Online banking fraud: who’s to blame?
Local bank could learn a thing or two from the 'phishing scam' policies of other lenders.
May 3, 2010 2:11 by Katherine Azmeh
“I’m interested in how I can get my money back from the bank because it’s not my fault,” Pravin Bakliwal told local media after he lost a reported AED121,000 from his bank account last year. Bakliwal lost virtually his entire Mashreq bank balance when internet fraudsters made repeated debits to his account of AED500 and AED1,000 – leaving him with a grand total of about $38. “They’re telling me I revealed my internet password, so they won’t pay anything,” the man was quoted as saying.
Mr. Bakliwal was not alone. Scores of Mashreq customers were victimized last year in a phishing raid that defrauded bank clients out of tens of thousands of dollars.
Following the highly-publicized scam, the bank released a statement, reported in local media, that said investigations “proved that Mashreq’s security systems were not at fault.”
Effectively denying that any breach had occurred, Mashreq said it was “not liable to refund customers,” the National reported, adding that “in all cases customers’ valid online banking log-on credentials were used to conduct these disputed online transactions”.
“Protecting your wealth is a shared responsibility,” Mashreq reminds clients on their website. “Any transaction arising out of a valid Sign On using your username / password will be treated as authentic, and the bank will not liable for any loss due to unauthorized transactions in your account,” the bank advises.
But are regional banks right to safeguard online banking services by nothing more than a username and password? Compared to the counterparts abroad, the answer is a resounding “No!” Indeed, one analyst commented that the Mashreq case “demonstrates how far behind the Middle East is in information security.”
Consider the online banking guarantee of the UK’s Lloyds Banking Group: “We guarantee to refund your money in the unlikely event you experience a fraud with your Internet Banking. As long as you’ve been careful, for example, by taking reasonable steps to keep your security information safe.”
Kipp contacted Lloyds and asked for clarification of their guarantee. Specifically, we asked bank reps how the online bank fraud guarantee would be applied in the event that a client unknowingly divulged login credentials via a phishing site.
“If you use our online service and become a victim of online fraud, we guarantee you won’t lose any money from your account, and will always be reimbursed in full.”
Further, Lloyds employs sophisticated fraud detection systems that highlight unusual spending patterns. This would have come in handy in the case of the Mashreq fraud, where repeated (and unprecedented) account debits were made.
In fact, Citibank, American Express and scores of other online providers of financial services advertise account protection guarantees – offering clients peace of mind and confidence in their online banking services.
If regional financial institutions are to build investor confidence in the banking sector, they should be implementing such safeguards – and, of course, offer refunds to customers hit by the ‘phishers’.
But Kipp wonders: Are regional banks listening?