The bank fraud blame game

Ian G iang at systemics.com
Sun Jul 1 12:30:27 EDT 2007


Florian Weimer wrote:
> * Jerry Leichter:
> 
>> OK, I could live with that as stated.  But:
>>
>> 	The code also adds: "We reserve the right to request access to
>> 	your computer or device in order to verify that you have taken
>> 	all reasonable steps to protect your computer or device and
>> 	safeguard your secure information in accordance with this code.
>>
>> 	"If you refuse our request for access then we may refuse your
>> 	claim."
> 
>> The delay between when you were defrauded and when they request
>> access is unspecified.
> 
> But if you don't do this, customers can repudiate *any* transaction,
> even those they have actually issued.  In other words, you run into
> tons of secondary fraud, where people claim they are victims, but they
> actually aren't.
> 
> Customers need to provide some evidence that they are actually
> victims.  Just claiming "the virus did it" can't be sufficient.


Banks are the larger and more informed party.  They need to 
provide systems that are reasonable given the situation 
(Anglo courts generally take this line when pushed; I'm 
unsure what continental courts would do with that logic). 
Customers aren't in any position to dictate security 
requirements to banks.

Unfortunately for the banks, there is a vast body of 
evidence that we knew and they knew or should have known 
that the PC was insecure [1].  So, by fielding a system -- 
online commerce -- with a known weakness, they took 
responsibility for the fraud (from all places).

Now they are in a dilemma.  The customer can't provide 
evidence of the fraud, because the system fielded doesn't 
support it (it's login authentication, not transaction 
authorisation).  The NZ response above is simply not facing 
up to the facts; it is trying to create an easy way out that 
(again) shifts the liability to the customer.

They now face the question of whether to roll back online 
access or to upgrade with some form of dual-channel 
authorisation [2].

iang

[1] To my knowledge, continental banks knew of the risks and 
acted in the 90s, then scaled it down because the risks 
proved overstated.  Brit banks knew of the risks and didn't 
care.  American banks didn't care.

[2] Again, continental banks are shifting to SMS 
authorisation (dual-channel) ... Brit banks are unsure what 
to do ... American banks apparently don't care.
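The distinction drawn above between login authentication and transaction authorisation, as an added illustration that is not part of the original post or any bank's code: a simulated bank that only checks a session token, beside one that issues a one-time code bound (by HMAC over a per-customer key) to the payee and amount of a single transfer and delivers it over a second channel. The SMS channel, the customer's behaviour and the credentials are all simulated in-process and are assumptions of the example, not a description of any deployed system.

```python
"""Login authentication vs. transaction authorisation (dual channel), simulated.

Added example: the banks, credentials, SMS channel and customer are all
constructed here for illustration; nothing models a real institution.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    payee: str
    amount_cents: int


class LoginOnlyBank:
    """Login authentication only: a valid session token authorises any transfer."""

    def __init__(self):
        self.sessions = set()
        self.ledger = []

    def login(self, username, password):
        # Constructed credential check; a real bank would use a password verifier.
        if (username, password) != ("alice", "correct horse battery staple"):
            return None
        token = secrets.token_hex(16)
        self.sessions.add(token)
        return token

    def transfer(self, token, tx):
        if token not in self.sessions:
            return False
        # Nothing here records that the customer, rather than malware holding
        # the same session, chose this payee and amount: no evidence either way.
        self.ledger.append(tx)
        return True


class DualChannelBank:
    """Transaction authorisation: each transfer needs a one-time code bound to
    its exact details, sent over a second channel (SMS simulated by a callback)."""

    CODE_DIGITS = 6

    def __init__(self, send_sms):
        self.send_sms = send_sms
        self.customer_key = secrets.token_bytes(32)  # server-side, per customer
        self.pending = {}    # txid -> Transfer the bank is waiting to confirm
        self.ledger = []
        self.audit = []      # evidence: which exact details were code-confirmed

    def _code_for(self, txid, tx):
        msg = f"{txid}|{tx.payee}|{tx.amount_cents}".encode()
        mac = hmac.new(self.customer_key, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(mac[:4], 'big') % 10 ** self.CODE_DIGITS:0{self.CODE_DIGITS}d}"

    def request_transfer(self, tx):
        txid = secrets.token_hex(8)
        self.pending[txid] = tx
        # The SMS carries the bank's own view of payee and amount, so a payee
        # swapped by malware on the PC is visible to the customer on the phone.
        self.send_sms(f"Transfer {tx.amount_cents / 100:.2f} to {tx.payee}? "
                      f"Code: {self._code_for(txid, tx)}")
        return txid

    def confirm_transfer(self, txid, tx, code):
        expected_tx = self.pending.get(txid)
        if expected_tx is None or tx != expected_tx:
            return False                      # unknown, already used, or altered
        if not hmac.compare_digest(code, self._code_for(txid, tx)):
            return False
        del self.pending[txid]                # one code authorises one transfer
        self.ledger.append(tx)
        self.audit.append((txid, tx.payee, tx.amount_cents, "code verified"))
        return True


def customer_reads_sms(message, intended):
    """Simulated customer: types the code in only if the phone shows the payee
    and amount they actually meant to pay."""
    expected = f"Transfer {intended.amount_cents / 100:.2f} to {intended.payee}?"
    if not message.startswith(expected):
        return None
    return message.rsplit("Code: ", 1)[1]


def demo_login_only():
    bank = LoginOnlyBank()
    token = bank.login("alice", "correct horse battery staple")
    # Malware on the PC holds the same session token the customer obtained.
    stolen = bank.transfer(token, Transfer("Mule Account", 5000))
    return stolen, len(bank.ledger)          # (True, 1): accepted, no evidence


def demo_dual_channel():
    inbox = []
    bank = DualChannelBank(inbox.append)
    intended = Transfer("Bob", 5000)
    # 1. Honest flow: phone shows Bob, customer enters the code, bank logs evidence.
    txid = bank.request_transfer(intended)
    code = customer_reads_sms(inbox[-1], intended)
    honest = bank.confirm_transfer(txid, intended, code)
    # 2. Malware rewrites the payee before the request leaves the PC; the phone
    #    shows "Mule Account", so the simulated customer refuses to enter a code.
    tampered = Transfer("Mule Account", 5000)
    txid2 = bank.request_transfer(tampered)
    declined = customer_reads_sms(inbox[-1], intended) is None
    # 3. Malware replays the earlier valid code against the tampered transfer.
    replay = bank.confirm_transfer(txid2, tampered, code)
    return {"honest": honest, "customer_declined": declined, "replay": replay,
            "ledger": len(bank.ledger), "evidence_records": len(bank.audit)}
```

The audit list is the point: after the dual-channel flow the bank holds a record that a code bound to exactly this payee and amount was entered, which is the evidence the post says a login-only system cannot produce. Note that the second channel only helps if the phone is not also compromised and if the customer actually reads the payee on it; the simulated customer here always does.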

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
