Time to switch to bitcoin.
Same interest rate (0%). Same uncertain future. Better chance of not being defrauded.
Bank customers may be obliged to bear the bill for fraud against their accounts, under proposed changes mulled by banks, the UK government and GCHQ. Under the plans, individuals or companies with poor online security could be “frozen out of banking services or even excluded from the system whereby banks compensate customers …
Surely this is a many-way thing?
Banks are accountable for their systems and making them secure in the first place. Not our fault if their back-end systems and applications are poorly written or don't comply with good practice.
Conversely, customers should be a bit accountable against "stupid things" - giving out PIN numbers and personal data to people who ask for it.
However it would be naive to expect every person of any age and intelligence to be fully up-to-date with all methods of attacking banking.
Whose fault is it, for example, if someone skims my bank card at a hole in the wall, or malware gets onto a web site that I visit?
Is it
- the virtually anonymous web site with all its security / defects
- the customer who just wants to buy something
- the bank.
Sounds to me like it's just big business trying to dump on the smaller guy again.
I wonder what the impact on the economy would be if people don't trust the banking system any more?
In addition Britain seems to be unique in my experience of not commonly using card readers. The Netherlands have had them for at least 12 years as have Germany, and these have dramatically reduced fraud of this type. I asked Lloyds if they have one to use on their normal account and they looked at me as if I had asked for a glass of unicorn milk. Perhaps the UK banks could update their systems to something at least from this century.
Nationwide have only recently improved their website rating from an "F" fail to a "B" rating; RBS scores an "A". (SSL Labs online test: https://www.ssllabs.com/ssltest/index.html).
If they're thinking of shoving fraud liability onto the customer, they should at least start by making sure all their sites are A+ at the very least.
Icon: Your local bank manager (that's right, he's gone to a better place).
> If they're thinking of shoving fraud liability onto the customer, they should at least start by making sure all their sites are A+ at the very least.
They should do a whole load to improve security.
I'm thinking primarily of the "3D Secure"[1] system. The banks are actively promoting putting (fragments of) a password into an iframe on a website that does not come from the bank's server. IIRC, even the iframe does not come from the bank.
This is just asking to be MiTMed...
Vic.
[1] Ha!
I've been a customer of at least 10 different banks here in Germany, business and private, over the last 20 years. Only 2 or 3 of those actually wrote their online banking can work with card readers. 2 even offered card readers in their shop, somewhere around € 30-35.
Yes, in NL it's a default completely.
Can't say if NL is more secure or pays less in total for fraud damages.
Sure card readers help, but then again one should also ask oneself whether it isn't there to just create a false sense of security. For the Netherlands specifically, the "change of liability" now suggested in the UK already happened there in 2013 (https://www.security.nl/posting/370459/Banken+stellen+nieuwe+regels+voor+internetbankieren) when the banks (were allowed to) instate policies, making the customer mainly responsible in cases of fraud, and putting the obligation to prove no neglect and/or wrongdoing on the customer. I remember because of the initial outcry (which as always in the Netherlands died down, everybody forgot, while the policies are still in place) and the amusing discussion concerning standards. Ask yourself, when is your system up-to-date? Well protected? Ahhh, virus and malware protection... Closed system you say? Anybody see "opportunities" for quick issue resolution? Oh, and don't even think of using that funny free software crap called Linux (which they use for their own servers), because that isn't recognised as a "safe OS" by Dutch banks (http://langleveeuropa.nl/2013/11/klant-nu-verantwoordelijk-voor-beveiliging-van-banken-en-aansprakelijk-voor-schade/). =0
I have a card reader I don't use because if I use it, I assume liability for fraud, or what appears to be fraud. Read the fine print of your agreement. However, if I stick to the password and security questions, there is a grey area of doubt. I also use the phone for those transactions I can't do online.
The banks have been trying to palm off responsibility for errors for decades. I remember arguing until I was blue in the face that some cash-point machine error had nothing to do with any personal security lapse, and finally they admitted that the machine had a glitch and all customers that day had similarly had 'sloppy personal security'. Banks are always willing to let us take the blame, knowing it's almost impossible to prove that we are innocent.
Well said! I had an argument with a bank thirty years ago about their supposedly 'unbreakable security' when I noticed a £50 withdrawal from my account that I knew I hadn't made. Given that back then I worked as a mainframe operator and was a keen computer hobbyist, I knew darned well I was being fed a load of BS, and as they wouldn't restore the stolen funds to my account (withdrawn in a town I'd never visited, and bearing in mind I can't drive, at a time I couldn't have been there at and still been in the bank's face about it the following day), I promptly changed banks.
I've long wondered whether the move to online banking was pushed so hard at least in part with an eye to eventually trying to blame the customers for any losses. Let's face it, the internet as it currently exists and is used, is simply not fit for purpose for online banking. The banks are liable in encouraging customers to try to bank that way, IMHO.
Yeah, far better to stick all your notes in a mattress.
In this day and age of negative interest, and the banks trying to take any and every advantage over their users.... (see this article)
What exactly would the difference be... At least I know that my Money would be safer with me.
How do you prove who is liable?
Is it me for not updating my operating system?
Is it the manufacturer for not supplying an update?
Is it the bank for allowing the software to run or install on my computer or device with outdated software or browser?
Is it me for not running or updating anti-virus?
Is it the anti-virus software for not spotting a zero day vuln?
If you move liability away from the banks then does anyone really think they are going to spend money on decent security?
Why is it that we have an elected government by the people that never actually works in the interest of the people? Change needs to happen.
"I have a sneaking suspicion that the customer will be liable by default"
^This.
For some time, the banks I log into were trying to push Rapport, for example - and I even had conversations with banking staff in which they asked if I had it installed and suggesting I install it if not (I usually told them exactly what I thought about that piece of software).
I can well imagine it being a case of "Didn't have Rapport installed? Definitely your fault, then."
Similar issue a couple of years ago with Rapport, and after being ceaselessly nagged by the bank website to install it, I rang their online banking tech support to try to have a sensible conversation. More fool me.
My questions:
"Why does your site keep nagging me to install a piece of software when I'm a Linux user (as your site can tell from my browser) and you provide only Mac and Windows versions of this software? If this software is so important for online banking security, where can I get hold of a Linux version?"
Their *online banking tech support person* response:
"What's 'Linux'?"
FFS.
You forgot the part where the bank expects you to run some shit that they have been paid to plug, lie about, and if you're lucky it only cocks up your machine.
I'm thinking here of NatWest's constant nagging for my mother to install Trusteer Rapport... well... http://www.advantage77.com/2014/09/03/rapport-more-problems-than-its-worth/
As is common in the computer industry, Trusteer Rapport is an absolute con. They've conned the banks into buying this shit off them. The banks give it away to make people think they (the bank) care about security. They don't. They don't understand security. They are sooner or later going to insist their users run Rapport. When they do, I'm not using online banking any more, at least from a PC.
Whenever we have a client with poor speed, intermittent network connection or just plain weirdness on their computer, first thing we look for is Rapport. Removing it usually solves the problem. At best, it slows down internet access; at worst it completely fucks up the machine, resulting in problems booting. I've seen it.
Sounds like a nice little earner.
I suspect the bank receives a direct commission from sales resulting from their referrals. Why would they care that it's snake oil their trusted partner is flogging to their hapless customers, as long as it brings in $PROFIT?
Doubtless they'll be getting a nice little commission on the fraudulent debits they allow from your account too, once they've bought this "proposed" legislation. Just as they do in the US.
... I get to specify hardware, software, development methods & tools, uk-based operations, staff pay and conditions at the bank it dept.
Or to put it more simply, I'll take the blame for electronic fraud once I am CTO. Otherwise, the current CTO should take responsibility.
The reality is that:
Bank will specify hardware: PC
Bank will specify software: Windows with bank sponsored malware (sorry, security software) installed via a bank affiliated download so that the bank gets its marketing cut. The favorite is some crapware named after some mutt variety.
Bank will specify development methods: Bangalore
Bank will specify location of operations: Bangalore
And you will have the responsibility. HSBC already tried that. More than once.
I tried to raise with them the fact that the way they have redirected to the co-sponsored download was open to cross-site scripting, so _ANYONE_ could shovel a download to a customer PC through that hole and the customer would have accepted it as verified by the bank. This gives you the idea of the competence involved.
After spending 10 minutes trying to parse Bangalorian into English I gave up, closed the account and moved to Nationwide.
> After spending 10 minutes trying to parse Bangalorian into English I gave up, closed the account and moved to Nationwide.
Late last year Nationwide outsourced a load of their IT operations to CrapGemini, and signed an automation deal with TCS, so you'd better move again. Meanwhile the CEO of Nationwide paid himself £3.3m last year, an amount that has doubled in five years.
It would seem to me that the management of Nationwide are the same talent free snout-in-the-trough types as run the rest of the financial services sector.
If conscious culpability can be proven by proper process of court, then fine... but that's not what this is, of course. Arbitrary shirking by the thereafter-wilfully-negligent corporation: just like the US. Our money-grubbing twats have "identity theft" (sic) envy.
Still... if they get their grubby little scam passed, it'll be good motivation to move my banking to a more civilised country... and I'll probably pay a bit less tax as a result :D
Well I have on line accounts with multiple banks (I'm not rich it's different accounts for different uses) and I won't use the suggested anti virus software from any of them.
Their software is invariably huge, hogs the CPU and doesn't play well with other regular AV software. Anyone tried Rapport?
Let alone trying to host multiple banking security software on a single device; that would make psychotic ferrets in a sack look like a Buddhist monastery at prayer by comparison.
Rapport is shit, pure and simple. At best it just makes your internet slow. At worst, it will brick your PC. I tested it once. I had made an image of a PC. I tried to take Rapport off the machine and it tried to make me keep it by saying that it had protected me from 6 actual online threat instances. I reloaded the image and tried again and it said it had protected me from 4 actual online threats.
So it seems it lies to you as well as fucks with your PC and steals your information.
Banks encourage bad consumer IT security practices.
Cannot comment on "modern" logging into online banking as I have avoided it since the early days, after the initial online banking offering made to me was IE only with no solution available for a more configurable / secure browser on a more secure OS. Happily functioned without online banking so never revisited to see the current state of play in online banking logon.
However I have encountered the dross that is 3DSecure ( Verified By Visa et al), so often used when you are asked to purchase something - lots of dubious js / traffic to site(s) totally different to the vendor website, the sort of thing that would make a security savvy user think there was some dodgy 3rd party attempt to defraud them, and people are encouraged to think this is a good security model! No wonder so many people are defrauded online.
Despite their bad treatment of staff & tax dodging, which I dislike massively, Amazon grudgingly get some of my online purchases heading their way, precisely because they do not do verified by visa stuff (I abort transactions if VbyV stuff used).
(Amazon get my cash in cases when other places I have tried to buy from have gone all VbyV on me, & I have lost will to live in trying & failing to find a non VbyV vendor that is not Amazon for that item)
There used to be other sites that did not require javascript, but they changed and I abandoned them. I would really like Amazon to have some competition, but there are only so many times I am prepared to fail to create a new account before I go back to the site I know will work.
If only 'Do you want a free trial of Amazon Prime' were as simple to avoid as a Windows 10 downgrade.
That "Verified by Visa" crap is the only reason I use a credit card (credit cards don't prompt the Verified by Visa window when online shopping). Really, VbV is the most useless thing I have ever seen, and works so rarely that it can make a 2 minute online shop last 30+ minutes.
Quite frankly, things are going in such a bad direction with banking that I have switched to cash only. Apart from the credit card for online purchases, everything else is cash. No need for a card reader, a PIN, some sort of fancy in-phone-contactless-app crap or other tracking system wrapped in a security nightmare that I will be liable for. When I want to buy something I just put down the cash, with no faff.
I also rediscovered the joy of actually going into my branch and dealing with my account with a human being. Usually I can get problems fixed quickly, and my complaints have to be dealt there and then by the manager rather than a ticket logged somewhere in Bangalore after waiting 30+ minutes on the phone. Of course, because everyone does online banking now, the branch is usually really empty as well.
Although I concede that not everyone has a local branch nearby, I would imagine most do. Bank branches are pretty common, along with a pub and post office, even in small towns.
@tiggity
> (Amazon get my cash in cases when other places I have tried to buy from have gone all VbyV on me, & I have lost will to live in trying & failing to find a non VbyV vendor that is not Amazon for that item)
You can ring your card issuer and ask for VbV to be removed[1]. That was several years back now and only once since then have I had to buy using a different card because a site refused to work without VbV on.
[1] Well, my lot did it for me. YMMV.
One of the reasons that people get caught by phishing attacks is the banks' idiotic behaviour when they call you and demand you answer "security questions" - when *they're* the unknown quantity.
I always decline to do so, and try to explain that I'm not going to answer questions from some random stranger who's called my number, and nor am I going to call any number they give me - at least not until and unless they prove who they are to my satisfaction first.
Another example of cretinous behaviour on their part:
Most of my bank accounts are protected by 2FA of one sort or another. One day, using a shiny new laptop, I logged in to one of my accounts (that uses a PIN protected challenge/response key generator thingy), authenticated with multiple user codes, plus the 2FA response, arranged a regular payment _to an existing recipient_, received confirmation of payment and logged off.
A couple of days later, I went to log in again, to be told that my account was "not initialised properly" (or some such) and I could not login. Figuring this was some temporary glitch at their end, I tried again the next day. Still no access. After a couple of days of this, I gave in and called their support number. After passing their security questions, they told me that my account had been frozen (no payments out, internet access blocked) due to "suspected fraudulent activity" (the payment that I made online [by now] a week earlier [which they'd actually cancelled]). I asked what was the point of having and using 2FA and all their other security measures if they were all going to be overridden/ignored just because I used a new computer!
While I do appreciate that they are supposed to make efforts to prevent fraud, a single minor difference out of several test elements should not be enough for them to a) lock me out of my own account, b) cause payments to be summarily cancelled, and (most especially) c) do this all without making any sort of attempt to contact me in any way.
My bank do it right. For any new payments that I want to set up the process is so complicated that I have to look up how to do it each time. It is so much of a faff that I just phone them instead.
Banks have been trying to shift the onus onto customers for a while now. I get the argument that if there's no customer liability then customers won't take any care but if you're a bank, and you want me to use your online services because it saves you a ton of money, then it's your liability if that system is flawed (and that includes flaws that make it easy for the customer to make a mistake that allows fraud).
Both of these reduce Fraud. In a sense!
Except they reduce it MORE for the bank than for the customer. Because Chip & PIN fraud is usually deemed to be customer carelessness. Contactless was designed for warehouses. It should NEVER have been used for payments; it's not secure and people are being harvested with portable devices. Chip & PIN as implemented has a MASSIVE flaw as it doesn't depend on a connection to the bank to verify the PIN and there is inadequate physical security of shop terminals. MITM attacks.
All widely documented.
Banks are also stupidly outsourcing IT when it should be a core activity.
Banks are good at conflicting information too.
I had fraud on my chip and sign card.
Bank told me the transaction was pin verified.
I pointed out that surely if a C&S transaction has been pin verified, there's a very obvious bad transaction?
They said no, it's perfectly valid to do pin verification on an account with no pin.
This is completely wrong. Fraud has gone down to negligible amounts where CHIP & PIN has been introduced (except of course for Card Not Present, where there is neither CHIP nor PIN).
Why do you think the incidence of card present fraud is so high in the USA? It's because they haven't widely implemented CHIP & PIN. They're rushing to implement it now, but meanwhile fraudsters are having a field day.
Also, any issuer (e.g. a bank) must accept a no customer liability clause if they want to issue Visa Paywave or MC PayPass cards.
I avoid contactless since a friend I was with managed to spend rather a lot in a pub - rather more than we could have drunk - and we decided it must have been a deliberate scam in the bar in question.
In the co-op yesterday a young lad bought a lot of stuff with a contactless card - his behaviour suggested it wasn't his card. If the co-op can show his parents the items bought he may well get his arse kicked.
US card procedures have always been incredibly lax.
Back in the 90s, we went to the US with a new credit card and forgot to sign it. It was nearly a fortnight before an Amtrak office apologised for expecting it to be signed. Everyone else hadn't bothered to compare the signature just given with anything or been bothered that the card was unsigned.
Seems to be still true today. I had no trouble using my card even though I can never make two signatures that even look like the same name, let alone similar writing. Some admittedly old banknotes left over from a much earlier visit were only accepted with much discussion with other cashiers and checking with senior staff.
I got the impression that plastic transactions were insured but cash was not.
I certainly hope this change fails or is re-worded correctly. I mean, clearly if the account holder was stupid and shared their details they should just be told tough.
Like myself though, I was defrauded years ago by card skimmers messing with (Shell or Total) petrol station terminals and after a good 3 to 4 week investigation it was determined that it was not my fault. If this happened and they made me pay for it I would certainly be mighty displeased (and tell them to bugger off and move bank).
Can you imagine the lawsuits that will happen. Hell, something like this can easily bring about a class-action style case and become the next PPI problem.
... but only when the customer is actually liable.
The bank specifies the equipment and the security measures used, the bank controls the processes by which online trading and online banking are carried out; these processes produce audit trails, and it is the bank that has access to those data. The onus MUST therefore be upon the bank to prove that a customer has done something fraudulent -- or at least negligent -- and the bank must bear the cost in cases in which it cannot demonstrate such proof.
If the bank wishes to reduce the incidence of fraud it is the bank that is in a position to improve security, not the customer, so the bank must bear the responsibility for their security being effective.
"UK banks - unlike those in the US - routinely cover the costs of online fraud, at least in cases where customer negligence (such as sharing PIN codes or cards with third parties) is excluded."
What are you talking about? There is not a single US bank I'm aware of that charges consumers one penny in the case of fraudulent purchases. (Technically the law allows up to $50 in liability, but in practice precisely zero banks do this.)
What rock have you been living under?
Here's an example of how it's done... once liability has been safely transferred to YOU, of course:
1) Your bank forms a "trusted partnership" with a convicted fraudster.
2) Your bank then sells your account details (name, address, account number, etc) to its new bestest mate evva.
3) $$$PROFIT$$$
4) "Trusted partner" then returns your account details to your bank, with a little note attached, saying something like "Customer has opened a £19.95 monthly debit over the telephone (Honest!) but don't attach our company name to it - mislabel it as something innocuous and official looking. Cheers mate."
5) Your bank starts slipping little bungs of "your" money to its "trusted partner"
6) $$$PROFIT$$$
7) You'll notice at some point and cancel further* debits... but the elderly/absent minded/otherwise vulnerable will be defrauded for the rest of their lives...
8) $$$AWESOME$$$ENDLESS$$$$PROFIT$$$
Google will give you specific examples if you need them. For starters you might like to try:
"bank of america" scam "customer years" coverdell
Another name it's been done under is "Plan Administrator"...
Coming to Blighty soon, by the sound of things - if the British political swine have their snouts stuffed firmly enough into the trough... and it certainly sounds like they do...
*NO. You can't have any of "your" money back: IT'S YOUR RESPONSIBILITY TO STOP US GIVING "YOUR" MONEY AWAY. Sucker :P
(as Steve Foster said above)
... Banks and other institutions have spent nearly two decades phoning people up and asking them to 'go through security' --- so much so that if you answer the phone and say "err, only if you can prove who you are" they are usually gobsmacked.
One guy said, ok, let me give you a number and you can call it back. Err, hello? Was it or was it not your institution that told me not to click on links in emails purporting to be from you? So I shall not be ringing any number you give me.
Several years ago, the bank called me. Dunno why. As soon as I knew it was "the bank", I asked the woman to tell me two direct debits on my account and the amounts they are for. She told me she didn't have access to that information. I told her she had failed to verify that she was in fact from the bank. Then I hung up on her. A bit curt, perhaps, but how dare they repeatedly ask me my mother's favourite colour and that sort of rubbish when I call them, but expect a simple "hi, it's the bank" to work when they call me?
My usual attitude now is to ignore any and all emails, and tell callers to put it in writing. If I have a proper headed letter I'll pay attention to it. Nothing else.
The co-op bank did this to me.
They could not comprehend that repeatedly re-assuring me that they were from the bank was as useless as it was easy.
I called them back, on a published number, got through to the extension of the person calling me, only to be told:
We just wanted you to know that now we have merged with CIS we have a wider range of financial products available...
aggghhh
At least HSBC stopped calling me with sales calls after one of these "you called me, there's a fair chance that the person answering the number you dialled is me or at the very least someone with access to my phone, you could be calling from anywhere in the world, so I'm not giving you any information whatsoever until you prove who you are, and no I'm not calling you back on any number you give me - what sort of idiot do you take me for" exchanges.
I made a right fuss about it, and how it really just blew all their security out of the water. What's the point of telling customers to "be safe" when the banks themselves ignore all their own instructions. Ditto those who repeatedly send me emails which include "you can tell this email is genuine because ...".
The downside is that when they do actually phone you for a genuine reason (they'd detected fraudulent activity with my card), it can be hard when calling back through the contact centre number to find out who you need to speak to in order to find out what the issue is.
BTW - if anyone is under any doubt about the supposedly unbreakable security of Chip&PIN, head over to https://www.lightbluetouchpaper.org and see their blogs on the subject. They've comprehensively proved that there are multiple flaws in the system, which are design flaws, and about which the banks have full knowledge. So next time the bank tells you it's 100% secure, you can call them a liar and be right.
And for a bit more fun, see how easy (or otherwise) it is getting a non-contactless card next time they try and foist this on you. Responses I've had vary from "no problem" to "no way" (the latter getting a "in that case, your card doesn't get used" response).
That's whose job it is to ensure the plebs are kept away from anything actually secure.
You can bet your arse that with GCHQ in the loop NO bank will EVER accidentally recommend, or even accept, Qubes, Tails, BSD, CyanogenMod... etc... use any of those and your bank will give your savings away.
Approved "secure" systems will be assorted trusty combinations of Microsoft Inc., Apple Inc. and Google Inc. binary crapware. Nothing more.
and they keep asking me why not.
"Do you know what a trojan is?"
"No."
"That's why".
I'm not a security guy or even a geek. I just know enough to know that no matter how good I think my security is, it probably isn't. And I'm certainly not minded to listen to people who know even less than me.
I used to be in finance (many years ago) and I found critical errors in several companies' systems - they couldn't even compute their own contract charges properly, and were stunned when a one-man-band outsider with no access not only told them they had errors, but also where they were and how to fix them. If they won't even build spreadsheets with quality control as standard, I really don't trust them for anything else.
Seems a reasonable response: if they make me liable for fraudulent Internet transactions then I will terminate my Internet banking. If they make me liable for fraudulent telephone transactions then I will terminate my telephone banking.
Eventually we all end up doing our transactions over-the-counter like 20 years ago, and the bank has to swallow the increased costs of doing business.
I have a friend who claimed chip and PIN was foolproof; he had read the documentation on the system.
I laughed at him at that point.
There is only one way that we will beat / reduce fraud, and that is with participation with the banks and their security measures.
Firstly I want to see and hear about their plans to prevent fraud, not the plan to punish me for using THEIR facilities.
BANKS, it is YOUR system not mine; if the criminal fraternity breach it, that is YOUR fault.
We could have 2nd and 3rd party verification processes, request-and-response phone messaging; please include a panic code for people being forced.
Register when going abroad, include region / city.
Then we can talk about sharing the final cost.
The sad part about this is that any bank could consider chip & PIN foolproof; they certainly aren't "lucky" foolproof.
The chances of "winning" on a stolen card are 1 in 3333*. If your modern-day Fagin and his crew steal 100+ cards a day, they are going to "win" the chip & PIN lottery several times a year. Meanwhile you as a bank customer are going to have to deal with the bank's line of "Chip & PIN is secure, you MUST have given out your PIN".
*The PIN can be changed on some cards. I'd bet that there's probably a statistical anomaly with the number of cards that have the PIN 1234**, 1793, 2486 etc, so the odds of guessing a PIN are likely to be better than 1 in 3333.
**Obviously if you do change your PIN to 1234, then the banks should hold you 100% to blame if someone uses your card to access your account.
recent family events, I had to set up new bank accounts
"Do you want to use online banking?"
"Nope, not secure"
"What about phone banking?"
"Not secure either"
"Why not?"
"Because you don't use 2FA." Service droid looks at me as if I had just sprouted wings and a forked tail. "But watching you log in on your bank-supplied tablet, it was clear you used 2FA to log into the bank's system, but customers get 1FA."
Service droid realises it's on a loser and changes subject: "Beautiful plumage on a Norwegian Blue."
I can see a sudden rush of people going into their bank branch for transactions again, just like it used to be.
Except no, most people will carry on because it could never happen to them (until it does).
There are reasons I only do banking transactions from one machine at home, and even on that one I decline their offer to 'remember me'.
Having said that, my bank does use 2FA for on-line banking, and one of the reasons I only bank from home is because that's where the card reader is.
Why do you think an over the counter transaction is more secure?
Some years ago my wife had her bag stolen while we were in a restaurant. It contained all of her bank and credit cards, and a cheque book (don't ask!). We reported the theft to the police and to the bank as soon as it was discovered - which would have been 1 hour at most after it took place. Bank took all the details, sent a "Loss Questionnaire" to complete and said the card was cancelled. A replacement card arrived within a couple of days.
Imagine her horror two weeks later when she withdrew some cash from an ATM and checked her balance only to discover it was almost zero rather than the fairly healthy sum she expected.
Subsequent investigation showed that somebody - either the bag thief or whoever they'd sold the cards on to - had made repeated withdrawals by cheque made out to "Self" over the counter in branches of the bank. Each withdrawal had been for more than the card limit, which means that checks should have been made each time. Not only that but more than one withdrawal had been made each day which (in the case of cheques to self) is supposed to be impossible.
All of that in branches of the bank - so much for security!
Due to having a bank steal money from me previously when I used an automated paying-in machine, I always do bank interactions with humans. And only Northerners and not some call centre in a random country. Have moved banks and utility accounts to all have UK telephone-based support. Makes a HUGE difference to one's sanity. (And the nice feeling of keeping someone in a job).
This means I have never used online banking. The idea being that I can't be liable if I have never used it. Yet two months ago my online account got hacked. Which is a little clever as it had never been enabled or used by me.
Or maybe it is just because my stupid bank has passwords, IDs and access codes as all numbers? How is that security? Especially as the numbers are too long to memorise.
When I got my access codes for the Telephone banking re-issued I was then told these are the same details as Internet Banking. Which I don't want to use. I asked them how do I change the passwords for the telephone banking to be more secure? I can't, unless I login to the Internet banking to change them.
So who would be liable for that? A system I never used, "protected" by a weak set of numbers that cannot be changed, yet it was still compromised by a random drive by attack which I only ever found out about when I tried to do some Telephone banking.
Then the bank of "under the mattress" is going to start receiving more custom.
Banks rely on trust to get your money, in order to sell it to other people (several times over).
They already don't pay out in the egregious cases where people screwed up their own security. If they start pushing it further, customers will start pushing back.
I've had this problem several times.
One was in early on-line purchases. Second transaction was rejected because of the distance and time between the transactions - hence I couldn't have been at both. Trouble was it was two web sites I visited. Damn fast those IP packets.
Also had a problem when booze cruises used to be the thing of the day. Stood at the front of a queue in a French supermarket with a trolley of booze and it says "non". Phone rings. Interesting chat with bank droid about how much they are annoying the long line of people behind me. It may be unusual, but I do have the choice about when and where I shop without telling the bank first.
Most recent was an on-line purchase that wouldn't go through. Phoned supplier: "Bank says no". Phoned bank: "something was wrong with the data you supplied", but they wouldn't say what didn't match so that I could correct it, even though I authenticated with them (but interestingly, not them with me??)
Turned out after several further calls and eventually speaking to a grown up that some of their new anti-fraud software had decided that my correct address was in fact wrong to the latest database they had purchased. House names were apparently no good any more. I now have to provide less information about where I live for the transaction to go through because the computer says no.
Net result, I get delayed, it costs me time and money, so I get grumpy quicker as that seems to get you to a grown up who can do something about it. As companies hide more and more behind service centres and scripts, this only gets more and more difficult to do. I remember a ye-olde expression, it was called customer service.
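The distance-and-time rule the commenter above ran into, as an added example that is not part of any post in this thread: a velocity check that only compares card-present transactions (which carry a terminal location) and ignores card-not-present web purchases, so two websites visited half a minute apart are not mistaken for two places the cardholder could not both have been. It is shown beside the naive version that treats any geolocated transaction as the cardholder's position. The merchants, coordinates, timestamps and the 900 km/h ceiling are all constructed for illustration.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class Txn:
    ts: datetime
    merchant: str
    amount: float
    card_present: bool
    # Card-present: coordinates of the terminal the card was dipped into.
    # Online: the only "location" a naive rule has is an IP or merchant
    # geolocation, which says nothing about where the cardholder is.
    lat: Optional[float] = None
    lon: Optional[float] = None


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two lat/lon points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


MAX_KMH = 900.0  # assumed ceiling, roughly airliner speed (constructed threshold)


def _speed_kmh(a: Txn, b: Txn) -> float:
    hours = (b.ts - a.ts).total_seconds() / 3600.0
    km = haversine_km(a.lat, a.lon, b.lat, b.lon)
    if hours <= 0:
        return math.inf if km > 0 else 0.0
    return km / hours


def _flag_pairs(seq: List[Txn], max_kmh: float) -> List[Tuple[Txn, Txn, float]]:
    """Flag consecutive transactions whose implied travel speed is implausible."""
    seq = sorted(seq, key=lambda t: t.ts)
    alerts = []
    for a, b in zip(seq, seq[1:]):
        speed = _speed_kmh(a, b)
        if speed > max_kmh:
            alerts.append((a, b, speed))
    return alerts


def naive_impossible_travel(txns: List[Txn], max_kmh: float = MAX_KMH):
    """The over-eager rule: every transaction with any coordinates counts."""
    return _flag_pairs([t for t in txns if t.lat is not None], max_kmh)


def impossible_travel(txns: List[Txn], max_kmh: float = MAX_KMH):
    """Only card-present transactions actually place the cardholder somewhere."""
    return _flag_pairs([t for t in txns if t.card_present and t.lat is not None], max_kmh)


# Constructed sample day: two web shops 30 s apart (geolocated to hosting in
# Amsterdam and Dublin), then a real cafe in London and a real shop in Paris
# ten minutes later, which genuinely cannot both be the cardholder.
T0 = datetime(2016, 1, 10, 10, 0, 0)
SAMPLE_TXNS = [
    Txn(T0, "webshop-a.example", 19.99, False, 52.3676, 4.9041),
    Txn(T0 + timedelta(seconds=30), "webshop-b.example", 4.50, False, 53.3498, -6.2603),
    Txn(T0 + timedelta(hours=2), "London cafe", 3.20, True, 51.5074, -0.1278),
    Txn(T0 + timedelta(hours=2, minutes=10), "Paris shop", 120.00, True, 48.8566, 2.3522),
]

if __name__ == "__main__":
    for name, rule in (("naive", naive_impossible_travel), ("card-present only", impossible_travel)):
        for a, b, v in rule(SAMPLE_TXNS):
            print(f"{name}: {a.merchant} -> {b.merchant} implies {v:,.0f} km/h")
```

The naive rule raises two alerts on the sample, one of them the two-websites false positive; the card-present rule raises only the London-to-Paris one. Online purchases need their own signals (device, address match, velocity of spend) rather than a physical-distance test.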
Bernard hyphen hoare of the Met started this hare running a while ago. I reckon a smart lawyer could come up with a form letter telling the bank to ignore any electronic instructions purporting to come from Mr A N Other.
I believe (Krebs - so perhaps not in UK) it's possible to put a stop on credit checks with the likes of the spies at Experian, thereby spiking any attempts to borrow money in your name.
I think you might be liable for $50 for debit card fraud, but there's a simple solution to that - don't use debit cards. I use credit cards, which have no liability for fraud, and you don't have to worry about not having any money if you get cleaned out while you're waiting for the bank to rectify things.
I admit I'm not really sure what the law is if someone steals my bank login and connects directly, but since I'm not signed up for any services that would let me write electronic checks or make transfers out of my account to accounts I haven't pre-authorized, I don't have to worry about that.
I am gradually moving money into bitcoins, and also keeping an eye on the other rising crypto currencies.
Banks still have some of my custom, but it is definitely time to diversify.
Make no mistake, I am aware of the problems with bitcoin and the unstable past.
However, when it comes to security vs cost, the banks charge me huge fees for moving money around (internationally), unless I am willing to wait days for it. They are fairly secure with their one-time password generator thingies, but the number of passwords and keys for my bitcoin account make it way more secure than a range of easily found out family information.
Nothing is truly secure, but make me choose and I will go with technology.
Banks could go a fair way to stopping phishing by refusing to serve branding images without proper referrer URLs. Phishing scams invariably link to the official web-based images, and stopping that, or (even better) replacing them with ones saying "SCAM WARNING!" would help. A little. Which is better than nothing. Of course, many people disable images in emails anyway, and the scammers may move towards embedding rather than linking images (or linking to copies elsewhere, which won't go unnoticed), but the latter will dramatically increase their data load, and in the meantime a few million gullible souls may become better educated.
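One way to implement the referrer check proposed above, as an added example rather than code from any bank or from the original post: the branding endpoint serves the real logo only when the Referer header names one of the bank's own hosts, and otherwise serves the warning image. The host names, asset bytes and WSGI wiring are constructed for illustration.

```python
from typing import Dict, Optional, Set
from urllib.parse import urlsplit

# Hypothetical first-party hosts allowed to embed the real branding.
TRUSTED_HOSTS: Set[str] = {"www.bank.example", "online.bank.example"}

# Constructed placeholder bodies; a real deployment serves actual PNG files.
ASSETS: Dict[str, bytes] = {
    "logo.png": b"<real logo bytes>",
    "scam-warning.png": b"<SCAM WARNING image bytes>",
}


def referer_host(referer: Optional[str]) -> Optional[str]:
    """Return the lowercase host from a Referer value, or None if unusable.

    The caller compares the whole host exactly (not a substring or suffix
    test), which is what defeats look-alikes such as
    www.bank.example.evil.test or evil.test/?u=www.bank.example.
    """
    if not referer:
        return None
    try:
        parts = urlsplit(referer.strip())
    except ValueError:
        return None
    if parts.scheme not in ("http", "https"):
        return None
    return parts.hostname or None  # hostname is lowercased, port stripped


def choose_brand_asset(referer: Optional[str], trusted: Set[str] = TRUSTED_HOSTS) -> str:
    """Decide which image to serve. No Referer (typical for mail clients)
    gets the warning, as does any host that is not exactly one of ours."""
    host = referer_host(referer)
    return "logo.png" if host in trusted else "scam-warning.png"


def brand_image_app(environ, start_response):
    """Minimal WSGI endpoint for something like /brand/logo.png."""
    name = choose_brand_asset(environ.get("HTTP_REFERER"))
    body = ASSETS[name]
    start_response("200 OK", [
        ("Content-Type", "image/png"),
        ("Content-Length", str(len(body))),
        # The response depends on Referer, so a shared cache must not hand
        # the real logo to a request that should have got the warning.
        ("Vary", "Referer"),
        ("Cache-Control", "private, max-age=0"),
    ])
    return [body]
```

Two caveats follow directly from the check: mail clients generally send no Referer, so the bank's own legitimate mailouts would show the warning too unless they embed images or use a separate path, and the bank's pages must keep a Referrer-Policy that still sends at least the origin to its own image host.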
Push this onto the users? Forget it. Why not force the users to have a secure password, and allow that secure password in their systems.
I see so many banking systems say you need over 6 characters but it has to be below 12 characters and not include characters xyz; how on earth can you create a secure password with so many restrictions?
Additionally hardly anyone does Google reCAPTCHA or two-step authentication texting a code to your phone, and the memorable information, why such a small list? Allow users to create their own question.
And then the government is not forcing shopping sites to secure your card details in a secure way, just mention TalkTalk here and others.
Banks and the government need to step up to the mark not hide behind a wall and say "not our fault".
So they make it impossible to avoid fraud by closing local branches and forcing us into a cashless society by forcing you to either use cash machines or chip and pin readers in stores which may have card skim / splitter cables / cameras attached, or shop online with static card details easily clonable by anyone who's seen your card for more than 2 seconds.
Why should I be liable if my local petrol station's dodgy employee has done something to their chip and pin reader to capture my details?
scumbags.
The fact is money is only valuable if people believe in it. With the general population having little control but required to pay all the bills for the affluent's failures and/or greed, perhaps it is time to return control of personal wealth to those having to work for said wealth.
Gold whilst not as good as essentials in terms of worth is more portable and generally accepted across the world.
I am all for taxation if it is spent on improving the safety/ environment / standard of living of me and mine but too often my tax is diverted to things I oppose without me having any say in it.
Too often my money is diverted to people who paid towards getting the politicians elected and this has been a problem since democracy was invented.
Personally I would make the consequences of corruption in office match the level of power they wield and apply it at all levels of government and their agents. Hopefully then only those that are seriously willing to risk all to do good will take the job for the betterment of us all. These people do exist but typically get pushed out by the "professionals" i.e. those just taking the post for money and personal power.
My bank sent me a new debit card; I didn't activate it for contactless use, which was an option. Recently it was scanned and yes, it worked. Not happy.
One of the I.T. lecturers I know is a former bank branch assistant manager; he refuses all their attempts to get him to do internet banking. Another has a portable card scan and clone unit that can read a card from several metres away, which he uses for teaching an I.T. security course, all bought off e-blag. Banks' consumer-level e-security is a poor joke at best.
Banks are all about physical security. Watch closely as the first staff member arrives and waits for the second before one of them enters the bank, observed from a safe distance by the other, to do the first security check; only when they come out and exchange their agreed pass phrases does the second enter and do the same checks whilst the first waits outside. Only when they are both satisfied do they both go in, and the daily symbol agreed beforehand goes in the agreed window, showing the main safe second key keyholder it's safe to enter, or the wrong symbol in the wrong window meaning not to enter but to pass by and call the Police. How many computer users would be willing to wait 30 seconds or more for a verification process of at least the same strength to work? That's why the banks will get away with it...