[Infowarrior] - Banks demand a look inside customer PCs in fraud cases
Richard Forno
rforno at infowarrior.org
Wed Jun 27 17:01:42 UTC 2007
Banks demand a look inside customer PCs in fraud cases
Customers could be liable for any loss resulting from unauthorised internet
banking transactions if their protective software is not up to date
By Stephen Bell Wellington | Monday, 25 June, 2007
http://computerworld.co.nz/news.nsf/news/FDA3CE33D73B5B82CC257302000B0EE8
Banks are seeking access to customer PCs used for online banking
transactions to verify whether they have enough security protection.
Under the terms of a new banking Code of Practice, banks may request access
in the event of a disputed transaction to see if security protection is in
place and up to date.
The code, issued by the Bankers' Association last week after lengthy
drafting and consultation, now has a new section dealing with internet
banking.
Liability for any loss resulting from unauthorised internet banking
transactions rests with the customer if they have "used a computer or device
that does not have appropriate protective software and operating system
installed and up-to-date, [or] failed to take reasonable steps to ensure
that the protective systems, such as virus scanning, firewall, antispyware,
operating system and anti-spam software on [the] computer, are up-to-date."
The code also adds: "We reserve the right to request access to your computer
or device in order to verify that you have taken all reasonable steps to
protect your computer or device and safeguard your secure information in
accordance with this code.
"If you refuse our request for access then we may refuse your claim."
InternetNZ was still reviewing the new code last week, executive director
Keith Davidson told Computerworld.
"In general terms, InternetNZ has been encouraging all internet users to be
more security conscious, especially to use up-to-date virus checkers,
spyware deletion tools and a robust firewall," Davidson says.
"The new code now places a clear obligation on users to comply with some
pragmatic security requirements, which does seem appropriate. If fraud
continues unabated, then undoubtedly banks would need to increase fees to
cover the costs of fraud," he says, so increasing security awareness and
compliance in advance is probably the better tactic for both banks and their
customers.
"Bank customers who are unhappy with the new rules may choose to dispense
with electronic banking altogether, and return to dealing with tellers at
the bank. But it seems that electronic banking and in particular internet
banking has become the convenient choice for consumers," Davidson says.
The code also warns users that they could be liable for any loss if they
have chosen an obvious PIN or password, such as a consecutive sequence of
numbers, a birth date or a pet's name; disclosed a PIN or password to a
third party or kept a "written or electronic record" of it. Similar warnings
are already included in the section that deals with ATM and PINs for Eftpos
that was issued in 2002.
There is nothing in this clause allowing an electronic record to be held in
a password-protected cache, a facility provided by some commercial security
applications.
For their part, the banks undertake to provide information on their websites
about appropriate tools and services for ensuring security, and to tell
customers where they can find this information when they sign up for
internet banking.
"One issue we have raised with the Bankers Association in the past is that
banks should not initiate email contact with their customers," Davidson
says.
The code allows banks to use unsolicited email among other media to advise
of changes in their arrangements with the customer, but Davidson says they
should only utilise their web-based mail systems.
"It is hardly surprising that some people fall victim to phishing email
scams when banks use email as a normal method of communication, and
therefore email can be perceived as a valid communication by end users," he
says.