Tan Kin Lian - Perspectives Responsibility for losses from hacked bank accounts
The managing director of the Monetary Authority of Singapore, Ravi Menon, said that we have to be careful in deciding how much responsibility to apportion to the bank for losses incurred by customers when their bank accounts are hacked by a crook. 

I give my view on this matter. If the customer has been careless and does not observe the precautions advised by the bank, the customer should bear the loss entirely or largely. However, if the customer has not been careless, and the hacking is caused by weakness in the online system of the bank, the bank should bear the loss entirely or largely. 

For many hacking incidences reported in the media, it appears to me that the bank's computer systems were poorly designed. This allowed the scammer to fool the customer and led to the bank account being hacked. 

Here are the common incidents of hacked bank accounts:

1. The scammer sent an email to ask the bank customer to a website to stop an fraudulent transaction. The link in the email led the customer to a fake website where the hacker was able to retrieve the login credentials. The customers were not aware of the scam.

2. The customer was fooled into download an app which contained malware that allowed the hacker to view the transactions on the customer's device and to retrieve the login credentials and messages sent to the phone. 

The customers were not careless. But they were unaware of the scam. It is not reasonable to expect the ordinary customers, who are lay people, to be aware of these sophisticated scams. 

The solution is for the banks to require the customer to login to the bank account with a fingerprint or face recognition on the mobile device, i.e. biometric access

I understand that it is extremely difficult, perhaps impossible, for the scammer to clone the biometric access. Even if it was possible, it would not be worth the effort required from the scammer. 

Most, if not all mobile devices, have the biometric access. The customer should be compelled to use this feature to access their bank account.These mobile devices with biometric access are available at a low cost.

As an additional measure, the customer should be required to confirm all transaction, except for small transactions involving less than $100 (say)  with the biometric access. 

If the customer insist on bypassing this biometric access, the customer will be required to bear the loss that arises from the hacking of the bank account. The customer should be informed clearly of this risk. 

I hope that MAS will adopt this approach and the law should specify the responsibility using this framework. 

Tan Kin Lian 






 

Add Comment

---