Secure Banking: Should the Customer be Held Accountable?

UK Institutions Spark Debate by Putting Security Onus on Consumers
Imagine the scenario: Your institution has a customer who does all of his banking online -- bill pay, transfers, account balances. This customer calls after seeing an unauthorized transaction. After tracing the account transfers, which were wired overseas, you find the customer's computer loaded with crimeware. Your institution, while not directly responsible for the customer's loss, nevertheless reimburses the customer.

This raises the question: At what point does the customer bear responsibility for online behavior and basic computer security? Should financial institutions continue to let customers bank online from unsecured computers, without up-to-date anti-virus software and operating system patches?

At least one banking group says "no." The British Bankers' Association in April announced that its latest Banking Code reaffirms that UK banks will not be responsible for losses suffered by online bank accounts if those consumers do not have up-to-date anti-virus, anti-spyware and firewall software installed on their machines.

According to Paul Ross, Director of Retail Banking at the BBA, no subscriber to the Banking Code has yet invoked the section (12.13) to hold a customer liable for losses on their online banking service. "The Code only allows a bank to find the customer liable if it can prove that the customer has acted fraudulently or unreasonably," Ross says. "The burden of proof is on the bank to show that a customer was unreasonable, and our banks take this burden of proof very seriously. A bank must also always consider the reputational impacts of the action it may or may not take."

The BBA advises banking customers to follow a number of simple precautions to protect their online banking, including using up-to-date anti-virus and anti-spyware software.

The Bank's Burden?
This BBA announcement, along with the recent news of a crime server found in Malaysia holding several thousand customer records taken from malware-infected end-user computers (See related story: 'Crime Server' Found with Thousands of Bank Customer Records), adds further focus to the issue of customer responsibility.

Just how far from the front doors of a brick and mortar branch does a bank's responsibility go, asks one IT professional at a small community bank. Mark Semkiw, vice president of IT, First Heritage Bank, Snohomish, WA, says he has always struggled with the fact that the bank has no control over how an individual secures their home computer, but seems to have the responsibility to keep that data safe. "I can see a future where a version of NAP (Network Access Protection) is used to ensure that any system getting data from a financial institution, even a customer's, meets a minimum level of patching and anti-virus/malware, and doesn't have any known malicious code running on it," Semkiw says. "Customers may not like it, but they need to take some responsibility for security, or this problem will never get solved effectively."
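The posture gate Semkiw describes, sketched here as an added example that is not code from the article, from First Heritage Bank or from Microsoft's NAP product: a hypothetical server-side policy that reads a client's self-reported statement of health and returns a graduated access decision (full access, a remediation-only network that can reach update servers, or a refusal). The thresholds, field names and the process denylist are assumptions constructed for the example.

```python
"""NAP-style endpoint posture check (hypothetical illustration, not Microsoft NAP)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Policy thresholds: assumed values for this example, not any bank's real policy.
MAX_AV_SIGNATURE_AGE = timedelta(days=7)
MAX_PATCH_AGE = timedelta(days=30)

# Constructed denylist standing in for a "known malicious code" check;
# these names are placeholders, not real malware.
KNOWN_MALICIOUS_PROCESSES = {"example-banker-trojan.exe", "example-keylogger.exe"}


@dataclass
class StatementOfHealth:
    """What a client-side health agent reports about its own machine (constructed)."""
    av_signature_date: date
    last_patch_date: date
    firewall_enabled: bool
    running_processes: list[str] = field(default_factory=list)


@dataclass
class PostureDecision:
    access: str             # "full", "remediation-only" or "deny"
    failures: list[str]     # human-readable reasons, empty when compliant


def evaluate_posture(soh: StatementOfHealth, today: date) -> PostureDecision:
    """Apply the minimum-health policy and return a graduated access decision.

    Stale signatures or patches are fixable, so they earn a restricted network
    that only reaches update servers; an active infection, a disabled firewall
    or an implausible report is refused outright.
    """
    fixable: list[str] = []
    blocking: list[str] = []

    # A report dated in the future is either clock skew or a forged statement;
    # either way it cannot be trusted, so treat it as blocking.
    if soh.av_signature_date > today or soh.last_patch_date > today:
        blocking.append("health report carries a future date; report not trusted")

    sig_age = today - soh.av_signature_date
    if sig_age > MAX_AV_SIGNATURE_AGE:
        fixable.append(f"anti-virus signatures are {sig_age.days} days old")

    patch_age = today - soh.last_patch_date
    if patch_age > MAX_PATCH_AGE:
        fixable.append(f"last operating-system patch was {patch_age.days} days ago")

    if not soh.firewall_enabled:
        blocking.append("host firewall is disabled")

    running = {p.lower() for p in soh.running_processes}
    malicious = sorted(running & KNOWN_MALICIOUS_PROCESSES)
    if malicious:
        blocking.append("known malicious process running: " + ", ".join(malicious))

    if blocking:
        return PostureDecision("deny", blocking + fixable)
    if fixable:
        return PostureDecision("remediation-only", fixable)
    return PostureDecision("full", [])


def access_for(av_signature: str, last_patch: str, firewall_enabled: bool,
               processes: list[str], today: str) -> str:
    """Convenience wrapper taking ISO-8601 dates; returns only the access level."""
    soh = StatementOfHealth(date.fromisoformat(av_signature),
                            date.fromisoformat(last_patch),
                            firewall_enabled, list(processes))
    return evaluate_posture(soh, date.fromisoformat(today)).access


if __name__ == "__main__":
    # Constructed sample reports, evaluated against a fixed "today".
    today = date(2008, 5, 1)
    samples = {
        "healthy": StatementOfHealth(date(2008, 4, 30), date(2008, 4, 15), True, ["explorer.exe"]),
        "stale": StatementOfHealth(date(2008, 3, 1), date(2008, 4, 15), True),
        "infected": StatementOfHealth(date(2008, 4, 30), date(2008, 4, 15), True,
                                      ["Example-Banker-Trojan.exe"]),
    }
    for name, soh in samples.items():
        decision = evaluate_posture(soh, today)
        print(f"{name}: {decision.access} {decision.failures}")
```

The caveat a practitioner would add: the statement of health comes from the very machine that may be compromised, so malware that already controls the endpoint can simply report a clean bill of health. A check like this raises the bar for careless but honest users; it is not attestation of the machine's integrity, and it should not be the only control standing between an infected PC and an overseas wire.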

The problem is only going to get worse, says Viveca Ware, Director, Payments and Technology Policy at the Independent Community Bankers Association (ICBA). "The younger computer users who have grown up on the Internet are the most challenging problem for financial institutions," she says. "They're not necessarily diligent in making sure their anti-virus software is up to date."

Users' comfort zone with technology and lack of awareness about security may lead some institutions to offer security software or anti-virus for them to use. "This very well may be an appropriate requirement for online banking customers," Ware says. "Would you rather do business with a customer that has up-to-date software, and offer an end user agreement that is required stating that they have up-to-date software on their computer?"

Of course, then, will the online banking customer actually read the agreement, update their software and then agree to it, or will they just click "yes" to get to their account?

Financial institutions want their customers to bank online, but face the dilemma of convenience over security, notes George Tubin, Security Analyst at the Tower Group. They've faced the wild card of end users' desktop security for several years and "banks have been very reluctant to reach out and impose themselves on the consumer desktops for a lot of reasons," Tubin notes.

It Comes Back to Awareness
To counter the challenge of unsecured computers, institutions have focused on educating customers. "Some banks have offered tools to make the desktop safer, including anti-malware and anti-phishing tools to ensure the customer is safe," says Tubin. "Banks are stepping up to the plate in educating the customer not just on their online banking transactions, but their whole internet experience."

Over the past couple of years, institutions have come to realize just how important customer awareness is, says Leigh Williams, President of BITS, the Financial Services Roundtable consortium of the 100 largest financial institutions in the US. "Institutions have been at the forefront of telling customers how to make their home PCs as safe as possible so they can do their banking online," he says. Some institutions have offered free trials or discounts on anti-virus software; others have close partnerships with anti-virus providers.

Peter Cassidy, Secretary General of the Anti-Phishing Working Group, agrees that online banking customer education is the place to begin. "The criminals (including phishers) haven't really changed their attack methods. They really aren't that different -- they provoke the person and get them to admit something," Cassidy says. "Russian author Dostoyevsky said it best. Despite there being millions and millions of novels and short stories around the world, there are really only two stories in the world: someone takes a trip; and a stranger comes to town." The same thing is true about phishing and criminal activities on the internet. "Someone is provoked to take an action through fear, greed, opportunity or whatever reason, and they are induced to give out some data."

A strong dose of education about these types of threats for the online banking customer provides awareness to avoid them in the future, Cassidy says.

Future Direction
The future of online banking here in the US may take the same tack that online brokerages have taken over the past several years, offering customer protection guarantees, says Williams, who was Chief Risk Officer at Fidelity Investments before joining BITS. "In banking they take some responsibility and leave some of it on the customer's shoulders, unlike in the UK where they're placing it squarely on the customer's shoulders to be responsible," he says.

Institutions need to create some sense of ownership and responsibility upon their customers. "But at the end of the day, the customer needs to feel confident that their bank will help them and they will be taken care of in the event something happens," Williams says.

Requirements imposed on online banking customers such as the ones in the UK aren't likely to happen here in the US, nor will institutions begin going beyond their network to offer updates or scan a customer's PC. "Banks are reluctant to impose themselves on customers or any definitive requirements or saying 'Here are the five things you absolutely have to have on your machine in order to transact business with us,'" says Williams.

Banks and credit unions often face customers who want to access their online accounts over the Wi-Fi at Starbucks or other not-so-secure locations. The problem of the "fast food" mindset is just a problem that this industry has to face and deal with, says Ken Stasiak, President at Secure State, an information security assessment company in Cleveland, OH. "We're a fast action nation. We want our food fast, and we want our bank account access fast too. We want it our way and we want it now," says Stasiak. "Unfortunately, when you do this in security, you open yourself to the threat of attack."

The move to require all online banking customers to have anti-virus and updated software hasn't reached full consensus, but banks are encouraging customers to take this step, Williams says. "We'll see how much of a dent we put in the fraud numbers with the awareness and partnerships and encouragement to install anti-virus, and we'll see if that works or not." His sense is that the industry is at some level of equilibrium. "The risk manager in me says those that create the risk should bear it," he says. Part of this is being created by the institution, and another part is created by the customers. "Both bear some of the risk."

Generally, the institution now bears some risk to its reputation and the financial risk and customers bear the risk of the exposure of their personal information and the loss of some convenience.

Which direction the industry takes may be decided by the threat of further financial losses; faced with that, institutions would be "more likely to take that on voluntarily as a service to their customers," Williams notes. What is cheaper for an institution: offering an online user a year of free anti-virus software, or paying for the fraud that occurs when the user's machine is compromised because they didn't have up-to-date anti-virus software?

While this appears to be a budget question, it is also a strategic question about whether the bank really wants to go beyond their networks and be involved in the user's machine and reach all the way down to their desktop, setting the standards for their operating systems and possibly installing software. Williams doesn't think many institutions want to take that leap.

This also involves the question of customer confidence. Every institution wants its customers to feel safe and protected when using its online products. They can help them strengthen their machine, or pick up the losses incurred from an account being compromised. "Or they make the promise to customers that they will be covered for losses when they do occur," he adds.

However, as Williams points out, while financial institutions take security seriously, it sometimes gets lost in the shuffle when it comes to customers and their understanding of their role in keeping their information and account data safe. There was a time when institutions could take full responsibility for it, because they felt they were controlling the whole process. "But there are risks now that the customers' habits produce that can only be solved with customer awareness and customer engagement."

Institutions have to face the problems of banking in a cyber world. "It was far easier to secure files and data when the data only existed in a bank's computer servers, and we ensured access only to the appropriate individuals when a customer had to go to the branch to conduct their business," says ICBA's Ware.


About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.
