X
Tech
Home Tech Security

Banks to blame users for Web fraud?

commentary When Sydney resident Tim Ireland returned home from a trip down the NSW South Coast, he was horrified to find that his entire savings account had been cleaned out.Reporting the anomaly to his bank, Ireland was told he "must have given his Internet banking password to someone".
Written by Brett Winterford, Contributor

commentary When Sydney resident Tim Ireland returned home from a trip down the NSW South Coast, he was horrified to find that his entire savings account had been cleaned out.

Reporting the anomaly to his bank, Ireland was told he "must have given his Internet banking password to someone". He replied that it definitely wasn't the case. An investigation ensued -- and with the help of the Federal Police it was discovered that Ireland's account had been depleted courtesy of a keystroke-logging Trojan lurking on a PC he had used in a South Coast café during his trip.

The bank eventually refunded the money, wiped the resulting overdraft fees and -- after some wrangling -- waived the interest he'd paid on his credit card while the investigation took place.

To date, victims of Internet fraud in Australia have had much the same experience -- banks provide a guarantee that they will make up for any losses caused by the compromising of user accounts.

But in recent years, fraud-related losses have grown -- to at least AU$25 million a year according to the Australian Securities and Investment Commission (ASIC). There's a lot more financial pressure on banks to mitigate this risk.

So much so that across the Tasman, the New Zealand Banker's Association has revised its code of practice to make users potentially liable for amounts they are defrauded should the bank prove the user's defences (OS and security software) weren't up to scratch.

The Australian Bankers' Association (ABA) has assured customers that such a scenario won't happen here. The banking industry's position on liability has never changed, the association said, and the banks plan to continue to wear the risk.

But recent developments raise some questions about their commitment to staying this course.

The ABA reacted angrily earlier in the year after press reports suggested banks were responsible for lobbying ASIC to consider changes to liability in its pending review of the EFT (Electronic Funds Transfer) Code of Practice in Australia.

In its consultation paper, ASIC stated that "some industry representatives have proposed that users could potentially be made liable under the EFT Code for the full amount of losses from malicious code compromises of account access data unless they have 'minimum' (or sometimes 'adequate') equipment security."

Who might these "industry representatives" be? Banks, perhaps? Are there any other parties that would have something to gain from this scenario?

The language of this proposal is strikingly similar to the code approved in New Zealand.

A quick glance at the member base of both the NZ Banker's Association and ABA is also telling.

The ABA is made of up 25 banks -- the largest of which are Westpac, the ANZ, The Commonwealth Bank of Australia and National Australia Bank.

The member companies of New Zealand's Bankers' Association include Westpac, ANZ, The National Bank of NZ (also owned by the ANZ), ASB Bank (wholly owned by The Commonwealth Bank) and The Bank of New Zealand (wholly owned by National Australia Bank).

Aside from locally-owned Kiwibank and TSB Bank and a handful of internationals, it's an Aussie-owned affair across the Tasman.

This makes the ABA's position look somewhat compromised. Yes, its member banks say they won't make online banking users liable in Australia, but they are more than happy to try it out in New Zealand.

Security getting too expensive?
Clearly, Internet banking fraud is a problem that needs to be contended with.

For some high-value banking customers, the solution is two-factor authentication -- a token-based system which strengthens the security of online banking by exponential degrees.

But the present thinking within the banking sector is that transferring liability to the user is an easier solution. Or perhaps a cheaper one -- as ASIC plainly states in its consultation paper, enhanced security measures such as two-factor authentication involves "significant costs" for banks. Distributing tokens to their whole online customer base is a cost the banks just won't wear.

In the meantime, it looks like our Kiwi neighbours are being used as lab rats in terms of passing liability on to the user.

Ireland is just one who hopes local banks don't follow their Kiwi counterparts. He said that if his bank hadn't eventually come to the party and covered the loss, he would have been in a "nightmare situation".

"It was just prior to Christmas and the amount taken was all the money I had in the world," he said. "I would have been left with absolutely no cash."

"What irked me most is that the banks don't make it clear to you that the onus is on you to [transact securely]," he said. "You assume that your bank is insured if someone walks in and holds the place up, why should online theft be any different?"

Editorial standards
Show Comments

Related

The Apple Watch Ultra 2 with an Atlantic Blue Nomad Rugged Band.

6 reasons to buy an Apple Watch, according to a wearables expert

Placeholder product image alt text

The best AI image generators to try right now

penguin holding an apple on Sonoma background

6 features I wish MacOS would copy from Linux