily cancelled, and (most especially) c) do this all without making any sort of attempt to contact me in any way.
My bank do it right. For any new payments that I want to set up the process is so complicated that I have to look up how to do it each time. It is so much of a faff that I just phone them instead.
Banks have been trying to shift the onus onto customers for a while now. I get the argument that if there's no customer liability then customers won't take any care but if you're a bank, and you want me to use your online services because it saves you a ton of money, then it's your liability if that system is flawed (and that includes flaws that make it easy for the customer to make a mistake that allows fraud).
Both of these reduce Fraud. In a sense!
Except they reduce it MORE for the bank than for the customer, because Chip & PIN fraud is usually deemed to be customer carelessness. Contactless was designed for warehouses. It should NEVER have been used for payments; it's not secure and people are being harvested with portable devices. Chip & PIN as implemented has a MASSIVE flaw, as it doesn't depend on a connection to the bank to verify the PIN, and there is inadequate physical security of shop terminals. MITM attacks.
All widely documented.
Banks are also stupidly outsourcing IT when it should be a core activity.
Banks are good at conflicting information too.
I had fraud on my chip and sign card.
Bank told me the transaction was PIN verified.
I pointed out that surely if a C&S transaction has been PIN verified, there's a very obvious bad transaction?
They said no, it's perfectly valid to do PIN verification on an account with no PIN.
This is completely wrong. Fraud has gone down to negligible amounts where CHIP & PIN has been introduced (except of course for Card Not Present, where there is neither CHIP nor PIN).
Why do you think the incidence of card present fraud is so high in the USA? It's because they haven't widely implemented CHIP & PIN. They're rushing to implement it now, but meanwhile fraudsters are having a field day.
Also, any issuer (e.g. a bank) must accept a no customer liability clause if they want to issue Visa Paywave or MC PayPass cards.
I avoid contactless since a friend I was with managed to spend rather a lot in a pub - rather more than we could have drunk - and we decided it must have been a deliberate scam in the bar in question.
In the Co-op yesterday a young lad bought a lot of stuff with a contactless card; his behaviour suggested it wasn't his card. If the Co-op can show his parents the items bought he may well get his arse kicked.
US card procedures have always been incredibly lax.
Back in the 90s, we went to the US with a new credit card and forgot to sign it. It was nearly a fortnight before an Amtrak office apologised for expecting it to be signed. Everyone else hadn't bothered to compare the signature just given with anything, or been bothered that the card was unsigned.