NEWS ANALYSIS: New Zealand banking code a nasty surprise for consumers

New Zealand's new banking code will make consumers liable for internet banking fraud if they do not keep their PCs sufficiently secure, a shift in policy Patrick Gray argues represents an unfortunate and worrying precedent.


In a somewhat surprising move, New Zealand's new banking Code of Practice will place the onus on consumers to ensure their funds are kept secure.

If the bank determines a fraud was the result of negligence on the part of the victim -- such as their failure to use up-to-date anti-virus protection or operating system security patches -- it will not reimburse the stolen funds.

Traditionally, banks have covered losses incurred through fraud, but that's about to change. The victims of Internet banking fraud in New Zealand may lose any illegally siphoned funds if they choose an inadvisable PIN or password, have negligently disclosed their PIN or password (think phishing) or use an insecure computer.

Consumers may even be out of pocket if they use a computer that is not running antivirus or security software. The code fails to mention that several Trojan software packages sold on the black market are completely undetectable to antivirus and security software, and may be stealthily installed through vulnerabilities in systems for which no patch is yet available.

The banks will also reserve the right to conduct a forensic analysis of victims' machines in the event of a claim of fraud. If consumers refuse to hand over their computers, the bank can refuse their claim.

It is almost certain the forensic analysis of the average consumer's computer would be viewed as a gross invasion of privacy.

You can read the code here, paying particular attention to pages 36 and 37.

To some extent, two-factor authentication solutions mitigate the spookiness of the new code. However, with widespread recognition that username and password protection on banking accounts are starkly inadequate, any banking customers in New Zealand choosing to transact with organisations not yet using these extra layers of protection would do well to seek psychological help, and a prosthetics specialist who may fashion a leg for them to stand on.

The erosion of consumer rights this code introduces is a fascinating precedent. The Australian Bankers Association toyed with the idea earlier this year but sensibly dismissed it fearing a backlash.

Online fraud is booming business. Online share trading concern E*TRADE reported that expenses consisting primarily of fraud-related losses increased 97% to US$45.7 million and 55% to US$101.9 million for the three and nine months ended September 30, 2006, respectively, compared to the same periods in 2005. Most organisations -- financial institutions and others -- are reticent to publish fraud figures, so knowing the true state of play is somewhat tricky. "Fraud related losses during the third quarter of 2006 [were] US$18.1 million, of which US$10.0 million was identity theft related. The identity theft situations arose from recent computer viruses that attacked the personal computers of our customers, not from a breach of the security of our systems," the company's quarterly report disclosed.

E*TRADE reimbursed customers for their losses, and tightened up its fraud controls.

The new code in New Zealand hasn't received too much attention, but that is sure to change if banks start refusing to cover fraud claims. Instead of introducing such a draconian code, perhaps the banks should focus on offering out-of-band two-factor authentication such as SMS or voice recognition through an automated dialler.

We'll be watching developments across the Tasman with great anticipation.
