Are you or your bank liable for on-line fraud?

“Banks slip through virus loophole” was the headline for an article by Danny Bradbury in the Guardian last week. This began: “Is my money safe? A quiet rule change allows British banks to refuse to compensate the victims of online fraud if they do not have ‘up-to-date antivirus and spyware and a personal firewall’.”

His article claimed that the new section 12.13 of the Banking Code (which dictates how banks do business with customers) changes the balance of risk between customers and banks.

“Since the 2005 edition of the code (which dictates how UK banks do business with customers), section 12.9 has advised customers to keep their PCs secure. “Use up-to-date antivirus and spyware software and a personal firewall,” … The contentious addition to the new version is section 12.13. “Unless you have acted fraudulently or without reasonable care (for example, by not following the advice in section 12.9), you will not be liable for losses caused by someone else which take place through your online banking service.”

Read the full text of his article for the arguments that follow.

The report of the House of Lords on Personal Internet Safety recommended that “the Government introduce legislation, consistent with the principles enshrined in common law and, with regard to cheques, in the Bills of Exchange Act 1882, to establish the principle that banks should be held liable for losses incurred as a result of electronic fraud”.

Many users would probably stop banking on-line if they feared losing more than trivial sums as a result of their own mistakes. Some of the ramifications are indicated by the recent refusal of a bank to reimburse a customer who lost £3,670 after a phishing scam (reported in Which, April 2008, and also referred to the Financial Ombudsman Service) and by the growing sophistication of on-line fraud and impersonation, including that using information obtained from data “leakages”. The sharp rise in “card not present fraud” involving transactions outside the UK that bypass the domestic chip and PIN controls also adds urgency to the need to reassure users about the risks they run, or rather do not run, when they transact on-line.

The subject also came up when ministers met with the House of Lords Select Committee last month. The transcript of that hearing indicates new and more positive thinking on the part of government. Baroness Vadera, the minister now responsible for this area in the Department for Business, commented on the possible need to make the Financial Ombudsman better able to “decipher” the reality beneath disputes over liability. Vernon Coaker, the minister responsible at the Home Office, volunteered notes to the Select Committee on progress and on the activities of the new inter-ministerial group. He also said that they would support the creation of the Internet Crime and Disorder Reduction Partnership on which the Rt Hon Alun Michael MP, chair of the EURIM E-Crime Group, has been working.


So who can help with this then:

1) My husband (who rarely shops online) was defrauded of £1100+ last month for an online purchase via for PC hardware that was delivered to a London address (we don't live there). He found this out on 26th May (goods purchased on 23rd May); informed his bank immediately, cancelled the card etc. The goods were not delivered until 2nd June, so there was time to stop the transaction being fulfilled. However, clearly the bank did not manage (or bother) to get through to Dell to stop it. The banks don't want to take it any further - you come across as a nuisance customer if you show any level of intelligence about the need to investigate further; the police won't treat it as a theft crime. The victim appears to have no recourse to actually ensure that the criminal pays. appear to have all the right form fields in place including the need for the 3 digit code on the back of the card so the criminal had all of those details plus our home address. That is almost of more concern as a violation.

2) My own credit card details were used in a purchase on - fraudulently to the tune of £1200+ a week later. I shop online a lot so appreciate that my risk level is significantly higher than my husband's. The worrying thing about that is that the "Verified by Visa" box that comes up on some of my online shopping accounts has someone else's details in it - so my concern is whether VbyV has been hacked or whether simultaneously both my laptop and office computers have been hacked.... no-one seems to be able to provide any helpful answers so it is very hard to know what remedies to put in place.

Rest assured, I have anti-spyware, anti-virus and firewalls running appropriately and up to date, and we shred everything that poses an identity fraud risk.

Anyone got any advice?

Perhaps we will start to see disclaimers appearing on new computers or in Internet Cafes and hotels along the lines of "This computer not certified for online financial transaction use"...

So what, I wonder, would be a bank's stance if the online fraud happened against an account belonging to a person who did not own a PC?

A secondary question is what the stance would be if the person suffering an on-line fraud did own a PC but did not engage in on-line banking or on-line purchases. What measure of proof would be needed?

And what about using public PCs for on-line banking or purchases? Should this practice be banned...

Significant investment has already been made by the sector over the past few years in combating fraud. Real-time card fraud detection using advanced analytics; biometrics; Chip and PIN, security dongles and random generated passwords are just some of the methodologies deployed to protect customers. Behind them sit complex, sophisticated analytics and modelling engines, constantly evolving encryption engines and an entire industry dedicated to protecting the customer.

On the other side of the fence sit the fraudsters. Teams of highly intelligent computer experts, who are trying to keep pace with the developing technology – if not a team, then possibly a student without a real life! But there is a third element in this – the actual customer themselves.

We have all experienced phishing attacks. Ah yes, one thinks as one opens the mail, I bank with you, therefore I will gladly share my personal details, PIN number, date of birth and mother's maiden name with you. How many times have banks stated that neither they nor their employees would seek anything as personal as a PIN number? Why should the banks always be made culpable when sometimes the actual issue may be the consumer themselves? I appreciate that this is not necessarily always the case, but on some occasions the naivety of the individual customer has to be called into question.

'Whilst out-of-the-box and bespoke security solutions have been designed and applied, recent events have demonstrated that they are not always utilised to the benefit of delivering a real-time security underpin to the business mission. Maybe, because of over-complexity, or a lack of integration with the business process, some managers, users and employees seek ways of circumventing the controls to get the job done (FACT - look at some recent data losses where a security application was installed, but not used!).

A further issue with the security industry and the provision of security solutions is that, at times, the security fix is procured based on a perception that it will deliver a solution to solve the security problem, when in fact it is the obtuse approach that would satisfy sensible best practice - identification of the security requirements, and then purchase of a solution based on those criteria.

The second flaw that is often encountered is that solutions are provisioned, be they encryption or USB I/O control, but the intelligence of applying such solutions correctly and sensibly is not always accommodated, and so the client is left to fathom out how best to apply their new silver-bullet solution. Again, talking to one company (as I always believe that reality always works over theory), they shared with me an approach that was being taken to Single Sign-On (SSO) - the benefit to the organisation was that with SSO they would reduce cost, and fix a security issue by reducing the amount of password resets. However, the downside impact was that lack of data classification and lack of defined role-based profiles left the entire internal databases and assets open to all for access! - is this an improvement, or a fix to the detriment of security . .

I would also take issue with the suggestion of the eCriminals trying to keep up with the Security Industry - if this is the case, then let us be thankful, as with an estimated eCrime cost of a guessed amount of $1.7 billion (with the real number not known), then let us be thankful they are only attempting to keep pace with our security advances. However, my own opinion is quite the opposite - looking at some of the technological approaches utilised by eCriminals, hackers and Organised Crime, is it not they who set the scene, only for the Security Industry to design a solution to counter their attack - so just who is in the driving seat here! Also, consider Microsoft Patch Tuesday, a great idea, and it works reasonably well - but at times it is followed by Black Wednesday, when the hacking community release their latest and greatest new security exploits.

To conclude, yes, I fully agree about the good guys - that there are many security engineers who are excellent at what they do, and there are also some excellent solutions to counter the issues. However, let us not lose sight that the world of crime and hacking has equal ranks populated with some very, very intelligent and skilled people, and I would hope we do not fall into a trap of thinking we are winning the battle because of the skills of those in the ranks of the white hats - at such a time when we do lean toward that conclusion, then in my opinion we are only fooling ourselves to the benefit of the dark side, who will silently chuckle at such gullibility - so let's attempt to keep a grip on reality please.'

Professor John Walker FBCS CITP CISM A.IISP MFSoc

Director of ISSA Expert Panel

Member of the Institute of Directors (IoD)