
How banks are refusing to shoulder responsibility for fraud - walterbell
http://www.telegraph.co.uk/personal-banking/current-accounts/how-banks-are-refusing-to-shoulder-responsibility-for-fraud/
======
slv77
Today gmail offers more account security than a typical bank. Why can I get
two factor authentication, device recognition and alerts on a free email
account but not on a bank account?

From a risk management perspective it's never a good idea to separate
liability from control. If the banks don't provide adequate security controls
to their customers why should their customers be liable?

Even though the controls that a customer has are less than what Gmail provides
the banks continue to push the illusion that the customer is actually in
control. Even the vocabulary they use implies the customer was always in
control.

For example you were a victim of identity theft. How crazy is that? How can
somebody steal my identity? Oh, I woke up this morning and I wasn't me!!!

Nope.. Checked my identity and I'm still me. Why did you allow somebody to
steal all my money?

~~~
kalleboo
Out of my 5 banks, 3 use physical 2fa RSA tokens (and 2 support 2fa apps) and
2 use those crappy code cards for 2fa. Are American banks really that bad?

~~~
slv77
Yes US banks are that bad and they lag their European counterparts.

Fidelity is a large US brokerage with $2T under management. Only last year did
they start to offer two factor authentication as an option (had to ask). I
have accounts with one US regional bank and one US credit union which use
basic device recognition and a security question when logging in from an
unknown device.

Other anecdotes..

My account at Fidelity is a joint account. After setting up online access and
funding the account I discovered a year later that it was possible to get full
access to the account by creating online access under my wife's name using the
account number and a semi-trivial validation process.

Accounts in the US typically have all features enabled by default or can be
enabled in a trivial manner and this can't be disabled. Why should a typical
account have the ability to wire funds internationally?

It typically isn't possible to configure a second level of authentication for
higher risk transactions.

Limited ability to configure alerts based on unusual behavior. For example
access from a new device or a transfer over a threshold. No ability to alert
when those alerts are changed.

Opaque account recovery processes. Even if additional security measures are
implemented it may be possible to have them disabled trivially by phone.

Almost zero customer education around risks and ways to reduce risk. Stupid
things like "Don't use your bank's password on other sites, it should be
unique!"

~~~
adrianratnapala
I never imagined that an account without the ability to wire funds
internationally even existed.

I have family overseas, I have friends overseas, I have bank accounts in three
countries.

~~~
slv77
Of course it should be an option but from a risk management perspective it
makes sense to reduce the attack surface that a fraudster has to work with.

In the US at least a typical customer will never initiate an international
wire transfer. Even those with friends and family overseas will typically
transfer funds through a money transfer service or via ATM networks to avoid
the associated high fees.

When a US customer walks into a bank asking to initiate a wire transfer it's
usually a red flag they are a victim of fraud.

------
nxzero
Aside from the reference to sharing a PIN, I missed "How banks are refusing to
shoulder responsibility for fraud".

What am I missing?

More importantly, the customer referenced in the article basically wired all
the funds in her account to a scammer then asked the bank for it back. Sorry,
but that is the customer's fault, not the bank's fault.

~~~
geofft
This isn't about "fault," this is about contracts.

One of the reasons I have a contract with a bank, and that I pay the overhead
of having the money sit in a savings account instead of growing at market
rate, is that they will protect my money from fraud. If the bank is looking
into finding ways not to protect me, I'll look into ways not to keep my money
with the bank but instead invest it at market rate. That's all.

~~~
sigzero
They aren't going to cover something that is your fault. Sorry. That is just
wishful thinking.

------
siliconc0w
I suspect it's a game theory situation - until banks are unilaterally made
responsible at once (say by a new law) - none want to be the ones to make
their workflows more complex and invest in better ways to remotely
authenticate an identity.

~~~
r00fus
They at the same time lobby to fight any such legislation...

------
JumpCrisscross
Security and convenience exist on a spectrum.

For my ordinary checking account, I opt for convenience. I don't want
transactions randomly declined and I don't want to have to wait for banking
hours to authorise activity. To compensate, I limit the amount I keep in the
account.

For certain other accounts, I opt for more security. Cheques are blocked;
foreign transactions are, by default, blocked; online banking must be two-
factor authenticated every time; transfers must be authorised with a phone
call below certain amounts and in person at a branch, with ID and a passphrase
verified, above certain amounts; _et cetera_. These are flags one can have
enabled on most bank accounts. They're just debilitatingly irritating for
ordinary use.

If you make banks responsible for user-authorised fraud, _e.g._ a customer
wiring money to a scammer, you're also asking them to nanny you. Freedom and
protection from your own stupidity exist on a spectrum.

~~~
cmurf
This is asinine. Asking a bank to do their job is not asking to be nannied.
Let's pretend only stupid people get defrauded, do they deserve it? Finders
keepers losers weepers? This is a juvenile world view. Tricking people is not
a service, is not a job, does not absolve a bank of their primary
responsibility, which is safeguarding money.

~~~
JumpCrisscross
> _Asking a bank to do their job is not asking to be nannied_

The only way this transaction could have been prevented is if the bank told
the customer "you want to do X with your money but we aren't going to let you
because we find it ill-advised". Not everybody wants that level of oversight
and restriction.

You see blocking fraud as a bank's main job. There are times, however, when
one can reasonably find facilitating transactions to be their main role. When
I'm travelling, a constantly-declining debit card is more of a nuisance than
the risk of having a thousand dollars pilfered from my checking account.

There's no way to do both risk management and transactional freedom perfectly,
since the former means restricting the latter, even to the point of telling a
customer what they can and cannot do with their money.

> _a [bank's]...primary responsibility...is safeguarding money_

As with everything, there are trade-offs. Absurdly put, a bank which refused
to allow anyone to withdraw or transact could score splendidly in terms of
"safeguarding money". They'd also be useless, because that's not a bank's only
job.

------
washadjeffmad
I've heard those banking in the US should approach these incidents as
"clerical errors" during the initial report. This terminology places the onus
on the institution to investigate and correct the matter unless or until
proved to be the fault of the client.

This is in contrast to the client reporting "identity theft" or "fraud" when
they see an unauthorized charge, which makes it an at-fault issue for fraud &
liability.

I thought it seemed believable, but can anyone confirm whether this represents
actual internal banking policy?

~~~
nxzero
Intentionally reporting a crime as an accident is fraudulent and won't change
the outcome.

Key to avoiding fraud is good security and financial controls by ALL parties
involved based on valid threat models and risk analysis.

~~~
washadjeffmad
Right, but so is relying on lack of awareness of internal policies to
misrepresent client concerns in the bank's favor, for an example.

A client doesn't know an unexpected transaction not to be a clerical error any
more than they know it to be identity theft. So it's not exactly nefarious not
to immediately and unnecessarily claim culpability by using incorrect
terminology.

The prevalence of advertisement by banks for fraud protection and identity
theft services creates a situation where people are likely to assume
unexpected (or unrecognized) transactions are always the concern of the
division of the bank that handles "identity theft", and that the correct way
to have it investigated is to call those transactions "identity theft",
whether or not they are.

From how it was explained to me, using "clerical error" passes the request
through an additional filter where the bank attempts to determine whether it
was at fault before redirecting the request. It's the difference between
starting out by saying "I made a mistake" and "a mistake was made", which
could be important later.

I hope you understand that I wasn't condoning fraud, but that people shouldn't
be quick to implicitly admit liability for what may not be their own mistakes.

------
known
Banks/Politicians have privilege; They will not be prosecuted; They can commit
crimes in the name of serving the country;
[http://cnbc.com/id/43471561](http://cnbc.com/id/43471561)

------
compil3r
None of this will change until bankers start getting prosecuted.

~~~
gozur88
Prosecuted for what? The woman in the story wired her money to a scammer, and
somehow it's the bank's fault?

~~~
cmurf
The bank is something of an accomplice in a crime of theft. When banks deny
grocery store charges for security reasons and then allow a transfer of the
entire balance of an account, they're not merely ignorant the latter is fraud,
they're sufficiently incompetent that it becomes negligence.

~~~
nxzero
Are you referring to a personal experience? The facts you're presenting appear
to be randomly pulled and without any context or related reasoning.

