Phishing victims' losses are own fault - court



Bank customers who give over their account details to "phishers" despite bank warnings against online scams are liable for their own losses, a top German court ruled on Tuesday.

The landmark judgement by the Federal Court of Justice is the first time that Germany's supreme court has ruled on the question of whether banks or their clients are responsible for online-banking abuse.

It follows a case brought by a pensioner who lost €5,000 from his Sparda Bank account to a Greek account in a transaction he claimed he had not executed himself.

According to the Süddeutsche Zeitung, the transfer occurred three months after he entered ten transaction numbers, or TAN codes, on what turned out to be an illegally manipulated version of his bank's website. This common internet scam is known as "phishing."

Tuesday's judgement absolved the bank of any liability for the incident, as it had expressly warned customers of such practices on its website. Instead the judges ruled that the plaintiff's lack of care in entering his TAN codes amounted to negligence.

TAN codes are sequences of numbers that customers must enter to make online transactions.

The plaintiff argued that the bank had a duty to protect its customers from the abuse of these codes. But the federal court upheld previous judgements by the district and state courts, agreeing with the bank's argument that the customer should bear responsibility for falling for the con.

The bank said it was widely known that being asked to input several TAN codes was a telltale sign of phishing, and pointed out that a phishing warning appeared on its login page.

The plaintiff had also agreed to keep his TAN codes safe when he signed up to the bank's online service. The bank argued that as the correct TAN codes were entered, the customer could only have entered them himself or failed to keep them secure.

German authorities were not able to track down the holder of the Greek account, despite enlisting their Greek counterparts.

Sparda Bank is one of the few remaining German banks to use the iTAN procedure, and the method is commonly thought to be susceptible to phishing. But a bank spokesman told the Süddeutsche Zeitung, "As far as the court was concerned, the security of the procedure is not in question."

Most banks favour other procedures that are thought to reduce the chances of fraud, like Mobile-TAN, where the customer receives new codes by text message, or Chip-TAN, where codes are generated by a special machine that the customer keeps at home.

In 2010, the Federal Criminal Police Office of Germany received 5,300 reports of phishing, a rise of 82 percent on the previous year. Last year's figures are not yet available.

As many as 44 percent of German bank customers do at least some of their banking online, a survey last year found. That amounts to 27 million account holders, according to the Federal Association of German Banks.

Source: Thelocal.de

Link to comment

Super cynical mode set to 'on'

So, if I were to be a crook who goes from door to door and tries to sell bad loans and con money out of people, this is my fault but the customer has his money insured.

But if I set up my scam on the web, the fault is for my victim.

It is a good thing I know computers!!

Link to comment

Good thing I guess, banks can't keep bailing people out due to their stupidity.

It's easy to say that knowing about computers and the internet, not everyone is so tech savvy. Banks rake in millions and/or billions at the expense of the customer, it's up to the bank to make it so fraud isn't possible, if it wasn't possible then phishing wouldn't work.

If this happened in my country I'd move my money elsewhere, see what the bank's reaction is once they start losing loads of customers.

Link to comment

Finally someone has some sense. I always take care when it comes to online and money. I have set up mobile security everywhere I could.

Link to comment

Good thing I guess, banks can't keep bailing people out due to their stupidity.

No not really, it is not a pure case of stupidity, a pure case of stupidity is where a customer KNOWINGLY gave their details to a 3rd party. What is stupidity is expecting 100% of customers to be computer and scam savvy. Some people have a higher IQ than others and a customer base covers such a broad set of people that is going to range from people with lower than average IQs and pensioners whose minds are not as alert as they once were to ultra genius computer experts such as yourself. This is a very BAD precedent because instead of the banks implementing REAL security such as the ones mentioned which are not susceptible to phishing, they can get away with low security with no liability.

REAL Security is more than just SSL, a password and a liability disclaimer. Maybe if the banks didn't implement such crappy security mechanisms that are easily susceptible to human error, they could requiand are it fool proof and we wouldn't have this problem.

I hope this generated a hell of a lot of bad press for the bank and they have a mass exodus of customers as they obviously can't be trusted with their customers' interests. It could happen to any of their customers (many could have fallen in the same trap) and they won't help. This also sets the precedent when a particularly GOOD phishing attempt comes through where the scammer can actually spell properly and then hundreds of people will fall victim.

Link to comment

I understand people argent tech savy like us. but there needs help out there to see the signs

:huh:

After reading that I'm a bit concerned that you might be the sort of person who's vulnerable to phishing scams :p

Link to comment

banks should NOT be responsible for keeping YOUR actions from losing YOUR money. Their actions yes, their security yes, but not yours.

I disagree. Banks make more than enough money off our money and there's no reason why a proportion of those profits shouldn't be put towards insuring our savings.

If my debit card is cloned and then money is taken from my account the banks will protect me. If my card is stolen and money is then taken from my account the banks will protect me. I don't see any reason why I shouldn't be offered the same sort of protection if I'm a victim of electronic fraud.

As for this case, I don't see why the banks couldn't have flagged a sudden withdrawal in another country as suspicious. I always advise my bank before I travel abroad so they know to expect strange transactions (to stop them blocking my card preemptively). Every time I do they thank me but tell me that their fraud protection systems will block suspicious transactions regardless of whether I warn them in advance or not. It sounds to me as if the bank failed to protect this customer.

Link to comment

I disagree. Banks make more than enough money off our money and there's no reason why a proportion of those profits shouldn't be put towards insuring our savings.

If my debit card is cloned and then money is taken from my account the banks will protect me. If my card is stolen and money is then taken from my account the banks will protect me. I don't see any reason why I shouldn't be offered the same sort of protection if I'm a victim of electronic fraud.

As for this case, I don't see why the banks couldn't have flagged a sudden withdrawal in another country as suspicious. I always advise my bank before I travel abroad so they know to expect strange transactions (to stop them blocking my card preemptively). Every time I do they thank me but tell me that their fraud protection systems will block suspicious transactions regardless of whether I warn them in advance or not. It sounds to me as if the bank failed to protect this customer.

I disagree. The bank had warned about phishing. The bank had strict guidelines on how to use the TAN codes. There was a phishing warning on the login page. The customer did this with all the warning signs, and whistles anyways. That's not the bank's fault, that's on the customer.

When you have your card stolen (physically) it's not your fault, you may not have had any warning, same as if there is a card reader when you enter your card. Those are hidden and very hard to notice (if at all). So comparing phishing which is in your face, warnings, etc with something that you don't know/have no prior warning of is a bad comparison.

Link to comment

I disagree. Banks make more than enough money off our money and there's no reason why a proportion of those profits shouldn't be put towards insuring our savings.

If my debit card is cloned and then money is taken from my account the banks will protect me. If my card is stolen and money is then taken from my account the banks will protect me. I don't see any reason why I shouldn't be offered the same sort of protection if I'm a victim of electronic fraud.

As for this case, I don't see why the banks couldn't have flagged a sudden withdrawal in another country as suspicious. I always advise my bank before I travel abroad so they know to expect strange transactions (to stop them blocking my card preemptively). Every time I do they thank me but tell me that their fraud protection systems will block suspicious transactions regardless of whether I warn them in advance or not. It sounds to me as if the bank failed to protect this customer.

OK, since you don't mind, how about I send you a phishing email, you type in your credentials, I scam all your money from the account, then when the bank gives you your money back, I will give you back 1/2 of what I scammed out of your account. Sound good? We both win right? Silly banks make more than enough money anyways, they won't care /s

Link to comment

OK, since you don't mind, how about I send you a phishing email, you type in your credentials, I scam all your money from the account, then when the bank gives you your money back, I will give you back 1/2 of what I scammed out of your account. Sound good? We both win right? Silly banks make more than enough money anyways, they won't care /s

What's to stop us from doing that right now? I clone your card, withdraw money, and then we both share the profit when the bank reimburses you.

If it's OK for the bank to protect you against one type of fraud why not another?

Link to comment

I disagree. The bank had warned about phishing. The bank had strict guidelines on how to use the TAN codes. There was a phishing warning on the login page. The customer did this with all the warning signs, and whistles anyways. That's not the bank's fault, that's on the customer.

When you have your card stolen (physically) it's not your fault, you may not have had any warning, same as if there is a card reader when you enter your card. Those are hidden and very hard to notice (if at all). So comparing phishing which is in your face, warnings, etc with something that you don't know/have no prior warning of is a bad comparison.

Banks also provide warnings about the risk of card cloning but will still cover victims of that crime. Again, why the double standard? Why should a warning be enough to absolve the banks of responsibility when fraudsters are basically exploiting loopholes in the banks' own security?

Link to comment

Banks also provide warnings about the risk of card cloning but will still cover victims of that crime. Again, why the double standard? Why should a warning be enough to absolve the banks of responsibility when fraudsters are basically exploiting loopholes in the banks' own security?

It's not exploiting a loophole in any way. It's like walking up to a person and saying: "Hi, I'm from your bank, give me your card number, pin, and TAN". As I said phishing sites give off warnings and the such, card cloners don't.

Link to comment

It's not exploiting a loophole in any way. It's like walking up to a person and saying: "Hi, I'm from your bank, give me your card number, pin, and TAN". As I said phishing sites give off warnings and the such, card cloners don't.

Of course it's a loophole. It may be an acceptable loophole (after all, people should have relatively easy access to their money) but internet banking is still a breach of security that has the potential to be exploited. It's the bank's responsibility to police that breach and insure customers against losses when the breach is exploited.

By the way, there are plenty of warnings about card cloners. Cash machines include pictures of what the machine should look like and descriptions of how it will look once it has been modified to include a card scanner. You're also assuming that an old man is using a modern browser that raises phishing warnings.

Link to comment

I'm tl;dr'ing this, but that isn't what the judge said at all.

He said the user was liable as the bank had sent out material about the specific scam that he fell for, and furthermore, the user entered obviously protected information into a scam site. The codes aren't meant to be entered in bulk, they are supposed to be entered one at a time to allow a transaction. The user entered 10 codes at once into a scam site allowing the scammers to just have the right code when they logged into his account :\

He further said that because the user was NEGLIGENT he was liable. This is a rather specific case in all :\

Link to comment

Of course it's a loophole. It may be an acceptable loophole (after all, people should have relatively easy access to their money) but internet banking is still a breach of security that has the potential to be exploited. It's the bank's responsibility to police that breach and insure customers against losses when the breach is exploited.

Explain to me how it is a loophole? They aren't working around anything, they aren't avoiding certain rules. They are making a fake website that people are stupid enough to enter their details into. Anyone caught creating phishing sites is still breaking the law, and will still be punished.

By the way, there are plenty of warnings about card cloners. Cash machines include pictures of what the machine should look like and descriptions of how it will look once it has been modified to include a card scanner. You're also assuming that an old man is using a modern browser that raises phishing warnings.

I saw ONE and that was on Engadget. Other than that, I have yet to see any warnings or anything about them. I've had it happen to me before (card cloner). My bank shut off the account, and I actually had to go and register a whole new account, at which point the money was transferred back.

My bank said the only reason they returned the money was because the bank flagged it as fraudulent uses, otherwise there is no way to verify I didn't withdraw all the money and claim it stolen.

Link to comment

This topic is now closed to further replies.