German Court Rules That Clients Responsible For Phishing Losses

benfrog writes "A German court has ruled that clients, not banks, are responsible for losses in phishing scams. The German Federal Court of Justice (the country's highest civil court) ruled in the case of a German retiree who lost €5,000 ($6,608) in a bank transfer fraudulently sent to Greece. According to The Local, a German news site, the man entered 10 transaction codes into a site designed to look like his bank's web site and his bank is not liable as it specifically warned against such phishing attacks."

Online banking uses outdated crypto

[GeneralTurgidson]

Theses sort of cases are really hurting the customer, banks have no reason to invest in a serious authentication scheme for online banking. It's a joke, my bank uses a password and some random question about me. At the very least they need to offer a true two factor solution, preferably token or certificate based.

Just my two cents

[timerider]

since noone here seems to bother to actually find out what was going on:

german banks do use a two factor authentication scheme:
- to log in you need your account number and a five digit pin
- to authorize a transaction after logging in, you need one out of 100 one-time-use 4 digit pins; The bank issues you 100 of those at a time, and then chooses one of them randomly when you enter a transaction ("Please enter pin number 17").

In this particular case the victim had:
- fallen for a phising website / trojan / keylogger, even after all the warnings in the german IT press (how else would the crooks get his account number and superpin)
- entered at least ten different PINs on one page, which the banksspecifically tell customers to NEVER do. all the bank pages have a big fat "We NEVER ask you for more than one pin" warning labels.

In other news: man drank nitroglycerine then went to jump around on a trampoline, widow sues maker of nitroglycerine.

Some clarifications

[bickerdyke]

#1: this happend in 2008. Since October 2009, there is new legislation in place that, that shifts liability to the bank (except in cases of gross negligence on the side of the customer) It's the bank that save money by offering online banking instead of traditional counters, so they are responsible for making that process secure.

#2: There is not a single bank anymore that uses plain one-time transaction codes anymore.

#3: A few months ago another german court ruled that it's enough for a customer to have up to date virus software for due diligence. That's all a bank can expect from customers with typical, average computer knowledge.

#4. On the other hand (and that's what's the actual rationale behind this story here), a bank can expect customers to understand and remember a security advice along the lines of "We will never ask you for more than one transaction code in a row and we will never ask you for a transaction code at all unless you want to make a transaction in the first place"

So there is not much relevance to this story.

Re:Lets just hope

[Niedi]

Mod Parent up, that post is spot on. In fact, the law has been changed 2009 (if I remember rightly) to shift the liability towards the bank unless the customer acts grossly negligent (grob fahrlässig). The court did NOT decide whether the customer would have been liable according to the laws in place today.
Plus many banks in Germany phased out the iTAN system in favor of SMS-codes or TAN-generators that require the debit card to operate and are only valid for the transaction that was entered to generate the TAN (amount, target account etc...).

Re:I'm a little confused here.

[Anonymous Coward]

"the banks are responsible for the stupidity of individuals"

No, the banks are responsible for their lack of transaction security.

Re:Lets just hope

[azalin]

TAN (by now replaced by far more sensible techniques) worked like this:
You got a sealed numbered list of 100 six or eight digit codes. Whenever you wanted to transfer money you had to enter one of the numbers (later a specific one, like #74). This authorized the transfer and you crossed out the number on your list. When around 90% of the list was used up, you got a new on by mail.
The first version (unnumbered) had the obvious drawback of X numbers stolen = x transfers up the the preset transfer limit (you had to show up in person to change that one). Numbered list had the advantage that one never new in advance which number would be asked for, and a potential thief had to get his hand on the whole list.
Of course all that stuff is outdated now and replaced by code generators that work in connection with your bank card or sms codes. Both of these create codes that only work for the specific transaction (amount, receiving account number, etc which is displayed in advance) and only for a very limited time frame (15 minutes).