Banks could block customers from claiming money back if they are a victim of fraud and it is found they had substandard online security. Following this news, IT security experts from Lieberman Software, ESET, Imperva and AlienVault discuss whether this is a good idea.
Jonathan Sander, VP of Product Strategy at Lieberman Software:
While all of this is best practice in security, it’s also a pain in the neck in the eyes of the uneducated online consumer.
On the other hand, banks are under competitive pressures like any other. If one bank makes things too hard on their users from a security perspective, they may decide to simply switch banks. This is doubly so for the younger, mobile, first generation of users that everyone is competing to capture.
When banks say they may ask users to take on some of the risk for using bad security practices, it seems they are saying that they want to split the tab for allowing people to be lazy. The banks won’t force good security on people – which they could – but they will instead say that choosing to opt out of good security is done so at your own, very grave, risk.
Mark James, Security Specialist at ESET:
You should also be very mindful of the device you’re accessing any online banking with and ensure you always log out and never save passwords. Whenever there are big breaches or data found on the internet one of the biggest things that still amazes is the fact that users still do not use complex passwords. You really need to have at the very least a unique password for any financial login and ensure it contains enough unique characters to not be easily guessed, this could be a passphrase or even a few words added together with numbers, uppercase and special characters thrown in for good measures. You really are the first defence and can easily make things harder for the bad guys.
Amichai Shulman, CTO of Imperva:
Javvad Malik, Security Advocate at AlienVault:
In the first instance, the banks would be better placed investing in better fraud detection and prevention controls on their own end. The systems should ideally be designed in a manner that even if a customer machine is compromised, it would be difficult for a fraudster to steal credentials.
Ongoing customer education is not to be discounted. Many people still fall victim to phishing or even telephone scams where fraudsters pose as the bank. The customers shouldn’t be victimised twice, once by the fraudster and second by the bank. Rather a collaborative approach is needed with more vulnerable customers perhaps given lower limits or limited functionality on their online banking in order to minimise the impact of fraud.
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.