Brits hit by cyber theft could be forced to foot bill as banks shirk responsibility

© Kacper Pempel
Brits who use online banking services vulnerable to criminal hackers could be made liable for financial losses stemming from theft, as intelligence officials, central bankers and Downing Street seek to shirk responsibility.

The potential policy shift could see firms or individuals with poor online security left without compensation if their bank accounts are hacked. Customers vulnerable to criminal hacking could also be locked out of vital online banking services under the proposals, the Financial Times reported on Wednesday.

Cyber security challenges in financial sector 

In a climate of ever-evolving cyber threats, UK authorities have become increasingly concerned about the damage cybercriminals could wreak over Britain’s national and economic security. Banks are also worried about fraud losses mounting on their books.

High street banks and other financial institutions generally compensate customers who are victims of cyber fraud, irrespective of who bears responsibility for exploited security risks. As a result, shifting the burden onto customers’ shoulders while financial actors and regulators escape responsibility could prove controversial.

British spy base and cyber security hub GCHQ is encouraging banks and other private sector businesses to take their cyber defense strategies more seriously. The agency wants private sector firms to encourage customers to bolster their online protection. It has also informed banks that customers’ lax security leaves them open to criminal hackers and is counter-productive to any decent cyber defense strategy.

In addition to this, the spybase reportedly refuses to take responsibility for problems in the financial sector born of poor oversight and lackluster digital security.

Lauri Love, an information security consultant and chief hacking officer at cybersecurity firm Hacker House, said the responsibility to uphold the robustness and security of online financial services rests on banks and regulators shoulders.

“Banks and their regulators are acting in bad faith if they expect to harness the benefits and opportunities of information technology, while pushing the risk and liability for insecurity onto depositors and taxpayers,” he told RT.

“Implicit in the value proposition for savers is that their deposited funds - which banks leverage to capitalize their investments and underwrite wealth creation through lending - are vouchsafed.”

Love, a privacy rights campaigner and high-profile political activist, said financial institutions entrusted to manage capital flows are responsible for ensuring their online systems are stable. He also suggested regulators and policy-makers have an important role to play.

“We are still paying the price in terms of protracted austerity, decreased quality of life and expectations of prosperity and housing security as a direct result of the irresponsibility of central banking and the legal and cultural environment that is supposed to maintain integrity,” he said.

“Those who benefit inordinately from their economic position of trust and privilege should be wary of attempting to shift yet further burdens and liabilities consequent to their own incompetence. With the rise of peer-to-peer and cryptographic ledger technologies, it may begin to be deemed that their continued existence is no longer required by their patrons.”

Financial fraud and cybercrime in Britain 

Scams are increasingly used to dupe unsuspecting web users into handing over personal details or parting with hard-earned cash.

A report released by British industry group Financial Action Fraud (FAF) earlier this year uncovered the extent of the problem. The study shows that losses stemming from financial fraud involving payment cards, checks and remote banking hit £755 million (about US$1.1 billion) in 2015, up 26 percent on the previous year.

Attempted fraud intercepted by financial institutions, meanwhile, hit £1.76 billion in 2015. In this context, banks and other financial institutions intervened before cyber criminals were able to cash in on lax online security.

Some of the starkest increases in financial fraud occurred on online platforms linked to the financial services industry, according to FAF. The group says the cost of internet banking fraud rocketed to £134 million in 2015.

FAF’s report links a number of core drivers to financial crime in the online world. Drawing from unnamed intelligence sources, the study says a rise in “impersonation and deception scams” and sophisticated cyber-attacks involving malware and data breaches are key.

© Ina Fassbender

In the case of an impersonation and deception scam, a fraudster will approach a customer claiming to represent a legitimate organization. Such ruses often involve phone calls, text messages or emails, in which the scammer pretends to be from a bank, government agency, police force or utility firm. Citing suspicious activity, the cybercriminal will tell the victim to update or verify their account details. The objective is to lure the victim into parting with valuable personal data or money.

A number of high profile data breaches were made public in 2015. However, FAF stresses lower-level attacks are more common. In such a case, stolen data can be deployed to commit fraud. A simple example of this is cyber criminals’ use of stolen credit card details to make remote purchases. Criminal syndicates also use phishing emails and malware to steal unsuspecting citizens’ data.

‘Think strategically’ 

Approached by RT, GCHQ declined to confirm or deny reports that it has been actively encouraging British banks and businesses to bolster their cyber defense capabilities.

On the question of cyber security oversight in the face of financial fraud, RT asked the listening post whether it would consider serving the public interest alongside the so-called national interest by taking a more interventionist approach.

The agency said this was not a matter it could comment on.

Love argued GCHQ’s remit is twofold.

“One half of its responsibility is information assurance [and] the anticipation and preemptive defense against information insecurity risk,” he said.

“There is widespread concern that too much emphasis has been placed over recent years on the offensive role:increasing collection and analysis capabilities."

Love explained GCHQ's strategy in this respect results in "a dereliction of duty" to assist government and the business world in thwarting malicious attacks.

“This also contributes to an alarming degree of systematic risk as vital digital infrastructure is ever more exposed to compromise," he said.

"The duty to balance the priorities of the security services rests upon their regulators, who should be informed in their decision-making by cogent and forward-thinking discussions with business and public stakeholders.”

Love called on UK authorities to think strategically and reassess the "national interest value" of having the ability to attack "the entire world's networks and systems" while failing to protect those at home. 

“The cutting edge advantage of offensive technology is an understandable ambition,” he said.

“But if it comes at the cost of mounting insecurity risks due to marginalization of defensive responsibilities, then the public may not be forgiving when the chickens come home to roost.”

Love is a key member of Hacker House, which was established last year. The firm deals with a broad spectrum of clients and has a dedicated team of cyber security experts from a diverse range of backgrounds.