How banks are refusing to shoulder responsibility for fraud (telegraph.co.uk)
112 points by walterbell on July 23, 2016 | hide | past | favorite | 87 comments



Today gmail offers more account security than a typical bank. Why can I get two factor authentication, device recognition and alerts on a free email account but not on a bank account?

From a risk management perspective it's never a good idea to separate liability from control. If the banks don't provide adequate security controls to their customers why should their customers be liable?

Even though the controls that a customer has are less than what Gmail provides, the banks continue to push the illusion that the customer is actually in control. Even the vocabulary they use implies the customer was always in control.

For example you were a victim of identity theft. How crazy is that? How can somebody steal my identity? Oh, I woke up this morning and I wasn't me!!!

Nope.. Checked my identity and I'm still me. Why did you allow somebody to steal all my money?


> Today gmail offers more account security than a typical bank. Why can I get two factor authentication, device recognition and alerts on a free email account but not on a bank account?

Barclays UK does device identification. Barclays is actually very sophisticated technologically speaking. Source: I reverse engineered their app to implement my own API client.


That's cool! Any repo where it can be checked out, or is it just for personal use?


> Today gmail offers more account security than a typical bank

This could be one of the reasons why Google is seen as the biggest threat by retail banks. If Google starts providing retail banking services, I would prefer them to sluggish retail banks, which see technology as a cost center and are mostly embarrassingly lagging in technical advancements.


This would be a privacy nightmare and probably exactly fit their business model.

I wonder why they aren't doing it.


Google for years has tried to offer payments services.

Banking requires customer service and is highly regulated - both things that Google dislikes.


Out of my 5 banks, 3 use physical 2fa RSA tokens (and 2 support 2fa apps) and 2 use those crappy code cards for 2fa. Are American banks really that bad?


Yes, US banks are that bad and they lag their European counterparts.

Fidelity is a large US brokerage with $2T under management. Only last year did they start to offer two factor authentication as an option (had to ask). I have accounts with one US regional bank and one US credit union which use basic device recognition and a security question when logging in from an unknown device.

Other anecdotes..

My account at Fidelity is a joint account. After setting up online access and funding the account I discovered a year later that it was possible to get full access to the account by creating online access under my wife's name using the account number and a semi-trivial validation process.

Accounts in the US typically have all features enabled by default or can be enabled in a trivial manner and this can't be disabled. Why should a typical account have the ability to wire funds internationally?

It typically isn't possible to configure a second level of authentication for higher risk transactions.

Limited ability to configure alerts based on unusual behavior. For example access from a new device or a transfer over a threshold. No ability to alert when those alerts are changed.

Opaque account recovery processes. Even if additional security measures are implemented it may be possible to have them disabled trivially by phone.

Almost zero customer education around risks and ways to reduce risk. Stupid things like "Don't use your bank's password on other sites, it should be unique!"


I never imagined that an account without the ability to wire funds internationally even existed.

I have family overseas, I have friends overseas, I have bank accounts in three countries.


Of course it should be an option, but from a risk management perspective it makes sense to reduce the attack surface that a fraudster has to work with.

In the US at least a typical customer will never initiate an international wire transfer. Even those with friends and family overseas will typically transfer funds through a money transfer service or via ATM networks to avoid the associated high fees.

When a US customer walks into a bank asking to initiate a wire transfer, it's usually a red flag that they are a victim of fraud.


I just read the original referenced story about the woman who got defrauded.

It definitely couldn't happen with my former main bank - they will not allow any kind of ID aside from in-person photo ID or 2FA, to the point where my parents are actually locked out of their account since the battery ran out in their 2FA device, they never set up a mobile app 2FA, and they live abroad so they can't go into an office. The bank actually told them "tough luck, you're going to have to fly across half the planet to get the 2FA device replaced". My parents are obviously upset, but I thought it was pretty impressive.


That's not impressive, that's security run amok.

Unless these bank people know you personally, it's just a way to make certain frauds a little harder while making other, very common frauds much easier.


> other, very common frauds

Is this also coming from a US perspective, where photo ID is basically useless and everyone relies on a "secret" number (SSN) that was specifically not meant to be used for identification?


The SSNs aren't even secret, it's trivial to get someone's SSN using public information:

https://news.ycombinator.com/item?id=10394881


Yeah it's insane, hence the scare quotes around secret.

All the ideological resistance against a properly designed and handled ID number means that a number that was never meant to be used for ID is used instead. Madness.


I don't think that it's really accurate to say that SSN is how you are identified by most banks today.

SSN is a component, but they are no longer accepting it blindly for transactions with higher assigned risk. It needs to be correlated against other data to authenticate.

For higher assurance transactions (TSA pre-check, access to criminal data, privileged account access, etc), biometrics and photos are used to establish who you are. You don't need that for common banking transactions.

Where you see it used blindly, it's generally scenarios where fraud is a low risk and low impact activity.


In the US, you pay businesses by sharing your account number(s) with them. They initiate pulls from their infrastructure, which your bank responds to without consulting you. (You may call them after the fact if you disagree).

Your account number is a "secret" shared among potentially hundreds of merchants and all it takes is one of them to leak it.

Online banking webapps are mostly a read-only view of your transaction history. Sometimes they are capable of pushing money out, but for a new payee this generally requires phone verification, and in all cases it sends a lot of emails and takes a few days.

But even just by virtue of having a password (which you have not shared with every store you've ever visited) it's already much harder to attack online banking than it is to make fraudulent credit card or ACH transactions.


Bank of America offers 2 way verification.


Not to give banks any wiggle room, but I would argue that gaining access to random Gmail accounts poses a greater risk to most people than gaining access to random bank accounts, because the former is a superset of the latter.

Since email is used as the focal point of trust in most online transactions, it should be the most secure.


> Today gmail offers more account security than a typical bank. Why can I get two factor authentication, device recognition and alerts on a free email account but not on a bank account?

I have all of those things with a standard checking account from Chase. I do wish that I could use Google Authenticator/TOTP for 2FA rather than texts/emails, though.


Aside from the reference to sharing a PIN, I missed "How banks are refusing to shoulder responsibility for fraud".

What am I missing?

More importantly, the customer referenced in the article basically wired all the funds in her account to a scammer then asked the bank for it back. Sorry, but that is the customer's fault, not the bank's fault.


Thinly reported, but banks are finding ways to make you responsible for fraud, putting it in fine print, and then refusing to be a party to stopping that fraud.

One example given is if you admit you had written your banking pin down somewhere, the bank can say "well there you go, it's your fault" and stop helping you there.

Another is that some bank fraud departments have worse hours than banks themselves. In a fun little phrase "Friday afternoon fraud" you'll find the explanation that much bank transfer fraud happens on Friday afternoons after fraud departments have gone home for the weekend, giving criminals ample time to retrieve ill-gotten gains before the fraud department comes in Monday morning.

Not a great article, but it ends by calling on banks to be more responsible - so, it's also funny.


The pin is just four numbers. Not secure except against the most casual of thieves.

That's not even considering that passwords suck anyway.


um, pretty secure even against dedicated thieves.

a four digit PIN is pretty secure when you have centralized authentication (the one bank) and get very very few tries before account lock-out, which is how Debit cards work.

If you had 3000 stolen debit cards, you'd have a shot at guessing a few of them while locking out 2990+ other ones, and I'm kinda thinking the bank might notice you doing that.

have you heard that thieves are guessing PINs someplace in the world? I haven't, and the world is full of dedicated thieves.

and even then, do you know how long that would take versus what you get when you guess one? $500? you might actually make more money panhandling or flipping burgers; of course you've got to trade that off against free meals and healthcare in prison :)


> have you heard that thieves are guessing PINs someplace in the world? I haven't, and the world is full of dedicated thieves.

Not so much guessing, but there have been several cases, at least one very well publicised, where thieves have gamed the PIN generator sequences[1].

What often happens, of course, in cases where wide systemic problems exist in banking is it's very effectively hushed. For rather obvious reasons.

[1] http://www.theregister.co.uk/2005/10/21/phantoms_and_rogues/...


Sounds like organized crime, which is to say a rogue employee was forced, paid, or conspired to only generate one of three PINs, knowing that the thief would get three chances.

Today, pretty sure that a solicitor in the same situation would be required by law to report the information to the Serious Organized Crime Agency.


My bank sent me a new card with the same PIN as my old card. Somewhere my bank has a backup of each and every PIN.

Now, it may be encrypted (not during renewal) or hashed (10000 values, <1s verification) but neither gives any security. (It's safer however than sending a new PIN with the card or in another letter)


Of course the bank has your PIN (or hashed PIN), how else would they be able to check if you were entering it correctly?

The security is based on how hardened the server storing those PINs is.


By storing the public key of your unique debit card and you only have the PIN inside the chip. This limits attacks to physical access and trained professionals in chip deconstruction.

This however needs a way to send your initial PIN over an insecure channel. To limit the attack surface go to the secure website to receive your PIN (no humans) (either an old card/digital state ID) or go in person and force a new PIN.


Thanks for the reply. Interesting, I didn't think of this possibility.


By storing it as a hash, just like how every other password should be stored.


That's what I said.

> Of course the bank has your PIN (or hashed PIN)

All the previous poster said was that the bank said they sent him a card with the same PIN. The bank can do this by storing PINs or hashed PINs.

As rrobukef noted, storing a PIN hashed offers little additional security over storing them unhashed because of the small number of unique PINs that are possible.
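The two points made above, that a 4-digit PIN only holds up because of centralised verification with lock-out after a few tries, and that an unkeyed hash of a 10,000-value space protects nothing, as an added example that is not code from any bank or from anyone in this thread. The HMAC key standing in for a secret held in a bank HSM, the three-attempt lock-out policy, the card id and PIN are all constructed assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

PIN_SPACE = [f"{n:04d}" for n in range(10_000)]  # every possible 4-digit PIN
MAX_ATTEMPTS = 3  # lock the card after this many wrong PINs (assumed policy)


def plain_hash(pin: str) -> str:
    """Unkeyed SHA-256 of the PIN: the 'hashed (10000 values)' storage discussed above."""
    return hashlib.sha256(pin.encode()).hexdigest()


def recover_pin_from_plain_hash(digest: str) -> Optional[str]:
    """With only 10^4 candidates, a table over the whole PIN space maps any
    leaked unkeyed digest straight back to its PIN. Hashing bought nothing."""
    table = {plain_hash(p): p for p in PIN_SPACE}
    return table.get(digest)


class PinVerifier:
    """Keyed verification plus a per-card attempt counter.

    The key stands in for a secret that never leaves the bank's HSM (assumption):
    without it the stored records cannot be tabulated offline, and online guessing
    is bounded by the lock-out counter the thread describes."""

    def __init__(self, hsm_key: bytes):
        self._key = hsm_key
        self._records: dict = {}   # card_id -> keyed PIN tag
        self._failures: dict = {}  # card_id -> consecutive wrong attempts
        self._locked: set = set()

    def _tag(self, card_id: str, pin: str) -> bytes:
        # Binding the card id into the MAC means two cards with the same PIN store
        # different values, so one leaked record says nothing about another card.
        return hmac.new(self._key, f"{card_id}:{pin}".encode(), "sha256").digest()

    def enroll(self, card_id: str, pin: str) -> None:
        if pin not in PIN_SPACE:
            raise ValueError("PIN must be exactly four digits")
        self._records[card_id] = self._tag(card_id, pin)
        self._failures[card_id] = 0

    def is_locked(self, card_id: str) -> bool:
        return card_id in self._locked

    def verify(self, card_id: str, pin: str) -> bool:
        if card_id in self._locked or card_id not in self._records:
            return False
        if hmac.compare_digest(self._records[card_id], self._tag(card_id, pin)):
            self._failures[card_id] = 0
            return True
        self._failures[card_id] += 1
        if self._failures[card_id] >= MAX_ATTEMPTS:
            self._locked.add(card_id)
        return False

    def stored_record(self, card_id: str) -> bytes:
        """What would be visible if the record store (but not the HSM key) leaked."""
        return self._records[card_id]


def recover_pin_from_keyed_record(record: bytes, card_id: str) -> Optional[str]:
    """Same 10^4 enumeration as above, but without the real key: every candidate
    has to be tagged under a guessed key, so the table no longer matches anything."""
    guessed_key = b"not-the-hsm-key"  # constructed: the real key is never exposed
    for p in PIN_SPACE:
        if hmac.new(guessed_key, f"{card_id}:{p}".encode(), "sha256").digest() == record:
            return p
    return None


def online_guessing_outcome(verifier: PinVerifier, card_id: str, guesses: list) -> tuple:
    """Feed a list of PINs to the live verifier; returns (accepted_count, card_locked)."""
    accepted = sum(1 for g in guesses if verifier.verify(card_id, g))
    return accepted, verifier.is_locked(card_id)


if __name__ == "__main__":
    # Constructed sample: one card with PIN 4831 and a fresh random key as the HSM secret.
    print("unkeyed hash recovered:", recover_pin_from_plain_hash(plain_hash("4831")))
    v = PinVerifier(secrets.token_bytes(32))
    v.enroll("card-001", "4831")
    print("keyed record recovered:", recover_pin_from_keyed_record(v.stored_record("card-001"), "card-001"))
    # Three wrong guesses lock the card, so the correct fourth guess is refused too.
    print("online guessing:", online_guessing_outcome(v, "card-001", ["0000", "1234", "1111", "4831"]))
```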


I stand corrected.


Passwords are especially bad when you are forced to have a certain number of digits and a specified format of letters (case insensitive!) and numbers. ASB.


Obviously she was tricked. What are you trying to imply, that when someone is tricked it's not fraud? The vast majority of fraud is people getting tricked.


If the bank teller is tricked or their bank servers hacked, the bank should be liable. If the account holder is tricked, the account holder should be liable. If a merchant is tricked, the merchant's agreement with their payment processor determines who is at fault.


That's one possible view. Another one is that, as a matter of contract, I am letting the bank profit from the growth of my money in exchange for protecting me from fraud, no matter who was defrauded.

Essentially it's insurance. If someone else crashes into me, and it's their fault, their insurance pays. That's why they're insured.


If that's indeed the contract, fine, but it appears this article is decrying the fact that it's not part of the contract to protect you from your misuse of private information. I don't think it's reasonable to assume such a burden of responsibility if not explicitly agreed upon.


On the other hand, it's basically impossible to negotiate fair terms with a bank because it's almost impossible to survive without a bank account, doing so carries extraordinary costs, and bank customers have basically zero leverage. You can argue that the bank's unilateral terms don't support a moral claim, but it doesn't invalidate the morality of the claim, only the legality.


Except that contract doesn't exist. You are liable in the situation outlined.


That exists today, it's called a credit card.


My banking fees are enough that they could go some distance should I fall for a scam. I can't remember the last time I called them, I don't use ATMs and I never go in. All the stupidly high fees give me is a basic app and safety - which isn't as great as it could be according to this.


Two problems with that. If the banks are responsible for mistakes made by customers (in the example given, the bank did exactly what the customer herself asked them to do), then there's no incentive for customers to be careful and not make mistakes. That seems like a dangerous way to misalign incentives from responsibility.

Secondly, if banks have to cover the mistakes of their other customers, they will need to make that money back somehow, by higher fees for customers like you.


The fact that I need to call the bank to report fraud is enough incentive to be careful about avoiding fraud...


It's possible to split the responsibility. If the bank were responsible for, say, half the loss, both sides would still have plenty of incentive to do the right thing.

(That's not to say that 50% is the right split, but 0% seems too low.)


What 'right thing' should the bank have done in the example case? Should they not have transferred the money to the account the customer told them to send it to?


Additional verification? Call the customer, email them, put a BIG RED notice at the top of e-banking for each login, delay the transaction a reasonable time (hell, it's probably only executed at midnight). Can't imagine that KYC only works for government investigations.


How would that have helped? The customer was already convinced she was doing the right thing.

She may well have had an automated call to confirm, I get them from my British bank whenever I transfer money to someone new.

Transfers are instant up to £20000, or something like that. This is very useful.


HSBC started trying that - asking customers withdrawing large unusual sums what it was for, and suggesting those customers be aware of scams. It got quite a lot of pushback from people saying "It's my money, I can do what I want with it".

That's a shame, because giving people warnings about common scams when they're transferring large sums of money might reduce the amount of successful scamming.


In case it's not obvious for some, KYC means "Know Your Customer": https://en.m.wikipedia.org/wiki/Know_your_customer

And this is the whole point of anti-money laundering and fraud detection controls within banks.

There's not enough information in the story to tell if the customer turned controls off, if a transfer of this type was unusual, if the customer confirmed an alert, etc.

Reporting in the story is horrendous, almost to the point it appears it is intentionally exploiting the victim and misinforming the public.


Banks in Europe use SWIFT, which is much faster, often instant. The scammer in this story appears to have received the funds and transferred them out within less than 20 minutes of the victim clicking send.


For every single transaction by every customer? Thanks for that. It sounds lovely.

Bear in mind the bank had no reason to expect there was anything wrong with this transaction.


Actually being available on the weekend when the customer calls in a panic to reverse the transaction. If the bank has some skin in the game, they have incentive to be responsive.


Customer in the story wired all the funds in her account, more than half of the median average UK salary, to the scammer; she wired £17500 ($22948 USD).

Do you really pay that much in bank fees to warrant covering you making a mistake like that?


The victim probably pays nothing in bank fees, most British people don't pay any regular fees.

There are special accounts that come with travel insurance, a personal advisor etc, which charge a fee.


No I don't. I'd prefer to be handed actual notes of money for my wages rather than deal with the bank and pay them for the pleasure. But that isn't an option.


Where do you live? If you are in the US then there are plenty of fee-free banks, mostly online banks. You seem to be paying more in fees than necessary.


Credit Unions are great, and are generally fee free.


Please correct me if I'm wrong, but last I looked the trend is toward:

- Traditional banks are jacking up fees
- For people who already don't need it (good credit, savings) those fees can be waived
- Credit unions can reject you for credit scores (obvs)

Where do the online banks fall on that spectrum? If you need good credit or stable cash you can't spend, it leaves a whole lot of people out in the cold. Never mind that a lot of the same class of people can't always reliably use the tubes to do their transactions (phone primary Internet device, often shut off, often changing numbers).


Credit unions don't deny membership based on credit scores. They are an easy way to get a no-fee checking account, debit and credit card.


Yes, they do. My sister was denied an account for her credit score. I checked around the area and others were the same.


New Zealand. We have very few banks and they are all broadly similar. You're giving me a few ideas about trying to use something different, and it's probably time I had a look around again.


Banks will do NOTHING to cover you in the event of a scam, or their mistake, or their negligence unless there is legislation in place to make them.

The UK ATM phantom withdrawals fiasco rather demonstrated that in the 80s.


Downvotes? lol whatever. It was demonstrable fact.

It took 15-20 years in court before banks stopped always blaming the customer and stopped claiming their systems (computer and otherwise) were infallible. A position they've generally returned to, despite holes in chip and pin and internet systems.


I'm not implying anything, though I very clearly stated the customer, not the bank is the party responsible for allowing the fraud to take place.

Are you implying that being a victim of fraud automatically results in the damages being covered by someone other than the victim? If so, you're wrong; yes, some types of transaction do, but not this type of transaction.


What if the bank is the enabler, making it possible to gain access to someone's account only by publicly available social information?

In the end, here, she made the transfer - after the fraudsters were able to do multiple things that emulated the behavior of the bank - sending activation codes to her that were genuine, because they were able to get that from the bank.


>> "What if the bank is the enabler, making it possible to gain access to someone's account only by publicly available social information?"

Using that logic, why would the scammer even need to call the victim?

>> "after the fraudsters were able to do multiple things that emulated the behavior of the bank - sending activation codes to her that were genuine, because they were able to get that from the bank."

According to the victim, whose story does not add up and who appears to have been coached by the expert hired by the paper.

Feel free to look into it, but I'm not about to go auditing bank security measures without written permission.


"According to the victim, whose story does not add up and who appears to have been coached by the expert hired by the paper."

This appears to be a completely baseless accusation.


>> "The exact sequence of events that led to her losses is complex, so Telegraph Money enlisted the help of fraud expert James Freedman to piece together with Ms Jefferys what is likely to have happened."

This is not how an investigation is done, regardless of if you're law enforcement or not.

Further, none of the statements from the victim support the speculation provided by the expert, nor does the expert's speculative commentary appear to be based on any investigation into how the bank process works, what information the bank provided, what information the bank has on record to recover an account, how the account was deactivated without information from the customer, etc.

More importantly, this conflicting statement from the expert:

>> Mr Freedman added, “With these frauds, there always comes a point when the victim 'buys’ the story. From that point, evidence to the contrary is ignored or explained away. [...] In cases such as this, it is not the bank’s system that has been hacked, it is the victim.”


This isn't about "fault," this is about contracts.

One of the reasons I have a contract with a bank, and that I pay the overhead of having the money sit in a savings account instead of growing at market rate, is that they will protect my money from fraud. If the bank is looking into finding ways not to protect me, I'll look into ways not to keep my money with the bank but instead invest it at market rate. That's all.


They aren't going to cover something that is your fault. Sorry. That is just wishful thinking.


Banks are protecting your money by not agreeing to pay for fraud they are not responsible for.


You do not have a contract with your bank that stipulates these things.


I suspect it's a game theory situation - until banks are unilaterally made responsible at once (say by a new law) - none want to be the ones to make their workflows more complex and invest in better ways to remotely authenticate an identity.


They at the same time lobby to fight any such legislation...


Security and convenience exist on a spectrum.

For my ordinary checking account, I opt for convenience. I don't want transactions randomly declined and I don't want to have to wait for banking hours to authorise activity. To compensate, I limit the amount I keep in the account.

For certain other accounts, I opt for more security. Cheques are blocked; foreign transactions are, by default, blocked; online banking must be two-factor authenticated every time; transfers must be authorised with a phone call below certain amounts and in person at a branch, with ID and a passphrase verified, above certain amounts; et cetera. These are flags one can have enabled on most bank accounts. They're just debilitatingly irritating for ordinary use.

If you make banks responsible for user-authorised fraud, e.g. a customer wiring money to a scammer, you're also asking them to nanny you. Freedom and protection from your own stupidity exist on a spectrum.


This is asinine. Asking a bank to do their job is not asking to be nannied. Let's pretend only stupid people get defrauded, do they deserve it? Finders keepers losers weepers? This is a juvenile world view. Tricking people is not a service, is not a job, does not absolve a bank of their primary responsibility, which is safeguarding money.


> Asking a bank to do their job is not asking to be nannied

The only way this transaction could have been prevented is if the bank told the customer "you want to do X with your money but we aren't going to let you because we find it ill-advised". Not everybody wants that level of oversight and restriction.

You see blocking fraud as a bank's main job. There are times, however, when one can reasonably find facilitating transactions to be their main role. When I'm travelling, a constantly-declining debit card is more of a nuisance than the risk of having a thousand dollars pilfered from my checking account.

There's no way to do both risk management and transactional freedom perfectly, since the former means restricting the latter, even to the point of telling a customer what they can and cannot do with their money.

> a [bank's]...primary responsibility...is safeguarding money

As with everything, there are trade-offs. Absurdly put, a bank which refused to allow anyone to withdraw or transact could score splendidly in terms of "safeguarding money". They'd also be useless, because that's not a bank's only job.


At some point there's only so much you're able to do.

Once had someone ask me how to send their bank account information to someone. I asked why, and they proceeded to show me an email from a scammer. I told them it was a scam, and their response was that I was trying to keep them from making money.

First thought was okay, I'll prove it's a scammer; scammer and the person had already exchanged a number of emails, which I exploited to get more information from the scammer.

Using a bit of social engineering and data leaked by the scammer, I was able to discover the scammer's exact location.

When I confronted the scammer, they demanded to know how I knew where they were, then stopped responding.

The person that originally asked me how to send bank account info - having watched everything I had done with an explanation added - blamed me for chasing away a valid opportunity.

Week later, scammer contacted them again, and they sent cash requested by the scammer via mail.

Should the bank have asked them what they intended to do with the cash withdrawal? Should the bank make sure they're not lying? Is the bank responsible?

If yes, I disagree.

(Scammer was on a street in Lagos, Nigeria.)


I've heard those banking in the US should approach these incidents as "clerical errors" during the initial report. This terminology places the onus on the institution to investigate and correct the matter unless or until proved to be the fault of the client.

This is in contrast to the client reporting "identity theft" or "fraud" when they see an unauthorized charge, which makes it an at-fault issue for fraud & liability.

I thought it seemed believable, but can anyone confirm whether this represents actual internal banking policy?


Intentionally reporting a crime as an accident is fraudulent and won't change the outcome.

Key to avoiding fraud is good security and financial controls by ALL parties involved based on valid threat models and risk analysis.


Right, but so is relying on lack of awareness of internal policies to misrepresent client concerns in the bank's favor, for an example.

A client doesn't know an unexpected transaction not to be a clerical error any more than they know it to be identity theft. So it's not exactly nefarious not to immediately and unnecessarily claim culpability by using incorrect terminology.

The prevalence of advertisement by banks for fraud protection and identity theft services creates a situation where people are likely to assume unexpected (or unrecognized) transactions are always the concern of the division of the bank that handles "identity theft", and that the correct way to have it investigated is to call those transactions "identity theft", whether or not they are.

From how it was explained to me, using "clerical error" passes the request through an additional filter where the bank attempts to determine whether it was at fault before redirecting the request. It's the difference between starting out by saying "I made a mistake" and "a mistake was made", which could be important later.

I hope you understand that I wasn't condoning fraud, but that people shouldn't be quick to implicitly admit liability for what may not be their own mistakes.


Banks/Politicians have privilege; They will not be prosecuted; They can commit crimes in the name of serving the country; http://cnbc.com/id/43471561


None of this will change until bankers start getting prosecuted.


Prosecuted for what? The woman in the story wired her money to a scammer, and somehow it's the bank's fault?


The bank is something of an accomplice in a crime of theft. When banks deny grocery store charges for security reasons and then allow a transfer of the entire balance of an account, they're not merely ignorant that the latter is fraud, they're sufficiently incompetent that it becomes negligence.


Are you referring to a personal experience? The facts you're presenting appear to be randomly pulled and without any context or related reasoning.

