As always, banks look for ways to shift the risk of fraud to someone -
anyone - else. The New Zealand banks have come up with some interesting
wrinkles oh this process. From Computerworld.
-- Jerry
NZ banks demand a peek at customer PCs in fraud cases
Stephen Bell
June 26, 2007 (Computerworld New Zealand) Banks in New Zealand are
seeking access to customer PCs used for online banking transactions to
verify whether they have enough security protection.
Under the terms of a new banking Code of Practice, banks may request
access in the event of a disputed transaction to see if security
protection in is place and up to date.
The code, issued by the Bankers' Association last week after lengthy
drafting and consultation, now has a new section dealing with Internet
banking.
Liability for any loss resulting from unauthorized Internet banking
transactions rests with the customer if they have "used a computer or
device that does not have appropriate protective software and operating
system installed and up-to-date, [or] failed to take reasonable steps to
ensure that the protective systems, such as virus scanning, firewall,
antispyware, operating system and antispam software on [the] computer,
are up-to-date."
The code also adds: "We reserve the right to request access to your
computer or device in order to verify that you have taken all reasonable
steps to protect your computer or device and safeguard your secure
information in accordance with this code.
"If you refuse our request for access then we may refuse your claim."
InternetNZ was still reviewing the new code, last week, executive
director Keith Davidson told Computerworld.
"In general terms, InternetNZ has been encouraging all Internet users to
be more security conscious, especially ... to use up-to-date virus
checkers, spyware deletion tools and a robust firewall," Davidson says.
"The new code now places a clear obligation on users to comply with some
pragmatic security requirements, which does seem appropriate. If fraud
continues unabated, then undoubtedly banks would need to increase fees
to cover the costs of fraud," he says, so increasing security awareness
and compliance in advance is probably the better tactic for both banks
and their customers.
"Bank customers who are unhappy with the new rules may choose to
dispense with electronic banking altogether, and return to dealing with
tellers at the bank. But it seems that electronic banking and in
particular Internet banking has become the convenient choice for
consumers," Davidson says.
The code also warns users that they could be liable for any loss if they
have chosen an obvious PIN or password, such as a consecutive sequence
of numbers, a birth date or a pet's name; disclosed a PIN or password to
a third party or kept a "written or electronic record" of it. Similar
warnings are already included in the section that deals with ATM and
PINs for Eftpos that was issued in 2002.
There is nothing in this clause allowing an electronic record to be held
in a password-protected cache -- a facility provided by some commercial
security applications.
For their part, the banks undertake to provide information on their
websites about appropriate tools and services for ensuring security, and
to tell customers where they can find this information when they sign up
for Internet banking.
"One issue we have raised with the Bankers Association in the past is
that banks should not initiate email contact with their customers,"
Davidson says.
The code allows banks to use unsolicited email among other media to
advise of changes in their arrangements with the customer, but Davidson
says they should only utilize their web-based mail systems.
"It is hardly surprising that some people fall victim to phishing email
scams when banks use email as a normal method of communication, and
therefore email can be perceived as a valid communication by end users,"
he says.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
