‘Unsafe Hex’ About to Get More Costly?
Monday April 7, 2008 at 4:29 pm CST
Posted by Allysa Myers
A recent article in The Register seems to imply that if you’ve got out-of-date security software, any fraudulent charges to your accounts could suddenly be your liability. The advice given by the British Bankers’ Association includes much more than just the state of one’s security software; this could just as easily include misaddressing a check or falling victim to a phishing attack, among other things. On the other hand, it’s highly unlikely it would ever be worth the bank’s effort to invoke this clause.
From the Banking Code of the British Bankers’ Association
- 12.11 If you act fraudulently, you will be responsible for all losses on your account. If you act without reasonable care, and this causes losses, you may be responsible for them. (This may apply, for example, if you do not follow Section 12.5 or 12.9 or you do not keep to your account’s terms and conditions.)
These two sections offer quite a few bullet points about how not to be a victim of identity theft or financial fraud.
- 12.5
• Do not keep your checkbook and cards together.
• Do not let anyone else use your card, and do not tell anyone else your PIN, password, or other security information.
• Your bank or building society will never ask you for your PIN. If you are in any doubt about whether a caller is genuine or if you are suspicious, take the caller’s details and call us.
• If you change your PIN, you should choose your new PIN carefully.
• Try to remember your PIN, password, and other security information, and securely destroy the notice as soon as you receive it.
• Never write down or record your PIN, password, or other security information.
• Always take reasonable steps to keep your card safe and your PIN, password, and other security information secret at all times.
• If your card issuer takes part in a secure online payment system (such as Verified by Visa or MasterCard SecureCode), consider signing up either at their Web site or whenever you are given the option while shopping online. This involves your registering a password with your card company; you will be asked for the password whenever you shop at an online retailer taking part in the scheme. You should keep this password secret.
• Never give your account details or other security information to anyone unless you know who they are and why they need them.
• Keep your card receipts and other information about your account containing personal details (for example, statements) safe and get rid of them carefully.
• Take care when storing or getting rid of information about your accounts. People who commit fraud use many methods, such as “bin raiding” (a.k.a., dumpster diving) to get this type of information. You should take simple steps such as shredding printed material.
• Be aware that your mail is valuable information in the wrong hands. If you don’t receive a bank statement, card statement, or any other expected financial information, contact us.
• You will find the APACS Web site a helpful guide on what to do if you suspect card fraud.
- 12.9
• Keep your PC secure. Use up-to-date anti-virus and spyware software and a personal firewall.
• Keep your passwords and PINs secret.
• We (or the police) will never contact you to ask you for your online banking or payment card PINs, or your password information.
• Treat e-mails you receive from senders claiming to be from your bank or building society with caution and be wary of e-mails or calls asking you for any personal security details.
• Always access Internet banking sites by typing the bank or building society’s address into your Web browser. Never go to an Internet banking site from a link in an e-mail and then enter personal details.
• Follow our advice: Our Web sites are usually a good place to get help and guidance on how to stay safe online.
• Visit www.banksafeonline.org.uk for useful information.
But wait, there’s a caveat: They won’t invoke this willy-nilly:
- 12.12 Unless we can show that you have acted fraudulently or without reasonable care, your liability for your card being misused will be limited as follows.
This code would be far too difficult and costly to implement in most cases. It would have to be a particularly large sum of money involved in the fraud, enough that it might be deemed worth the cost of an investigation, alienating a customer, and courting a heap of bad PR.
Although this is all good advice from the BBA, it looks like the assertion that people will suddenly be financially liable for having out-of-date security software is just a case of spreading FUD.

April 7th, 2008 at 7:56 pm
The massive increase in fraud crimes should make the government and banks realise that their data protection and Chip and PIN systems are diverting rather than deterring fraud crimes.
This shows that fraud will continue to grow until they exploit the KEY and PIN system described on the website http://www.xwave.co.uk, which will deter BOTH identity and card fraud by making signature and PIN systems reliable and foolproof.
Fake documents have made our signature system unreliable, while skimmers, pin-hole cameras, etc. have made the PIN system unreliable. We have the option to make signatures reliable by personalising them with ID stickers, and the option to use a Card Key Code to make the PIN system reliable, to make use of stolen and skimmed cards meaningless. By neglecting to exploit this system, banks are only letting fraud crimes grow.
The ID KEY system will eliminate the need for us to protect our personal and card details, since fraudsters will be deterred from misusing these stolen details.
The proposed ID KEY can be treated as a reliable international ID card because it will personalise signature and PIN number to only the right individuals in any country.
We hope that the government and banks will appreciate these details and exploit the KEY and PIN system before it is too late to stop a fraud boom.
April 8th, 2008 at 7:26 am
British Bankers’ Association here. Our last intention was to spread FUD: it is still the case that customers are not responsible for losses on any of their bank accounts unless they have acted fraudulently or without reasonable care.
Yes, we do advise customers to keep their computers secure by using up-to-date security software. And we also warn against responding to suspicious emails (as do banks).
But the key point is that failure to follow this advice will not necessarily result in a customer being asked to foot the bill for losses. Each bank will have its own approach and will assess each case on its merits. And the burden of proof will always lie with the bank to prove the customer has behaved unreasonably or fraudulently.
April 8th, 2008 at 9:15 am
To clarify, I don’t believe BBA has spread FUD. The FUD is the implication that this will suddenly mean everyone’s liable if they don’t update their AV software.
I think the advice put forth in the BBA document was extraordinarily helpful, and that people do need more incentive to take security seriously. Perhaps financial motivation will help. I don’t think that those who are making scare tactics out of this document are doing anyone a service.
April 9th, 2008 at 10:09 am
I think that the implication was that the Register’s article was spreading FUD, not the BBA. And, the BBA is right to request this - many people are too lax when it comes to securing their systems. Perhaps if a few were held responsible it would be a heads-up for everyone else. This would result in less fraud for a start.