Forgot your password?
typodupeerror
Crime Security Your Rights Online

German Court Rules That Clients Responsible For Phishing Losses 245

Posted by samzenpus
from the be-more-careful dept.
benfrog writes "A German court has ruled that clients, not banks, are responsible for losses in phishing scams. The German Federal Court of Justice (the country's highest civil court) ruled in the case of a German retiree who lost €5,000 ($6,608) in a bank transfer fraudulently sent to Greece. According to The Local, a German news site, the man entered 10 transaction codes into a site designed to look like his bank's web site and his bank is not liable as it specifically warned against such phishing attacks."
This discussion has been archived. No new comments can be posted.

German Court Rules That Clients Responsible For Phishing Losses

Comments Filter:
  • by GeneralTurgidson (2464452) on Thursday April 26, 2012 @05:09AM (#39804393)
    Theses sort of cases are really hurting the customer, banks have no reason to invest in a serious authentication scheme for online banking. It's a joke, my bank uses a password and some random question about me. At the very least they need to offer a true two factor solution, preferably token or certificate based.
    • by BorgDrone (64343)

      My bank uses a token that require me to insert my debit card into the token, enter my PIN and type in resulting code to log in. For transferring money I need to insert my card, enter PIN, enter code from the screen into token and then type in code from token.

      Never heard of a proper bank requiring just a password.

      • by TheRaven64 (641858) on Thursday April 26, 2012 @07:07AM (#39804893) Journal

        I have a US bank account which is very much like the grandparent described. I also managed to get them to give me the login credentials over the phone knowing only my name, address, and date of birth. Security there is appalling and in any other vaguely civilised country would mean that they would be liable for pretty much anything bad that happened to my account.

        In contrast, my UK bank has an authentication scheme much as you describe. Any time I pay a new person (or a large amount), I need to separately authenticate that transaction, including typing the amount into the external device that generates a single-use token from the chip on my card. The debit card from my US bank doesn't even have a chip...

      • by msauve (701917)
        ...and other than relying on the user to recognize that they have a secure (HTTPS) connection to the legitimate site, with a legitimate cert, what's to stop a man-in-the-middle/proxy attack (unless your token somehow could do end-to-end secure authentication, but if you're reading a PIN and typing it in, it doesn't.

        Couldn't such a site could alter transaction data (changing amount, destination account for payments/transfers, etc), and pass that along with proxied credentials? Or simply create new transac
      • My bank uses a token that require me to insert my debit card into the token, enter my PIN and type in resulting code to log in. For transferring money I need to insert my card, enter PIN, enter code from the screen into token and then type in code from token.

        Never heard of a proper bank requiring just a password.

        (this is probably a CAP (chip authentication program) 2FA [wikipedia.org] solution) - I was a designer of a CAP 2FA solution for a large uk bank that was commissioned about 4 years ago. The customer uses an EMV card (a debit card in this case) to create a one time code that can be entered into the online system whilst performing a transaction. The CAP standard actually had three operations identify, respond and sign and any CAP reader can be used with any EMV card. (not a lot of people realise this)

        identify just respon

    • Theses sort of cases are really hurting the customer, banks have no reason to invest in a serious authentication scheme for online banking. It's a joke, my bank uses a password and some random question about me. At the very least they need to offer a true two factor solution, preferably token or certificate based.

      Well, it hurts the bank's customer, because the bank's customer was the one who entered ten transaction codes into a fraudulent website himself. With a token based solution, you will come back screaming when a scammer convinces a customer to hand over their token.

    • by ledow (319597)

      Shouldn't your first thought be to change bank then? And inform them WHY you've changed bank?

      Security tokens are a pain in the bum but there are banks that offer them in just about any country you want to pick.

      And, how, precisely would it have stopped this attack? He typed security information (which would also include his one-time tokens) into a website that was fraudulent. There's nothing stopping them recording those tokens and typing them into the REAL account just the same and nobody would know unti

    • Very true (Score:5, Interesting)

      by Chrisq (894406) on Thursday April 26, 2012 @05:19AM (#39804443)
      A key finding from the Security expert Ross Anderson is [cam.ac.uk]:

      Another unexpected nding was the relationship between risk and security investment. One might expect that as US banks are liable for fraudulent transac- tions, they would spend more on security than British banks do; but our research showed that precisely the reverse is the case: while UK banks and building soci- eties now use hardware security modules to manage PINs, most US banks just encrypt PINs in software. Thus we conclude that the real function of these hardware security modules is due diligence rather than security. British bankers want to be able to point to their security modules when ghting customer claims, while US bankers, who can only get the advertised security benet from these devices, generally do not see any point in buying them. Given that the British strategy did not work - no-one has yet been able to construct systems which bear hostile examination - it is quite unclear that these devices add any real value at all.

    • by dragisha (788)

      In the world of ultimate surveillance, like one we are becoming (and fast) - some kind of rollback mechanism is (at least to me) most logical thing to do.

      Money can be followed, to the moment when a person gets it from ATM or bank clerk. Also, it can be found later - serial numbers are there to be used and I do not doubt they are.

      On the other hand, bank can make better authentication (as GeneralTurgidson implies) but also some mechanism for keeping a customer in loop. Some banks report transactions through S

      • by arth1 (260657)

        ome banks report transactions through SMS, for example. Mechanism where transaction is delayed for some time, during which customer can take action. If I don't get SMS confirmation in 3 hours, for example - call bank hotline to stop everything.

        And many other things, other than - let customer pay.

        So does the bank pay for a mobile phone plan for the customer? No? Then how is it not "let the customer pay"?

        I know, you probably meant let the customer pay when being swindled. Which I think is very reasonable. If there's gross negligence on the side of the bank, they should pay for that, and if there's gross negligence on the side of the customer, they should pay for that. And if both, let the customer lose his money and fine the bank.

        (And, if a customer engages in what he thinks is an illegal activi

        • So does the bank pay for a mobile phone plan for the customer? No? Then how is it not "let the customer pay"?

          The bank pays for sending the sms. So unless you have internet but no cell phone, there's no additional cost for security on the customer side.

    • by thegarbz (1787294)

      Your bank being a joke does not make it the norm. Certainly every bank I dealt with uses some form of two factor authentication often combined with multiple identifiers. My previous bank went like this:

      Login: User / Password
      External Transaction: SMS an ID number to the elected phone number which is not visible nor can it be changed online.
      External transaction over $1000 or to a new account: SMS + two identification questions chosen from a pool of ~10.

      My current bank uses a RSA token:
      Login: User / Password

      • by msauve (701917)
        You do realize that SecurID-type tokens do nothing to prevent man-in-the-middle attacks? If a phisher can find a phish who doesn't check sitename/ssl info to verify they're really connected to the bank's site, they're in.
    • I noticed recently that my bank doesn't differentiate between lower and uppercase in both the username and password fields. Found out when I decided to change some of the letters in my password to uppercase and it complained that the old and new passwords were the same.
      • Eh.. just make your password longer.

        Use this formula:

        n=m*ln(s_m)/ln(s_n)

        where m is the length of your old password, s_m is the size you thought the character space was and s_n is the size the character space really is. Use conservative values for s_n if you're not certain about other characters.

        Depending on the length of your original password, you'll probably be surprised that you only need to add a couple characters to beat the original password's security, and the new password may well be easier to reme

    • Theses sort of cases are really hurting the customer, banks have no reason to invest in a serious authentication scheme for online banking. It's a joke, my bank uses a password and some random question about me. At the very least they need to offer a true two factor solution, preferably token or certificate based.

      I know it's customary not to read the article, but seriously, please read the article before making these kinds of assumptions. This bank actually had good 2-factor token-based security. German banks usually do. The judge made the right call in this case.

      And yes, I do realize that there are lousy banks out there. I know at least one major bank in the US that has super shitty security (even worse than your bank). Thankfully, not all US banks are that bad, it's a mixed-bag really. Sometimes, the blame can be

    • This TAN code is probably a set of codes on a card that the customer is instructed to input based on [ column, row ], when they want to do something on line. I have something similar here in France. Seems this customer was fooled into putting more than one of them, along with username & password most likely, into the fake web page and the bad guys then were able to use one of them to make the transfer.

      I have a business account in Hong Kong that they've provided me a one time token similar to Secure ID

    • by dave420 (699308)
      Maybe where you live. My bank sent me a device I put on the screen, which reads a barcode on the website, which then requires me to enter a pin to retrieve a code which I then type back into the website. I'm in Germany, however.
  • Tricky (Score:4, Insightful)

    by Spad (470073) <slashdot@sp[ ]co.uk ['ad.' in gap]> on Thursday April 26, 2012 @05:11AM (#39804401) Homepage

    I do kind of agree with this; beyond a certain point of security measures, information campaigns and automated fraud-protection mechanisms it starts getting unreasonable to expect the banks to take financial responsibility for their customers' stupidity.

    Now I agree that the bar should be set very high, but at some point you have to accept that there are very stupid people out there who will do everything in their power to circumvent the things you put in place to protect them from themselves and it's not really fair that the rest of us should have to pay to bail them out (which is essentially what happens, the banks inevitably pass on the costs of fraud to their customers).

    • by rtb61 (674572)

      Duty of care by the Bank should have warranted a check of unusual transaction. Bank was too lazy and cheap to make a single phone call to check out of pattern transactions, especially in the case of the most vulnerable in the community, pensioners.

      Bank should should have been held at least 50% liable for the fraudulent transactions.

  • Even though i agree with Zappa's plan to get rid of suckers...

    All it would take was for the lawyer to ask one bank member to do one transaction. Most banks would require 2 keys.

    One for login, another to complete the transaction.

    Both with messages that the bank only asks one per session.

  • by gweihir (88907) on Thursday April 26, 2012 @05:20AM (#39804449)

    ... for which the bank still is liable. In this case, the customer grossly exceeded that level IMO.

    However, what I am wondering is why the Greek bank (that could not identify where the money had gone to) is not liable. That is the real problem I see here. AFAIK, a bank has to be able to cancel a transfer up to 6 weeks after the transfer at the sending bank's request. So either the customer not only gave away 10 TANs despite being warned, he also failed to notice the transfer for quite some time, or something else is amiss here that the news story does not tell.

  • Just my two cents (Score:5, Informative)

    by timerider (14785) <(ed.oykotagem) (ta) (ymmel)> on Thursday April 26, 2012 @05:25AM (#39804471) Homepage Journal

    since noone here seems to bother to actually find out what was going on:

    german banks do use a two factor authentication scheme:
    - to log in you need your account number and a five digit pin
    - to authorize a transaction after logging in, you need one out of 100 one-time-use 4 digit pins; The bank issues you 100 of those at a time, and then chooses one of them randomly when you enter a transaction ("Please enter pin number 17").

    In this particular case the victim had:
    - fallen for a phising website / trojan / keylogger, even after all the warnings in the german IT press (how else would the crooks get his account number and superpin)
    - entered at least ten different PINs on one page, which the banksspecifically tell customers to NEVER do. all the bank pages have a big fat "We NEVER ask you for more than one pin" warning labels.

    In other news: man drank nitroglycerine then went to jump around on a trampoline, widow sues maker of nitroglycerine.

    • You are accurate but a one time physical token (ie SecureID) would still be safer for the customer. The bank SHOULD be using these (my bank does) and as they are not then arguably they are to some degree or another responsible.

    • by AmiMoJo (196126)

      entered at least ten different PINs on one page, which the banksspecifically tell customers to NEVER do. all the bank pages have a big fat "We NEVER ask you for more than one pin" warning labels.

      One common trick to defeat that is the fake "sorry you entered the wrong PIN, please enter a different one" scam. Admittedly doing this 10 times is a bit excessive, but of course we don't know that it was all in one transaction and may have been spread over several.

      In fact you are assuming it was all done in one go, where as it sounds like he probably made 10 separate legit transactions and each of them was hijacked and turned into a non-legit one. Maybe he paid some bills online over the course of a month

  • by PSVMOrnot (885854) on Thursday April 26, 2012 @05:35AM (#39804521)

    It has irked me for quite a while how lacking internet banking is in terms of security. That is not to say that the measures they have implemented are ineffective, but rather that they miss out on entire classes of security. It's as though they stick a bunch of locks on the front door, but leave the bathroom window wide open.

    The most obvious one: bi-directional authentication. Banks require you to prove you are who you say you are. This is done by a variety of methods from passwords to hardware card reading gizmos which spew out a limited time code. What they neglect to do is prove that they are who they say they are.

    If the first step in authenticating your identity was one which authenticated the bank's then it would be a lot harder for phishers to pretend to be your bank.

    • by Sycraft-fu (314770) on Thursday April 26, 2012 @06:08AM (#39804663)

      My bank authenticates itself in two ways:

      1) Using an Extended Validation certificate, so it shows up in green in the browser (instead of blue) and lists the full name of the bank.

      2) By showing me an image and phrase I chose on the login page.

      I can't really think of how they can do more to prove it is them, without really getting annoying. They also allow me to use two factor authentication (which I have elected to use) and require it when any change is being made to the account like adding a payee or the like.

      Is it perfect? No but I'm not seeing a whole lot more they can do and still keep things easy.

  • Some clarifications (Score:5, Informative)

    by bickerdyke (670000) on Thursday April 26, 2012 @05:38AM (#39804541)

    #1: this happend in 2008. Since October 2009, there is new legislation in place that, that shifts liability to the bank (except in cases of gross negligence on the side of the customer) It's the bank that save money by offering online banking instead of traditional counters, so they are responsible for making that process secure.

    #2: There is not a single bank anymore that uses plain one-time transaction codes anymore.

    #3: A few months ago another german court ruled that it's enough for a customer to have up to date virus software for due diligence. That's all a bank can expect from customers with typical, average computer knowledge.

    #4. On the other hand (and that's what's the actual rationale behind this story here), a bank can expect customers to understand and remember a security advice along the lines of "We will never ask you for more than one transaction code in a row and we will never ask you for a transaction code at all unless you want to make a transaction in the first place"

    So there is not much relevance to this story.

    • I find it easy enough to image someone who is not an expert in computers going to the wrong web page (ie typo in the bank name www.banksrsu.com instead of www.banksrus.com) and being faced with username, login and ONE code entry...which doesn't work and so the page reloads and they're asked for ANOTHER code entry. Granted most people would give up after trying a few times but nonetheless it's trivial to get a minimum of three or four codes + username and password information.

      I have a card from one of my ba

    • by AmiMoJo (196126)

      It's the bank that save money by offering online banking instead of traditional counters

      Plus they want everyone to shop online with confidence because that means credit/debit card fees going to them. Making all purchases with plastic instead of cash is a bank's wet dream.

      A few months ago another german court ruled that it's enough for a customer to have up to date virus software for due diligence.

      Interesting. How do they check? Do you have to submit your PC as evidence? Also I have anti-virus software installed and up to date but not in active scanning mode, I just do on-demand scanning of downloads and a weekly full scan. Does that still count?

      Come to think of it Windows 7 ships with Windows Defender built in and acti

      • You raised a few valid points, but they haven't been decided on by the courts as far as I know.

        The attack vector from your last paragraph won't work with the security measures currently in place. Before clearing a transaction, you receive a SMS with the details of your transaction and you have to confirm it with a hash that's included in that message. Alomst all security systems require a confirmation with an externally generated hash, be it mTAN as I desecribed or TANS generated by an external device.

  • The German judicial branch's approach is often a fascinating contrast to that of US state and federal courts. Germany has specialized highest courts for specific subject matters: tax, admin, labor, social, constitutional... and the high court in TFA.

    As an example: the Bundesverfassungsgericht (the highest German conlaw court, not the highest "ordinary" court in TFA) decreed it unconstitutional to publicly print (or run big news stories about) the names of notorious, convicted criminals, once the crimina
  • by Tastecicles (1153671) on Thursday April 26, 2012 @06:15AM (#39804699)

    From some of the comments I've read, the banks are responsible for the stupidity of individuals? Am I reading that correctly?

    That it falls to a court to decide that in fact the opposite is true, and that just maybe for one tiny moment common sense kicks in and the court says "Actually, you did a dumb thing, despite the warnings all over your account literature, newspapers and broadcast media, now eat the consequences of your ill-considered actions", and the bandwagon collapses under the weight of people who bleat as one "But it's all the banks' fault! They can eat the losses!" Maybe they can, but then if one pensioner does it, and the bank eats it, how many more before it becomes too many and "too big to fail" actually... fails?

    Unbefuckinglievable.

    I'm with the court on this one. Idiot did idiot thing, idiot can reap the consequences.

    • by Anonymous Coward on Thursday April 26, 2012 @06:46AM (#39804817)

      "the banks are responsible for the stupidity of individuals"

      No, the banks are responsible for their lack of transaction security.

    • (I just lost a longer response because I followed the Options link from the preview, not knowing that if I change my options it will nuke my comment.)

      First you should keep in mind that the banks love internet banking because it saves them a lot of money. And from a purely formal point of view the fraud started with the bank transferring money abroad in the mistaken believe that their customer asked them to do that. As he didn't, he can ask for his money back *unless* they can prove it was really his fault.

      I

  • by machine321 (458769) on Thursday April 26, 2012 @08:46AM (#39805495)

    Well, it's good to see that Germany is finally sending money to Greece.

  • when it makes a mistake. Why the bank could not cancel a transaction when it is a fraudulent transaction. Transaction cancelling is not exceptional because bank employees are human. The only explanation of the fact that bank refuse to cancel fraudulent transaction is that they earn a lot with fraud. Or maybe someone knows better than me. My main source is my wife that tells me about the huge mistakes she discovers and fixes.
  • Mostly because they would have seen this 5k transfer, it would raise some flags in my account, they would stop the charge and call me.
    This has happened several times when I've lent money to a few of my friends.
  • Phishing insurance.

  • by snsh (968808) on Thursday April 26, 2012 @10:33AM (#39806837)

    nslookup of SPARDA.DE. shows no SPF record for the German bank's domain. They probably haven't implemented DKIM either.

    I'd say the bank is liable. Any bank should a security IT professional telling them that a combinationof SPF and DKIM is a necessity for any bank with customers prone to pfishing. It's not enough to tell customers to "watch out for pfishing". If the bank acknowledges pfishing, then it needs to do something to prevent it. This usually means a strict SPF setting to filter out spam, plus a DKIM/Domainkey infrastructure to distinguish false positives.

Just because he's dead is no reason to lay off work.

Working...