Sunday Star-Times

Has your bank got your back?

In a world of various Pins, codes and passwords, bank customers find themselves at the mercy of increasingly tougher fine print. Tom Pullar-Strecker reports.


Ever left your cellphone unattended, not changed your internet banking password for a while, or failed to keep the anti-virus software on your computer up to date?

Or perhaps you have downloaded an app that wasn’t from the Google Play Store to your Android smartphone, or included some sequential letters or numbers in your internet banking password or Pin?

If so – depending on your bank – it is no longer safe to assume your bank will reimburse you if you lose money to an internet fraud and it is judged you have contributed to the loss.

For years, New Zealand banks routinely shelled out, to protect consumer confidence in online banking.

But in May, they ditched a "guiding principle" that they would continue reimbursing genuine victims of internet banking fraud.

A new code of banking practice makes it clear consumers may not be covered if they have breached their individual bank’s terms and conditions. Banks are free to change them at any time.

The only other consumer protection is a general requirement – enforced by the Banking Ombudsman – for banks to be "fair and reasonable".

Different banks appear to have different views on what being "fair and reasonable" might mean.

ANZ Bank states that if customers breach its terms and conditions, they could be liable for fraud losses if they bank from devices that don't have an up-to-date operating system and up-to-date anti-virus software.

But it does not say exactly what it means by "up to date".

The head of Victoria University's computer science department, Stuart Marshall, agreed that would appear to rule out people banking from computers running Windows Vista, which is now out of support.

It also raised doubts over whether people would be covered if they banked from work computers that they didn’t control.

"Many businesses don't automatically install updates because they can contain bugs and could be incompatible with a core piece of software – they wait to see how things play out and go from there."

ANZ spokesman Stefan Herrick said that while it "asked" that customers use the latest version of operating systems and software, and "recommended" they did not access internet banking from shared networks, it would consider fraud reimbursements on a "case-by-case basis".

It would consider whether customers had taken "reasonable steps to ensure their computer or device was as secure as possible", he said.

If in doubt about work computers, "customers should talk to their employer's technology team", he said.

BNZ’s fine print means customers could be liable for fraud losses if they included sequential numbers or letters in their internet banking username or password.

The bank gives the examples of "123" or "ABC".

But a strict reading of the condition would appear to mean customers would also be putting themselves at the bank's mercy if they included just two sequential letters or numbers, say, "KL" or "56", anywhere in their username or Pin and were defrauded.
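To make concrete how much hangs on the reading of that condition, here is an added Python example (not BNZ's own rule or code) that scans a password or Pin for sequential runs of letters or digits. The lenient reading flags runs of three or more, matching the bank's "123" and "ABC" examples; the strict reading flags any two adjacent sequential characters, as the article describes. The run lengths, the case-insensitive comparison and the treatment of descending runs ("CBA", "321") as sequential are all assumptions about how such a condition might be interpreted, and the sample secrets are constructed for illustration.

```python
"""Check a password or Pin for sequential runs of letters or digits.

Added example, not the bank's own rule or code.  The minimum run lengths
(3 lenient, 2 strict), case-insensitive matching and counting descending
runs are assumptions about how a "no sequential characters" condition
could be interpreted.
"""

import string


def _same_class(a: str, b: str) -> bool:
    """Two characters are comparable only if both are ASCII letters or both digits."""
    letters = string.ascii_letters
    return (a in letters and b in letters) or (a.isdigit() and b.isdigit())


def sequential_runs(secret: str, min_len: int = 3) -> list:
    """Return every maximal run of at least min_len characters whose code points
    step by exactly +1 or -1 in one direction (ABC, 123, CBA, 321).
    Case is ignored, so 'aB' counts as a run of two."""
    runs = []
    i, n = 0, len(secret)
    while i < n:
        j, direction = i, 0
        while j + 1 < n and _same_class(secret[j], secret[j + 1]):
            step = ord(secret[j + 1].lower()) - ord(secret[j].lower())
            # stop at a non-adjacent step or a change of direction
            if step not in (1, -1) or (direction and step != direction):
                break
            direction = step
            j += 1
        if j - i + 1 >= min_len:
            runs.append(secret[i:j + 1])
        # the last character of a run may start a run in the other direction
        i = max(j, i + 1)
    return runs


def check_secret(secret: str, strict: bool = False) -> dict:
    """Apply the condition under two readings:
    lenient - runs of three or more, like the bank's own examples
    strict  - any two sequential characters, the reading the article warns about
    """
    min_len = 2 if strict else 3
    runs = sequential_runs(secret, min_len)
    return {
        "reading": "strict" if strict else "lenient",
        "sequential_runs": runs,
        "breaches_condition": bool(runs),
    }


if __name__ == "__main__":
    # constructed sample secrets, not real credentials
    for s in ("123", "xABCx", "KL56", "Ocean2019!", "Tr0ub4dor"):
        print(s, check_secret(s), check_secret(s, strict=True))
```

Run as a script, "KL56" and "Ocean2019!" pass the lenient reading but fail the strict one ("KL" and "56" in the first, "01" in the second), which is the practical problem the article points at: under the strict reading a large share of ordinary passwords would breach the condition, and a customer would have no way to know in advance which reading the bank will apply after a loss.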

Marshall said that if banks were to argue Pins or passwords breached their conditions, then they should not allow them to be used in the first place.

"From a personal perspective I think it would be deeply unfair for a bank to accept a password and then reject it afterwards as being insecure."

At least some banks appear to be rigidly enforcing the latter rule.

Banking Ombudsman Nicola Sladden – whose office is funded by the banks – published details of a case in which a customer of an unnamed bank saved his phone banking registration number and Pin in a disguised form as a "contact" on his laptop.

When he synced a new cellphone to his laptop, he didn't realise the updated file would also be automatically synced to the contact list on a cellphone he had lost months earlier.

A thief who had his old phone saw through the disguised credentials and used them to steal "a significant sum" from his bank account, according to her report.

Sladden declined to uphold a complaint from the victim that his bank should have covered the loss.

The fairness of many of the other terms and conditions imposed by banks has yet to be put to the test.

The Banking Ombudsman Scheme observed a 37 per cent rise in reported banking scams over the year to the end of June, many of which involved internet banking.

But Sladden said she hadn’t so far seen any complaints about banks declining liability on the basis that a customer did not have an up-to-date operating system and/or anti-virus software.

Nor had she seen a situation where one had declined liability on the basis of sequential letters or numbers.

Importantly, when considering complaints, her office would consider what was "fair in all the circumstances", and a breach of a bank's terms and conditions by a consumer would only matter if it had in fact contributed to the loss being considered, she said.

"For example, where a customer chose a Pin based on their year of birth, but the fraudster obtained the Pin by other means that did not involve a customer's breach of the terms and conditions, we would not consider the breach caused the loss."

Even so, customers of some banks would arguably be doing well to stay completely on the safe side.

Westpac's and ANZ's terms and conditions both require that users of their banking apps only install software approved by "the relevant operating system provider" – such as Apple or Google.

ANZ requires customers "don't leave their mobiles unattended" and regularly change their Pins and passwords, while still making them hard to guess, always memorising them and – of course – never writing them down.

Herrick said "a good rule of thumb" was that passwords should be changed every 90 days, but said there were no "hard-and-fast requirements". That was even though "regularly" changing passwords is one of the bank's conditions.

Nor would ANZ be specific about exactly what it meant by requiring customers not to leave their mobiles unattended, though Herrick accepted "keeping a phone in sight 24/7 clearly isn't realistic".

But Victoria University cyber security expert Professor Ian Welch said requiring customers to regularly change passwords was no longer considered "best practice" because it forced them to write passwords down.

"It is better to encourage people to use good passwords in the first place," he said.

Marshall said internet banking security had improved as a result of the widespread availability of two-factor authentication.

If consumers wanted to have secure internet banking then they had their part to play, he said.

But if banks were going to penalise customers it wasn’t enough for them to just say they should have read the terms and conditions.

"That is probably putting too much of an onus on the user."

"I think it would be deeply unfair for a bank to accept a password and then reject it afterwards as being insecure." Stuart Marshall, Victoria University

Photo: Banking Ombudsman Nicola Sladden
