Friday, April 04, 2008

Users liable for phishing and hacking

(via Out-Law) Who should be liable when a consumer falls victim to a phishing attack? At least in the UK, the common banking practice has been for the bank to absorb some or all of the losses incurred by the customer. This is about to change with the new Banking Code. The Banking Code is a self-regulatory document for the financial services industry that sets out a number of best practices and rules, and it is sponsored by the British Bankers' Association, the Building Societies Association, and the Association for Payment Clearing Services (APACS).

One of the recommendations to consumers set out by the Banking Code is to keep one's computer secure by using up-to-date anti-virus software. This seems like sound advice. However, it comes with a barb: if the consumer does not fulfil this requirement, he or she may be liable for losses arising from fraud, phishing or other online scams or attacks.

The issue stems from the following sections:

10.3 "If we confirm a transaction is unauthorised, we will refund any interest charged, unless you have acted fraudulently or without reasonable care. [...]"
12.11 "If you act without reasonable care, and this causes losses, you may be responsible for them. (This may apply, for example, if you do not follow section 12.5 or 12.9 or you do not keep to your account's terms and conditions.)"
What does section 12.9 look like? It contains the following advice:
  • Keep your PC secure. Use up-to-date anti-virus and spyware software and a personal firewall.
  • Keep your passwords and PINs secret.
  • We (or the police) will never contact you to ask you for your online banking or payment card PINs, or your password information.
  • Treat e-mails you receive from senders claiming to be from your bank or building society with caution and be wary of e-mails or calls asking you for any personal security details.
  • Always access internet banking sites by typing the bank or building society’s address into your web browser. Never go to an internet banking site from a link in an e-mail and then enter personal details.
  • Follow our advice – our websites are usually a good place to get help and guidance on how to stay safe online.
  • Visit www.banksafeonline.org.uk for useful information.
I am confused about the last two. Are those recommendations or requirements? Similarly, how would a bank determine that your anti-virus was out of date at the time of the fraud? How would a financial institution establish that you had kept your PIN and password secret? And I receive an e-mail from my credit card provider every month with a link to their website. Does following it violate the requirement to access the website only by typing the address into the browser?

While I agree that users should be proactive in protecting their data and avoiding scams, I am not sure that this list can be enforced: most of its items leave no evidence a bank could check after the fact. Thankfully, the Banking Code is only soft law.

1 comment:

vijayashankar said...

Phishing is Hacking

The power of Indian Cyber Law is manifest in the definition of the Section 66 offence which covers a wide range of Computer and Internet Crimes including "Phishing".

Most of the time the attack ends up with a fraudulent withdrawal of money from a bank account. In view of the end result we often see only the "fraud dimension" of the phishing attack. These attacks consist of the following components.

1. Forging of e-mail headers

2. Spamming under the false name

3. Creation of pseudo websites/web pages which appear similar to the better-known bank site

4. Using the stolen password for entering the real bank system to withdraw money

Under Section 66 of the ITA 2000, these could be recognized as an offence notwithstanding the offences that may be recognized under the IPC. Victims would prefer action under the ITA 2000 since it also simplifies the recovery of damages through adjudication proceedings... Naavi of Naavi.org