
German Court Rules That Clients Responsible For Phishing Losses

Posted by samzenpus
from the be-more-careful dept.
benfrog writes "A German court has ruled that clients, not banks, are responsible for losses in phishing scams. The German Federal Court of Justice (the country's highest civil court) ruled in the case of a German retiree who lost €5,000 ($6,608) in a bank transfer fraudulently sent to Greece. According to The Local, a German news site, the man entered 10 transaction codes into a site designed to look like his bank's web site and his bank is not liable as it specifically warned against such phishing attacks."
  • Very true (Score:5, Interesting)

    by Chrisq (894406) on Thursday April 26, 2012 @05:19AM (#39804443)
    A key finding from the Security expert Ross Anderson is [cam.ac.uk]:

    Another unexpected finding was the relationship between risk and security investment. One might expect that as US banks are liable for fraudulent transactions, they would spend more on security than British banks do; but our research showed that precisely the reverse is the case: while UK banks and building societies now use hardware security modules to manage PINs, most US banks just encrypt PINs in software. Thus we conclude that the real function of these hardware security modules is due diligence rather than security. British bankers want to be able to point to their security modules when fighting customer claims, while US bankers, who can only get the advertised security benefit from these devices, generally do not see any point in buying them. Given that the British strategy did not work - no-one has yet been able to construct systems which bear hostile examination - it is quite unclear that these devices add any real value at all.

  • Re:Lets just hope (Score:5, Interesting)

    by Anonymous Coward on Thursday April 26, 2012 @05:24AM (#39804461)

    The problem with this ruling is that the customer hardly had a chance. The bank offers an authentication protocol that is vulnerable to a widespread and difficult to defend against type of attack. The bank knew that the protocol isn't secure and even warned about the vulnerability. All this despite the availability of protocols which are much more secure.

    Suppose a credit card company told you to keep your credit card number secret and declined responsibility for fraudulent transactions because you once handed your credit card to a waiter. Would that be OK? If the bank offers a vulnerable protocol, it should bear the damage.

  • by PSVMOrnot (885854) on Thursday April 26, 2012 @05:35AM (#39804521)

    It has irked me for quite a while how lacking internet banking is in terms of security. That is not to say that the measures they have implemented are ineffective, but rather that they miss out on entire classes of security. It's as though they stick a bunch of locks on the front door, but leave the bathroom window wide open.

    The most obvious one: bi-directional authentication. Banks require you to prove you are who you say you are. This is done by a variety of methods from passwords to hardware card reading gizmos which spew out a limited time code. What they neglect to do is prove that they are who they say they are.

    If the first step in authenticating your identity was one which authenticated the bank's then it would be a lot harder for phishers to pretend to be your bank.
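The bi-directional authentication PSVMOrnot describes can be shown as a simple challenge-response exchange. The code below is an added illustration, not from the original post or from any bank's system: it assumes a per-customer secret provisioned out of band (a hypothetical value here), has the bank prove itself first by answering the client's nonce, and only then lets the client authenticate. A look-alike site without the secret cannot pass step one, and a captured genuine answer cannot be replayed because the client picks a fresh nonce each time.

```python
import hashlib
import hmac
import secrets

# Constructed example value: a per-customer secret handed over out of band
# (hardware token, banking app). A phishing site never sees it.
CUSTOMER_SECRET = b"constructed-shared-secret-for-customer-4711"


def bank_prove_identity(secret, client_nonce):
    """Genuine bank: answer the client's challenge with an HMAC over a
    domain-separated message, proving possession of the shared secret."""
    return hmac.new(secret, b"bank-auth|" + client_nonce, hashlib.sha256).digest()


def client_verify_bank(secret, client_nonce, response):
    """Client side: credentials are entered only if this returns True.
    compare_digest avoids leaking information through timing."""
    expected = bank_prove_identity(secret, client_nonce)
    return hmac.compare_digest(expected, response)


def client_prove_identity(secret, bank_nonce):
    """Second half of the exchange: the client answers the bank's nonce."""
    return hmac.new(secret, b"client-auth|" + bank_nonce, hashlib.sha256).digest()


def bank_verify_client(secret, bank_nonce, response):
    expected = client_prove_identity(secret, bank_nonce)
    return hmac.compare_digest(expected, response)


def phishing_site_response(client_nonce):
    """A look-alike site without the secret can only produce a guess."""
    return hashlib.sha256(b"guess|" + client_nonce).digest()


def run_mutual_auth(bank_responder):
    """Drive the exchange against a bank-side responder callable.
    Returns (bank_verified, client_verified); the client stops after a
    failed step one and never sends its own proof."""
    client_nonce = secrets.token_bytes(16)
    if not client_verify_bank(CUSTOMER_SECRET, client_nonce, bank_responder(client_nonce)):
        return (False, False)
    bank_nonce = secrets.token_bytes(16)
    proof = client_prove_identity(CUSTOMER_SECRET, bank_nonce)
    return (True, bank_verify_client(CUSTOMER_SECRET, bank_nonce, proof))


def replay_attack_succeeds():
    """Attacker records a genuine bank answer for one session and replays
    it in a new session; the fresh client nonce makes it fail."""
    recorded_nonce = secrets.token_bytes(16)
    recorded_answer = bank_prove_identity(CUSTOMER_SECRET, recorded_nonce)
    bank_ok, _ = run_mutual_auth(lambda fresh_nonce: recorded_answer)
    return bank_ok


if __name__ == "__main__":
    genuine = lambda nonce: bank_prove_identity(CUSTOMER_SECRET, nonce)
    print("genuine bank:", run_mutual_auth(genuine))
    print("phishing site:", run_mutual_auth(phishing_site_response))
    print("replayed answer accepted:", replay_attack_succeeds())
```

The order matters: because the bank must answer first, a customer who lands on a look-alike page is stopped before typing a password or transaction code, which is exactly the step the phished retiree in the story was never given.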

  • Re:Lets just hope (Score:5, Interesting)

    by bickerdyke (670000) on Thursday April 26, 2012 @05:41AM (#39804563)

    That security protocol isn't in use anymore.

    The bank specifically issued a warning against exactly the type of attack the customer fell for.

    That ruling is in line with the laws in place in 2008, when that happened. Laws have been changed since then.

  • Re:Lets just hope (Score:4, Interesting)

    by ArsenneLupin (766289) on Thursday April 26, 2012 @06:06AM (#39804653)

    Why? How should a bank discover the fraud, if everything is authenticated correctly?

    Because they (possibly) enabled the fraud to take place. Quoting from the article:

    According to the Süddeutsche Zeitung, the transfer occurred three months after he entered ten transaction numbers, or TAN codes, on what turned out to be an illegally manipulated version of his bank’s website.

    So, how was the site manipulated? Did the attacker actually modify the bank's server? ==> In that case, bank clearly bears the responsibility, as they have a duty to keep their service secure.

    Or did the attacker take advantage of a fault in the user's OS or browser. ==> in that case, at first glance, the user would be responsible to run such shoddy software where this is possible. However, in the past, and possibly even now, many banks forced/are forcing their users to use such vulnerable software. If this is the case, again the bank should be responsible. The user would be well advised to go through the "General Conditions" for the web service of the last ten years, and search for any clauses such as "the user agrees to only use Windows and/or Internet Explorer to access the service". If any are found, he should clearly get his money back.

    Is a bank also responsible for your losses if a guy comes to your front door, poses as a bank clerk and you cut him a cheque?

    Yes, if the bank habitually conducts its business in such a fashion.

  • by Sycraft-fu (314770) on Thursday April 26, 2012 @06:08AM (#39804663)

    My bank authenticates itself in two ways:

    1) Using an Extended Validation certificate, so it shows up in green in the browser (instead of blue) and lists the full name of the bank.

    2) By showing me an image and phrase I chose on the login page.

    I can't really think of how they can do more to prove it is them, without really getting annoying. They also allow me to use two factor authentication (which I have elected to use) and require it when any change is being made to the account like adding a payee or the like.

    Is it perfect? No but I'm not seeing a whole lot more they can do and still keep things easy.

  • by TheRaven64 (641858) on Thursday April 26, 2012 @07:07AM (#39804893) Journal

    I have a US bank account which is very much like the grandparent described. I also managed to get them to give me the login credentials over the phone knowing only my name, address, and date of birth. Security there is appalling and in any other vaguely civilised country would mean that they would be liable for pretty much anything bad that happened to my account.

    In contrast, my UK bank has an authentication scheme much as you describe. Any time I pay a new person (or a large amount), I need to separately authenticate that transaction, including typing the amount into the external device that generates a single-use token from the chip on my card. The debit card from my US bank doesn't even have a chip...
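ArsenneLupin's quote (ten TAN codes entered on a fake page and used three months later) and TheRaven64's description of typing the amount into a card reader describe two different kinds of transaction code. The block below is an added example, not from either poster or from any bank's implementation, contrasting them: a list TAN is tied to nothing but its position on the list, so a harvested code authorises any transfer until it is used; a transaction-bound code (chipTAN-style, assumed here to be an HMAC under a per-card key over payee, amount and a counter) is worthless for a different payee or amount and cannot be replayed. All keys, IBANs and amounts are constructed; the €5,000 figure is the loss reported in the story.

```python
import hashlib
import hmac

# --- Scheme A: indexed TAN list (the kind of code harvested in the case) ---
# Constructed sample list; real lists were printed sheets of numbered codes.
TAN_LIST = {1: "483920", 2: "117654", 3: "902311"}


def accept_static_tan(index, tan, used_indices):
    """Bank-side check for a list TAN. Note what is NOT checked: payee and
    amount. Any unused code authorises any transfer, whenever it is sent."""
    if index in used_indices or TAN_LIST.get(index) != tan:
        return False
    used_indices.add(index)
    return True


# --- Scheme B: transaction-bound code (as TheRaven64's card reader does) ---
DEVICE_KEY = b"constructed-per-card-key"  # assumed to live in the card chip only


def transaction_code(key, payee_iban, amount_cents, counter):
    """Device side: MAC over the details the customer typed into the reader,
    truncated to six digits. The code binds to this payee, amount and
    counter and to nothing else."""
    msg = f"{payee_iban}|{amount_cents}|{counter}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def accept_transaction_code(key, payee_iban, amount_cents, counter, code, used_counters):
    """Bank side: recompute the code from the transaction it actually has
    in front of it; a code generated for another transaction will not match,
    and a spent counter rejects replays."""
    if counter in used_counters:
        return False
    expected = transaction_code(key, payee_iban, amount_cents, counter)
    if not hmac.compare_digest(expected, code):
        return False
    used_counters.add(counter)
    return True


def simulate_harvest_and_misuse():
    """The customer is tricked into revealing a code generated for a
    legitimate EUR 20.00 transfer to a known payee; months later the
    attacker submits it with a EUR 5,000 transfer to a different account.
    Returns (static_tan_accepted, bound_code_accepted_for_fraud,
    bound_code_accepted_for_real_transfer, bound_code_replay_accepted)."""
    attacker_iban, attacker_amount = "GR00CONSTRUCTED0000", 500_000
    real_iban, real_amount = "DE00CONSTRUCTED0000", 2_000

    used_indices = set()
    harvested_tan = TAN_LIST[2]
    static_accepted = accept_static_tan(2, harvested_tan, used_indices)

    used_counters = set()
    harvested_code = transaction_code(DEVICE_KEY, real_iban, real_amount, counter=7)
    fraud_accepted = accept_transaction_code(
        DEVICE_KEY, attacker_iban, attacker_amount, 7, harvested_code, used_counters)
    real_accepted = accept_transaction_code(
        DEVICE_KEY, real_iban, real_amount, 7, harvested_code, used_counters)
    replay_accepted = accept_transaction_code(
        DEVICE_KEY, real_iban, real_amount, 7, harvested_code, used_counters)
    return (static_accepted, fraud_accepted, real_accepted, replay_accepted)


if __name__ == "__main__":
    print(simulate_harvest_and_misuse())
```

The difference is what the customer is asked to type into the reader: when the amount and payee go into the MAC, the bank verifies the transaction it is about to execute, not merely that the customer once possessed a valid code.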

  • Re:Lets just hope (Score:4, Interesting)

    by Tsu-na-mi (88576) on Thursday April 26, 2012 @07:54AM (#39805125) Homepage

    I often leave my car unlocked. Why?

    Thief breaks in, I lose maybe $5 in change from the console and some 15-year old CDs. If my car were locked, I'd lose that, PLUS a $200 car window they smashed to get said items. It is not worth locking my car.
