The failure of customers to secure their own money during internet transactions could potentially lead banks to pass off the responsibility of financial losses back to the customer. User education for online banking customers on how to avoid phishing scams has failed, according to Paul Henry, senior vice president of Secure Computing. This form of commonsense defence has failed to work time and time again, he added.
Henry said lots of financial organisations have done a great deal of customer education in response to phishing attacks. But it has done very little, Henry said, because commonsense isn't applicable when dealing with phishers.
"Even if you manually enter a URL, security is obsolete as phishers have created Trojan code that modifies the host file on Windows to automatically redirect," he said.
"Phishers can also attack a router and redirect information to a different server - user commonsense is no longer valid. It is amazing how many banks have servers compromised to host phishing sites.
"It is now more common to attack a network in a bank because it is the last place someone would look. Phishers need to eliminate the number of emails sent out to reduce the noise and just focus on, say, 100 emails directed towards employees of a bank. I think banks will be passing the costs of losses to phishing scams onto the customer in the next two years."
Henry said banks are reluctant to refund losses if an account is hijacked. For example, he said a Bank of America customer had a PC compromised with a Trojan losing $90,000 from the account. The funds were sent to a bank in an European country - with $20,000 taken out immediately.
Although the theft is currently before US courts, Henry said the Bank of America has adopted the attitude that a Trojan on your PC is "your problem".
"The defendant claims he was told to move to internet banking by the bank and from the bank's perspective, Internet banking reduces the cost of transactions enhancing profits; if the court rules in the bank's favour then that is a bad precedent," Henry said.
David Bell, chief executive of the ABA (Australian Bankers' Association) said systems are in place to constantly monitor online transactions. As a result fewer customers are actually reporting incidents of online fraud, particularly when it involves phishing.
"Banks tell us that customers are reporting fewer incidents of online fraud due to the industry's efforts in fraud prevention such as employee training, strict privacy policies, rigorous security and encryption systems," Bell said.
"This is in addition to communicating with customers and educating them on how to avoid becoming a phishing victim. These combined efforts have resulted in a comparatively low level of fraud in Australia compared to the UK and other countries."
Bell said the credit card fraud rate for signature-based transactions globally is currently around 7¢ for every $100 transacted compared to 4¢ for every dollar in Australia.
"The Australian PIN-based debit card system does even better at less than 1 cent for every $100 transacted," Bell added.