New Zealand’s banks say they will request inspection of a PC used for internet banking only in rare circumstances, and only to determine what had gone wrong.
The new Bankers’ Association Code of Practice (Computerworld, June 25) allows banks to request an examination of a customer’s computer security in the event of internet fraud.
Computerworld surveyed a number of banks last week and most of them don’t see themselves having to apply the controversial provision very often. However, one bank, Westpac, doesn’t propose implementing the provision at all.
“It’s our terms and conditions that govern our relationship with our customers,” says Stu Woollett, Westpac’s head of e-business. The Code of Practice, which contains the inspection provision, is “only a framework” for those terms and conditions, he says.
Ironically, of the four banks that replied to Computerworld’s questions, Westpac is also the only one that does not offer two-factor authentication for internet banking transactions. Two-factor authentication, which requires two different methods of identity verification, is generally thought to offer more secure protection against internet banking fraud than the conventional ID and password combination.
However, Woollett says it is “cumbersome” for some users. Westpac bases its fraud detection on keeping a watch for anomalous transactions outside the legitimate account owner’s normal pattern of use, he says.
The basic identifier/password combination without a second factor is said to be easily crackable, but mostly, Woollett says, it’s not cracked — it’s stolen.
A customer who leaves his or her PC unattended and logged on to internet banking, for example, would be held liable, he says. “That’s like leaving your car in a car park with the engine running and the door open.” Otherwise, customer liability is usually limited to $50 for any one fraudulent transaction, he says.
National Bank, ASB and BNZ all offer users of their internet banking services two-factor authentication.
National Bank’s managing director of retail banking, Craig Sims, says the bank is yet to finalise its policy on the new code, but he doesn’t expect the inspection clause to be invoked very often.
“We don’t anticipate invoking this clause except in very rare circumstances,” says Sims.
In April, National introduced two-factor authentication, called “Online Code”. This sends an eight-digit code to the customer’s mobile phone when he or she uses online banking. Sims says any inspection would only be with the consent of the customer and with the “specific purpose of seeking as much information as possible on how the loss may have occurred and protecting against future losses.”