A German court has ruled that banks are liable for
phishing attacks on customers, reports
Spiegel.
A judgment of the Amtsgericht (lowest court) at Wiesloch says
the banks are responsible for damages arising from unauthorised
interception of confidential data (phishing).
In the case in question, the wife of an online banking customer
wanted to make a payment transaction from home.
She entered the PIN and TAN (one-time authorisation code), and
the screen suddenly flared up, then briefly went black. A
technical glitch, she thought, and continued with the
transaction.
A few days later the husband got a phone call from his bank. The
official had noticed that about 4,000 euros had been paid out of
the account in the context of an eBay auction - a transaction that
the couple had not made.
Experts then examined the customer's PC. Although up-to-date
anti-virus software was installed, they found 14 malicious
programs, including keylogging software.
The bank must now pay for the resulting losses. The court based
its decision on the fact that the payment demonstrably did not come
from the customer.
Neither he nor his wife had given instructions for the payment.
"The bank bears the forgery risk of the transfer order," the
judgment said.
It was found that a person in Germany had sent the stolen money
to someone in St Petersburg in Russia.