I've been keeping a close eye on online banking as of late, as the banks slowly shift security breach liability to consumers. Being an online banking customer myself, I was surprised to see a recent change to my terms and conditions:
“We are making some changes to clarify the wording of the guarantee. With effect from 30 days after you have read this notification the new guarantee wording will be:
We promise to protect you. In the unlikely event that you innocently suffer internet fraud on your xxxxxx bank account(s), we guarantee to cover the loss – no matter what the amount taken from your account, provided:
• You have not given your security details (including your passcode or memorable word) to someone else;
• The loss was not caused by your use of an account aggregation service (ie a service provided by another company that allows you to view all of your bank details on a single website);
• You have not sent us incorrect payment instructions;
• You have used reasonable care when using the internet banking service (eg logging off at the end of each internet banking session and not leaving your computer unattended while logged onto the internet banking service);
• You inform us as soon as possible of any security breach or potential breach of which you are aware;
• You have not acted fraudulently;
• You have complied with the security requirements in the terms and conditions which apply to your account.
The amount we will refund to you under this guarantee is limited to the amount fraudulently taken from your account by a third party. Barclays will not be responsible for consequential losses.”
The words “innocently” and “reasonable care” stick out like sore thumbs. I don't know how anyone could claim to be “innocent” in the event of a malware infection, judging by how widespread anti-malware solutions and their marketing are. That might be a difficult defence to prove in a court of law. “Consequential loss” is a bit scary too. What if a fraudster uses your money on the stock market and goes short on shares that shift upwards in value? Ouch. Or the fraudster buys a gun with your money and goes on a shooting spree. Consequential loss? Hmmm…
…and how would you define “reasonable care”? Is it reasonable to expect that some consumers might be using shared computers, internet cafes or open wi-fi connections for online banking? Absolutely. Is it reasonable to expect these resources to be malware free? Absolutely not, but dare the banks be this prescriptive and just say “don't use shared computers”? No, because it would cost them money as more people would just go back to the counter or use the telephone.
To delve a little deeper, I took a look at the “security requirements” in the terms and conditions, that had also been subject to subtle change. These were:
“You agree to:
• ensure that your computer, modem or any other device you use is safe, efficient and complies with the standards and requirements we tell you from time to time;
• carry out your own regular virus checks and utilize firewall protection as well as take all actions necessary and otherwise reasonable to remove any computer viruses, worms, Trojan Horses, keylogger software or other malicious code from any computer equipment or hosted services from which you access the online electronic banking services and refrain from uploading any such malicious code to our system;
• advise us as soon as possible if you become aware of any failure, delay, malfunction, virus or error in the sending or receiving of instructions or any suspected fraud, and assist us in any remedial steps we propose.”
Brilliant. So the bank now expects consumers to remove malicious code (“all actions necessary” means what it says on the tin!) from any computer equipment (including shared computers that don't even belong to the consumer) and hosted services (i.e. the Cloud)? Also, if you have a virus or find one, then you're also expected to report it to the bank, which actually might be a good idea, as does the consumer really know what the various flavours of virus actually do? Let me find their virus reporting phone number… oh… they don't have one.
In short, this means the consumer is now effectively screwed if they get malware on their system, unbeknownst to them, and money is pulled out of their accounts by fraudsters. This puts a lot of discretionary power back in the hands of the banks, but given the spate and cost of online banking fraud, isn't it about time they admitted that the big wide open Internet just isn't a safe place to conduct online banking business, and issued some practical guidance, such as:
- Don't use shared computers for online banking.
- Don't use open wi-fi connections for online banking.
- Rebuild your PC to a known, secure state every time you decide to access an online banking website.
That would be a far more practical way for consumers to avoid causing the banks loss… and what's scary is that, because I know this, I'm not innocent, and this would fall under the reasonable care I would be expected to take as someone who knows about these things.
It's a bit like saying: here are the keys to my Ferrari, but if it comes back with a little scratch, you'll have to buy me a new one. Actually, make that two, so we can pay our bankers a bonus this year.