Who is responsible for bank fraud?

A senior police commissioner in the UK stated in an interview a short time ago that customers should be held responsible for fraud and should not be able to claim compensation. Obviously everyone started to pile on him for that statement. So, should the customer be held responsible for fraud?

Disclaimer: The opinions expressed below are my own and should not be attributed to my employer or anyone else.

Sir Bernard Hogan-Howe asserted that the problem was systemic, telling The Times: “The system is not incentivised for you to protect yourself”. He claimed that 90 per cent of cyber-crime could be prevented by customers installing/updating anti-virus/anti-malware software. His stance was that if customers knew that they would not be held responsible for any losses due to fraud, they will continue to follow bad practices and the problem will never go away.

The reaction to these statements from people – politicians, consumers, etc – was very skeptical. The general consensus was that the commissioner was wrong and that he was helping banks to walk away from responsibility. He probably over-simplified the issue and people were blaming him and the banks for trying to exploit consumers. As usual, the truth is somewhere in the middle.

First of all, there are different kinds of fraud – account takeover, credit card fraud, socially engineering customers to make payments, fraudsters making payments by taking over customer computers, using information obtained from a data breach of a payment service provider, etc. The list is a long one and the ones that I have mentioned just scratch the surface. Some of attacks target the customer, some of the attacks target the service provider (bank, payment processor, retail merchant, etc).

We need to understand the context of the statement that was made. His statement seems to relate to a particular class of fraud attacks, namely compromise of the customers’ computer that results in fraudulent payments. Even within this category, there are several types of attacks. For instance, a Remote Access Trojan (RAT) could be used by the fraudster to take over the customer’s PC. Another example is when people download and install browser toolbars, some of which are malicious and inject extra code into the web pages that people visit, and possibly capture credentials. These will enable the fraudster to do one or more of the following:

  • Monitor all activity and inspect files/data on the computer
  • Take screenshots
  • Log all key strokes, including credentials to banking and other websites. This will enable the fraudster to impersonate the victim to login to the website.
  • Encrypt the contents of the hard drive (install ransomware)
  • Access any available network shares or attached devices
  • Load additional malware on to the computer that might make it part of a botnet, for instance

Below of some observations from my experience providing security consulting to organizations and also being part of organizations, trying to protect their services:

  • No organization wants to be in the news for the wrong reasons. For a vast majority of organizations I have worked with “any publicity is good publicity” does not hold true. No CEO wants to be in the news as the victim of a breach.
  • No application/technology/service is 100% foolproof or safe. There is always a way for something to be compromised. As the saying goes in the security field, if you want to have a 100% secure application, don’t build it.
  • There are shortfalls in resources (budget, people, etc), security knowledge within the organization that prevent sufficient controls from being put in place.
  • While there are counter-measures that can be put in place to most fraud attacks, it can end up making the user experience for everyone very difficult

Security is always managing risk. In simplistic terms, you weigh the likelihood of a fraud/compromise against the impact if such an event occurred and try to put in sufficient controls to manage the risk. The goal is to make the fraudster work hard, require the fraudster to have higher skill levels and, in general, keep the cost of fraud significantly lower than the cost of the controls.

Ideally, we would set up controls that completely eliminate fraud. But that is simply not possible. Service providers cannot control all aspects of the online banking process, especially end-users computers. That would mean these service providers will have to provide you a secure device, OS, browser, etc and ensure that it is you using these to access your account to prevent fraud. The costs will be prohibitive, the user experience crappy. As you can imagine, it is just not practical. The only way to eliminate all fraud and security issues is to shut down the service.

Given the landscape, it is critical for service providers and customers to work together to keep fraud under control. That means service providers have to make it easy for their customers to transact business online (or using mobile), but try and reduce fraud risk. Customer also have to contribute to this effort by making sure that they do not help the fraudsters by leaving their computers and device easy to hack into, keeping their credentials safe, regularly checking their accounts, and yes, installing and keeping their anti-virus products up to date.

While service providers should be responsible for breaches and any fault on their part, blindly compensating customers who do not care enough to even protect their own credentials/devices/networks only encourages such behavior. There is no incentive for them to use common sense if there is no consequence.