One-time passwords at the heart of blame game
The legal issues information security attorney Mark Heyink has raised with ombud Reana Steyn include the risk you assume when using internet banking, possible negligence by the banks, the duty of care a bank owes you, and the liability of banks' agents.
Assumption of risk
When you open a bank account, you become a debtor or creditor of the bank. Only you can authorise payments to be made from your account. If payments are made without your authorisation, the bank is obliged to credit your account.
However, with internet banking you are deemed to have agreed to bear the risk: if your password or PIN was used to log on, you are taken to have authorised the payment.
Heyink says banks are obliged, in terms of the Consumer Protection Act, to draw your attention to this shift in risk in their agreements with you.
Heyink says Absa claims its clients have signed agreements shifting this risk, but has failed to provide these agreements to clients when asked to.
Phumza Macanda, the head of media relations at Absa, says the bank cannot respond to allegations that it has failed to provide these agreements without the specifics of each case.
Heyink says there is no evidence that the banking ombudsman has asked Absa to provide the agreements that it claims it relies on, or to prove its compliance with the CPA.
But Steyn says the bank's terms and conditions for use of its online platform clearly state that you will be regarded as having authorised payments made by anyone who gains access to your PIN, password or user number, "unless you are able to prove that this person obtained the PIN, password or user number because the bank was negligent, or because of internal fraud perpetrated at the bank".
Heyink says that in terms of the Electronic Communications and Transactions Act, banks are responsible for providing a payment system that is secure, and that a bank is liable for any damage you suffer due to its failure to comply with the act.
Banks implemented one-time passwords as a security measure to protect high-risk transactions, such as the adding of a beneficiary. Heyink says it has been well-known for many years that SIM swaps undermine one-time passwords. He says the ombudsman's failure to consider the bank's responsibility relating to these passwords is a failure to deal with a critical factor in internet banking fraud.
Macanda says that in 2017, Absa introduced SureCheck two-factor authentication to combat SIM-swap fraud and that it has "significantly reduced" such cases. She says the bank is always looking for ways to further safeguard access to your account.
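The mechanism the two sides are arguing over, as an added toy model that is not from the article or from any bank: a password login followed by a one-time password only for high-risk actions (the article names adding a beneficiary), with the OTP delivered either by SMS, where the recipient is whichever SIM the mobile network currently maps the phone number to, or through an app channel bound to a secret the bank provisioned to the customer's device. Account names, the phone number, the device key, the telco registry and the second high-risk action are all constructed; the app channel is an assumption about how device-bound approval works in general and is not a description of SureCheck.

```python
import hashlib
import hmac
import secrets

# Actions the toy bank gates behind an OTP. The page names adding a
# beneficiary; "raise_limit" is a constructed second example.
HIGH_RISK_ACTIONS = {"add_beneficiary", "raise_limit"}


class Telco:
    """Constructed mobile-network registry: phone number -> SIM serial currently active."""

    def __init__(self, mapping):
        self.active_sim = dict(mapping)

    def sim_for(self, number):
        return self.active_sim[number]


class Bank:
    """Toy internet-banking backend: password login, OTP step-up for high-risk actions."""

    def __init__(self, telco):
        self.telco = telco
        self.customers = {}      # account -> {"pw_hash", "phone", "device_key"}
        self.sessions = set()    # accounts currently logged in
        self.pending = {}        # (account, txn_id) -> expected OTP
        self.delivery_log = []   # (account, txn_id, channel, recipient)

    def enrol(self, account, password, phone, device_key):
        self.customers[account] = {
            "pw_hash": hashlib.sha256(password.encode()).hexdigest(),
            "phone": phone,
            "device_key": device_key,  # secret provisioned to the banking app (assumed design)
        }

    def login(self, account, password):
        cust = self.customers[account]
        candidate = hashlib.sha256(password.encode()).hexdigest()
        if hmac.compare_digest(cust["pw_hash"], candidate):
            self.sessions.add(account)
            return True
        return False

    def request(self, account, txn_id, action, channel):
        """Start a transaction; returns 'approved', 'otp_required' or a denial."""
        if account not in self.sessions:
            return "denied: not logged in"    # no OTP is ever sent without a login
        if action not in HIGH_RISK_ACTIONS:
            return "approved"                 # low-risk actions need no step-up
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[(account, txn_id)] = otp
        cust = self.customers[account]
        if channel == "sms":
            # SMS follows the phone number to whatever SIM the telco has active.
            recipient = self.telco.sim_for(cust["phone"])
        elif channel == "app":
            # App channel is addressed by the enrolled device secret, not the number.
            recipient = hashlib.sha256(cust["device_key"].encode()).hexdigest()[:12]
        else:
            raise ValueError("unknown channel")
        self.delivery_log.append((account, txn_id, channel, recipient))
        return "otp_required"

    def confirm(self, account, txn_id, otp):
        """Complete a pending transaction; each OTP is consumed on first use."""
        expected = self.pending.pop((account, txn_id), None)
        if expected is not None and hmac.compare_digest(expected, otp):
            return "approved"
        return "denied: bad otp"


def demo():
    """Return the OTP recipient per channel before and after the telco moves the number."""
    telco = Telco({"+27000000001": "SIM-CUSTOMER"})
    bank = Bank(telco)
    bank.enrol("acct-1", "correct horse", "+27000000001", "device-key-abc")
    assert bank.request("acct-1", "t0", "add_beneficiary", "sms") == "denied: not logged in"
    bank.login("acct-1", "correct horse")
    assert bank.request("acct-1", "t1", "balance", "sms") == "approved"
    bank.request("acct-1", "t2", "add_beneficiary", "sms")
    bank.request("acct-1", "t3", "add_beneficiary", "app")
    before = {ch: rcpt for _, _, ch, rcpt in bank.delivery_log}
    telco.active_sim["+27000000001"] = "SIM-OTHER"   # number now resolves to a different SIM
    bank.delivery_log.clear()
    bank.request("acct-1", "t4", "add_beneficiary", "sms")
    bank.request("acct-1", "t5", "add_beneficiary", "app")
    after = {ch: rcpt for _, _, ch, rcpt in bank.delivery_log}
    return before, after


if __name__ == "__main__":
    print(demo())
```

The model makes both positions in the article concrete: no OTP is issued until the password login succeeds (Steyn's point), and once it is, the SMS channel's recipient is decided by a third party's number-to-SIM mapping rather than by anything the bank controls, while the app channel keeps addressing the enrolled device (Heyink's point, and the reason Macanda gives for the app-based approach).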
Heyink admits that compromising your PIN and password renders you vulnerable to fraud, but that without the one-time password being compromised, the transfer of funds to the fraudsters is impossible.
But Steyn says it is the ombudsman's opinion that victims' losses are caused by their passwords and PINs being compromised, without which no one-time password will ever be sent.
Macanda says it is wrong to assume that bank employees are complicit in cybercrime. Customers' passwords are held in an inaccessible, encrypted database, she says. Investigations have failed to provide evidence of staff involvement.
Liability of banks' agents
Where there has been a SIM swap and fraud occurs as a result of the one-time passwords being intercepted by fraudsters, Absa often claims the cellphone service provider was negligent.
Heyink says the cellphone providers are acting as agents of the bank in providing the security measures that the bank is obliged to implement. He says the ombudsman has erred in avoiding this issue by claiming the banks have no jurisdiction over third parties.
But Steyn says the losses stem from the compromised PINs and passwords, without which the internet banking platform could not be accessed.
Heyink says the banks know that phishing is not the only manner in which your information may be compromised with no negligence on your part.
Macanda says perpetrators of SIM-swap fraud use information that is not held only by the bank. "For instance, customers who have post-paid mobile phone contracts provide most of this information to mobile phone service providers."
She says cybercriminals probably have accomplices who provide them with information held by entities that are not directly connected to the bank. This includes any company that has your bank account number and cellphone number, and is why all who hold this data have a responsibility to protect it, she says.