Friday, 4 April 2008

Safe online banking

If you are careful with your bank/credit card details, you'll get your money back if someone breaks in and loots your online account. This is because the Banking Code provides protection for bank customers who are defrauded. Specifically, "12.13 Unless you have acted fraudulently or without reasonable care (for example by not following the advice in section 12.9), you will not be liable for losses caused by someone else which take place through your online banking service."

I've highlighted the red part above, noting the part that implies customers who act carelessly will be liable for financial losses from their accounts. But what does section 12.9 specify? There are six points listed in the code:

  • Keep your PC secure. Use up-to-date anti-virus and spyware software and a personal firewall.
  • Keep your passwords and PINs secret.
  • We (or the police) will never contact you to ask you for your online banking or payment card PINs, or your password information.
  • Treat e-mails you receive from senders claiming to be from your bank or building society with caution and be wary of e-mails or calls asking you for any personal security details.
  • Always access internet banking sites by typing the bank or building society’s address into your web browser. Never go to an internet banking site from a link in an e-mail and then enter personal details.
  • Follow our advice – our websites are usually a good place to get help and guidance on how to stay safe online.

All of this advice is sensible. It won't provide 100 per cent security, but then nothing does.

It would be interesting to see how a bank goes about proving that a defrauded customer had failed to follow any or all of this advice. Falling foul of a phishing attack, having ignored the advice to "Never go to an internet banking site from a link in an e-mail and then enter personal details", would be obvious if the customer admitted their mistake. It would be hard to prove, though, without the customer's admission.

Being "wary" is not very specific advice, wariness being hard to quantify. Being wary could mean looking both ways before crossing the road, but it could also mean spending every night holed up in the wardrobe, armed with a kitchen knife. This would be both wary and insanely paranoid. Being told to follow advice that is completely unspecified (see the last bullet point) is vague, to say the least.

However, there is some very straightforward advice, namely the requirement that users install and regularly update anti-virus and anti-spyware software, and use a personal firewall. Out-law.com has published a news story that leads with the line, "The Banking Code produced by the British Bankers' Association (BBA), and followed by most banks, makes it clear that banks will not be responsible for losses on online bank accounts if consumers do not have up to date anti-virus, anti-spyware and firewall software installed on their machines."

So, does spurning the use of anti-virus software put you at risk of personal financial loss? In practice, no. According to Out-law.com, "The BBA said that it was not aware that any bank had ever invoked that clause of the Code to avoid covering a consumer's online banking losses." It seems that the advice is just advice and not a definitive code of behaviour, which makes you wonder why it is in the Code at all.