UK police chief advises banks not to compensate online fraud victims
Thu 24 Mar 2016
Metropolitan police commissioner Sir Bernard Hogan-Howe has said that banks should not compensate consumers who lose money as a result of cybercrime, in an effort to encourage users to take responsibility for their own cyber-security.
Speaking to The Times, Hogan-Howe posited that people could be made more security-conscious if the security net of automatic compensation were removed.
“The system is not incentivising you to protect yourself,” said the Commissioner, who took up the post in 2011. “If someone said to you: ‘If you’ve not updated your software I will give you half back’, you would do it.”
Hogan-Howe stated that cybercrime victims who may not have taken adequate measures to install security software, or to keep it updated, are being “rewarded for bad behaviour”.
The issue has come into focus because of the imminent inclusion of cybercrime figures in general crime statistics, a move being initiated from this July, and one which is potentially a PR nightmare for the British police, since it threatens to augment general crime figures without providing any easily accessible distinction between ‘real world’ and cyber-based crimes.
The Financial Conduct Authority explains [PDF] that under rules laid down by the Financial Services Authority (FSA) in the UK, citizens have a right to compensation in cases where their card details have been appropriated and abused – but there are caveats which support Hogan-Howe’s suggestion:
‘Your bank may only refuse a refund for an unauthorised transaction if…it can prove you authorised the transaction – though your bank cannot simply say that use of your password, card and PIN proves you authorised a payment; or…it can prove you are at fault because you acted fraudulently, or because you deliberately, or with gross negligence, failed to protect the details of your card, PIN or password in a way that allowed the transaction.’
In a case where a user’s card details were stolen from a hacked retail database, the thieves will inevitably only have half – or less than half – of the information they need to complete transactions. But if compensation is to be withheld in those cases where the criminals have managed to obtain all the information they need to make purchases, it seems likely to be very difficult to forensically demonstrate the point at which the final information was obtained.
Additionally, domestic cyber-security software is well-known for its reactive (rather than anticipatory) approach to the latest man-in-the-middle (MitM) techniques for appropriating bank and card access; therefore even a user with out-of-date security software could become a victim in circumstances where the latest and best version would not have helped anyway.
A spokesman for Which? responded strongly to Hogan-Howe’s suggestions, noting that banks often either drag their feet or contest consumer claims over online fraud in any case. “The priority should be for banks to better protect their customers, rather than trying to shift blame on to the victims of fraud.”