German Court Rules That Clients Responsible For Phishing Losses 245
benfrog writes "A German court has ruled that clients, not banks, are responsible for losses in phishing scams. The German Federal Court of Justice (the country's highest civil court) ruled in the case of a German retiree who lost €5,000 ($6,608) in a bank transfer fraudulently sent to Greece. According to The Local, a German news site, the man entered 10 transaction codes into a site designed to look like his bank's web site and his bank is not liable as it specifically warned against such phishing attacks."
Re:Lets just hope (Score:5, Insightful)
Why? How should a bank discover the fraud, if everything is authenticated correctly?
Is a bank also responsible for your losses if a guy comes to your front door, poses as a bank clerk and you cut him a cheque?
Tricky (Score:4, Insightful)
I do kind of agree with this; beyond a certain point of security measures, information campaigns and automated fraud-protection mechanisms it starts getting unreasonable to expect the banks to take financial responsibility for their customers' stupidity.
Now I agree that the bar should be set very high, but at some point you have to accept that there are very stupid people out there who will do everything in their power to circumvent the things you put in place to protect them from themselves and it's not really fair that the rest of us should have to pay to bail them out (which is essentially what happens, the banks inevitably pass on the costs of fraud to their customers).
Re:Lets just hope (Score:5, Insightful)
What? Read the article. The person who committed the act of stupidity is the person paying for it. This is the way it has to be.
If the banks payed for the stupidity of this man there'd be no incentive not to be stupid.
Re:Lets just hope (Score:5, Insightful)
Why ?
The judge is right, there's no real viable way the bank can protect against this, even more modern protection schemes involving SMS messages still involve the enduser, and if he happily provides the received code to www.illtakeyourmoneythanks.ru despite numerous warnings from the bank (I have a similar bank, they clearly try to educate their users but as always most users are rather lazy than informed.) well, then there's really no way you can still blame the bank.
I know a large amount of users here are from the US and used to credit payments (as opposed to debit, which is the case here). Credit cards generally involve some (at first glance) better customer protection by laying all the risk at the seller, but debit cards almost never do this (and there's no need really).
I wouldnt go so far as to call the victim in this case an idiot, i don't know the guy, and it sounds like something that 1 in every 5 people who operate a computer would fall for at some point or another. But not following safety instructions from your bank, when they're clearly displayed EVERYWHERE, and get send to you in both real letters and as regular email updates, well i'd say the bank tried. My bank even gives free financial and online security seminars for people who aren't sure they understand what all the fuss is about.
It's always the fault of that 1% (Score:5, Insightful)
Phishing, as we all know (at least those of us who frequent sites like /.) is a scam - and we also know that we should be responsible for our own action, however stupid it might turn out to be
But there are people who will never want to be responsible for any of their own action, and they will tell you that it's all the fault of that "1%" --- including those "banksters", and those "judge"
There is a maximum level of customer stupidity... (Score:5, Insightful)
... for which the bank still is liable. In this case, the customer grossly exceeded that level IMO.
However, what I am wondering is why the Greek bank (that could not identify where the money had gone to) is not liable. That is the real problem I see here. AFAIK, a bank has to be able to cancel a transfer up to 6 weeks after the transfer at the sending bank's request. So either the customer not only gave away 10 TANs despite being warned, he also failed to notice the transfer for quite some time, or something else is amiss here that the news story does not tell.
Re:Lets just hope (Score:5, Insightful)
Lets just hope that it doesn't become European law. Actually I hope the judge loses a million
I'm not sure that I agree with that. Most phishing scams are rather obvious, and people really ought to look before they jump.
What feel is missing is that banks and other take it more serious and clean up their practises. Like, I have on a few occasions had my bank call me about something related to security (eg. an unusual transaction) - and bizarrely, the guy calling is reluctant or even refuses to give information about why he calls or which department he calls from - which makes it feel like yet another scam, even if it is genuine.
Ideally, they should give you a call, then let you call back on a security number posted prominently on their web-site (so that it is well-known). This ought to be basic routine.
Re:Lets just hope (Score:0, Insightful)
And yet if this ruling occurred in the US I'd be reading the usual trite comments about how this could only happen in America, the country where the rights of corporations and banks are put above the rights of citizens...
Re:Lets just hope (Score:4, Insightful)
Banks could also require people to show up in person at a designated branch, present five different forms of identification, sign fifteen release forms, and swear a blood oath to Odin before agreeing to any transaction whatsoever.
My point is very simple: it is not the bank's fault that the client acted in a manner contrary to his own financial interest. Society as a whole operates on the principle that services are generally tailored to the majority. The majority isn't suffering from these issues. If the minority affected by these issues so desires, they're more than welcome to resume good old fashioned "drive down to the bank" methods.
What you're advocating is just another step toward a total nanny state where everyone walks around in government-mandated plastic bubbles. Have fun with that; I won't be attending your party.
Re:Lets just hope (Score:5, Insightful)
To be fair, the banks do not allow you to opt in to security features or opt-out of security liabilities.
I'd love if my bank would allow me to secure my checking account to restrict outgoing payments to a list of accounts/payees confirrmed by the branch.
I'd love to opt-in to a second factor token authentication and 2nd bank card pin that has a lower withdrawl limit or one time pin that I can use in sketchy ATMs POS systems.
I pay the bank dearly to protect my money and deliver service. They have had years to spend on R&D. Luckily, I have not been affected by the lack of security or insurance from my bank.
Re:It's always the fault of that 1% (Score:5, Insightful)
Not necessarily - You can take responsibility for your actions and still believe that bankers (more precisely, many investors) are not held accountable for their losses.
That "1%" has the ability to screw things up and still get huge bonuses/payments equal to what would take someone with an average salary 50-100 years to make. Not is not being held responsible. Even someone who is responsible for their actions, ESPECIALLY someone who is responsible for their actions, can see that.
* note - I had not money lost in the meltdown, but at the same time, if I screw up like some of those people did, in my job, then I'd be fired on the spot, and rightfully so. Likewise, if I were dumb enough to enter my data to fraudulent site, then it would be my responsibility to fix the issue, and rightfully so.
Re:It's always the fault of that 1% (Score:4, Insightful)
Likewise, if I were dumb enough to enter my data to fraudulent site, then it would be my responsibility to fix the issue, and rightfully so.
Does that apply if you are unaware of the fraud? For instance DNS hijack, MITM attack, both of which ensuring the first instance of you knowing of compromise is when you check your statement or the bank freezes your account? What about if your card is skimmed? [geek.com] It's happened to me, and I only ever use ATMs on bank buildings and am meticulous about shielding my PIN.
A lot of this isn't relevant to the story, but your statement is overly vague.
Re:It's always the fault of that 1% (Score:5, Insightful)
Yes! Absolutely! Why does everyone feel so entitled to be unaware of their own finances and security to the point of blaming the BANK for a scam?
Obviously the scammer broke the law. But if you can't catch the scammer, it doesn't give you the right to go find the next convenient party and blame it on them.
In this case, the scammer made a site that looked like the banks, but if the site looked like paypal's or the state lottery, and demanded your bank information, do you blame it on paypal/lottery? Obviously not, because they had nothing to do with the scam. Same with the bank.
Welcome to the real world, where if you're unaware of a mistake, it's still your mistake (for giving out 10 TAN codes and ignoring the phishing warning). Catch the crook if you can, but don't blame the service provider for not making their service idiot-proof, especially if you have other banking options anyway.
Re:Lets just hope (Score:4, Insightful)
Shouldn't the criminal phisher be responsible? So I leave my car unlocked and someone steals it. You could say "you idiot you deserve that". Does the thief gain legal rights to my car now?
You mix up things.
Of course the one stealing your car commits theft, as does the one stealling the 5000 Euro from this person's bank account. And those criminals, when caught, will be held responsible.
The question here is who's liable for the damage incurred by the theft. In case of your car being stolen, you will not be able to get any damages from the car manufacturer arguing, say, not good enough locks on the doors. Just like in case of the money stolen from the bank account, the bank is not liable, and the judge ruled that the locks the bank put in place were good enough, and that the bank client should have taken better care.
And even if the criminal gets caught, that doesn't mean the victim will get their money or car back. So they still lose out.