Will you get reimbursed if you're a bank fraud victim? Brits think not

Bank customers worldwide are often in the dark about whether or not they’ll be reimbursed for fraudulent transactions. Customers’ understanding of bank terms and conditions is often sketchy, according to an international study by academics. The researchers found that there is significant variation worldwide, and even within …

  1. tiggity Silver badge

    I just say no

    To online banking, on any device (and phone banking too) as it removes the attack vectors.

    I can understand businesses needing online banking when making many and / or complex financial transactions, but for personal banking, not worth the security hassle

    1. Voland's right hand Silver badge

      Re: I just say no

      but for personal banking, not worth the security hassle

      Try spending a few months a year abroad and/or having any or all of the following:

      1. Assets abroad (real estate, car, whatever).

      2. Relatives in need of regular financial support abroad.

      3. Having to pay tax in more than one jurisdiction

      That is not as uncommon as one would think - there are 2 million Brits according to official statistics who are in this position. In reality, the official stats are probably an underestimate by at least 50%, because quite a few British pensioners pretend to be still living in Britain so they can continue drawing their state pension and benefits in Britain instead of having it transferred (to a net financial loss) to an EU country.

    2. Anonymous Coward

      Re: I just say no

      It depends on what sort of authentication model the bank is using to protect the online access systems. Ones that use a simple account number (or user name) plus password are pretty prone to attack, however adding the entry of 2 or 3 letters from an additional security word does make them better. Of course if the authentication information is written down (which I suspect a lot of people do) then all bets are off.

      The best I've come across is an on-line account number coupled with an access code that is generated by a small device from my bank card; you have to enter the PIN in order to generate the code, and the device is recorded and associated with my account. Therefore someone would have to get my on-line account number (which is different from my main bank account number), my bank card, my device and my PIN (which is never, ever written down - not even my wife knows it).

    3. Lars Silver badge
      Coat

      Re: I just say no

      To say no would be too time consuming for me, but I never use Windows for any online banking, so far so good, for 18 years. Perhaps it's more about the banks or just good luck.

      1. Anonymous Coward

        Re: I just say no

        I'd say it's good housekeeping as well as making an informed choice.

        It starts with analysing how safe a bank's Internet portal actually is. I don't use a bank that doesn't use decent 2 factor and less than 256bit crypto. Just say no.

    4. Anonymous Coward

      Re: I just say no

      I just say no to online banking, on any device (and phone banking too) as it removes the attack vectors

      I wish - I live in 3 countries and without electronics it would simply become impossible to manage. That being said, every access I have that matters is 2 factor with passwords that I change quarterly. I run my passwords through cracking software (yes, hosted locally, thanks :) ) so I have a reasonable idea of how safe they are, and I do read the details of cert alerts.

      I don't get certificate alerts with the banks I use, but I once had it with email in Ireland where a hotel WiFi tried to make me accept a cert to read my email. Yeah right..

  2. heyrick Silver badge

    And what can you do...

    ...when your bank (Crédit Mutuel) decides to "enhance" your banking app security by getting rid of an alphabetic password (nine characters long, word from an obscure language so unlikely to be in a dictionary) and replaces it with an assigned five digit number that makes a pattern on the keypad (probably intended as a memory aid but this surely reduces randomness).

    Why is it always OUR liability to follow security practice when the banks so often seem to do the opposite bare minimum?

    1. Bob Dole (tm)

      Re: And what can you do...

      I've yet to find a banking site that has actually put any thought whatsoever into passwords.

      Some boneheaded ones that reveal serious underlying issues:

      - characters such as %, &, @ and even * being blacklisted.

      - maximum limit of 10 characters

      - account lockout after 3 attempts

      The first one shows that they don't properly sanitize their inputs and certainly don't hash the passwords prior to storing them in the database. Any typeable character on a keyboard ought to be allowed. There's simply no reason in today's world to have black listed characters unless you truly have no idea what you are doing.

      The second one says that they are using an archaic database and haven't quite figured out that there are plenty of people using much more secure "pass phrases" instead.

      The third one basically shows that they don't realize that people may have a dozen or so passwords across all their service sites and often take several attempts to remember which one goes here. I can understand locking the account after say 20 attempts, but 3 is just not enough. It's worse when you have to call them to get it fixed and banking hours don't quite work with when normal people need access.

      1. viscount

        Re: And what can you do...

        It is not true that blocking special characters means the bank is not hashing or otherwise protecting passwords. More likely the banks want to avoid the confusion that occurs when people try to enter special characters on keyboards or character sets that they do not usually use, and because it is a masked field they cannot easily tell they have made an input error. So they lock themselves out and cause havoc.

        1. Anonymous Coward

          Re: And what can you do...

          But you have to verify passwords, so surely (Shirley) they know what they've input.

          1. SkippyBing

            Re: And what can you do...

            'But you have to verify passwords, so surely (Shirley) they know what they've input.'

            That works if you're only ever logging on from the same computer, for instance I have a laptop with a US keyboard as well as a PC and laptop with a UK keyboard. To be extra tricky the US keyboard is set up as a UK one as I touch type which is fine but not all the characters are where I expect because it's a laptop keyboard and the layout is a bit odd at the edges.

            1. Anonymous Coward

              Re: And what can you do...

              That works if you're only ever logging on from the same computer, for instance I have a laptop with a US keyboard as well as a PC and laptop with a UK keyboard.

              Try having to work with US, UK, French (AZERTY) and Swiss (QUARTZ - German with a twist) layouts. Yes, I use all of them because offices have localised keyboards.

              I've resorted to typing the password in a text editor somewhere and then pasting it where I need it as especially the system passwords contain lots of non-alphanum characters..

        2. Nick Kew
          Trollface

          Re: And what can you do...

          Perhaps they should blacklist the real sources of confusion. Headed by I, l, 1, and maybe |.

      2. Lars Silver badge
        Coat

        Re: And what can you do...

        "but 3 is just not enough".

        On SCO Unix the default was 9 and we soon learned that even that was too low for many customers, and we gave up, and started to increase the default right from the beginning. SCO Unix was actually quite good, but delivered on rubbish PC hardware, compared to all the other Unix versions.

      3. veti Silver badge

        Re: And what can you do...

        The 'blacklisted characters' may be rejected by the web server, before they ever get passed to the database. That would be a practical precaution against SQL injection attacks, and applied probably to all fields in all forms.

        Not the best way to do it, by a long shot, but practical.
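
An added example, not part of the thread or any bank's code: the alternative to blacklisting characters that the comments above argue over, with a parameterized query and a salted hash so that any typeable character and any passphrase length is handled as plain data. The table layout, function names and PBKDF2 iteration count are assumptions made for this sketch.

```python
import hashlib
import hmac
import os
import sqlite3

# Assumed work factor for this sketch; tune it for your own hardware.
PBKDF2_ITERATIONS = 600_000


def make_db():
    """In-memory user table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return db


def _derive(password, salt):
    # The KDF takes arbitrary bytes, so no character needs to be rejected,
    # and the output is 32 bytes whatever the input length.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def register(db, name, password):
    salt = os.urandom(16)
    # Placeholders keep values out of the SQL text: quotes, %, &, @ and *
    # are bound as data, never parsed as part of the statement.
    db.execute("INSERT INTO users (name, salt, pw_hash) VALUES (?, ?, ?)",
               (name, salt, _derive(password, salt)))


def verify(db, name, password):
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?",
                     (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison of the stored and recomputed hashes.
    return hmac.compare_digest(stored, _derive(password, salt))


def stored_hash_len(db, name):
    row = db.execute("SELECT length(pw_hash) FROM users WHERE name = ?",
                     (name,)).fetchone()
    return row[0]
```

The stored column is the same size for a ten-character password and a sixty-character passphrase, so neither a character blacklist nor a short maximum length is needed to protect the database.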

    2. Anonymous Coward

      Re: And what can you do...

      You can actually send them a registered letter in which you lay out the deficiencies and inform them that you deem them liable for any breaches as a consequence. That doesn't change your contractual liabilities (as that would require an agreement on both sides), but it ought to create all sorts of pain when it goes wrong - after all, they were informed of such a weakness and didn't act which raises the legal spectre of criminal negligence, and that's one they can't walk away from (AFAIK, IANAL but I often find ways to scare the crap out of banks in ways that prevent an escape route via drawing out civil litigation).

  3. Mike 16

    Reading the T&Cs

    is pretty pointless when, in among them, is one that typically reads

    User agrees that Bank may change any or all of these terms at any time, without notice, and the change will take effect immediately. User also waives the right to contest changes in any legal forum with the sole exception of a mediator chosen and paid by Bank.

    OK, maybe not so bluntly, but it's in there, at least in the U.S.

    1. Anonymous Coward

      Re: Reading the T&Cs

      I love a good moan as much as the next person, but in England I have never seen a bank T&C like that. They have specific terms covering variation and they are quite onerous to the bank.

      1. Anonymous Coward

        Re: Reading the T&Cs

        I love a good moan as much as the next person, but in England I have never seen a bank T&C like that. They have specific terms covering variation and they are quite onerous to the bank.

        I don't have the time to look it up right now but if I recall correctly there are rules prescribed by the FCA for that and God help the bank who tries to wriggle their way past that. Besides that you also have the unfair contract terms in consumer legislation which may come in sideways if the banks get too creative. The UK does have a couple of decent bits of protection for the consumer (which arrived, of course, after a large enough contingent of people got shafted to impact the way they vote - I'm still a cynic :) ).

    2. lorisarvendu

      Re: Reading the T&Cs

      My wife works for a certain UK High Street bank (she rides to work on a large black horse) and they always refund and reimburse in cases of debit card fraud (usually card cloning or Microsoft ringing up about your virus), even though the T&C's don't say they have to.

  4. auburnman
    Unhappy

    I'm just sad that El Reg felt it necessary to explain who Captain Mainwaring was. Yes Dad's Army was aired many decades ago, but is it really so obscure a reference?

    1. Boothy

      Especially when the film only came out a few months back!

  5. SkippyBing

    To be fair to my bank, who I think are now called Santander, on the two occasions large sums of money have gone missing from my account they've reimbursed it all without question and seamlessly changed my account number. Oddly enough both occasions were during/after a trip to the US. The first time when I sent a little complaint about how long it was taking they even gave me an extra £50 as compensation.

  6. Anonymous Coward

    actually

    Pretty sure at least in the US by law if it's a credit transaction the customer is only responsible for the first $50 in cases of fraud (unless I guess gross negligence by the customer can be shown). Don't think that applies to debit transactions but I could be wrong.

    1. Anonymous Coward

      Re: actually

      Actually it looks like you are only responsible even for the $50 if the thief actually presents your card in person otherwise you are not liable at all (such as fraud over the internet). Also it looks like even debit cards have protections by law if reported missing/stolen in a timely manner. No wonder Brits are so much more paranoid about credit card fraud. In the US it's more considered a cost of doing business on the companies (as opposed to a giant risk to the individual customer) and why we are only now moving away from magnetic stripe, etc.

  7. James Anderson

    What's the point of wading through all the legal gobbledygook when

    a). Somewhere buried in there is the "we reserve the right to change these conditions with a moment's notice".

    b). Consumer and Credit law trumps most of the conditions so it's mostly bluff.

  8. Anonymous Coward

    Prove it

    I'm an internet banking sceptic (and not a septic) and have refused to sign up for a few with dodgy terms and conditions (I'm looking at you Dansk Bank Ireland, asking me to accept liability for any losses resulting from a failure of security on YOUR side) but for some of these, I'd question how you could prove they had been violated...using the same PIN for 2 different bank accounts or writing it down in your phone contacts as Aunt Mabel 021-213-PIN#?

  9. WailingBanshee

    And a major part of the confusion is deliberate policy

    Identity theft - no such thing

    Bank fraud, yup - banks get defrauded not their customers.

    If the bank hands over any money from your account to someone else then they are 100% liable. If you make it easy for someone else to defraud the bank and the bank can prove it, they'll come after you for a share/all of the amount lost.

    You are not liable for the bank's mistakes

  10. druck Silver badge
    Meh

    Re-imbursement yo-yo

    I've suffered two incidents of fraud, in each case I was initially re-imbursed, then the bank decided to take the money back again. A strongly worded complaint to my branch manager reversed that decision in each case.
