Hey, that’s a first. A bank
sues a customer over losing money to fraud.
It used to be the other way around. Online banking fraud got to executive level attention when in 2005 Bank of America was
sued by a customer who got infected with a Trojan and lost $90,000. This was a commercial account, but it had huge ramifications on consumer security.
The funny thing is that back then, Trojans hardly touched commercial banking. In 2005, Trojan developers looked at commercial banking defenses and said: no way are we going to attack that. All these “digital signature” and 2-factor stuff is overwhelming.
Consumer banking is so much easier!
Which started a spiraling arms race, especially in Europe. Cybercriminals attacked retail banks; they responded by introducing higher security, propelling the fraudsters to develop further. Like in antibiotics, the germs do not really go away; they just
get more resilient so the next battle with them gets more difficult. From simple keyloggers in 2005, we’re now up against Man in the Browser Trojans.
And at some point the Trojan operators take a step back and say: you know what? Our weapons are so high-grade that we can start using them against the big guys: the commercial customers. To paraphrase Willie Sutton,
That’s where the BIG money is.
Which is why the FBI recently
warned about small businesses losing $100 million to financial Trojans.
The Customer is Always Right
In the UK, banks toyed for a long while with the idea of shifting responsibility to the customer. I mean, we all grumbled, at one point or the other, “how daft can that person be” when hearing about naïve victims hit by fraud. “They should be responsible
for being this thick”.
The law is actually on the bank’s side: if a customer loses money due to fraud, the bank does not have a legal obligation to make them whole; but as I pointed out in
Limbo Dancing in the House of Lords, expecting customers to fight against online threats is failing to understand the nature of today’s cybercrime. Believe me when I say that nowadays almost
anyone can get infected with a Trojan, and get their bank account emptied in ten seconds. You don’t need to be particularly daft.
Many banks know they don’t have a lot of leeway in the matter. If consumers learn that they’re responsible for defending themselves against the unknown threats of sinister cybercriminals, and the bank isn’t going to refund their money, they’ll stop banking
online and move back to the branches.
Commercial banking isn’t that much different. Customers have a choice: if they know a certain bank isn’t making the customers whole, they can always move to another. In fact it’s their obligation to shareholders: no business wants to be left exposed to such
risk.
Just think of it from a commercial customer’s perspective. It’s difficult enough to survive in these troubled times; knowing that your funds can disappear because one of your finance people was tricked by a Trojan is too horrid for you to shrug off. You’ll
have to find a way to guarantee that if this ever happens, you’ll get your money back.
So where does that leave the banks? They can try to stand out of the crowd and put the blame on the fraud victims; I’d say that’s going to be a short lived strategy. Most commercial banks will probably decide to turn the threat into an opportunity: tell
their customers they should feel safe online because the bank implemented new visible and invisible defense such as behind-the-scenes transaction monitoring, behavioral profiling, anti-Trojan detection and interception services. Educate their customers about
the risks, but assure them that their money is safe.
What’s your take on this? Should commercial banks beef up their security or point the finger at the customers who fall for online fraud?