Monday, February 22, 2010

Customer vs. Bank: Who is Liable for Fraud Losses?

Bank Information Security's Linda McGlasson writes that the upcoming court case, involving Comerica Bank and Michigan-based Experi-Metal, Inc., will ultimately decide who is liable for losses stemming from phishing attacks.



As far as I'm concerned, this is truly a no-win situation for Comerica and online banking as a whole.



I have to ask: instead of fixing the blame on who is responsible for a phishing attack, why not take another angle? How about fixing what "causes" the problem? Eliminate typing and it would eliminate phishing altogether. That's what the bad guys are phishing phor: the information "you type" into a box in the browser. Authentication has to be done outside the browser. Why not use the bank's existing ATM rails to two-factor authenticate the online banking session?



If online customers, both business and consumers alike, swiped their bank-issued card and securely entered their bank-issued PIN, then there would be nothing to phish phor. HomeATM's PCI 2.0 certified PIN Entry Device 3DES DUKPT-encrypts the data inside the box at the magnetic head. When the device is attached to the online banking customer's computer, HomeATM's API, which any banking institution can download in less than an afternoon, recognizes it and prompts the consumer to "Swipe their Card" and "Enter their PIN." No more "typing" in online banking credentials. So stop fixing to blame someone and start fixing the security gaffes involved with typing vs. swiping.
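The swipe-and-PIN flow described above rests on DUKPT (ANSI X9.24), the key scheme the post names: the reader holds a key derived from the bank's Base Derivation Key (BDK) and a Key Serial Number (KSN) that counts transactions, and it encrypts the PIN block under a fresh per-transaction key before anything leaves the device. The Go program below is an added example written for this page; it is not HomeATM's API or product code. It implements the X9.24 derivation using the standard's published sample BDK and KSN, the PIN block is a constructed value, and `HostDecrypt` stands in for what a bank's HSM would do on the receiving side. It shows the property the post relies on: the bank can re-derive each session key from the KSN it receives, while no reusable secret is ever typed into the browser.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// Published ANSI X9.24 sample vector, not values from HomeATM or any real deployment.
const (
	sampleBDK = "0123456789ABCDEFFEDCBA9876543210" // Base Derivation Key, held only by the host HSM
	sampleKSN = "FFFF9876543210E00001"             // Key Serial Number: device ID + 21-bit transaction counter
)

var (
	keyMask    = mustHex("C0C0C0C000000000C0C0C0C000000000") // X9.24 derivation mask
	pinVariant = mustHex("00000000000000FF00000000000000FF") // PIN-encryption key variant
)

// mustHex decodes the fixed hex constants in this file; they are valid by construction.
func mustHex(s string) []byte {
	b, _ := hex.DecodeString(s)
	return b
}

func xor(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// tdes builds a two-key triple DES cipher (K1, K2, K1); key lengths here are fixed by construction.
func tdes(key16 []byte) cipher.Block {
	c, _ := des.NewTripleDESCipher(append(append([]byte{}, key16...), key16[:8]...))
	return c
}

// encrypt runs one 8-byte block through a cipher and returns the result.
func encrypt(c cipher.Block, block []byte) []byte {
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// clearCounter returns a copy of the KSN with its 21-bit transaction counter zeroed.
func clearCounter(ksn []byte) []byte {
	base := append([]byte{}, ksn...)
	base[7] &= 0xE0
	base[8], base[9] = 0, 0
	return base
}

// DeriveIPEK computes the Initial PIN Encryption Key injected into a device; the BDK never leaves the host.
func DeriveIPEK(bdk, ksn []byte) []byte {
	base := clearCounter(ksn)[:8]
	return append(encrypt(tdes(bdk), base), encrypt(tdes(xor(bdk, keyMask)), base)...)
}

// encryptRegister is the X9.24 one-way step: single DES under the left half, XORed with the right half.
func encryptRegister(key, reg []byte) []byte {
	single, _ := des.NewCipher(key[:8])
	return xor(encrypt(single, xor(reg, key[8:])), key[8:])
}

// DeriveSessionKey applies the one-way step per set counter bit, so key N cannot be reversed into an earlier key.
func DeriveSessionKey(ipek, ksn []byte) []byte {
	counter := uint32(ksn[7]&0x1F)<<16 | uint32(ksn[8])<<8 | uint32(ksn[9])
	cur, key := clearCounter(ksn), append([]byte{}, ipek...)
	for shift := uint32(1 << 20); shift > 0; shift >>= 1 {
		if counter&shift == 0 {
			continue
		}
		cur[7] |= byte(shift >> 16)
		cur[8] |= byte(shift >> 8)
		cur[9] |= byte(shift)
		key = append(encryptRegister(xor(key, keyMask), cur[2:]), encryptRegister(key, cur[2:])...)
	}
	return key
}

// PINKey applies the PIN-encryption variant to a derived session key.
func PINKey(sessionKey []byte) []byte { return xor(sessionKey, pinVariant) }
// HostDecrypt is the bank side: re-derive the per-transaction key from BDK and KSN and recover the PIN block.
func HostDecrypt(bdk, ksn, encPINBlock []byte) []byte {
	out := make([]byte, 8)
	tdes(PINKey(DeriveSessionKey(DeriveIPEK(bdk, ksn), ksn))).Decrypt(out, encPINBlock)
	return out
}

func main() {
	bdk, ksn := mustHex(sampleBDK), mustHex(sampleKSN)
	pk := PINKey(DeriveSessionKey(DeriveIPEK(bdk, ksn), ksn))
	enc := encrypt(tdes(pk), mustHex("041234FFFFFFFFFF")) // constructed PIN block, not a real PIN
	fmt.Printf("PIN key %X\nencrypted block %X\nhost recovers %X\n", pk, enc, HostDecrypt(bdk, ksn, enc))
}
```

Running it prints the PIN key and the encrypted block for counter 1; changing the last KSN byte changes the key, which is the point of the scheme for a defender: a captured encrypted block is bound to one transaction counter and one device, so it is not a reusable credential the way a typed password is, and the host can reject any KSN it has already seen.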







Comerica/EMI Case Raises Key Questions About Responsibility, Security


February 22, 2010 - Linda McGlasson, Managing Editor


At first this court case was a curiosity: Experi-Metal Inc. (EMI), a Michigan-based metal supply company, sued Comerica Bank, claiming that the bank exposed its customers to phishing attacks.

But now this story shapes up as a significant test case for the banking industry, raising several key questions that must be answered about fraud and responsibility.



"It will establish who is liable in the U.S. - the bank or the customer - for fraud losses that result from phishing," says Tom Wills, Senior Analyst, Security, Fraud & Compliance, Javelin Strategy & Research.
Continue Reading at BankInfoSecurity.com




