Who Should Pay For A Phishing Attack?

According to a recent article at Netcraft, there is some legal dispute over who should be required to pay for bank funds lost due to a phishing scam.

Say somebody sends you an email with a phony link in it. It looks like it's your bank, but it's just a scammer trying to get your password. Assume you give the scammer your password, and he steals thousands of dollars from you. Should the bank cover this fraudulent transfer, or should the customer have to?

Personally, I believe it's in everybody's best interests for the bank to pay for the loss. This is not some anti-bank rant, it's simple pragmatism.

If it's the consumer's responsibility, then the consumer will most likely stop doing online banking at all. That means more work for the bank, and less profit.

On the other hand, if the banks are forced to pay for losses, they have an incentive to join together with other banks to combat the problem in general... that would be much more effective at getting rid of the problem, and would eventually lead to a safer, more secure, and more profitable bank.

Or maybe the better approach is insurance? The banks take out 'scammer insurance' against these kinds of internet criminals. Then the insurance companies give the banks an independent audit to see how secure they really are. If the banks have a web site that is less susceptible to phishing, then the premiums are much lower. The banks can add as much security as they wish, depending on how much risk they are willing to absorb.

This isn't a new concept... Bruce Schneier talks about it all the time. I just hope the banks don't make the wrong choice and go for the short-term profits.
