“Banks should not refund victims of online fraud”

There are a lot of conversations taking place amongst banks on whether they should refund victims of online fraud when the victims themselves should have been aware they were being targeted by criminals.

The issue here is one of moral hazard: if a person does not have any stake in the outcome of a decision, then that person will not make the right decision or take the right action.  For example, if I write my PIN on the back of my bank card and my card is subsequently stolen and used by criminals, is it right for the bank to compensate me for my stupidity?  This example is far more common than it should be, as too many people keep their PINs and passwords in their wallet or purse, so the principle that people should bear some responsibility is a good one.

This is comparable to someone leaving their front door open and then being burgled.  The insurance company will not pay out compensation for the victim’s failure to protect themselves, so why should banks repay victims who do not take basic security measures such as: using different passwords for different accounts, with complexity varying depending on the information being safeguarded; using two-factor authentication; or enabling unusual account activity alerts.  These are the security measures that banks, and other online platforms, teach us.

Maybe there is a big difference between leaving your house’s front door unlocked and cyber security.  Locks on doors are something we have been familiar with for centuries and have settled into a routine with; they are part of our daily life now.  Safeguarding our online accounts (whether it’s our bank account or our social media account), on the other hand, is still in its infancy.

In cyber security there is so much innovation that the advice changes from one environment to the next, which makes it difficult for customers to know what to do.  Therefore, trying to load all, or a significant amount, of the responsibility onto them is the wrong focus.

I would instead look at a different economic principle, the least cost avoider: banks and similar organisations are best placed to reduce the loss, not the end user.

According to Financial Fraud Action UK, the biggest growth in online banking fraud in 2015 was customers making legitimate transfers for fraudulent purposes.  In other words, the customer receives an e-mail or text message from someone who claims to have fallen on hard times and needs some money (the Nigerian prince scam), and the victim is gullible enough to believe it.  This study implies that banks should have known the transfer was fraudulent and should therefore reimburse the victim; but how can the bank know whether a new transaction by one of its customers is genuine or not?

The burden of proof falls on the bank to show that the customer acted unreasonably; if it can prove the customer was not keeping their security measures adequately safe, then it is not required to pay the victim (and banks know how to play this game).

Many of us are forced into using online environments we are not ready for or not comfortable with, such as less tech-savvy members of the community being pushed into online banking.

Certainly GCHQ claim that 80% of cyber crime can be prevented if customers use stronger and different passwords for their accounts, use two-factor authentication, and are more alert to suspicious messages asking for personal information.  However, the message around passwords is contradictory: specialists know that passwords are easily stolen by key loggers or guessed by dictionary attacks, so why are we still using passwords and PINs?  Because passwords are easy to implement technically, and easy for everyone to understand and use.  Until the security architecture changes to make security obvious and intuitive, passwords and PINs are here to stay.
