German Court Rules That Clients Responsible For Phishing Losses
benfrog writes "A German court has ruled that clients, not banks, are responsible for losses in phishing scams. The German Federal Court of Justice (the country's highest civil court) ruled in the case of a German retiree who lost €5,000 ($6,608) in a bank transfer fraudulently sent to Greece. According to The Local, a German news site, the man entered 10 transaction codes into a site designed to look like his bank's web site and his bank is not liable as it specifically warned against such phishing attacks."
Very true (Score:5, Interesting)
Re:Lets just hope (Score:5, Interesting)
The problem with this ruling is that the customer hardly had a chance. The bank offers an authentication protocol that is vulnerable to a widespread and difficult to defend against type of attack. The bank knew that the protocol isn't secure and even warned about the vulnerability. All this despite the availability of protocols which are much more secure.
Suppose a credit card company told you to keep your credit card number secret and declined responsibility for fraudulent transactions because you once handed your credit card to a waiter. Would that be OK? If the bank offers a vulnerable protocol, it should bear the damage.
Bi-directional authentication (Score:5, Interesting)
It has irked me for quite a while how lacking internet banking is in terms of security. That is not to say that the measures they have implemented are ineffective, but rather that they miss out on entire classes of security. It's as though they stick a bunch of locks on the front door, but leave the bathroom window wide open.
The most obvious one: bi-directional authentication. Banks require you to prove you are who you say you are. This is done by a variety of methods from passwords to hardware card reading gizmos which spew out a limited time code. What they neglect to do is prove that they are who they say they are.
If the first step in authenticating your identity was one which authenticated the bank's then it would be a lot harder for phishers to pretend to be your bank.
Re:Lets just hope (Score:5, Interesting)
That security protocol isn't in use anymore.
The bank specifically issued a warning against exactly the type of attack the customer fell for.
That ruling is in line with the laws in place in 2008, when that happened. Laws have been changed since then.
Re:Lets just hope (Score:4, Interesting)
Why? How should a bank discover the fraud, if everything is authenticated correctly?
Because they (possibly) enabled the fraud to take place. Quoting from the article:
According to the Süddeutsche Zeitung, the transfer occurred three months after he entered ten transaction numbers, or TAN codes, on what turned out to be an illegally manipulated version of his bank’s website.
So, how was the site manipulated? Did the attacker actually modify the bank's server? ==> In that case, bank clearly bears the responsibility, as they have a duty to keep their service secure.
Or did the attacker take advantage of a fault in the user's OS or browser? ==> In that case, at first glance, the user would be responsible for running such shoddy software where this is possible. However, in the past, and possibly even now, many banks forced/are forcing their users to use such vulnerable software. If this is the case, again the bank should be responsible. The user would be well advised to go through the "General Conditions" for the web service of the last ten years, and search for any clauses such as "the user agrees to only use Windows and/or Internet Explorer to access the service". If any are found, he should clearly get his money back.
Is a bank also responsible for your losses if a guy comes to your front door, poses as a bank clerk and you cut him a cheque?
Yes, if the bank habitually conducts its business in such a fashion.
They do what they can (Score:4, Interesting)
My bank authenticates itself in two ways:
1) Using an Extended Validation certificate, so it shows up in green in the browser (instead of blue) and lists the full name of the bank.
2) By showing me an image and phrase I chose on the login page.
I can't really think of how they can do more to prove it is them, without really getting annoying. They also allow me to use two factor authentication (which I have elected to use) and require it when any change is being made to the account like adding a payee or the like.
Is it perfect? No but I'm not seeing a whole lot more they can do and still keep things easy.
Re:Online banking uses outdated crypto (Score:4, Interesting)
I have a US bank account which is very much like the grandparent described. I also managed to get them to give me the login credentials over the phone knowing only my name, address, and date of birth. Security there is appalling and in any other vaguely civilised country would mean that they would be liable for pretty much anything bad that happened to my account.
In contrast, my UK bank has an authentication scheme much as you describe. Any time I pay a new person (or a large amount), I need to separately authenticate that transaction, including typing the amount into the external device that generates a single-use token from the chip on my card. The debit card from my US bank doesn't even have a chip...
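A constructed illustration, added here and not taken from any poster or bank, of the difference this post draws between a static TAN list (the ten codes the retiree typed into the fake site) and a code that the card reader binds to the payee and amount keyed in; the card key, account strings and eight-digit truncation are assumptions:

```python
import hashlib
import hmac
import secrets

# Constructed key material: stands in for the secret held on a customer's chip card (hypothetical).
CARD_KEY = b"constructed-demo-card-key"


def issue_static_tan_list(n=10):
    """An indexed TAN list: each code is valid for any transfer until it is consumed."""
    return [secrets.token_hex(3) for _ in range(n)]


def verify_static_tan(tan_list, tan, _payee, _amount_cents):
    """A static TAN carries no information about payee or amount, so a code that was
    phished for one transfer authorizes whatever transfer is submitted with it."""
    if tan in tan_list:
        tan_list.remove(tan)  # single use, but not bound to the transfer
        return True
    return False


def bound_tan(key, payee, amount_cents):
    """Transaction-bound code, as a chip reader would compute it from the payee and
    amount the customer keys in: an HMAC over those fields, truncated to eight digits."""
    msg = f"{payee}|{amount_cents}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


def verify_bound_tan(key, payee, amount_cents, tan, used):
    """The bank recomputes the code for the transfer it actually received; a code
    captured for a different payee or amount does not match, and a matching code
    is accepted only once."""
    expected = bound_tan(key, payee, amount_cents)
    if tan in used or not hmac.compare_digest(expected, tan):
        return False
    used.add(tan)
    return True


def demo():
    """Customer authorizes a transfer to the landlord; a captured code is then
    submitted for a different payee. Returns (static_accepted, bound_accepted)."""
    tans = issue_static_tan_list()
    captured_static = tans[0]
    static_ok = verify_static_tan(tans, captured_static, "GR-OTHER-ACCT", 500000)
    captured_bound = bound_tan(CARD_KEY, "DE-LANDLORD-ACCT", 500000)
    bound_ok = verify_bound_tan(CARD_KEY, "GR-OTHER-ACCT", 500000, captured_bound, set())
    return static_ok, bound_ok
```

The static scheme accepts the redirected transfer; the bound scheme rejects it because the payee no longer matches what the customer keyed into the device.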
Re:Lets just hope (Score:4, Interesting)
I often leave my car unlocked. Why?
Thief breaks in, I lose maybe $5 in change from the console and some 15-year-old CDs. If my car were locked, I'd lose that, PLUS a $200 car window they smashed to get said items. It is not worth locking my car.