Banks To Customers: You Have To Pay For Phishing

Good article in Australia’s BRW Magazine about phishing and banks. It makes some important points, not least that banks are still trying to talk down the problem while at the same time passing costs and risk onto the customer:

Banks are desperate to assure their customers that internet banking is safe. But their actions are not comforting. Three of the five biggest banks have increased or introduced fees for online banking. In May, Commonwealth Bank of Australia linked the introduction of fees for retail customers directly to the $100-million expense of upgrading the online system to improve security and add 20 new services.

The problem with the online banking debate is that the banks, the fraud experts and the security companies contradict each other about the extent of the phishing problem, and whether it is growing or waning. One thing is certain: bank customers need to be increasingly wary and savvy about how they conduct their banking online or they will find costs soaring and, at worst, lose their savings.

The new fees for online banking are just one of the costs that customers are expected to bear for the convenience of banking online. Banks are also educating customers to buy increasingly complex and expensive software to protect their home and business computers. These include anti-virus and anti-spyware software and firewalls, products that experts say many customers, including small-business owners, cannot install and manage without expert help. The banks now say the online banking system is not secure without this protection.

Furthermore, there are signs that the banks are hardening their attitude to reimbursing customers who are defrauded by phishing e-mails. So far, the banks collectively have maintained a generous policy on reimbursing defrauded customers. According to the Australian Bankers Association, those reimbursements are estimated to have cost the banks $25 million.

Overseas, banks seem to have run out of patience. An AOL survey of 2052 internet users released in May this year found that 53% of customers who were defrauded in phishing scams in Britain say they were not compensated by their banks.

Good hard stuff. One stark quote comes from AlienCamel’s Sydney Low, who I know is very critical of how the banks are approaching the problem:

He says online banking is so insecure as to fail the “fit for purpose” test under section 71 of the Trade Practices Act 1974. He says: “Under consumer law, a product or service that is sold must be fit for the purpose it is sold for. Experts are saying that the current state of security is unsafe. The home PC is not designed as a secure terminal; an ATM is very secure. Now the banks are relying on mums and dads to create a secure device.”

It certainly seems extraordinary to me that banks have been so quick to shift customers online, where the savings are huge, and are now reversing engines and charging them. If the banks saved money in persuading users to do online transactions, why should some of those savings not be used to pay for better protection, and, where necessary, to fund compensation?

News: Have you been brand spoofed yet?

SurfControl, an anti-spam company, says that “brand spoofing spam” – where a spammer sends fraudulent email that pretends to be from a well-known and trusted company – is getting worse, only a few months after it first appeared.

The spammer, posing as a customer service or security official, directs the unsuspecting recipient of the spam to a phony Web site. The site then requests confidential financial information or a Social Security number that allows the spammer to commit fraud or identity theft. Over the last few months, SurfControl said in a press release, Best Buy, UPS, Bank of America, PayPal and First Union Bank have been brand spoofed. Four large Australian banks also have been brand spoofed, including the Commonwealth Bank of Australia. Last Thursday, Sony Electronics reported that it had become aware of a deceptive spam e-mail that had been sent to consumers, requesting personal information such as password and e-mail address, claiming to come from “SonyStyle Customer Service.”

SurfControl says brand spoofing spam was first seen in March and has been growing steadily since then. Brand spoofing spam has grown from zero before March to more than five a month. The increase in such dangerous spam is linked to the growth in the availability of open proxy servers, which allow spammers to send anonymous, nearly untraceable e-mail. According to a researcher at the University of Oregon Computing Center, the number of identified open proxies grew from 1,000 in October 2002 to 100,000 in April 2003.