Free Newsletter
Register for our Free Newsletters
Access Control
Deutsche Zone (German Zone)
Education, Training and Professional Services
Government Programmes
Guarding, Equipment and Enforcement
Industrial Computing Security
IT Security
Physical Security
View All
Other Carouselweb publications
Editor's Blog and Industry Comments

Who should be liable for on-line banking fraud losses?

17 April, 2008
The banking code states that customers should be liable for computer based losses if their equipment is proven to be inadequately protected.
Legal proceedings are likely to be long, difficult and unlikely to pinpoint specific liability under the new code issued by the banking industry regarding losses through e-crime. In a statement which at first sight seems remarkably counter-productive for a technology that the banks want us all to use more often, the words "adequate protection" is mentioned and this kind of vague terminology is where it will all become difficult to follow.

There is some public resistance to the technology being pushed by the banks. They argue that we should use USB card readers plus PIN and password to gain access to the account but acceptance of the hardware readers has been very low especially amongst travelling users and only a small number of banks have fully deployed the technology, many of the remainder such as NatWest went as far as issuing the card readers but never followed it up by asking their customers to use them.

Biometrics is another possibility but customers don't want that either so the banks are stuck with the existing PIN and password dual authentication method. It is no wonder therefore, that they're now saying that they've done everything they can and its now up to the users to protect their end of the bargain.

But what exactly is adequate protection? Private users who are unaware of the banking code are probably quite happy that what the bank has provided is adequate but the banks would argue that this isn't the case and that at least anti-virus software is needed. A lot of the cheaper anti-virus products are based on the engine by Kasperskiy labs which, since we're using vague language, is mostly alright for some of the time and certainly wouldn't be adequate for business users.

This is where the main problem lies since it is business users who have the most to use and are least likely to succeed in their liability battles with the banks. Businesses should therefore grill their bank managers about exactly what they consider as being adequate protection before they accept these vague conditions.
Bookmark and Share