Banks are liable for phishing attacks on customers, says German court


A German court has ruled that banks are liable for phishing attacks on customers, reports Spiegel.

A judgment of the Amtsgericht (lowest court) at Wiesloch says the banks are responsible for damages arising from unauthorised interception of confidential data (phishing).

In the case in question, the wife of an online banking customer wanted to make a payment transaction from home.

She entered the PIN and TAN (one-time authorisation code), and the screen suddenly flared up, then briefly went black. A technical glitch, she thought, and continued with the transaction.

A few days later the husband got a phone call from his bank. The official had noticed that about 4,000 euros had been paid out of the account in the context of an eBay auction - a transaction that the couple had not made.

Experts then examined the customer's PC. Although up-to-date anti-virus software was installed, they found 14 malicious programs, including keylogging software.

The bank must now pay for the resulting losses. The court based its decision on the fact that the payment demonstrably did not come from the customer.

Neither he nor his wife had given instructions for the payment. "The bank bears the forgery risk of the transfer order," the judgment said.

It was found that a person in Germany had sent the stolen money to someone in St Petersburg in Russia.
