The bank fraud blame game
Ian G
iang at systemics.com
Sun Jul 1 12:30:27 EDT 2007
Florian Weimer wrote:
> * Jerry Leichter:
>
>> OK, I could live with that as stated. But:
>>
>> The code also adds: "We reserve the right to request access to
>> your computer or device in order to verify that you have taken
>> all reasonable steps to protect your computer or device and
>> safeguard your secure information in accordance with this code.
>>
>> "If you refuse our request for access then we may refuse your
>> claim."
>
>> The delay between when you were defrauded and when they request
>> access is unspecified.
>
> But if you don't do this, customers can repudiate *any* transaction,
> even those they have actually issued. In other words, you run into
> tons of secondary fraud, where people claim they are victims, but they
> actually aren't.
>
> Customers need to provide some evidence that they are actually
> victims. Just claiming "the virus did it" can't be sufficient.
Banks are the larger and more informed party. They need to
provide systems that are reasonable given the situation
(Anglo courts generally take this line when pushed; I'm
unsure what continental courts would do with that logic).
Customers aren't in any position to dictate security
requirements to banks.
Unfortunately for the banks, there is a vast body of
evidence that we knew and they knew or should have known
that the PC was insecure [1]. So, by fielding a system --
online commerce -- with a known weakness, they took
responsibility for the fraud (from all places).
Now they are in a dilemma. The customer can't provide
evidence of the fraud, because the system fielded doesn't
support it (it's login authentication, not transaction
authorisation). The NZ response above is simply not facing
up to the facts; it is trying to create an easy way out that
(again) shifts the liability to the customer.
They now face the question of whether to roll back online
access or to upgrade with some form of dual-channel
authorisation [2].
iang
[1] To my knowledge, continental banks knew of the risks and
acted in the 90s, then scaled it down because the risks
proved overstated. Brit banks knew of the risks and didn't
care. American banks didn't care.
[2] Again, continental banks are shifting to SMS
authorisation (dual-channel) ... Brit banks are unsure what
to do ... American banks apparently don't care.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com