KEY POINTS:
A major bank has turned up the heat on its rivals by taking responsibility for any online fraud.
Up until now, BNZ customers have been accountable for losses if their PINs and passwords were stolen online by fraudsters.
The BNZ's move follows an earlier one by Westpac to "promise to pay" customers who fall prey to online crime. The move goes beyond the Banking Code of Practice that requires customers to have up-to-date antivirus, firewall, anti-spyware and operating system software.
Both BNZ and Westpac now say they do not require customers to have up-to-date software. But customers are advised to use it even if it's not compulsory, says Blair Vernon, general manager for strategy and marketing. He says such software is still essential to protect customers' privacy.
At the same time as changing its terms and conditions for online banking, the BNZ has announced it will make its two-factor authentication compulsory from March next year.
Two-factor authentication adds a step to logging into online banking, over and above a PIN and password.
BNZ customers are given a card called NetGuard, and are asked to enter numbers from the card.
Two-factor authentication makes banking on computers infected by viruses or Trojans safer.
BNZ head of fraud Ron Watt says online fraud is relatively rare. Losses, which the BNZ has reimbursed, have ranged from $10 to $13,000.
The BNZ is expecting protest at compulsory two-factor authentication from some customers, but says that an extra layer of protection is a fact of life for banking on the internet.
Both BNZ and Westpac said customers would be reimbursed if their account was plundered while they used an internet cafe overseas, a common situation for online fraud.
Overseas, the picture varies from country to country. Banks in Belgium and the Netherlands are required to take appropriate measures to protect their customers, says Mike Heath, chief executive of RaboPlus in New Zealand.
"Exact definition of 'appropriate' is left to the banks but they must adhere to minimum standards. If a customer is defrauded and the bank neglected its responsibility, the judges tend to rule in favour of the customer."
The British Banking Code protects innocent victims from fraud. In Ireland, for banks other than RaboPlus, the rules are that any transaction done with a customer's password is the customer's responsibility, Heath says.
In Australia there is no requirement to have security software updates to prevent customer liability, the BNZ says.
Banking Ombudsman Liz Brown welcomed the move by the BNZ because the requirement in the banking code for "appropriate protective software" was open to interpretation.
"If the banks provide some way for a customer to protect themselves such as two-factor authentication and make that a condition of protection against fraud, in principle that is a very reasonable way to approach things."
The Business Herald contacted other banks to find out what protection customers received.
Kiwibank is "not liable to you for any loss that you incur using internet banking due to things outside our control" although a spokesman says the bank has always made good any losses.
ASB says liability lies with customers who do not have up-to-date protective software or leave their computers unattended while logged in or fail to follow "reasonable security warnings about the appropriate processes and safeguards to follow when using internet banking". This could mean clicking on phishing emails, which attempt to obtain customer account details, often by claiming they are from the customer's bank. Customers are unable to take out more than $500 a day without using two-factor authentication called Netcode.
The ANZ/National "conditions of use" do not make it clear whether victims are liable for any subsequent financial loss.
The bank says: "Our policy is that where a customer is the unwitting victim of any fraud, including internet banking, and they have not knowingly contributed to the fraudulent activity, the bank will reimburse them for that loss."
RaboPlus has two-factor authentication. Criminals would need a RaboPlus Digipass in their possession to log in. "If the client's Digipass and customer number/PIN have not been used to do the plundering, then RaboPlus will take responsibility unless the plundering is caused by circumstances outside RaboPlus' reasonable control," says Mike Heath.
BNZ CHANGES
* The bank will cover customers who lose money through online fraud.
* The bank will not require customers to have the latest protection software.
* BNZ will make its card authentication system for online banking compulsory next year.
Fraudsters have many online tricks
Just how far online fraudsters will go to get access to bank accounts is one of the reasons the BNZ has moved to take responsibility for losses.
In a recent attack, eight customers fell for phishing scams, where fraudsters use email to obtain account details. Two were cleaned out, but the bank refunded them, two had no money in their accounts and the other four were using NetGuard and the fraudsters failed.
They did, however, make a concerted effort to crack one customer's NetGuard code.
The customer inadvertently clicked on an email, which enabled the phishers to record her username and password when she logged on to her internet banking. They couldn't, however, break her code, so they directed her computer to open a BNZ lookalike web page that asked her to enter all of her NetGuard grid co-ordinates. The customer phoned the bank, confused, and the fraud was prevented.
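The NetGuard-style grid card described earlier (numbers read off a card at login) and the incident above, where a lookalike page asked for every grid co-ordinate, modelled as an added example. This is not BNZ's code: the 5x5 layout, two-digit cells and three-cell challenge are assumptions standing in for the real card.

```python
import hmac
import random
import secrets

ROWS = "ABCDE"       # assumed row labels; the real NetGuard layout is not described
COLS = "12345"       # assumed column labels
CHALLENGE_CELLS = 3  # assumed: a login asks for a few cells, never the whole card


def _rng(seed):
    """Seeded RNG for reproducible demos; the system CSPRNG for real issuance."""
    return random.Random(seed) if seed is not None else secrets.SystemRandom()


def issue_card(seed=None):
    """Constructed card: a two-digit value per co-ordinate, e.g. 'B3' -> '47'."""
    rng = _rng(seed)
    return {r + c: f"{rng.randrange(100):02d}" for r in ROWS for c in COLS}


def issue_challenge(card, seed=None):
    """Bank side: pick a small random subset of co-ordinates for this login only."""
    return _rng(seed).sample(sorted(card), CHALLENGE_CELLS)


def verify(card, challenge, response):
    """Bank side: constant-time check of the digits typed for the challenged cells."""
    expected = "".join(card[coord] for coord in challenge)
    return hmac.compare_digest(expected, response)


def answer(known_cells, challenge):
    """What someone holding only `known_cells` can type; blank for unknown cells."""
    return "".join(known_cells.get(coord, "") for coord in challenge)


def plausible_request(coords):
    """Customer-side sanity check drawn from the incident: a genuine login asks for
    CHALLENGE_CELLS cells, so a page demanding the whole grid cannot be the bank."""
    return 0 < len(set(coords)) <= CHALLENGE_CELLS


def phishing_outcomes(card, seed=None):
    """Who passes the bank's check: a phisher with username/password only, one who
    replays cells recorded from an earlier login, and one who harvested the grid."""
    challenge = issue_challenge(card, seed)
    replayed = {c: card[c] for c in issue_challenge(card, None)}  # an earlier login
    return {
        "password_only": verify(card, challenge, answer({}, challenge)),
        "earlier_login_replay": verify(card, challenge, answer(replayed, challenge)),
        "whole_grid": verify(card, challenge, answer(dict(card), challenge)),
    }
```

The replay outcome is usually False because each login draws fresh cells, which is why the card limits what a single phished session exposes, while a harvested grid answers every challenge.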
One of the two customers the fraudsters did succeed with, retired Northland man Frank Leadley, had just started banking online when he was targeted by Nigerian-based fraudsters.
"I had decided I should get into the modern age and have online banking to make transactions," says Leadley. At the time of the fraud he was waiting for his first NetGuard to arrive and was transacting without it.
"I got an email on BNZ letterhead, which said the BNZ needed to update verification. It said to click on the link below. I assumed this was part of the [setup process for online banking], so I clicked on it." The email actually directed him to a fake copy of the BNZ website and he typed in his details.
Next time Leadley looked, $5600 had gone from his account. "Fortunately the bank refunded it very quickly and I was very grateful."
BNZ fraud detection officer Ian Luttrell said that in one instance the bank observed, a fraudster based in Canada took just 15 minutes to physically get his hands on the cash from a customer's account.