
Phishing: are the banks responsible?

  • 13-10-2006 5:59pm
    #1
    Closed Accounts Posts: 1


    Hi all,

    You've probably all seen the Bank of Ireland phishing emails that reached all of our email accounts and you've probably all heard about how BOI decided to pay back money to some of the BOI customers who had been affected.
    This was apparently a gesture of good will - however this was after the customers had threatened to sue the bank for inadequate safety features on their online banking.
    However since then BOI has not agreed to pay any more of their customers who have fallen victim to this fraud. Their argument is that they send out adequate warnings - slips of paper in your statement, and notices online. I'm just wondering if all of you think this is an adequate response to shun responsibility off them. Are there any other victims out there?
    Even if the primary source of the problem was the victim, who unknowingly gave out their pin details to a third party, should they have to bear the brunt?
    The reason we put our money into bank accounts, instead of keeping it underneath our mattresses is not our urge to pay high banking fees. Instead, we hope banks will be better able to safeguard all that money. Assuming financial responsibility for fraud is the least one should expect in support of this promise.

    http://www.unison.ie/business/personalfinance/stories.php?ca=257&si=1674813
    In the above article it says that the head of Rabo Direct online banking hit out at what he describes as lax security procedures for online banking in Ireland. He said that in this country were vulnerable to online banking fraud because of a failure to invest enough money to upgrade older computer servers to use more sophisticated security procedures.
    He said the main problem was the two biggest banks, AIB and Bank of Ireland, use what he called "static" access codes for their online operations.
    For example, an AIB customer is asked to enter numbers from the same five-figure access code every time they log into their online account.
    In contrast, RaboDirect customers must use a security device new to the Irish market. The RaboDirect security device looks like a calculator and constantly generates new access codes for each customer.
    It ensures that no one else can access your bank account simply by knowing your account number and access code. They would also need to be in possession of the device.


    So should BOI pay out? Or should the customer? It is the customer's fault by unknowingly giving away their details to a third party? Should our money be harder to access than a simple 5 to 6 digits? Should there be a maximum withdrawal of 5k a day rather than the current 25k? Should we all have a code card like AIB have so that pin numbers alone will not gain access to the account? Should you require the code card to set up another account on the internet (as this is how phishing takes place)?

    I know a person who fell victim to this BOI phishing scam and I’m quite annoyed and frustrated with the bank's responses. Currently they are refusing to refund my friend their money saying they received ample notice with the sheet of paper that came out with the statement. They are not offering a penny in compensation even though I’m sure banks are insured for this sort of thing.
    It frustrates me to think that we as customers are getting hit for this, when if the banks' security measures were better - a phishing scam would be stopped in their tracks. After all I’m sure the only reason BOI were targeted by phishing fraudsters was because it was an easy target!

    It's inevitable that unless the larger Irish banks upgrade their online security, their customers will continue to get caught on the net through phishing.
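
The contrast drawn in the post above between a "static" access code and a device that generates a new code for each login, as an added example that is not part of the original thread. It assumes the device behaves like a standard RFC 6238 TOTP token (the thread does not say how the RaboDirect device works); the access code, secret and timestamps are constructed sample values.

```python
import hashlib
import hmac
import struct

def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1): code derived from a device secret and the clock."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_static(stored_code, positions, answer):
    """Static scheme: the bank asks for some digits of the same fixed code each login."""
    expected = "".join(stored_code[p] for p in positions)
    return hmac.compare_digest(expected, answer)

def verify_totp(secret, submitted, now, used_steps, step=30):
    """Token scheme: accept only the code for the current time step, and only once."""
    slot = now // step
    if slot in used_steps:
        return False  # a code already accepted in this window is not accepted again
    if hmac.compare_digest(totp(secret, now, step), submitted):
        used_steps.add(slot)
        return True
    return False

def replay_outcomes():
    # Constructed sample values (assumptions, not data from the thread).
    access_code = "48213"                # fixed five-figure access code
    secret = b"12345678901234567890"     # RFC 6238 test secret standing in for the device
    t_disclosed = 1111111109             # when the customer typed the values into a fake site
    t_reuse = 1234567890                 # when the disclosed values are tried at the bank

    # The whole static code was disclosed, so any digit challenge can be answered.
    challenge = [0, 2, 4]
    static_ok = verify_static(access_code, challenge,
                              "".join(access_code[p] for p in challenge))

    disclosed_otp = totp(secret, t_disclosed)
    used = set()
    otp_ok = verify_totp(secret, disclosed_otp, t_reuse, used)
    owner_ok = verify_totp(secret, totp(secret, t_reuse), t_reuse, used)
    return {"static_reuse": static_ok, "otp_reuse": otp_ok, "owner_login": owner_ok}

if __name__ == "__main__":
    print(replay_outcomes())
```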


Comments

  • Closed Accounts Posts: 36,634 ✭✭✭✭Ruu_Old


    It goes both ways, perhaps the banks need to do a little more to highlight but imo I don't think banks should be responsible for it, people need to wise up a bit.


  • Registered Users Posts: 13,381 ✭✭✭✭Paulw


    It's not the bank who give out the information to these bogus websites. It's customers who don't know better. The bank has done nothing wrong, and yes, it was a gesture of good nature to refund money. They are not legally liable at all.

    If someone on the street asked for your bank details, pin number etc, would you give it out? Probably not. But yet people do give out that information to bogus websites.

    It's the customer's fault, pure and simple.


  • Moderators, Technology & Internet Moderators, Regional South East Moderators Posts: 28,497 Mod ✭✭✭✭Cabaal


    It's not the bank's fault at all, totally down to the person who has not secured their PC and used common sense and/or a decent web browser or e-mail client :)


  • Registered Users Posts: 9,788 ✭✭✭MrPudding


    Cabaal wrote:
    It's not the bank's fault at all, totally down to the person who has not secured their PC and used common sense and/or a decent web browser or e-mail client :)
    This is a difficult one for me. Gut reaction makes me think "what kind of idiot falls for this stuff." Then I think about it a bit more. My mum (not really an idiot) would probably have fallen for phishing scams had I not warned her.

    When I think about the number of older people getting into computers and who are quite fearful of them I can see how it works. It's OK for us. We are computer and internet savvy we know the score, others don't.

    I did one of the presentations for that "Make IT Secure" a while back. It was for about 30 teachers. About 29 of them had never heard about phishing and about 6 admitted to responding to what they now see was a phishing mail.

    So for me it is not clear cut, some people simply do not know any better.

    I think the Rabo guy makes a good point. There will always be people that are vulnerable to this kind of scam. That is human nature. I think the banks do have some responsibility. There is no excuse for static logon in banking now. Even NIB have a reasonably secure online system now, even if you did give someone your logon info they could not logon.

    MrP


  • Registered Users Posts: 13,381 ✭✭✭✭Paulw


    Please define "reasonably secure". These phishing scams ask customers for every possible bit of information needed. The only way to really get around this would be to use some form of secure token.

    My mother would barely use her PC for an hour a week, but is wise enough not to give her details to an email address. She knows that if a bank or such wants her info then they can call her and she will call them back.

    It's not about the internet, since similar types of scams have been going on since banking came about. People phone up claiming to be from the bank and ask to confirm details. This is not new and not just an internet problem.

    People should always beware and not be so trusting, especially with banking/money.


  • Registered Users Posts: 32,381 ✭✭✭✭rubadub


    I find BOI's online service fine. I am not impressed when I hear about them refunding money to stupid customers, that money is a loss to the bank, even if insured it increases their premiums. Therefore I am paying for it either by poorer interest rates on my deposits etc to recoup their losses. I have shares in AIB, this type of action would also mean less profits that way too.

    People are being financially punished for other people's ignorance and stupidity.

    I wonder if anybody has pulled a scam whereby they phished their own details, withdrew all of their own cash and then claimed to have lost it all through inadequate security and got it refunded.


  • Registered Users Posts: 23,212 ✭✭✭✭Tom Dunne


    Cabaal wrote:
    It's not the bank's fault at all, totally down to the person who has not secured their PC and used common sense and/or a decent web browser or e-mail client :)

    I disagree.

    As someone who teaches computers, I can see how easily an inexperienced user would be caught by this. These sites look convincing, they have all the logos, the "bankspeak", terms and conditions, and it is very, very easy to fool the uninitiated.

    That's why I really drum home the points on Internet security and make sure they leave my class trusting nobody on the internet. :)


  • Registered Users Posts: 5,566 ✭✭✭Gillo


    In fairness it's not the bank's fault, so why should they pay out.

    Only today I got a letter from my bank (permanent TSB) warning me of phishing, it was not with a statement it was a letter by itself. There have been a massive amount of warnings sent out this year alone, if you choose not to read the mail a bank sends you then that's your problem.


  • Registered Users Posts: 23,212 ✭✭✭✭Tom Dunne


    gillo wrote:
    if you choose not to read the mail a bank sends you then that's your problem.

    I think you are missing the point.

    It's all good and well getting a letter from the bank, but how many computer-illiterate users will understand it? They just want to log in and pay a few bills, move money around, whatever. A lot of people just don't get the fact that what looks like the real thing might not in fact be the real thing.


  • Registered Users Posts: 13,381 ✭✭✭✭Paulw


    So Tom, is it the bank's fault that some people are computer illiterate?

    The letters from the banks are very clear. There's also information on the login pages for online banking, warning of phishing scams.

    How many warnings do people need?


  • Registered Users Posts: 23,212 ✭✭✭✭Tom Dunne


    Paulw wrote:
    So Tom, is it the bank's fault that some people are computer illiterate?

    No, on the contrary, it's the people's own fault. They need to educate themselves.

    Paulw wrote:
    The letters from the banks are very clear. There's also information on the login pages for online banking, warning of phishing scams.

    How many warnings do people need?

    People need lots of warnings but they also need information in simple language on how not to get caught. Some kind of security-type booklet perhaps?


  • Registered Users Posts: 13,381 ✭✭✭✭Paulw


    So, why should the banks compensate someone who's caught out by phishing?

    The banks already post information on their websites, they provide information in mail (post) to customers and also give information over the phone.

    What else should the bank do??

    I think the banks do enough, and that it's down to the user.


  • Registered Users Posts: 38,247 ✭✭✭✭Guy:Incognito


    tom dunne wrote:
    People need lots of warnings but they also need information in simple language on how not to get caught. Some kind of security-type booklet perhaps?


    How much simpler can it get than "We DO NOT EVER send requests for details by email or in unsolicited phone calls"? That's as clear as it gets for me.


  • Registered Users Posts: 3,202 ✭✭✭Tazz T


    Why aren't the banks able to track down where these emails are coming from and take those responsible to court?

    I wouldn't have thought tracing the emails would be too difficult.


  • Registered Users Posts: 13,381 ✭✭✭✭Paulw


    Mostly because many of these emails come from places like Russia, Nigeria, China, US etc. Tracking down the email isn't that difficult, the problem comes trying to prosecute those responsible. :( Almost impossible in most cases.


  • Registered Users Posts: 9,788 ✭✭✭MrPudding


    Stekelly wrote:
    How much simpler can it get than "We DO NOT EVER send requests for details by email or in unsolicited phone calls"? That's as clear as it gets for me.

    How much simpler would it be to have a system that is secure even if the customers are idiots? You know like Rabo has? Or BoSI? Or NIB?

    It is very easy to blame the customers but the fact remains that no matter what you try to do some people will always fall foul of scams. They don't even need to be stupid. The teachers I delivered the presentation to were not stupid, they were unaware.

    Even if you make people aware they are still open to getting scammed.

    When I read this thread at first I did not really blame the banks, but the more I think about it the more I believe they actually do not have an excuse for having a system that can be broken by a combination of a mail, a website and a customer that does not know any better.

    MrP


  • Registered Users Posts: 13,381 ✭✭✭✭Paulw


    Can you give us an example of a site that can't be broken from people scamming information? If you can, I'll be stunned.

    There is no fully secure website, without the use of some secure ID feature. Otherwise, it's just a combination of information that is used to log in, and which can be scammed from people.

    It has to be the user - beware of emails and websites. Only type in the URL you know, and never click on a link to your bank site.

    The banks are constantly providing information warning people. Nothing more they can do.


  • Users Awaiting Email Confirmation Posts: 294 ✭✭XJR


    Loschie wrote:
    Hi all,
    So should BOI pay out? Or should the customer? phishing.


    Certainly banks have a duty of care but are they obliged to protect people from their own stupidity?

