Thursday, September 21, 2006

Phishing Victims: Accept Financial Responsibility?

The US President's Identity Theft Task Force has released its interim report; the final recommendations are due in November this year. The task force is co-chaired by US Attorney General Alberto Gonzales and Federal Trade Commission Chairman Deborah Platt Majoras.

The interim recommendations of the Identity Theft Task Force were announced following a meeting of the Task Force today at the Justice Department.

“As with any crime, victims of identity theft suffer feelings of violation and stress, but in these cases, victims have the added burden of cleaning up the mess that the identity thieves leave behind,” said Attorney General Gonzales. “The President created the Identity Theft Task Force to oversee the implementation of real and practical solutions at the federal level to defeat this ongoing intrusion into the lives of law-abiding Americans. Today’s recommendations move that process forward.”

“Conquering identity theft demands that we work as a team to develop tools that strengthen law enforcement, practices that enhance data security, and programs that help consumers in prevention and recovery,” said FTC Chairman Majoras. “Through these initiatives, we are taking solid steps toward eradicating this persistent consumer problem.”


Who pays when money is stolen from your bank account through identity theft by phishers, or by other cyber criminals using keylogger trojans? Today the bank does, to keep you as a customer. This is why the government and most large institutions, which are the largest targets, have already completed or are in the process of implementing two-factor authentication: a static password captured by a keylogger can be replayed indefinitely, while a one-time code from a token cannot. However, will it be enough?
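As an added illustration, not part of the original post, of why the static password is the weak point and where a one-time token still falls short: the script below implements standard HOTP/TOTP code generation (RFC 4226 and RFC 6238), a bank that checks only a password beside one that also requires the token code, and replays what a keylogger would have captured. The seed, password and timestamps are constructed for the demo; the `PasswordOnlyBank` and `TokenBank` classes are hypothetical stand-ins, not any real bank's login logic.

```python
import hashlib
import hmac
import struct

# Constructed demo seed; a real token's seed is provisioned per customer.
SEED = b"constructed-demo-seed-not-a-real-token"
STEP = 30  # seconds per TOTP step (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to a 31-bit integer reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = STEP) -> str:
    """TOTP per RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(secret, int(at // step))


class PasswordOnlyBank:
    """Static password alone: whatever a keylogger captures replays forever."""

    def __init__(self, password: str):
        self._password = password

    def login(self, password: str) -> bool:
        return hmac.compare_digest(password, self._password)


class TokenBank:
    """Password plus a time-based one-time code. Accepts one step of clock
    skew either side and records used counters so a code is valid once only."""

    def __init__(self, password: str, seed: bytes, skew_steps: int = 1):
        self._password = password
        self._seed = seed
        self._skew = skew_steps
        self._used_counters = set()

    def login(self, password: str, code: str, now: float) -> bool:
        if not hmac.compare_digest(password, self._password):
            return False
        current = int(now // STEP)
        for counter in range(current - self._skew, current + self._skew + 1):
            if counter in self._used_counters:
                continue  # already spent: a replay, even inside the window
            if hmac.compare_digest(hotp(self._seed, counter), code):
                self._used_counters.add(counter)
                return True
        return False


def simulate_keylogger_replay(t0: float = 1_000_000.0) -> dict:
    """Replays what a keylogger captured during a login at time t0."""
    password = "hunter2"  # constructed victim password
    pw_bank = PasswordOnlyBank(password)
    tok_bank = TokenBank(password, SEED)

    captured_pw = password        # the trojan logs every keystroke ...
    captured_code = totp(SEED, t0)  # ... including the six-digit token code
    results = {}
    # The customer's own login succeeds.
    results["victim_login_ok"] = tok_bank.login(captured_pw, captured_code, t0)
    # The static password still works whenever the thief gets round to it.
    results["password_only_replay"] = pw_bank.login(captured_pw)
    # The same code a few seconds later, inside the 30 s window: already used.
    results["otp_replay_same_window"] = tok_bank.login(captured_pw, captured_code, t0 + 5)
    # The same code the next day: outside the window, so it no longer matches.
    results["otp_replay_next_day"] = tok_bank.login(captured_pw, captured_code, t0 + 86400)
    return results


def simulate_realtime_relay(t0: float = 1_000_000.0) -> bool:
    """A phishing site that forwards the code to the bank before the customer's
    own request arrives wins: the code is bound to the clock, not the session."""
    password = "hunter2"
    tok_bank = TokenBank(password, SEED)
    relayed_code = totp(SEED, t0)
    attacker_ok = tok_bank.login(password, relayed_code, t0 + 2)  # attacker goes first
    victim_ok = tok_bank.login(password, relayed_code, t0 + 3)    # customer is now refused
    return attacker_ok and not victim_ok


if __name__ == "__main__":
    print(simulate_keylogger_replay())
    print("real-time relay succeeds:", simulate_realtime_relay())
```

A captured static password replays indefinitely; a captured one-time code is refused once it has been spent or once its window has passed, which is what the token buys against a keylogger that is merely recording. The last function shows the caveat behind the question of whether it is enough: a phishing site that relays the code to the bank in real time still gets in, and the customer, whose code has now been spent, sees a failed login.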

"The Bank of Ireland incident is one of the first public cases of a bank seeking to force phishing victims to accept financial responsibility for their losses, but it likely won't be the last. Phishing scams continue to proliferate, as Netcraft has blocked more than 100,000 URLs already in 2006, up from 41,000 in all of 2005. Financial institutions continue to cover most customer losses from unauthorized withdrawals. But after several years of intensive customer education efforts, the details of phishing cases are coming under closer scrutiny, and the effectiveness of anti-phishing efforts taken by both the customer and the bank is likely to become an issue in a larger number of cases." So, should a bank be forced to repay a customer who has lost money to phishers? Or is it ultimately the customer's responsibility to make educated use of the technology?


Once bankers treat online banking as an operational risk that requires more proactive measures, you will see customer agreements modified so that you accept some of that risk. Examinations and investigations will become standard procedure whenever you claim unauthorized withdrawals or transfers from your account. The first place investigators will look is your own computer, for the spyware that may have been used to steal your login and password. It won't be long before banks are in the business of auditing your home PC to confirm that you have current anti-phishing, anti-malware and anti-virus protection, or that you have the correct token for access to the banking site.

At some point the consumer may have to bear more of the burden of risk management, or accept that there is no longer any recourse to the institution itself for recovering funds stolen from the account. But those days are still some way off. As our new generation of "bank robbers" already knows, you no longer have to wear a mask and walk through the front door. All you have to do is find a few thousand unprotected machines each day and wait for an unsuspecting consumer to hand over the keys to their bank account.

In the end, the consumer will pay for the mounting financial losses. One way or another.
