Friday, January 19, 2007

A Swedish-Trojan tale

According to the Beeb

"Internet fraudsters have stolen around 8m kronor ($1.1m; £576,000) from account holders at Swedish bank Nordea. The theft, described by Swedish media as the world's biggest online fraud, took place over three months. The criminals siphoned money from customers' accounts after obtaining login details using a malicious program that claimed to be anti-spam software.
Nordea said it had now refunded the lost money to all 250 customers affected by the scam.

"What is important is that none of our customers will have lost their money," said a bank spokesman."

Really? At a conference last Tuesday organised very helpfully by ISPA, the UK ISP Association, to discuss the upcoming HL Inquiry into Personal Internet Security, the view was informally expressed that the banks are not really hurting on this one yet. If and when they do, we'll suddenly start to see a trend for these kinds of losses to be absorbed by the customers. One wonders how the bank offsets their losses - what do their own insurance policies cover? Or are they just using up profits?

It is generally believed on the high street that any misuse of money in consumer bank accounts is the responsibility of the bank. In fact the real law is much less clear - especially in cases like phishing where the customer is arguably the one in breach of duty of care. Cases like this where Trojans are implanted as key loggers or other forms of spyware are a middle ground, being (again arguably) the fault of neither customer nor bank; and misuse of credit cards, as in ID theft, falls clearly (after the latest clarification as to use overseas) into the consumer credit protection guarantees of the EC, i.e. the responsibility of the card issuer.

I've yet to see a really clear piece of work in the UK dealing with these issues and not sponsored by an obviously involved party, e.g. a bank or a law firm who wants bank work. It might be a good PhD for someone, since we appear to be in PhD application season..:-) Better than doing electronic signatures AGAIN for sure!

1 comment:

Ian Brown said...

Did you see:

Bohm,N., Brown,I., Gladman,B. (2000). Electronic commerce: who carries the risk of fraud? Journal of Information, Law and Technology

Could do with updating to cover phishing :)