Bank customers face bill for lax online security

Banks could block customers from claiming money back if they are a victim of fraud and it is found they had substandard online security, according to sources at the Financial Times.

Under proposals being discussed by Britain’s big banks, the Government, Bank of England and GCHQ, customers could be frozen out of banking services and unable to claim compensation if their account has been hacked, even if they’ve lost their life savings. Any changes would take several years to put in place according to bankers and would happen in stages.

Lisa Baergen, director at NuData Security, answered the following questions for @DFMag:

Is this a good or bad move?

“Whether or not this plays out as a “good” or “bad” move may depend on how much banks want to keep their customers, but it’s not unexpected. The sheer number of compromises has driven many banks to take measures to try and recover lost funds. The prevailing thought is that consumers should be in a position to protect themselves; however, we don’t give them the tools or the knowledge to protect themselves. This has sort of been the way it’s been for some time. For the most part, the merchants have very little skin in the game for fraud risk, and it is felt that this should be shared risk for everyone. The problem then becomes: how do you decide responsibility, and who gets to decide? There aren’t any clear answers. The banks need to take some responsibility by having the right fraud solutions and authentication solutions in place. At the same time, consumers do need to be more attentive to protecting their accounts. We work with many of the largest banks in the world and, frankly, we just expect that the consumers are using the same passwords over and over again. There are ways for banks to truly know who is behind the device with great accuracy, and the password issue has become just part of a multi-layered approach many banks are taking now.”

Why should consumers be accountable?

“I think this would be disastrous for a free-flowing ecosystem, and I can’t see the regulations to this effect actually taking place. The backlash would be overwhelming. We focus totally on the customer experience, and moving in this direction goes completely against that philosophy. The hackers are so sophisticated that even the most educated consumer could fall for sophisticated phishing schemes. Federal regulations in the US say that consumers are responsible for a portion of fraud, ergo $50; yet no bank enforces it, or likely ever will. I suspect this may continue being the case since most banks are super sensitive to customer experience and loyalty.”

Is it possible to prove that the customer is to blame for fraudulent transactions?

“This would seem impossible to prove, particularly with sophisticated ransomware and phishing schemes. Also, it should be noted that customers aren’t equipped to understand their bank’s systems, don’t have access, and are legitimately required to provide their identity for transactions to occur. This legislation puts an unfair burden on the customer to understand security interfaces he can’t be expected to have a reasonable knowledge of. Just as chargebacks are so hard to prove, this approach would add overhead and unnecessary friction to the customer experience. Finally, it seems to divest banks of their responsibility to protect customer accounts, particularly when they have tools at their disposal that have the right layers of protection and identity verification that prevent most of the fraud they face.”

What is considered ‘substandard online security’?

“What would be considered the minimum? Banks need, at a minimum, several layers of security. The active biometric addition to their toolset is visual, cool, and it gives consumers a sense of security they can see. Layers of behavioural biometrics are invisible to the customer, but act as a key requirement for accurate verification of the real human behind the device. It’s notable that any security layers that rely on static data, such as active biometrics (fingerprints etc.), are all spoofable and can be mimicked. For this reason, it’s absolutely necessary to look at a holistic approach to protection: device, geo, behaviour and passive biometrics. Anything else is substandard.”

What would you recommend customers do to better protect themselves?

“Besides the age-old statement of saying to change your password regularly and to check your statements often, the answer is that there really isn’t a whole lot more an individual consumer can do to protect themselves. This game needs to be addressed by the whole ecosystem. I don’t see that our data is going to become less valuable to fraudsters any time soon; in fact, the opposite is true. However, merchants with the right tool set can make it easy to protect their genuine good users while still giving them the best experience possible, and we see this as the best way merchants can protect their customers and themselves.”

Is there anything more that banks and other financial institutions can do to help consumers and prevent fraud?

“Have the right identity verification and authentication tools in place so they truly know who is behind the device. This will stop the need to bring in the kind of legislation that puts the onus on the consumers who don’t have the right tools, knowledge and access at their disposal that the banks do.”