
Should banks refund victims of online fraud?


The Times reports that Met Police Commissioner Sir Bernard Hogan-Howe has said victims of online fraud should no longer be refunded by banks if they fail to protect themselves.

With online fraud increasing, this is an astonishingly misjudged proposal from the Met Police Commissioner.

Sir Bernard on bank fraud

The front page of The Times reports that Sir Bernard Hogan-Howe said:

‘If you are continually rewarded for bad behaviour you will probably continue to do it but if the obverse is true you might consider changing behaviour. To be fair to the banks, if one says they’ll do it and the others don’t that’s a competitive advantage.

‘The system is not incentivising you to protect yourself. If someone said to you, “If you’ve not updated your software I will give you half back”, you would do it.’

However, the priority should be for banks to better protect their customers, rather than trying to shift blame on to the victims of fraud.

Reimburse fraud victims

Of course, it’s vital to educate consumers about how to avoid fraud, but suggesting that banks could make people more security-conscious by refusing to reimburse fraud victims risks sending the wrong signal about the banks’ own crucial role in preventing crime.

We know that scammers are using increasingly sophisticated techniques to defraud people out of their money, in many cases beyond the control of consumers.

We believe that banks should be doing more to improve their security processes and systems, share their intelligence to prevent fraudulent activity, and support their customers when they fall victim to crime.

Banks inconsistent with fraud

In September 2015, we found that banks were inconsistent when dealing with fraud. A Freedom of Information request revealed that the Financial Ombudsman Service upholds around one in four complaints relating to fraud and disputed transactions in favour of the customer, stating that in many cases banks have based their decisions ‘on a hunch’, without conducting a full investigation.

The Met has since clarified Sir Bernard’s comments, saying that he also agrees banks need to consider investing more in their security systems. However, if banks did not have to reimburse victims, what incentive would they have to protect their customers from fraud in the first place?

Should banks reimburse victims of online fraud?

Yes (97%, 28,600 Votes)

No (1%, 424 Votes)

Don't know (1%, 403 Votes)

Total Voters: 29,427

David Roe says:
29 March 2016

As banks are usually poor in service, products and interest rates, because the same people who look after our money are those who had to be bailed out by the taxpayer, then of course they should compensate.
How many viruses have put personal data at risk in the past 5 years at various Banking institutions?

mary says:
29 March 2016

One word, Unbelievable!

Steve Beaumont says:
29 March 2016

There should be an agreed level at which the responsibility becomes the customer’s. If you left your car or house unlocked the insurance company may not compensate you because you were negligent. I know a lot of people locally who let family and friends use their credit and debit cards.

Chazzy says:
29 March 2016

I’ve found a simple solution. I don’t do on-line banking! I agree with everyone who has blasted Hogan-Howe. If the banks follow his suggestion I would suggest everyone refuse on-line banking and on-line payments. The amount of money the banks and other organisations will lose will soon change their minds. Remember how much power you have as a consumer.

A.W.W says:
27 August 2016

Chazzy: just found this article. I am fed up with online banking; my bank has just changed the look of its website and it is so much harder to find things, and the list of auto payments I had set up for bills has vanished. No idea how to set it up again. It made me fed up with online banking and I have decided to pay via other methods. In time, I may change banks, as my bank is an internet-only bank.

Boblechien says:
29 March 2016

Has Sir B sorted out his post retirement employment yet?

How he can suggest the victim is to blame for a crime is incredible.

Scottie says:
2 April 2016

“Dear Sir , we have noticed that there is a virus on your computer. Give me access and I’ll sort it out for a small fee.”

Who is to blame when the user gives someone they don’t know access to their PC/laptop?

Scottie, “someone else” – they are always to blame. 🙂

Who is responsible?


“Imagine being given the keys to the internet. One minute you could be looking at a building’s air conditioning panel, a pharmacist’s inventory, and a Windows programmer’s console, and the next minute it’s a school administrator’s email inbox, and a touch-screen toilet customer satisfaction monitor (which, sadly isn’t a joke).

Give it time, and you’ll likely land on something more sinister, like the desktop belonging to a receptionist in a pediatrician’s office, and you’re looking at their screen which is packed with patients’ names, addresses, dates of birth, and parents’ phone numbers.

It’s a whole new meaning to the “open” internet, and one you wouldn’t want to be on the wrong side of.
It’s not only possible, but it’s been happening for a while. Thousands of screenshots have been collected and uploaded to a website called VNC Roulette, which shows a snapshot in time of a random internet-connected desktop.

All these desktops have something in common: they’re running VNC, an open-source software that allows users to remotely access and control a desktop from anywhere else in the world. But if VNC is set up without a password, anyone can scan the web and access an unsecured computer.”

Jane says:
29 March 2016

I am not for a blanket ‘yes’ – I do think that banks should put more security measures in place when large amounts of money are being transferred via internet banking or even when someone goes into a branch to do it. But I also think that customers have a responsibility to be ‘aware’. There are numerous radio programmes, newspaper articles and maybe even social media comms about the various scams in operation – yet people fall for them…..

olive brown says:
29 March 2016

Yes I think they should unless the victim has been careless over security

ken says:
29 March 2016

another flaw to his record

Caz says:
29 March 2016

I believe the banks should be helpful to their customers in this way. As we all know it is very easy to be ‘caught out’ even if you are a seasoned computer user. If Sir Bernard had been targeted then he would know how this feels. Some companies take advantage and once you have made a payment on line they believe they have the right to charge you for any goods they deem to send you, even if you have not requested them, and do not want them. The so called ‘small print’ is often misleading and there is no address for you to remedy the situation.

So why should other customers of your bank pay for it to compensate you if that happens? There are other legal remedies to get redress for unfair or illegal trading and any recompense should come from the party that committed the misdeed.

If you get goods you didn’t order you don’t have to pay for them, and if the supplier has taken money for them the bank or credit card company will at your request stop or recover the payment to the supplier as part of its normal service. Compensation does not arise because there is no loss and the customer does not become a victim. The supplier’s actions, although disreputable, are not criminal. The Distance Selling Regulations apply and the situation is exactly the same whether it is carried out on line or by mail order. Traders that routinely cause the banks to stop or recover payments will soon fall foul of their banking arrangements and have their credit facilities withdrawn.

On-line advertisements are now subject to action by the Advertising Standards Authority. In law the customers interests in respect of misleading terms and conditions prevail over the trader’s. Dealing with unknown firms and those that do not clearly show a business address is always risky and best avoided.

It is unfortunate that some people might get ‘caught out’, but is that due to any fault or negligence on the part of their bank?

ash says:
29 March 2016

Sir Bernard is a silly banker

David says:
30 March 2016

The option “Not Necessarily” was not given in the poll. An example is when the customer has acted negligently: “trusting a friend, neighbour or anyone who’s not a joint account holder with their PIN to draw cash from an ATM” is just one. (Yes, it does happen.) For those saying that isn’t “online fraud”, it is if the person trusted uses the card online where the PIN isn’t even needed.

Another that comes to mind is a scam that people are asked to give their card number to pay a nominal sum for delivery of a prize they’ve won (Usually £1) They are asked to tick a box to say they have read the terms and conditions (T&C) – if they’d taken the trouble to read the T&C they would have found they were agreeing to be charged £69 a month for joining unless they cancelled within three days. Why should the banks be responsible for a person who has probably LIED by saying they have read the terms and conditions?

Don’t think I don’t sympathise with people who are scammed in such a way – I also sympathise with bank’s shareholders if banks are held responsible for things beyond their control – and not their fault.

As I have said somewhere else in this Conversation, the risks of becoming the victim of fraud are much higher if card-holders are in any way lax in their own security. In our more casual society, cards are carried openly, they fall out of pockets, they are used to scrape ice off windscreens, they are left on the counter or checkout, the numbers are read out over the phone to unknown call-centres, and so on. For distance selling, the three ‘security’ numbers on the back of cards are usually required [to prove that the purchaser is actually in possession of the card] and these also are read out over the phone or written in the box on a mail order form; at least with on-line ordering the code numbers are encrypted [don’t deal on sites that don’t have that protection].

The opportunities for fraud have escalated way beyond the banks’ initial imaginings and it is impossible to put the genie back in the bottle now. While the banks have to accept responsibility for fraud perpetrated within [and through the assistance of] their systems, it is a foolish card-holder who does not do all they personally can to protect their own security – if only to avoid the hassle of having to make a claim or having their card account frozen.

It is disappointing that the card security code is printed on the card, which could encourage fraud.

Too true, but it is the only way to prevent someone who knows the card number and issue/expiry dates but doesn’t physically have the card in their hand from being able to use it for on-line crime. Once the card has fallen into the wrong hands security is significantly reduced and if the PIN is known then there is no security. People could erase or cover over their three-digit security number on the back of the card so long as they are confident they can remember it.

I suspect a lot of people have their PINs and security numbers written down somewhere, and sometimes in conjunction with each other. The more cards people have the worse the problem becomes and many people use the same PIN for several cards. Fraudster heaven!

I have obliterated the security codes on the cards I take out of the house.

I think companies should not be permitted to request the three-digit security code for telephone sales and mail order transactions. It was never intended to be used in those circumstances and it completely compromises the code’s security. It was really only intended for use in on-line transactions where encryption is used to prevent unauthorised knowledge of the code. For mail order the supplier should either send an order confirmation to the purchaser’s card billing address and request acceptance before despatch of the goods or provision of the service, or otherwise accept the risk of a fraudulent order. It would be more cumbersome and slow everything down but any lesser degree of security is pointless. The encrypted on-line alternative is available in most cases although customers without access to a computer would be at a disadvantage, but cheques and postal orders [up to £250] are usually still accepted.

It seems to me that very few companies have keypad encryption facilities for taking telephone orders. The banks could protect themselves [and their customers] better by making this a condition of the authorisation to take credit and debit card orders over the phone.

I’m glad I’m not the only one who is uncomfortable giving their card security code on the phone, John. Nevertheless, we do need security systems that allow us to make phone and online purchases with little risk of fraud. I use PayPal when buying from items advertised on eBay, rather than giving credit card details to an unknown company.

At least eBay has the PayPal system – I doubt eBay would be viable without that as so many of the traders are unknown companies or individuals and there would be a lack of trust and confidence on the part of buyers, and it works both ways. It is a very useful facility for ensuring (1) that the seller cannot acquire the buyer’s payment card details, and (2) that the buyer will not default. Quite a number of other companies that deal on-line now include PayPal in their acceptable payment facilities and this is an aid to security where customers might have reservations about the supplier.

David says:
30 March 2016

That seems a very good idea – I presume you keep copies of the codes somewhere safe.
I write my phone number on mine – perchance I leave card in machine. I’m sure retailers would appreciate the chance to easily contact the shopper and I can’t see any security issue in connecting the card to a phone number (name which in many cases could find phone number in directories is already on them).
Incidentally I also carry a piece of paper with four digit numbers on it (one more than the cards I have) in my card wallet. Any unscrupulous person stealing or finding it would be very disappointed when trying out the numbers and blocking each card after the third attempt. (none of the numbers are my PINs),☺

I keep my card security codes safely at home. I carry the phone numbers needed to report lost cards when I’m away from home, though have not needed them yet.

I love the idea of the phoney PINs, David. 🙂

David says:
30 March 2016

“and many people use the same PIN for several cards. Fraudster heaven!”

I question that for a few reasons:

1. This could only be known to the card’s owner.(Even the banks couldn’t cross check).

2. A fraudster (unless he already knew the PIN for one card) wouldn’t have any clue to the PIN of others.

I will concede that a fraudster who knows the PIN of one card might guess that it might be used for other cards – but it could never be proved as negligence by a bank. (The card holder would need to admit it – and as we all know banks will NEVER ask for your PIN – so they’re hardly likely to ask you for the PIN you use with another bank).

I will also concede that a person finding (or stealing) multiple cards could increase odds of finding the PIN of one by chance, if all PINs were the same. But I believe the risks are less than those taken by owners of multiple cards (with different PINs) who need to use written clues (however disguised) to the different PINS of their cards.

Perhaps with computer technology it could be made possible for a person with several cards (different banks) to make it possible that if one card is blocked after three attempts all other cards (registered with that card) were also blocked. Just an idea.

I keep the lost card reporting numbers in the contact list on my mobile phone as well as various other useful code numbers, but not actual PINs; I have no difficulty memorising the few I have.

I wasn’t suggesting that banks would be in any way negligent if a customer used identical PIN’s across several cards. I was trying to point out to card-holders the increased risk they are taking if they do that. In any case, with multiple cards using the same PIN, it would be impossible to identify which bank might have been involved if a fraud occurred. This is purely about customer responsibility and ensuring that people are aware that they cannot look to the banks for compensation if they do ill-advised things of their own volition. I don’t rule out the possibility that some crimes are committed by people who know the victim very well and how they look after their cards.

PINs are crackable. Once we understand that this is the case, we can concentrate on how easily they are cracked.

Please ignore the following which is about where people choose their own numbers:
People are humans and humans tend to think alike.

However, this article from 2003 on machine-cracking PINs is more scary in its description of the banks’ attitudes to security encryption:
“By using adaptive decimalisation tables and guesses, the maximum amount of information is learnt about the true PIN upon each guess. It takes an average of 15 guesses to determine a four digit PIN using this technique, instead of the 5000 guesses intended.”

And to pass forward to when it became a secret that no longer could be hidden, in 2008, when 40 million cards were compromised.

Anyway that is a short lesson on PIN and choosing your own number and the defects in the system as currently and historically known. And as with all systems the people flogging the technology to the consumer may have a different view on security versus their savings on costs.
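The “15 guesses” figure quoted in the comment above comes from the decimalisation-table attack on IBM 3624-style PIN verification (Bond and Zieliński, “Decimalisation table attacks for PIN cracking”, 2003): the HSM’s verify-PIN command lets the caller supply the 16-entry table that turns the hex block derived from the account number into decimal digits, so an attacker with access to that command can choose tables that leak one fact about the PIN per call. What follows is an added simulation of that attack, not code from the comment, the paper or any HSM vendor. The verifier is a model with stated assumptions: a keyed SHA-256 stands in for DES under the PIN derivation key, the PIN offset is zero, the PAN is a constructed value, and the “hardened” variant’s fixed-table check is this example’s own. The search it runs is the simple non-adaptive scheme, which averages about 16.5 guesses; the adaptive version in the paper gets that down to 15.

```python
"""Simulation of the decimalisation-table attack on IBM 3624-style PIN
verification. Constructed example: the HSM below is a model, not vendor code."""
import hashlib
from itertools import combinations

DEFAULT_TABLE = "0123456789012345"  # IBM 3624 default: hex digit 0-F -> decimal digit


def decimalise(hex_block: str, table: str) -> str:
    """Map each hex digit of the block through the 16-entry table."""
    return "".join(table[int(h, 16)] for h in hex_block)


class PinVerifier:
    """Model of a 'verify PIN' command that accepts the decimalisation table
    as a parameter: the weakness the attack exploits."""

    def __init__(self, key: bytes):
        self._key = key
        self.calls = 0  # verification attempts seen by the HSM

    def _block(self, pan: str) -> str:
        # Assumption: keyed SHA-256 stands in for the first 4 hex digits of
        # DES_k(PAN); the attack only needs the block to be unknown to the caller.
        return hashlib.sha256(self._key + pan.encode()).hexdigest()[:4]

    def customer_pin(self, pan: str, table: str, offset: str) -> str:
        natural = decimalise(self._block(pan), table)
        return "".join(str((int(n) + int(o)) % 10) for n, o in zip(natural, offset))

    def verify(self, pan: str, table: str, offset: str, trial: str) -> bool:
        self.calls += 1
        return self.customer_pin(pan, table, offset) == trial


class HardenedPinVerifier(PinVerifier):
    """Same command, but the HSM refuses any table except its own (assumed fix)."""

    def verify(self, pan: str, table: str, offset: str, trial: str) -> bool:
        if table != DEFAULT_TABLE:
            raise ValueError("decimalisation table not permitted")
        return super().verify(pan, table, offset, trial)


class FixedBlockVerifier(PinVerifier):
    """Verifier with a known block, for worked traces and for averaging."""

    def __init__(self, block: str):
        super().__init__(b"")
        self._fixed = block

    def _block(self, pan: str) -> str:
        return self._fixed


def _isolating_table(digit: int) -> str:
    """Table sending every hex value that normally decimalises to `digit` to 1
    and all others to 0, so the resulting PIN shows only where `digit` sits."""
    return "".join("1" if DEFAULT_TABLE[h] == str(digit) else "0" for h in range(16))


def crack_pin(verifier: PinVerifier, pan: str) -> str:
    """Recover the natural PIN (offset 0000) from verify() answers alone."""
    # Phase 1: which decimal digits occur at all. Under the isolating table
    # the PIN is 0000 exactly when the digit is absent.
    present = [d for d in range(10)
               if not verifier.verify(pan, _isolating_table(d), "0000", "0000")]
    # Phase 2: positions of each present digit. A trial with 1s at a candidate
    # set of positions succeeds only when that set is exact; smallest sets first.
    pin = [None] * 4
    for i, d in enumerate(present):
        unknown = [p for p in range(4) if pin[p] is None]
        if i == len(present) - 1:
            positions = tuple(unknown)  # the last digit fills whatever is left
        else:
            candidates = (s for size in range(1, len(unknown) + 1)
                          for s in combinations(unknown, size))
            positions = next(s for s in candidates if verifier.verify(
                pan, _isolating_table(d), "0000",
                "".join("1" if p in s else "0" for p in range(4))))
        for p in positions:
            pin[p] = str(d)
    return "".join(pin)


def attack_blocked(verifier: PinVerifier, pan: str) -> bool:
    """True if the verifier refuses the attack's first non-standard table."""
    try:
        crack_pin(verifier, pan)
    except ValueError:
        return True
    return False


def average_guesses() -> float:
    """Mean verify() calls over all 10,000 natural PINs (a block of hex digits
    0-9 decimalises to itself under the default table)."""
    total = 0
    for n in range(10000):
        v = FixedBlockVerifier(f"{n:04d}")
        assert crack_pin(v, "any-pan") == f"{n:04d}"
        total += v.calls
    return total / 10000


if __name__ == "__main__":
    v = FixedBlockVerifier("3a3f")  # constructed block; natural PIN is 3035
    print(crack_pin(v, "pan"), "in", v.calls, "guesses; mean", average_guesses())
```

Run as a script, it recovers the PIN behind the constructed block 3a3f in 16 verify calls (10 to learn that the digits 0, 3 and 5 are present, then 2 and 4 to place the first two, with the last digit falling into the remaining slot) and reports the 16.52 average over all PINs. The same search against the hardened verifier is refused on its very first call, which is the practical point: the customer’s choice of PIN never enters into it, and the fix belongs in the HSM’s interface, not in customer behaviour.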

David says:
30 March 2016

“People are humans and humans tend to think alike”.

Quite true, and so many humans are “stupid”. Last week thousands of “stupid humans” were very disappointed and annoyed when their Lotto tickets, for which they had selected 7-14-21-28-35-42, only paid £15 for 5 correct numbers when the numbers 7-14-21-35-41-42 were drawn. In my opinion they were very lucky 28 wasn’t drawn instead of 41, or they’d have been sharing the jackpot with thousands of others and been even more disappointed and FURIOUS. I don’t like calling people STUPID, but if any of them didn’t realise that although their odds of winning were the same, their prize would be minimal if sharing the prize with thousands of others who thought using multiples of LUCKY SEVEN was a bright idea.
They are as stupid as the THOUSANDS of people who apparently use the numbers 1-2-3-4-5-6 (they probably have the word PASSWORD as their password too) ☺

When choosing a password it is common to specify requirements, which may include both numbers and letters, upper and lower case, non-alphanumeric characters, minimum length, and so on. Is it too much to expect banks to reject any PIN that would be easily guessed, such as 1234, 8888, etc?

That’s my point, wavechange, as I posted: the banks should have recognition apps to reject anything like this, including a computer that has been hacked, as I know for a fact there are digital programmes that can detect and block that. It’s down to money outlay; they won’t!

David says:
31 March 2016

” Is it too much to expect banks to reject any PIN that would be easily guessed, such as 1234, 8888, etc?”

I am not sure if it’s just advisory but I’ve noticed that it’s written that such numbers should not be used. If people do use them then in my opinion they are NEGLIGENT in not following the advice given. I actually believed that certain combinations were rejected (but haven’t actually checked)

I personally think PINs are too short for good security; 5 or even 6 digit numbers would multiply the combinations enormously.

A tip I read was always press (randomly) a few more keys after you’ve finished. Sensitive heat detection cameras can determine the last few buttons pressed.

Mark Johnson says:
3 April 2016

You think PayPal is better? Clearly you haven’t understood the t&c as you do not have the same legal protection as you would with a credit card; you are entirely at the mercy of whatever PayPal thinks is in its best interest.

Whilst this is often the same as the consumers best interest, don’t assume that this is always the case.

Malcolm says:
30 March 2016

Perhaps this is another example of the police abrogating their responsibility to tackle criminal fraud. They have already given up dealing with antisocial behaviour, such as obstructive parking, so it is not surprising that they are shirking other aspects of their job.

Of course people should use commonsense and savvy however not all of the population is going to be at that level of competence – ever. However the Govt. and many other bodies are forcing people to use the Internet.

And how does the Internet help the average user? Issuing SSLs to fake sites. You would think that slamming the issuers of the SSLs would be a top priority, wouldn’t you?



DT: I concur. The possibilities are horrendous.

Hello everyone, I’m sorry for the floating comments at the bottom of this thread. This is because we have had to put a number of comments in moderation as they broke our community guidelines. The floating comments are replies to these now missing parent comments. We will moderate the comments as soon as possible.

To new commenters, please have a read of our community guidelines: https://conversation.which.co.uk/commenting-guidelines/ Please don’t make comments that are rude about others or that are potentially offensive. Thank you.

Now that we have had over twelve pages of ripostes and responses to this topic, would it be too much to expect Which? Executive Director Richard Lloyd [who started this debate] to clarify Which?’s position in the light of the comments received and the lack of explanation of which particular on-line frauds are implicated in the Conversation? Starting provocative conversations and then walking away from them is one of Which?’s less-endearing behaviours.

Furthermore, could we please have a new picture at the head of the Conversation (a) because it is not about Sir Bernard Hogan-Howe but on-line fraud and how society deals with it, and (b) because I am fed up with seeing it every time I go to this topic [and I suspect I am not alone in that]. At least please tell us who he has under arrest on his left-hand side; it looks like he is in Downing Street so the possibilities are interesting – the nominations are . . .

John Wright says:
30 March 2016

[Sorry John, your comment has been removed for breaching our Community Guidelines. Thanks, mods]

G.J.FISHER says:
30 March 2016

Wouldn’t it improve safety if the security number was committed to memory?

This has been blown out of all proportion.

Sir Bernard is not suggesting a blanket ban on any & all refunds; he’s simply pointing out the disparity between “bank-grade” security (which is historically pretty poor) and their users’ approach to security, which is sadly even worse.

The suggestion that banks would simply stop investing in security is ludicrous, equalled only by the assumption that insurance somehow negates the need for threat modelling & solid security procedures. My home is fully insured too, but I wouldn’t leave the doors unlocked while I’m away. If I did, it’s reasonable to expect the insurance company to turn down my claim.

The same applies here.

If the bank is able to assert that a user has been negligent in their efforts to mitigate fraud, I believe they’ve every right to refuse a refund. If you disagree with their findings, you’re able to take it to the next forum and plead your case; procedures for which are already in place.

” However, the priority should be for banks to better protect their customers ”

That sounds great in theory, but it’s sadly ignorant to how the industry really works. It’s a futile & foolhardy proposal to “prioritise” reactive measures (refunds, chargebacks etc) over a proactive, customer-oriented approach to actually preventing fraud in the first place; neither option eradicates fraud completely, but genuine cases are likely to be handled more efficiently if cases of negligence/direct fraud are minimised. I’m no fan of the banking industry and certainly no advocate of their security practices, but the current system is too heavily weighted in favour of the customer. For that to be reasonable & fair, we’d have to assume that practically every case was in no way attributable to poor security practices on behalf of the user… and we have a wealth of database/password leaks which irrefutably disproves that.

Talking of passwords, they’re a major factor in many cases of fraud and yet, many companies still haven’t mastered the basics. For example, I asked “Which” to disclose their password storage algorithm, something which any responsible firm should be able to do in a heartbeat. Given their outspoken response to Sir Bernard’s comments, I had hoped “Which” would demonstrate a sound understanding of the issue and give a clear, reasoned explanation.

Instead, this was the response…

Frankly, it’s unconscionable to hide behind “policy” while publicly berating someone, public figure or not, for actively seeking to improve end-user security. Unless it’s demonstrably insecure, there is no valid reason to withhold such information… and certainly disgraceful to question a user on why it’s beneficial to know how it’s stored. Passwords are secrets, by definition; they’re personal, private pieces of data which they’re trusting with you. These responses do not help instil trust in either your ability to store them safely, or your understanding of the wider issue. That being the case, I’m not sure “Which” are best placed to comment on the security stance of others.

I wholeheartedly agree with Sir Bernard’s comments; provide refunds where appropriate and punish those who fail to follow even basic security standards. The only caveat being, the public should also be able to hold banks accountable when they’re equally lax in their approach.

” If the bank is able to assert that a user has been negligent in their efforts to mitigate fraud, I believe they’ve every right to refuse a refund. If you disagree with their findings, you’re able to take it to the next forum and plead your case; procedures for which are already in place.”

” The only caveat being, the public should also be able to hold banks accountable when they’re equally lax in their approach.”

The problem I have is that banks will and do lie as to whose fault it is: witness the number of people who were being refused refunds until the BBC demonstrated that thieves had correctly seen a flaw in the way phone operators and the banks interacted. Was it foreseeable? Darn right it was.

However, if we can get to the position where banks are fined and directors jailed for foisting insecure systems on the public, one might find that there are fewer claims anyway. Given my experience in lending and recovering money, and of sorting out people’s finances, I do have serious doubts about driving all people online and particularly to online banking.

The Banks make a vast amount of profit from the people least able to understand and control their expenditure. I believe that we may almost need to have a competency test for people however with much of the public having trouble with maths this is not reassuring.

Are there any charities/universities investigating the, again foreseeable, problems that will come from the drive to ecommerce and those left behind?

Sorry, I don’t agree with you Paul; just like Sir Ben you are throwing the responsibility onto the Internet bank user and defending the banksters. You are actually putting forward a political viewpoint that’s approved not just by the banks but by HMG. As you seem to be an expert in security I quote the words of Hitoshi Kokumai, President, Mnemonic Security, Inc., in relation to the recent FBI/Apple controversy. Although this is in relation to smartphones, the same principles apply when he speaks of PIN codes and fingerprint scanners, in that it’s a false picture to think several means of protecting access to sensitive info on a device will make it more secure unless BOTH means are operated consecutively and not either/or, as that makes it more open to back-door attack. In actual fact two-factor authentication is “below one” factor authentication. This misconception is sadly supported and spread by a number of BB, leading financial institutions and government agencies as well as not a few security professionals. And may I refer you to GCHQ, whose public information wing said last year that the people in this country should use SIMPLE passwords (obviously to make it easier for them); that beggars belief. My whole point is that as the government, aka BB, is forcing the British public to accept online banking, it should provide a 100% cast-iron security service so that once a computer or device user accesses a bank there is ZERO chance of it being hacked. If you are blaming the public then all the banks have to do is get hacker-recognising apps installed so that any compromised computer will be blocked from accessing the banking website, and if you are who I think you are you should know that’s possible as certain services already do that. Don’t pin it on the customer; the banks just don’t want to stop income by blocking access to online banking or admit security isn’t foolproof. This is a big money spinner, shutting branches for shareholder profit.
If you know a lot about computer programming and Internet coding and recognition, which provides a wealth of info, as you know, then the banks can spend more on security.

Hello Paul, thanks for your comment. We support the Commissioner’s views that people need to take steps to protect themselves, and we provide a lot of advice and guidance on how consumers can do this, such as: http://www.which.co.uk/consumer-rights/problem/scams Scams are becoming increasingly sophisticated and enforcement is a challenge, so law enforcement, industry and consumers will need to work together to get ahead of this. We’re not prioritising the reactive measures over a proactive, customer-oriented approach, but we do believe that the reactive measures have a place in dealing with scams and victims of fraud. We receive many stories from supporters where the scam committed was beyond their control and with the bank unable to explain how it occurred. The Commissioner’s comments risk sending the wrong message to the banks, as it is important that they continue to properly invest in protecting their customers from fraud and strengthening their security to prevent further crimes. What we wouldn’t want to see is a relaxing of security and of advancements in this area because they feel less responsible. Victim support is particularly important for vulnerable people, rather than passing blame at what would be a very distressing time. There is also currently no evidence to suggest that the Commissioner’s comments would effectively change behaviour and prevent scams, which is why it is a particularly dangerous message to send to banks.

I’m sorry we weren’t more specific in how we protect passwords – I just want to make clear that we fully encrypt our customers’ stored password data.
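Since the exchange above turns on what a site should be able to say about how it stores passwords, here is an added example of a scheme that can be disclosed in full without weakening it: salted, iterated PBKDF2-HMAC-SHA256 from Python’s standard library, with the parameters stored next to the digest so they can be raised later. This is illustrative code, not Which?’s system nor anything quoted on the page; the record format, the iteration floor, the in-memory store and the `login` helper are this example’s own assumptions.

```python
"""Added example: disclosable password storage with salted, iterated
PBKDF2-HMAC-SHA256 (Python standard library). The record format, iteration
floor and login helper are this example's assumptions, not any site's code."""
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
MIN_ITERATIONS = 600_000  # policy floor (assumption); raise it as hardware improves
SALT_BYTES = 16


def hash_password(password: str, iterations: int = MIN_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.
    A fresh random salt means two users with the same password get different
    records; the parameters sit in the open because none of them is a secret."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def _parse(record: str):
    """Split a record into (iterations, salt, digest); None if malformed."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return None
    try:
        return int(parts[1]), bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
    except ValueError:
        return None


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and parameters and compare in
    constant time, so timing does not leak how many bytes matched."""
    parsed = _parse(record)
    if parsed is None:
        return False
    iterations, salt, digest = parsed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def needs_rehash(record: str) -> bool:
    """True when the record predates the current policy (or is malformed) and
    should be re-hashed the next time the password is seen in clear."""
    parsed = _parse(record)
    return parsed is None or parsed[0] < MIN_ITERATIONS


def login(store: dict, username: str, password: str) -> bool:
    """Check a credential against an in-memory store (a dict standing in for
    the user table) and upgrade below-policy records transparently."""
    record = store.get(username)
    if record is None:
        hash_password(password)  # spend the same time on unknown users as on wrong passwords
        return False
    if not verify_password(password, record):
        return False
    if needs_rehash(record):
        store[username] = hash_password(password)
    return True


if __name__ == "__main__":
    users = {"alice": hash_password("correct horse battery staple", iterations=10_000)}
    print("needs rehash before login:", needs_rehash(users["alice"]))
    print("login ok:", login(users, "alice", "correct horse battery staple"))
    print("needs rehash after login:", needs_rehash(users["alice"]))
    print("wrong password accepted:", login(users, "alice", "Tr0ub4dor&3"))
```

Publishing this costs nothing, because the only secret is the password itself: someone who copies the whole table still has to run the slow hash once per guess per user, and there is no decryption key whose loss exposes every account at once. That is the distinction a question about a “password storage algorithm” is really asking about, and why “encrypted” on its own does not answer it.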

“The Commissioner’s comments risk sending the wrong message to the banks”. Patrick, I doubt that what any police commissioner says will have any impact upon what banks decide to do to protect their security measures.

I think this attempt by Which? to lead an attack on the commissioner’s remarks was misplaced and not a constructive move. I would prefer if Which? adopted a positive approach and show, if they can, how people can do better with their online security and continue to identify organisations with poorer security.

Which? advertises a booklet on fraud and scams – on TV today. If it is that good, perhaps it could persuade all banks to purchase copies in bulk and distribute them to their customers? Such guides are advertised regularly; why are they not sent automatically (or at least a link to a PDF emailed) to all members? I could not see this fraud one on the website, but maybe I did not look hard enough.

Hello Patrick

I’m slightly confused by your response.

We seem to agree there’s a need for a balanced approach, but Sir Bernard’s suggestion to restore that balance is written off as misguided. The current system is weighted in favour of the customer and because of that, any polls based upon it are likely to be misleading… as “Which” have demonstrated.

“We receive many stories from supporters where the scam committed was beyond their control and with the bank unable to explain how it occurred”

I’m not sure I understand the relevance here. We’re talking about cases where the bank is able to prove negligence. If there’s no supporting evidence, it’s reasonable to expect a full refund under current legislation. If they suspect you’ve been negligent and you disagree with a bank’s decision, you can escalate the matter to arbitration. I dare say the vast majority would find in the customer’s favour, simply because it’s more costly to fight a fraudulent £50 transaction.

“What we wouldn’t want to see is relaxing of security and advancements in this area because they feel less responsible”

They aren’t responsible, that’s the point. These are crimes for which current legislation holds the bank financially liable. Instances of direct fraud against banks are dwindling; attackers rarely target the strongest link in a chain. Instead, they’ll leverage other flaws in the payment life-cycle; process, security & storage for example. The dark web is festooned with credit card data gleaned not from a bank, but from sites which fail to adequately protect their customers. On that basis, is it right to hold the bank (and by extension, every customer of the bank) responsible for the failings of one user, or one site? Yes, insurance covers their losses but it’s naive to think those costs are simply absorbed… they are passed on.

Can you imagine a similar scenario in the motoring industry? Failures to adopt strong passwords, install vital updates, be vigilant of phishing/vishing threats etc. are metrics used to determine risk… in much the same way a person’s age, no claims bonus & gender are contributory factors in the cost of your insurance renewal each year. The current system makes (typically poor) recommendations on how to protect yourself from online threats, but rarely uses them to determine liability. Anecdotally, Sir Bernard’s suggestion would reduce the overall cost of banking by effectively punishing those who fail to take basic steps to protect themselves. I disagree with Sir Bernard’s description of “rewarding” people with refunds; that’s a risky misnomer. A refund under these circumstances is to make someone financially “whole” again, so as not to penalize unfairly. Using “password” as your password is akin to leaving your front door open 24/7… insurers rightly refuse those claims to keep our costs to a minimum, and yet “Which” and your respondents appear to be willing to pay for comparable negligence in a different industry.

“There is also currently no evidence to suggest that the Commissioner’s comments would effectively change behaviour and prevent scams, which is why it is a particularly dangerous message to send to banks.”

That’s not true at all. There’s both anecdotal and academic evidence from other countries which suggests that a user’s approach to security/privacy is greatly improved when their safety net (insurance) is either unavailable or financially out of reach. Sir Bernard probably wasn’t referring to them, but the evidence is there to justify his position.

“I’m sorry we weren’t more specific in how we protect passwords – I just want to make clear that we fully encrypt our customers’ stored password data.”

“fully encrypt” is one of those equivocal, meaningless “PR” responses Patrick. For starters, “encrypt” is either the wrong description or the wrong method… but your reply (and that of “Which” via DM on Twitter) suggests a lack of understanding. This isn’t aimed at you specifically Patrick, but rather your IT team who appear to have adopted the faith-based “just trust us” approach which never, ever ends well.

I’m afraid your reluctance to disclose this information diminishes the validity of your input into discussions surrounding security, fraud & risk.
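The point Paul is making about “fully encrypt” is the difference between reversible encryption and one-way hashing of stored credentials. As an added illustration (written for this page; not Which?’s code, and not a description of how any bank or site actually stores passwords), here is the pattern a site is expected to follow: a per-user random salt, a deliberately slow key-derivation function, and a constant-time comparison at login. The PBKDF2 parameters and the record format are assumptions chosen for the example; the toy reversible cipher beside it exists only to show why “encrypted” is not the same property.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters assumed for this example only; a real deployment tunes them to its hardware.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Store a password as a salted, slow, one-way record.

    Record format (assumed for this example): pbkdf2_sha256$iterations$salt_hex$digest_hex
    There is no key anywhere that turns the record back into the password.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt/iterations; compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(record: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True if a stored record predates the current work factor; rehash on next successful login."""
    return int(record.split("$")[1]) < iterations


# --- Contrast: "encryption" is reversible by design (toy XOR cipher, NOT for real use) ---

def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def toy_encrypt(plaintext: str, key: bytes) -> bytes:
    return _xor(plaintext.encode("utf-8"), key)


def toy_decrypt(ciphertext: bytes, key: bytes) -> str:
    # Same operation in reverse: whoever holds the key (or steals it with the database) gets every password back.
    return _xor(ciphertext, key).decode("utf-8")


if __name__ == "__main__":
    record = hash_password("correct horse battery")
    print(record)
    print("login ok:", verify_password("correct horse battery", record))
    print("wrong case rejected:", not verify_password("Correct horse battery", record))
    print("encrypted form recoverable:", toy_decrypt(toy_encrypt("hunter2", b"k3y"), b"k3y"))
```

Two identical passwords produce different records because the salt differs, so a stolen table cannot be attacked with one precomputed list, and the work factor is stored with each record so it can be raised later without breaking existing users.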

@malcolm r
Well said.

Hi Paul, I’m not sure Sir Bernard was suggesting restoring the balance by saying banks should no longer refund customers who do not protect themselves. Banks can (and do) already refuse to refund customers if they can prove negligence, so his comments would suggest that either banks aren’t doing this, or that the balance should shift so that defining negligence is more open to interpretation and banks have greater leeway to refuse to refund victims of online fraud.

I’ve also been wondering about the point about using “password” as a password, and this being akin to leaving your front door open 24/7, with insurers refusing claims in such a circumstance. It strikes me that while it’s clear in insurance contracts that leaving your door open invalidates your insurance, this isn’t really what drives people to lock their front door! Surely there are other ways to incentivise people’s behaviour than banks making them more financially liable?

I think others have also made this point, but if banks know that people are using “password” as their password, and fraudsters are exploiting that, then is there not a more pressing question as to whether banks should allow their customers to use that password in the first place, and rely on what they know to be a flawed security system? Indeed, advancements over the past few years suggest that they don’t – banks increasingly require upper case, lower case, symbols, numbers etc within passwords, and two or three step verification. It’s also no surprise that, given how much information that can be found out about you online (for multiple reasons – not simply individuals being too free with what they share), banks are also moving away from simply asking for your date of birth, mother’s maiden name, or place of birth, as ID verification.

In my opinion, this is the sort of progress we should be pushing for more of in all areas. Improving consumer behaviour is important, no doubt – it would help prevent fraud amongst those who were reached/affected and changed their behaviour. But those who didn’t would still be vulnerable, and fraudsters would no doubt adapt to prey on another human element that makes people vulnerable to fraud. Alternatively, we could focus on making security systems – for everyone – less vulnerable to being abused by fraudsters. There’s room for both, but I think I’d prefer more of the latter.

Hi Richard

“so his comments would suggest that [..] banks have greater leeway to refuse to refund victims of online fraud.”

That’s exactly what he’s suggesting, but it doesn’t allow free rein to reject claims without evidence… they simply want a greater ability to hold customers accountable for their actions, or lack thereof. The aim isn’t to refuse refunds to as many as possible, but to prevent refunds from being necessary in the first place. That leads nicely on to your next point…

“Surely there are other ways to incentivise people’s behaviour than banks making them more financially liable?”

If there is, I honestly can’t think of any. The web is awash with “best practice” security advice which, even though most of it is astonishingly dangerous, the vast majority ignore. Do you have any suggestions?

“but if banks know that people are using “password” as their password, and fraudsters are exploiting that, then is there not a more pressing question as to whether banks should allow their customers to use that password in the first place”

That’s a valid point, but it’s also a different threat model entirely. To leverage that, an attacker would need to attack the bank directly which, as I mentioned earlier, is rarely the case.

“Indeed, advancements over the past few years suggest that they don’t – banks increasingly require upper case, lower case, symbols, numbers etc within passwords”

Mindful that we’re discussing a different issue now, I’d question that.

Many banks (Halifax for example) *allow* mixed alphanumerics (no special characters) but force them all to lowercase during storage, hence the note saying “remember: passwords are not case sensitive”. That reduces the key space from 62 possible characters (a-z, A-Z, 0-9) to 36. Other banks (Natwest for example) continually push dangerous & demonstrably insecure advice re: passwords – but they’re at least open to withdrawing it when it’s proven to be inaccurate.

“Alternatively, we could focus on making security systems – for everyone – less vulnerable to being abused by fraudsters”

The industry continues to progress significantly in this area, especially wrt: banking… but user behaviour hasn’t changed significantly in the last decade. Going back to my front door analogy, even the strongest, most resilient of locks is defeated as soon as you leave the key in, or under the mat. I’m not one for placing blame for poor security solely on the user; that’s a lazy & ignorant response to a broad series of threats… but it’s equally ignorant to expect “tech” to protect you… from yourself.
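To put numbers on the case-folding point above, here is an added example (written for this page, not code from any bank Paul names; the 62-symbol policy alphabet is an assumption taken from his description). It counts how many distinct symbols survive a storage-time normalisation such as lowercasing, shows that visibly different passwords collapse onto one stored credential, and converts alphabet size and length into bits of entropy and expected brute-force effort. It also covers the other end of the scale, a password of random characters from a manager, since the same arithmetic applies; the 1e10 guesses/second figure is an assumed attacker rate, not a measurement.

```python
import math
import secrets
import string
from typing import Callable, Iterable, List, Set

# Symbols the site lets you type; assumed 62 (a-z, A-Z, 0-9) for this example.
POLICY_ALPHABET = string.ascii_letters + string.digits


def effective_alphabet(alphabet: str, normalise: Callable[[str], str]) -> int:
    """Symbols that remain distinguishable after the site's storage-time normalisation."""
    return len({normalise(c) for c in alphabet})


def folded_collisions(passwords: Iterable[str],
                      normalise: Callable[[str], str] = str.lower) -> Set[str]:
    """Distinct stored credentials produced by the given passwords once normalised."""
    return {normalise(p) for p in passwords}


def keyspace(alphabet_size: int, length: int) -> int:
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password drawn uniformly at random from the alphabet."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random password: half the keyspace on average."""
    return keyspace(alphabet_size, length) / 2 / guesses_per_second


def random_password(length: int, alphabet: str = POLICY_ALPHABET) -> str:
    """What a password manager does: uniform choice from the full alphabet, CSPRNG-backed."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_policies(length: int, guesses_per_second: float = 1e10) -> List[dict]:
    """Side by side: case-sensitive storage vs. lower-cased storage for the same typed policy."""
    rows = []
    for label, size in (("case-sensitive", len(POLICY_ALPHABET)),
                        ("lower-cased at storage", effective_alphabet(POLICY_ALPHABET, str.lower))):
        rows.append({"storage": label, "alphabet": size, "length": length,
                     "bits": round(entropy_bits(size, length), 1),
                     "expected_seconds": expected_crack_seconds(size, length, guesses_per_second)})
    return rows


if __name__ == "__main__":
    print("distinct stored values for Secret1/SECRET1/secret1:",
          folded_collisions(["Secret1", "SECRET1", "secret1"]))
    for row in compare_policies(8):
        print(row)
    print("13 random chars from 62:", round(entropy_bits(62, 13), 1), "bits",
          "e.g.", random_password(13))
```

For an 8-character password the lower-cased store is about 77 times smaller than the case-sensitive one; the same ratio shows why a site's stated policy says nothing about what it actually stores, which is the point of asking.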

Hi Paul, thanks for sharing your views, it’s a really interesting debate. While I get your first point, I’m still concerned that it’s a slippery slope to go down, given banks already can refuse to refund consumers if they can prove negligence. Banks would have a clear incentive to reject as many refunds as possible if they were given greater leeway.

I’d also like to think that there are other possible solutions above generic best practice advice. More targeted communication at those most at risk, for example – and directed support to help them change behaviour. Maybe other measures too – prompts to install security software, default installation, making it easier to update security programmes on devices etc – that are tested to see how people respond. I’m sure others, working in this area, would have suggestions too. Indeed, going back to an earlier point, banks not allowing you to use “password” as your password, or banks requiring multiple step verification – that could help change people’s behaviour too.

I’m afraid I still don’t agree with your front door analogy. Of course, if the key is left under the mat or in the lock (or your password is given out) it compromises the security system! But what we’re talking about is someone being able to open the door without having the key (and without breaking down the door). If your front door lock is picked, then the insurance is still valid, no?

Thanks Richard.

“Banks would have a clear incentive to reject as many refunds as possible if they were given greater leeway.”

I think that’s the fundamental concern here, so let’s play devil’s advocate and assume the bank will, in every given situation, attempt to use the information to refuse a refund. Also, keep in mind the scale of fraud happening every minute of every day.

If we assume:
A) the majority of cases are genuine and the customer isn’t at fault:
> The bank is required to inform the customer of their decision in writing.
> The customer inevitably calls the bank to complain, at least once.
> The customer puts in an official complaint, the bank must respond in writing.
> The complaint goes to deadlock and the customer seeks arbitration.

By this point, it’s probably cost the bank in excess of the typical claim amount… so win or lose, it’s losing money. They’ll either back down & pay, or attend an arbitration hearing at further expense to the bank; the costs for which they cannot recover unless the claim was vexatious.

Now let’s assume:
B) there’s a claim which gives an indication of negligence, but is not certain.
> The bank is required to inform the customer of their decision in writing.
> The customer inevitably calls the bank to complain, at least once.
> The customer puts in an official complaint, the bank must respond in writing.
> The bank must now investigate the matter more thoroughly, almost certainly visiting costs beyond the initial claim amount. That’s unlikely to be authorised for anything other than very serious amounts of money… so the claim is accepted.

By this point, the cost of investigating is almost certainly higher than the claim amount. As before, they’ll either back down & pay or proceed to a hearing.

Now let’s assume:
C) there’s a claim with multiple indications of negligence, the majority of which are strong metrics.
> The bank is required to inform the customer of their decision in writing.
> The customer inevitably calls the bank to complain, at least once.
> The customer puts in an official complaint, the bank must respond in writing.
> The bank, already confident that the user has been negligent, still has to weigh up the costs of attending arbitration and rolling the dice, or simply refunding in full.

As you rightly said, they already have this “power” as it were… but even when there are clear indications of negligence, it’s not always cost effective to prove it. Right/wrong isn’t on the agenda… it all comes down to money & risk.

The more granular a risk assessment, the more effectively & efficiently they can mitigate them. The ability to assess, and therefore punish, customers who fail to adopt basic security principles is inevitably going to increase the number of claims which are denied, but only in the minority of cases. What it does do however, is provide a substantial incentive to the end user to, as it were, get their house in order wrt: security.

“Indeed, going back to an earlier point, banks not allowing you to use “password” as your password, or banks requiring multiple step verification – that could help change people’s behaviour too”

Current two factor authentication & two step verification processes (two very different concepts!) are a usability nightmare, not to mention the inherent risk it introduces to the 95% of the population who either don’t use it, or choose not to use it. You often find companies which adopt 2FA/2SV haven’t actually implemented the first factor properly (typically the password). Your ATM card is possibly one of the earliest examples of two factor authentication, as it’s necessary to present both the card (something you have) and the PIN (something you know) to the verifier… in this case, the ATM machine. The introduction of “contactless” payments somewhat negates those benefits, but it’s a considered risk.

Although I don’t agree with it, allowing the use of “password” as your bank password is actually a good metric on which to base a decision of a claim. At least 2 UK banks (which I can’t name for legal reasons) use a technique known as behavioural biometrics; the process of watching *how* you type. By measuring the periodicity of your keystrokes, they’re able to build a very solid profile of your typing habits. If you give out your password or it’s leaked to an attacker, their systems are able to use that data (along with other metrics) to determine if the bearer of the credentials is actually the account owner. This is also two factor authentication, but using the “inherence” factor. It’s also referred to as “barrier-less 2FA” or “keystroke dynamics”, as it doesn’t require user adoption or interaction. This technique has been studied for years, but has only recently been adopted by large, typically financial, companies with a watchful eye on fraud. It’s remarkably accurate too, with systems which can identify your gender after a few keystrokes and your identity in less than 30 keystrokes.

It’s cutting-edge technology which the majority of banks won’t admit to using, as there are inherent privacy implications which even they still can’t quite grasp. If you’re interested in knowing more about it, here’s a 13 minute video of my research at Cambridge University a few months ago: https://www.youtube.com/watch?v=v5tjBF5zlkg

“But what we’re talking about is someone being able to open the door without having the key (and without breaking down the door). If your front door lock is picked, then the insurance is still valid, no?”

For the most part, yes… but insurance companies have strict rules on which locks reach the minimum standards for external doors. If you use a lock which doesn’t meet their requirements, picked or not, they won’t pay out. The same applies (or at least should apply) to your passwords.

A cryptographically-strong password like…

… becomes weak the moment it’s re-used, so even sites (bank or otherwise) which enforce strict rules have no knowledge of its relative strength. The definition of what constitutes a “strong” password differs greatly too, with sites like GetSafeOnline & CyberStreetWise offering some of the worst, demonstrably insecure advice available. If a user follows that advice and falls victim to fraud, there’s absolutely no doubt (in my mind at least) that they should be given a full refund. There is however, a general consensus on what constitutes a weak password… they’re on top 100 lists in every breach ever published. If, in those cases, the weak password is a contributory factor in facilitating fraud, I wouldn’t hesitate to refuse a refund. It’s unfair to visit the cost of their negligence on others, including the bank.

Ultimately, if your password is chosen at random by a password manager, 13 characters is way beyond the realms of being broken. If you’re using > 13, great… but be mindful that you’re not actually increasing real-world security at all, unless your adversaries include 3 letter agencies 😉

If, like the majority of users, you choose & re-use passwords manually (please don’t!), it’s absolutely critical that each site stores them responsibly. If they don’t, a breach will almost certainly compromise other sites too… and the only way to ascertain that, is to ask 😉

— If you’re here and haven’t dozed off, I’m impressed! —


This is an issue of taking responsibility for your actions and not placing blame and/or liability on an innocent 3rd-party. The customer is often seen as the only victim in cases of fraud, but that’s simply not true. In the overwhelming majority of cases, the customer receives a full refund. The cost for managing & investigating claims are covered by the bank (but are subsequently passed on to everyone) and ultimately, it’s the merchant that stands to lose out, again passing on its losses to every customer.

Hitoshi Kokumai’s comments are somewhat misguided, I’m afraid. Revocation/fall-back weaknesses are well understood and virtually every method of authentication is susceptible to this kind of abuse. A password is considered a single factor, even when combined with “security questions” and email-based revocation/reset links. His definition effectively destroys the concept of “factors” as defined by NIST which, although technically sound, is neither helpful nor productive. Whilst removing “forgot password/reset links” unquestionably increases security, they’re convenience features which the web just cannot do without.

“may I refer you to the GCHQ whose public information wing said last year that the people in this country should use SIMPLE passwords(obviously to make it easier for them) ,that beggars belief”

That’s actually not what it said… nor what it meant.

The “Simplify Your Approach” publication (https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/458857/Password_guidance_-_simplifying_your_approach.pdf) is intended for use by sys admins / developers (as it says on the very first page) with the intention of shedding the complexities of modern password policies which, contrary to popular belief, can actually weaken security. The single largest threat to passwords is not length nor strength, but re-use. Forcing users to pick & remember inconceivably long passwords may increase security on a single site, but it also increases the likelihood they’ll re-use/recycle that password elsewhere. The suggestion was not to force weak passwords, but to allow both weak(er) and strong credentials.
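The behavioural-biometrics paragraph earlier in this comment describes the mechanism in words; what follows is an added example of the basic shape of a keystroke-dynamics check, written for this page and not taken from Paul’s research, any vendor, or any bank. It enrols a user from several typings of the same string, extracts dwell (key held) and flight (key-up to next key-down) times, and scores a new typing with a scaled Manhattan distance against the enrolment profile, a simple detector from the keystroke-dynamics literature rather than whatever any particular bank deploys. All timings are synthetic, generated inside the block, and the 2.0 threshold is an assumption; a real system would tune it on measured data.

```python
import random
import statistics
from typing import List, Sequence, Tuple

# One key event: (key, key-down time in ms, key-up time in ms). Format assumed for the example.
KeyEvent = Tuple[str, float, float]
Profile = Tuple[List[float], List[float]]   # per-feature (means, standard deviations)


def features(events: Sequence[KeyEvent]) -> List[float]:
    """Dwell time of every key, then flight time between each consecutive pair."""
    dwell = [up - down for _, down, up in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight


def enrol(samples: Sequence[Sequence[KeyEvent]]) -> Profile:
    """Build the owner's profile: mean and (floored) standard deviation per feature."""
    vectors = [features(s) for s in samples]
    n = len(vectors[0])
    means = [statistics.fmean([v[i] for v in vectors]) for i in range(n)]
    # Floor the spread at 1 ms so a feature with no observed variance cannot divide by zero.
    stds = [max(statistics.pstdev([v[i] for v in vectors]), 1.0) for i in range(n)]
    return means, stds


def anomaly_score(profile: Profile, sample: Sequence[KeyEvent]) -> float:
    """Scaled Manhattan distance: mean |z| across features. 0 means typed exactly like the owner."""
    means, stds = profile
    feats = features(sample)
    return sum(abs(f - m) / s for f, m, s in zip(feats, means, stds)) / len(feats)


def is_account_owner(profile: Profile, sample: Sequence[KeyEvent], threshold: float = 2.0) -> bool:
    return anomaly_score(profile, sample) < threshold


# --- Synthetic data (constructed; not measurements from any real user or bank) ---

def synthetic_typing(rng: random.Random, text: str, dwell_ms: float, flight_ms: float,
                     jitter_ms: float = 8.0) -> List[KeyEvent]:
    """Simulate one typing of `text` with the given average dwell/flight and Gaussian jitter."""
    events: List[KeyEvent] = []
    t = 0.0
    for ch in text:
        down = t
        up = down + max(1.0, rng.gauss(dwell_ms, jitter_ms))
        events.append((ch, down, up))
        t = up + max(1.0, rng.gauss(flight_ms, jitter_ms))
    return events


def demo(secret: str = "Secret1") -> dict:
    # The legitimate user types quickly and evenly; the impostor knows the password but not the rhythm.
    enrol_rng, owner_rng, impostor_rng = random.Random(1), random.Random(2), random.Random(3)
    profile = enrol([synthetic_typing(enrol_rng, secret, 90, 120) for _ in range(20)])
    owner_probe = synthetic_typing(owner_rng, secret, 90, 120)
    impostor_probe = synthetic_typing(impostor_rng, secret, 140, 250)
    return {
        "owner_score": anomaly_score(profile, owner_probe),
        "impostor_score": anomaly_score(profile, impostor_probe),
        "owner_accepted": is_account_owner(profile, owner_probe),
        "impostor_accepted": is_account_owner(profile, impostor_probe),
    }


if __name__ == "__main__":
    print(demo())
```

The password is correct in both probes; only the rhythm differs, which is what makes this an “inherence” factor that needs no user enrolment step beyond normal logins. The threshold trades false rejections of the real owner (a bad day, a new keyboard) against false acceptances, and that trade-off, not the maths, is where deployments live or die.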

Yes, it’s always about “taking responsibility for your actions”, isn’t it Paul, quoting from the “good book” of far-right neo-conservatism. The government sets up a political position in relation to the public disadvantage and then blames the public for “not being up to it”. This country spends its time copying the US model of: stand on your own two feet, act like a man, the state doesn’t owe you, you owe the state, don’t be dependent on society supporting you, remove the Welfare State as it’s full of “hangers on”, those “working the system”, “lazy people” etc. etc. All “nice” “Libertarian” quotes. The problem is most people don’t diddle the State; when real surveys took place percentages were under 8%, some only several %. Most people on welfare can’t get jobs, as no jobs are available; most people really are ill and can’t work, but the government propaganda goes forth. This country used to be Middle-of-the-Road, now it’s far-right. It’s filled with mass marketing via the US model of buy-buy-buy while dumbing down the population at the same time to make them more acceptable to rip-off advertising: just sit in front of the TV and eat a Big Mac, Coke, with fries, don’t think, let “us” take care of the thinking; and then schools are taught PC instead of maths/science/English which “helps” with the dumbing down, and then you complain many people put down “easy passwords”. Typical autocratic thought process of HMG and Washington. How about people stopped the process of Internet banking and paid by cash? BB wouldn’t like that, would they? Nor HMG, nor the banksters. Yes, carry on blaming those vulnerable people, those with illnesses requiring psychiatric care, those with low IQs, those with dementia etc. It’s THEIR fault, isn’t it Paul? What a “wonderful caring vision” of neo-capitalism!

Whilst I do not agree with everything Duncan writes, and sometimes he writes things I don’t like, there is something I really don’t like!!
I don’t like the p***s who are forever giving him or anyone the thumbs down just because he is a little left of centre or someone reckons someone is too extreme or outspoken. . .
There is not one person on here who Duncan would not take the time to help if he could. . . He is not going out of his way to hurt anyone, rather the opposite in most cases.
It is everyone’s entitlement to voice their views no matter how left or right their views are.
I was taught:
If you don’t like something, pass on by.
If you can’t say something good about someone, say nothing at all.

DeeKay, I, for example, may or may not agree with comments but this is a conversation where opposing or differing points are made, and deserve in some cases a response. I think the reply to Paul was a little unkind considering that Paul made a valid contribution to the topic.

However “Yes carry on blaming those vulnerable people, those with illnesses requiring psychiatric care . those with low IQ,s those with dementia etc its THEIR fault ,isnt it Paul ?” is going too far, I think, as that was not what Paul said.

This response is sometimes made when we discuss topics that require people (in general) to look after themselves (and their families), to learn how to deal with what life throws at them and to – yes – stand on their own feet and not rely on a nanny state, or someone else, to always take care of them when they should be taking care of themselves. The vulnerable people who cannot look after themselves and need help from others should, of course, be helped. But there are plenty of others who are not in this category. I like to think I am of average capability, but I do not pretend to understand all the ramifications of the security needed to protect myself using “modern” technology; I am, however, quite capable of applying advice and instruction if it is offered to me, and of being wary of scams when made aware of them.

Thanks for the advice Malcolm.
Not what I asked for, but I’m sure I’ll treasure it.
I won’t be giving any thumbs down just the same. If I don’t like something that much I’ll open my mouth or write a few simple lines.
The thumbs to me are like withheld numbers: faceless, nameless. But you seem to support the theory so I’m sure it’ll remain.

Thanks for the honest reply Dee. I realise I am by far in a minority, but when I see a speech that puts forward a platform that to me seems uncaring, or unthoughtful of the wider mass of the population, and know for a fact that most people in poor areas of the UK don’t get a real education and are easily influenced by the media, I feel I need to speak out on their behalf. I have a cousin who thinks of himself rather than having any care for others; I haven’t spoken to him in over 30 years as we are poles apart in our thinking. Perhaps I care too much for the general public and that is not appropriate for Which?, but I see very clearly what way this country is heading and I don’t like it. I accept many don’t agree with me, but if somebody criticises the public for a lack of understanding, or knowledge relating to a technical situation that involves a personal loss to them because of that lack of understanding brought about by a situation created by the political will of HMG, I cannot in truth blame the person but blame the system. I can’t help being a fighter on the public’s behalf, it’s built into me, but when that voice is squashed then I will know that Freedom, in the REAL sense, has gone from that society.

I think you enjoy being in the minority Duncan. . . My Dad is like that also, and perhaps myself to a lesser degree.

No, I don’t agree with some of your outpouring above, but some of it is not without foundation so I did not pour scorn on it.

Paul Moore wrote a well-mannered and, as best he sees it, view on the subject. . . I cannot fault him for that. . That’s where he finds himself, but you and I find ourselves in a rather different place in different ways.
I understand why you head off at a tangent and give off, yes, even OTT at times, and I would not shake a red rag at a bull, but not all share my ideas.
I know you have your problems with caring etc. . . I do also with my Dad, and I have awful health issues, and our NHS is operating at a snail’s pace so any light at the end of the tunnel is very far away.

Not so many years ago I paid a lot of tax. . . I saw things very differently back then, as do others here it seems. . . But just before someone decides they know everything about everything, it’s not as easy on the way down as it was on the way up, and the more you give off about the imperfections of others on the way up, the more you may recognise the parallels to your personal situation on the way down.

This life does not come with a lifetime warranty, no odds how well educated or how hard a worker you are. . . .
Life’s a B**** and then you die.
It’s the times that it’s the b**** that p***** me off.

Richard – If, as you assert, the banks are taking reasonable precautions to prevent password fraud occurring on their customers’ accounts, it doesn’t matter what the Metropolitan Police Commissioner says on the matter as it would be irrelevant – so why did Which? make such a big fuss about what he said? You can’t have it both ways!

I happen to think that Sir B H-H has a point [up to a point]. Unfortunately the point has got completely lost and distorted as a result of this Conversation which you are now lamely seeking to justify. I endorse the view of others here that think that Sir Bernard was wrong to say what he did and that he should wait until he retires before relieving himself of controversial comments in public.

I don’t agree with everything Paul Moore has said but he is certainly on the right lines, in terms of responsibility and liability between the banks and their customers. The banks and building societies that offer current accounts are effectively forced to enroll anyone who can put some money on the counter every month, doesn’t have a live criminal record, and doesn’t have a bad credit score. Within this cohort there is a phalanx of people who are compromising their own security and lose money through no fault of the bank [whether accidentally or not is immaterial] but expect the banks to make good their losses, and Which? goes along with this even though it is against the interests of the overwhelming majority of customers who take better care over their on-line transactions?

In the Intro Richard Lloyd says ” . . . if banks did not have to reimburse victims, what incentive would they have to protect their customers from fraud in the first place?” Maybe, but if customers knew they could get a refund every time an on-line transaction went wrong, what incentive would they have to take more care over their data and cards?

I agree with the Metropolitan Police Commissioner that the banks should consider investing more in their security systems [as I have said previously], and I don’t think banks should try to blame customers [if they were – I don’t recall any such comments] , but I think it would be remiss of banks, in the interests of all their account holders, if they did not resist unwarranted compensation claims. I am sure many claims are met on an ex gratia basis with no acceptance of liability merely to stop the action and to avoid disproportionate costs.