Online banking: just don’t

The Guardian:

He is one of Britain’s foremost experts on cyber security, a man who has spent 30 years following the development of first telephone, and then online, banking. The professor of security engineering at the University of Cambridge’s computer laboratory has witnessed the mass take up of online banking, and more recently the explosion in fraudulent activity.

So when Ross Anderson says he has never banked online – and has no plans to do so primarily because the customers carry the risks of fraud – the rest of us might want to take notice.

Crucially, and contrary to what you will find in the banks’ marketing materials, if you fall victim to an online fraud the chances are you will never see your money again.

According to Anderson and other security experts, one of the banks’ most extraordinary feats of recent years has been their ability to shift liability away from themselves and on to the customer – aided by a Financial Ombudsman Service (FOS) that they claim rarely challenges the banks following a fraud.

“I’ve seen far too many scams, and I’ve tracked the evolution of the banks’ bad attitude to customer complaints,” Anderson says. “Since the late 1990s the move to phone banking and then the internet has led to contract terms and conditions along the lines of ‘You agree to be liable for any transactions which, according to our records, were made using your password, whether you actually made them or not’. Basically, the banks used the move online as an opportunity to dump the fraud risk on the customer.”

Anderson says online banking in the UK contains many vulnerabilities, and he does not believe the official figures tell anything like the full story. “The government changed the rules so that fraud is reported to the banks, not to the police. This made the crime figures go down. The banks for their part have changed the rules so that most of the frauds reported to them are seen as customers attempting to defraud the bank.

“They take the view that if your password or pin was used you were either complicit or grossly negligent, so if you complain it is you who is trying to get money you’re not entitled to. So much of the fraud reported by customers doesn’t end up in the official figures.”

This is the article I mention when people ask why I don’t bank online.

Related: Prof Anderson responded to Met Police commissioner Sir Bernard Hogan-Howe’s bizarre view that banks should not refund online fraud victims.  On the subject of paying money into the wrong account, remember the asymmetry: when a bank does it, they can get the money back.  If the customer does it, they can’t.